Create Policy

When onboarding an OCI account to Multicloud Defense, you need to create and apply an IAM policy that grants the Multicloud Defense controller the permissions it needs. Use the following procedure and recommendations to create the policy:

Procedure


Step 1

Navigate to Identity & Security > Policies.

Step 2

Select the root compartment.

Step 3

Click Create Policy.

Step 4

Specify the following:

  • Name: Multicloud Defense-controller-policy.

  • Description: Multicloud Defense Policy.

  • Compartment: [Must be the "root" Compartment].

Step 5

Under Policy Builder enable Show manual editor.

Step 6

Modify and paste the following policy:


Allow group <group_name> to inspect instance-images in compartment <compartment_name>
Allow group <group_name> to read app-catalog-listing in compartment <compartment_name>
Allow group <group_name> to use volume-family in compartment <compartment_name>
Allow group <group_name> to use virtual-network-family in compartment <compartment_name>
Allow group <group_name> to manage volume-attachments in compartment <compartment_name>
Allow group <group_name> to manage instances in compartment <compartment_name>
Allow group <group_name> to {INSTANCE_IMAGE_READ} in compartment <compartment_name>
Allow group <group_name> to manage load-balancers in compartment <compartment_name>
Allow group <group_name> to read marketplace-listings in tenancy
Allow group <group_name> to read marketplace-community-listings in tenancy
Allow group <group_name> to inspect compartments in tenancy
Allow group <group_name> to manage app-catalog-listing in compartment <compartment_name>
Allow group <group_name> to read virtual-network-family in tenancy
Allow group <group_name> to read instance-family in tenancy
Allow group <group_name> to read load-balancers in tenancy
Allow group <group_name> to manage cloudevents-rules in tenancy
Allow group <group_name> to manage ons-family in tenancy

Replace the placeholders as follows:

  • group_name: Multicloud Defense-controller-group.

  • compartment_name: [Compartment where Multicloud Defense will be deployed].

    Note

    When replacing <compartment_name> with the name of the compartment where the policy will apply, note that if the compartment is a sub-compartment, the name is written as a path of the form compartment:sub-compartment (e.g., Prod:App1).

    If <compartment_name> is the root compartment (e.g., multicloud (root)), OCI will not accept the policy and will return the error "Invalid parameter". The policy must be defined for a specific compartment, and that compartment cannot be the root compartment.

Step 7

Click Create.
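The following script is an added example and is not part of the Cisco documentation. It fills in the <group_name> and <compartment_name> placeholders from Steps 4 to 6, applies the compartment-path rules from the Note (a sub-compartment is written parent:child, and the root compartment is rejected before OCI has a chance to answer "Invalid parameter"), and returns the finished statements ready to paste into the manual editor. The root_name parameter and the compartment-name character set it checks are assumptions; "multicloud" and "Prod:App1" are sample values taken from the Note.

```python
"""Render the OCI IAM policy for the Multicloud Defense controller group.

Added example (not Cisco's code). Substitutes the placeholders in the
documented policy and enforces the compartment-path rules from the Note.
"""
import re

# Statements copied from the procedure above; <group_name> and
# <compartment_name> are the two placeholders the operator must replace.
POLICY_TEMPLATE = [
    "Allow group <group_name> to inspect instance-images in compartment <compartment_name>",
    "Allow group <group_name> to read app-catalog-listing in compartment <compartment_name>",
    "Allow group <group_name> to use volume-family in compartment <compartment_name>",
    "Allow group <group_name> to use virtual-network-family in compartment <compartment_name>",
    "Allow group <group_name> to manage volume-attachments in compartment <compartment_name>",
    "Allow group <group_name> to manage instances in compartment <compartment_name>",
    "Allow group <group_name> to {INSTANCE_IMAGE_READ} in compartment <compartment_name>",
    "Allow group <group_name> to manage load-balancers in compartment <compartment_name>",
    "Allow group <group_name> to read marketplace-listings in tenancy",
    "Allow group <group_name> to read marketplace-community-listings in tenancy",
    "Allow group <group_name> to inspect compartments in tenancy",
    "Allow group <group_name> to manage app-catalog-listing in compartment <compartment_name>",
    "Allow group <group_name> to read virtual-network-family in tenancy",
    "Allow group <group_name> to read instance-family in tenancy",
    "Allow group <group_name> to read load-balancers in tenancy",
    "Allow group <group_name> to manage cloudevents-rules in tenancy",
    "Allow group <group_name> to manage ons-family in tenancy",
]

# Assumption: each segment of a compartment path contains only letters, digits,
# '.', '-' and '_' (no spaces), so a "(root)" suffix or an empty segment fails.
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_compartment_path(path: str, root_name: str) -> str:
    """Return `path` unchanged if it names a usable non-root compartment.

    `root_name` is the tenancy's root compartment name (caller-supplied
    assumption). Raises ValueError for the root compartment, which OCI
    rejects with "Invalid parameter", and for malformed paths.
    """
    if not path:
        raise ValueError("compartment path is empty")
    lowered = path.strip().lower()
    # The console displays the root as "name (root)"; either spelling is the root.
    if lowered == root_name.lower() or lowered.endswith("(root)"):
        raise ValueError(
            "policy must target a specific compartment, not the root compartment"
        )
    for segment in path.split(":"):
        if not _SEGMENT.match(segment):
            raise ValueError(f"invalid compartment path segment: {segment!r}")
    return path


def is_valid_compartment_path(path: str, root_name: str) -> bool:
    """Boolean wrapper around validate_compartment_path() for callers and tests."""
    try:
        validate_compartment_path(path, root_name)
    except ValueError:
        return False
    return True


def render_policy(group_name: str, compartment_path: str, root_name: str) -> list[str]:
    """Return the policy statements with both placeholders filled in."""
    validate_compartment_path(compartment_path, root_name)
    return [
        line.replace("<group_name>", group_name).replace(
            "<compartment_name>", compartment_path
        )
        for line in POLICY_TEMPLATE
    ]


if __name__ == "__main__":
    # Sample values: the group name from Step 6 and the sub-compartment path
    # from the Note; "multicloud" is the example root name from the Note.
    for statement in render_policy(
        "Multicloud Defense-controller-group", "Prod:App1", "multicloud"
    ):
        print(statement)
```

Paste the printed statements into the manual editor in Step 6. Because the root check runs before substitution, a path such as "multicloud (root)" is caught locally instead of surfacing as an "Invalid parameter" error after Step 7.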