December 18, 2024

Connecting Wiz to your OCI Cloud Tenancy

We love OCI here at Cordant. Sure, it doesn't do everything - but what it does do, it does very well. And predictably. One of its weak spots, however, is visibility. And no, we don't mean the fact that very few people are aware it exists at all (that's a crying shame more than an issue), but rather that the built-in visualisation and resource discovery tools - Tenancy Explorer and Network Visualiser - are barely MVP when it comes to mapping out the landscape of your OCI tenancy. And knowing what's there is key to knowing what you need to secure!

We also love Wiz. Wiz's ability to provide agentless, consumable visibility of resources both within and between clouds makes our lives as cloud, network and security architects and engineers far simpler. And guess what - it actually works with OCI!! The onboarding process literally takes minutes - so we're going to run you through that process right now:

Step 1) Log in to your Wiz tenancy as an Administrator and navigate to Settings > Deployments

Step 2) Select "Add a Deployment > Cloud"

Step 3) Select "Oracle Cloud Infrastructure (OCI)" from the list of providers:

Step 4) Note down the Wiz Tenancy OCID and Tenant Group OCID - you'll need these shortly:

Step 5) Download the Wiz OCI Terraform stack from https://downloads.wiz.io/customer-files/oci/wiz-oci-connector-standard-terraform-module.zip

Step 6) Log in to your OCI tenancy and click on Hamburger Menu > Developer Services > Stacks

Step 7) Ensure you are in the root compartment and click on "Create Stack"

Step 8) On the "Stack Information" page, accept the default settings aside from:

Stack Configuration: Select ".Zip file" and browse to the file you downloaded in Step 5

Name and Description: You may want to provide a name and description in line with your cloud/corporate naming standards; otherwise accept the defaults

Click Next

Step 9) On the "Configure Variables" page, configure the following settings:

dspm_enabled: Select this if you want to add permissions for Wiz to perform data discovery on Object Storage buckets (recommended)

user_name: You may want to provide a user name in line with your cloud/corporate naming standards (this will be the name of the user created to read the various resources in your OCI tenancy)

wiz_tenancy_ocid: Paste the "Wiz's Tenancy OCID" entry you recorded in Step 4 earlier

wiz_tenant_group_ocid: Paste the "Tenant Group OCID" entry recorded in Step 4 earlier

Click Next

Step 10) On the "Create Stack" page, ensure "Run apply" is selected and click "Create"

The stack will now configure your OCI tenancy accordingly. Within a minute or so, you'll have a set of outputs at the bottom of the log output.

Step 11) Copy and paste the relevant outputs from your Terraform stack to the Wiz Deployment configuration page:

home_region > Home Region

tenancy_ocid > Tenancy OCID

user_ocid > User OCID (note: a trailing space may get copied across on this field - be sure to delete this if so)

Step 12) Home stretch now! We just need to create a public/private key pair for the Wiz user for OCI API access. Navigate to Hamburger Menu > Identity & Security > Domains and click on the "Default" domain:

Step 13) Click on "Users" on the left-hand side and then click on the user you created as part of your deployment stack (e.g. wiz-security)

Step 14) In the User screen, click on "API keys" in the left-hand menu and then click on the "Add API key" button on the right:

Step 15) You may wish to supply your own private key, but we'll have OCI generate one for us in this case. Ensure "Generate API key pair" is selected and click "Download private key".

Important: Once the key is saved, click "Add" at the bottom of the screen.

Step 16) On the next screen, you'll see the fingerprint of your key - copy and paste this over into your Wiz deployment configuration page:

Also point the "Private Key" field to the private key file you downloaded or supplied in Step 15.

Click "Continue".

Step 17) Finally, give your OCI Connector an appropriate name (if you have, or plan to have multiple OCI tenancies, you'll want a way to differentiate the connectors):

Click "Finish"!
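Before pasting the values from Steps 11 and 16 into the Wiz connector form, it is worth sanity-checking them locally. The script below is an added example written for this post; it is not Cordant's, Wiz's or Oracle's code. It derives the OCI API key fingerprint from a private key PEM the same way the OCI console does (an MD5 over the DER-encoded public key, colon separated), so you can confirm the key file you hand to Wiz really is the one whose fingerprint OCI displayed; it checks the key file is not world-readable; and it trims and type-checks OCIDs, catching the trailing space the post warns about on user_ocid. The function names, the throwaway key and the example OCID values are all constructed for the demo; only openssl is required.

```shell
#!/bin/sh
# Added example (not from the Cordant post, Wiz or Oracle): local checks on the
# values about to be pasted into the Wiz OCI connector form.
set -eu

# Print the OCI-style API key fingerprint for the RSA private key at $1.
# This mirrors the documented openssl one-liner: public key as DER, MD5, colon separated.
oci_api_key_fingerprint() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl md5 -c | awk '{print $NF}'
}

# Return 0 if $1 has the OCI fingerprint shape: 16 colon-separated hex byte pairs.
check_fingerprint_format() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'
}

# Return 0 if the private key file $1 is readable by its owner only (mode 600 or 400).
check_key_perms() {
    # stat -c is GNU coreutils; stat -f is the BSD/macOS spelling.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "warning: $1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Normalise and validate an OCID. Usage: check_ocid <type> <value>
# Prints the whitespace-trimmed OCID on success; returns 1 if it does not look like
# ocid1.<type>.<realm>.[region].<unique id>.
check_ocid() {
    type=$1
    # Trim leading/trailing whitespace: a trailing space is the usual copy/paste bug.
    value=$(printf '%s' "$2" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$value" in
        ocid1."$type".oc[0-9]*.*.*) printf '%s\n' "$value"; return 0 ;;
        *) echo "error: '$value' does not look like a $type OCID" >&2; return 1 ;;
    esac
}

# Demo run with a throwaway key and a constructed OCID (never a real Wiz key).
if [ "${1:-}" = "demo" ]; then
    tmpkey=$(mktemp)
    openssl genrsa -out "$tmpkey" 2048 2>/dev/null
    chmod 600 "$tmpkey"
    echo "fingerprint: $(oci_api_key_fingerprint "$tmpkey")"
    check_key_perms "$tmpkey" && echo "key file permissions ok"
    echo "user_ocid:   $(check_ocid user 'ocid1.user.oc1..aaaaaaaaexample ')"
    rm -f "$tmpkey"
fi
```

Run it as `sh check-wiz-inputs.sh demo` to see the flow end to end, or source it and call `oci_api_key_fingerprint ~/Downloads/<your-downloaded-key>.pem` against the real key from Step 15; the output should match the fingerprint OCI showed in Step 16 character for character.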


Now that OCI has been onboarded to Wiz, discovery activities that took hours and/or required custom coding become a simple case of plain English queries - for example, if I want to see which security lists have port 3389 open to any source, I just ask the Security Graph to show me "security lists with port 3389 open to any":

But what if I want to know the VMs associated with these security lists? A painful enumeration of Subnets, VNICs and VMs in each and every region? Nope. Simply add " and the virtual machines they are associated with" to the query!

This is why we love this tool... and that's not even scratching the surface of its capabilities. Watch this space!

© 2024 Cordant. All rights reserved