Why Should You Care About Securing Your IT Systems?
In today's world, businesses store everything in the cloud: customer data, financial records, internal communications, and more. One misconfigured setting or weak password can open the door to attackers, leading to data breaches, regulatory fines, and loss of customer trust.
Most cloud security breaches are not caused by sophisticated hackers; they happen because of simple misconfigurations that could easily have been avoided. This is exactly where a framework like the CIS Benchmark comes in.
What Exactly Is a CIS Benchmark?
CIS stands for the Center for Internet Security, a nonprofit organization made up of cybersecurity experts from around the globe. They've spent years studying real-world threats and collecting that knowledge into a set of best practices called CIS Benchmarks.
A CIS Benchmark is a checklist of security configurations for a specific technology, whether that's Windows, Linux, AWS, or OCI.
Each item in a compliance report commonly tells you:
• What to check (e.g., "Is multifactor authentication enabled for all users?")
• Why it matters (the security risk if you skip it)
• How to fix it (step-by-step remediation guidance)
How Does the CIS Benchmark Help in Oracle Cloud?
In any cloud, security is a shared responsibility between the provider and its users. The OCI CIS Benchmark targets the most common security gaps in Oracle Cloud, such as:
Identity & Access Management (IAM)
Are the right people accessing the right things? The benchmark checks whether admin privileges are locked down, whether service accounts follow least-privilege principles, and whether MFA is enforced for all users.
Networking
CIS checks that your VCNs and security groups don't have unnecessary exposure to the public internet, and that no open ports allow unintended communication from outside or inside.
Logging & Monitoring
CIS ensures audit logging is turned on and that you're alerted when something suspicious happens, like someone trying to log in from an unusual location.
Storage & Data Protection
Are your buckets and databases publicly accessible? Are they encrypted? The CIS Benchmark flags storage misconfigurations that could expose sensitive data without you even knowing it.
Run the CIS report in OCI (Cloud Shell)
Step 1: OCI Policy
Ensure the user has permission to run the CIS report script. If the script is being run by a non-admin user, add the following policies:
· Allow group Auditor-Group to inspect all-resources in tenancy
· Allow group Auditor-Group to read buckets in tenancy
· Allow group Auditor-Group to read file-family in tenancy
· Allow group Auditor-Group to read network-security-groups in tenancy
· Allow group Auditor-Group to read users in tenancy
· Allow group Auditor-Group to use cloud-shell in tenancy
· Allow group Auditor-Group to read dynamic-groups in tenancy
· Allow group Auditor-Group to read tag-defaults in tenancy
Step 2: Create a separate directory in Cloud Shell
Log in to your Cloud Shell and create a directory:
Step 3: Download the CIS report script from the GitHub repository
Link (download with wget): https://raw.githubusercontent.com/oracle-quickstart/oci-cis-landingzone-quickstart/main/scripts/cis_reports.py
beingpiyush@codeeditor:~ (us-ashburn-1)$ wget https://raw.githubusercontent.com/oracle-quickstart/oci-cis-landingzone-quickstart/main/scripts/cis_reports.py
--2026-03-22 09:19:26--  https://raw.githubusercontent.com/oracle-quickstart/oci-cis-landingzone-quickstart/main/scripts/cis_reports.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 481532 (470K) [text/plain]
Saving to: ‘cis_reports.py.1’
cis_reports.py.1    100%[==================================================================================================>] 470.25K  1.13MB/s    in 0.4s
2026-03-22 09:19:27 (1.13 MB/s) - ‘cis_reports.py.1’ saved [481532/481532]
Step 4: Run the CIS report from Oracle Cloud Shell
beingpiyush@codeeditor:~ (us-ashburn-1)$ python3 cis_reports.py --obp --raw -dt
##########################################################################################
#                       Running CIS Reports - Release 3.2.0                              #
##########################################################################################
Version 3.2.0 Updated on March 19, 2026
Please use --help for more info
Tested up to oci-python-sdk version: 2.165.x
Installed oci-python-sdk version: 2.167.0
The command line arguments are: ['cis_reports.py', '--obp', '--raw', '-dt']
Starts at 2026-03-22T09:19:54
Regions to run in: all regions
Once the script completes successfully, it will scan and report the following:
a. Identity Domains Enabled in Tenancy
b. CIS Foundations Benchmark 3.0.0 Summary Report
c. Writing CIS reports to CSV
d. OCI Best Practices Findings
e. Writing Oracle Best Practices reports to CSV
Getting a Compliance Report: Now What?
Once you run a CIS compliance scan on OCI, you'll get a report with a list of passed and failed checks. Don't be overwhelmed; here's how to tackle it:
Step 1: Prioritize by Severity
Start with Critical and High severity issues first. Examples include root account usage without MFA, or storage buckets that are publicly readable.
Step 2: Re-Scan and Track Progress
After remediation, run the scan again to verify that the previously non-compliant items now pass.
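The two steps above (triage by severity, then re-scan and compare) can be automated over the CSV files the script writes. The following is an added example, not code from the oci-cis-landingzone-quickstart project: the CSV column names (Id, Section, Severity, Compliant, Title) and the sample rows are constructed assumptions for illustration, so map the real headers of your cis_reports.py output onto them before reusing it.

```python
import csv
import io

# Triage order: tackle Critical and High first (Step 1).
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample scans. The column layout is an assumption for this
# example, not the real schema written by cis_reports.py.
BEFORE_CSV = """Id,Section,Severity,Compliant,Title
IAM-1,Identity & Access Management,Critical,No,MFA enforced for all users
IAM-2,Identity & Access Management,High,Yes,Admin privileges locked down
NET-1,Networking,High,No,No open ports reachable from the public internet
LOG-1,Logging & Monitoring,Medium,No,Audit logging enabled in all regions
STO-1,Storage & Data Protection,High,No,No publicly readable buckets
"""
AFTER_CSV = """Id,Section,Severity,Compliant,Title
IAM-1,Identity & Access Management,Critical,Yes,MFA enforced for all users
IAM-2,Identity & Access Management,High,No,Admin privileges locked down
NET-1,Networking,High,No,No open ports reachable from the public internet
LOG-1,Logging & Monitoring,Medium,No,Audit logging enabled in all regions
STO-1,Storage & Data Protection,High,Yes,No publicly readable buckets
"""


def load_findings(csv_text):
    """Parse one scan run (CSV text) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def failed_by_severity(findings):
    """Return only non-compliant checks, most severe first, then by Id."""
    failed = [f for f in findings if f["Compliant"].strip().lower() == "no"]
    return sorted(failed, key=lambda f: (SEVERITY_RANK.get(f["Severity"], 99), f["Id"]))


def compare_runs(before, after):
    """Step 2: what was fixed, what still fails, and what regressed between runs."""
    before_failed = {f["Id"] for f in failed_by_severity(before)}
    after_failed = {f["Id"] for f in failed_by_severity(after)}
    return {
        "fixed": sorted(before_failed - after_failed),
        "still_failing": sorted(after_failed & before_failed),
        "regressed": sorted(after_failed - before_failed),
    }


if __name__ == "__main__":
    for f in failed_by_severity(load_findings(BEFORE_CSV)):
        print(f"{f['Severity']:<8} {f['Id']:<6} {f['Title']}")
    print(compare_runs(load_findings(BEFORE_CSV), load_findings(AFTER_CSV)))
```

Regressions (checks that passed last time and fail now) are worth watching as closely as the fixed list, since they usually mean a change made after the first scan reopened a gap.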