Friday, May 29, 2026

Send Email Alerts for OCI Security List Changes Using Events and Notifications

Security Lists are an important part of network security in Oracle Cloud Infrastructure. They control ingress and egress traffic at the subnet level. A small change in a Security List rule can allow new traffic, block an application, or open a port that was not expected. In real environments, it is not enough to review Security List changes manually after an issue occurs. For details on reviewing Security List changes manually, refer to “OCI Logging – Auditing VCN Security list changes”. Manual Audit Log review is useful during an investigation, but it is reactive. With OCI Events and Notifications, we can make the process proactive. This pattern gives us immediate visibility when network security rules are changed. It is especially useful for environments where Security List changes should be reviewed by cloud administrators, security teams, or network teams.

We need a proactive alert mechanism so that administrators are notified when a Security List is created, updated, or deleted.

Oracle Cloud Infrastructure provides an event-driven way to achieve this using OCI Events and OCI Notifications. In this article, we will create an email alert whenever a Security List change happens in OCI. We will use the following OCI services: Virtual Cloud Network, Security List, OCI Events, and OCI Notifications.

Prerequisites

We need the following resources to set up this alert mechanism.

OCI tenancy access
Required compartment
Existing VCN
Existing Security List
Permission to create Notification topic
Permission to create Events rule
Valid email address for receiving notification
Permission to modify Security List rules for testing

For this exercise we will use an existing Security List and add a temporary ingress rule to validate the alert.

Step 1: Create Notification Topic

First, we will create a Notification topic. This topic will be used by the Events rule to send the Security List change alert.

From the OCI Console, navigate to:

Developer Services → Application Integration → Notifications

Create a topic with a meaningful name.

Example topic name:

security-list-change-alert-topic

After the topic is created, it will be used as the target for the Events rule.

Step 2: Create Email Subscription

After creating the Notification topic, create an email subscription.

Use the following subscription protocol:

Email

Provide the email address that should receive the Security List change alerts.

Once the subscription is created, OCI sends a confirmation email to the recipient. The subscription remains in pending status until the recipient accepts the confirmation link.

The email subscription must be confirmed before alert emails can be received.

After confirmation, the subscription status changes to active.

Step 3: Create Events Rule

Next, we will create an Events rule to capture Security List changes.

From the OCI Console, navigate to:

Observability & Management → Events Service → Rules

Create a new rule.

Example rule name:

security-list-change-alert-rule

Add a short description.

Example:

Rule for alerting security list changes. Send email notification when Security List is created, updated, or deleted.

The rule should be created in the compartment where the Security List events need to be monitored.

Step 4: Configure Events Rule Condition

In the Events rule condition, select the Networking service and Security List event types.

The important Security List event types are:

Create Security List

Update Security List

Delete Security List

For most operational scenarios, Update Security List is the most important event, because adding, removing, or modifying an ingress or egress rule is recorded as an update to the Security List resource.

For this article, we will configure the rule to capture Security List create, update, and delete events. This makes the alert mechanism more complete.

Step 5: Configure Notification Action

After defining the rule condition, configure the action.

Use the following action type:

Notifications

Select the Notification topic created earlier.

Example topic:

security-list-change-alert-topic

After the rule is created, OCI Events will monitor Security List events and send matching events to the Notification topic.

Step 6: Modify Security List Rule for Testing

Now we will validate the setup by modifying a Security List.

Open the required VCN and select a Security List.

Add a temporary ingress rule.

Example test rule:

Source CIDR: 10.0.0.0/16

IP Protocol: TCP

Destination Port Range: 8080

Description: Temporary rule for security list alert validation

Save the Security List change.

This update should generate a Security List update event. The Events rule should match the event and send a message to the Notification topic.

Step 7: Validate Email Alert

After saving the Security List change, check the subscribed email inbox.

The alert email should include event details in JSON format. The message usually contains useful information such as:

eventType

eventTime

compartmentId

resourceName

resourceId

These fields help identify what changed, when it changed, and who performed the activity. A small delay in email delivery is normal.
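As an added illustration that is not part of the original article, the Python below expresses the Step 4 and Step 5 rule condition as the JSON an Events rule carries, applies the same match to a constructed notification message, and extracts the Step 7 fields from it. The event type names and the payload shape (resource fields under `data`) are assumptions based on OCI's Networking event types, and the OCIDs are placeholders.

```python
import json

# Event types selected by the rule condition in Steps 4 and 5. These are the
# OCI Networking event type names for Security Lists (assumed here, not taken
# from the article).
SECURITY_LIST_EVENT_TYPES = {
    "com.oraclecloud.virtualnetwork.createsecuritylist": "created",
    "com.oraclecloud.virtualnetwork.updatesecuritylist": "updated",
    "com.oraclecloud.virtualnetwork.deletesecuritylist": "deleted",
}

# The same selection expressed as the JSON condition an Events rule carries.
RULE_CONDITION = {"eventType": sorted(SECURITY_LIST_EVENT_TYPES)}


def matches_rule(event: dict) -> bool:
    """Emulate the Events rule: match when eventType is one of the listed types."""
    return event.get("eventType") in RULE_CONDITION["eventType"]


def summarize(event: dict) -> dict:
    """Pull the Step 7 fields out of an event; resource details live under 'data'."""
    data = event.get("data", {})
    return {
        "action": SECURITY_LIST_EVENT_TYPES[event["eventType"]],
        "eventTime": event.get("eventTime"),
        "compartmentId": data.get("compartmentId"),
        "resourceName": data.get("resourceName"),
        "resourceId": data.get("resourceId"),
    }


def process_message(body: str):
    """Parse one notification message body; return a summary or None if unmatched."""
    event = json.loads(body)
    if not matches_rule(event):
        return None
    return summarize(event)


# Constructed sample message with placeholder OCIDs, shaped like the payload
# that reaches the email subscription after the Step 6 test rule is saved.
SAMPLE_MESSAGE = json.dumps({
    "eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist",
    "eventTime": "2026-05-29T10:15:00Z",
    "data": {
        "compartmentId": "ocid1.compartment.oc1..PLACEHOLDER",
        "resourceName": "Default Security List for vcn-demo",
        "resourceId": "ocid1.securitylist.oc1.phx.PLACEHOLDER",
    },
})
```

Printing `json.dumps(RULE_CONDITION)` gives the condition text to paste into the rule; `process_message(SAMPLE_MESSAGE)` shows the fields the alert email carries for the test update.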

Step 8: Remove the Temporary Test Rule

After validating the alert, remove the temporary test rule from the Security List.

Example rule to remove:

Source CIDR: 10.0.0.0/16

Protocol: TCP

Destination Port: 8080

After removing the rule, another Security List update event should be generated. This means another email alert may be received.

This confirms that both rule addition and rule removal are captured by the event-driven alert mechanism. For example, if an application suddenly becomes reachable on a new port or stops responding after a network rule change, the alert email can help identify that a Security List was recently modified.

This is a simple and effective governance pattern for OCI networking. It helps us move from manual Audit Log review to proactive notification whenever Security List changes happen. This approach improves visibility into network security changes without requiring Cloud Guard, Security Zones, custom scripts, or additional monitoring tools.
