Announcement

Runtime prevention for Oracle Cloud Infrastructure

Guardrails now provides runtime prevention for OCI. Enforce public access policies, bucket versioning with dynamic exceptions, and consistent tagging across your Oracle Cloud environment.

Turbot Team
6 min. read - Mar 24, 2026

Turbot Guardrails now provides runtime prevention for Oracle Cloud Infrastructure. If your organization runs workloads on OCI, your tenancies and compartments now get the same continuous monitoring and automated remediation available for AWS, Azure, GCP, and GitHub.

Why Runtime Prevention for OCI

Access-layer controls and manual reviews only go so far. Buckets get created with public access enabled. Versioning gets skipped. Tags are missing or misspelled. These aren't critical security failures that need to be blocked at the API layer. They're misconfigurations that can be corrected after creation, automatically, within seconds.

Runtime prevention handles this. A resource gets created in OCI. Guardrails detects it, evaluates it against your policies, and auto-remediates anything out of compliance. No tickets. No waiting for the next audit cycle. The fix happens before anyone notices the problem.

Enforce Private Access on Object Storage

Public buckets are a common source of data exposure. Set the public access policy to Enforce: Private and Guardrails ensures every Object Storage bucket across your tenancies is private. Not just new buckets going forward. Existing buckets that are currently non-compliant get corrected immediately.

Set public access to Enforce: Private with a single click

Apply it at the organization or tenancy level and all compartments inherit the protection automatically. Or target specific compartments for scoped enforcement. Inheritance flows down the hierarchy, so setting it once protects everything below.

All buckets corrected to private access across the tenancy

Versioning with Dynamic Exceptions

Not every bucket needs versioning. Temporary scratch buckets used for data processing shouldn't be versioned the same way production buckets are. Guardrails handles this with calculated policies that apply conditional logic based on your resource context.

Set a calculated policy that checks for a freeform tag: if temp is set to true, skip versioning enforcement. Otherwise, enforce versioning enabled. The policy adapts to each bucket's purpose automatically.

Calculated policy: enforce versioning unless the bucket is tagged as temporary

Need to temporarily suspend versioning enforcement for a migration or bulk operation? Grant a time-based exception. Enforcement resumes automatically when it expires. No manual follow-up required.

Consistent Tagging with Freeform Tags

OCI has two tagging systems. Defined tags are structured and namespace-controlled. OCI automates them at resource creation, and Guardrails keeps them from drifting after the fact.

Freeform tags are the harder problem. Anyone can add any key with any value. Misspellings accumulate. Tags go missing during deployment. Without automation, cloud teams are left chasing application teams to fix their tags.

Guardrails enforces freeform tags the same way it enforces any other configuration. Set the required keys and values. Guardrails evaluates each resource as it's created or modified, applies missing tags, and corrects tags that have drifted. Values can be static or derived dynamically through calculated policies.

For example, enforce a cost-center tag on all resources but derive the value from the parent compartment's configuration. Or require an owner tag and populate it from the resource creator's identity. Calculated policies make tagging consistent without making it rigid.

See It Enforce

With public access, versioning, and tagging policies active, here's what happens when someone creates a new Object Storage bucket in OCI. Within seconds, Guardrails detects the bucket, evaluates it against all applicable policies, and auto-remediates. Versioning gets enabled. Required freeform tags get applied. Public access is enforced to private.

Freeform tags applied automatically: cost-center, department, environment, and owner

The developer wasn't blocked. The bucket was created and ready to use. Security requirements were enforced automatically, within seconds of creation.
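The decision logic described in the sections above, modeled as an added example (this is not Guardrails policy code or a Turbot API): it evaluates bucket records against the private-access, versioning-with-exceptions, and derived-tag rules and lists the corrections each bucket needs. Field names follow the OCI Bucket model; the bucket records, compartment configuration, exception table, and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data. Field names follow the OCI Bucket model
# (public_access_type, versioning, freeform_tags, compartment_id, created_by).
COMPARTMENTS = {"comp-a": {"cost-center": "cc-1001"}}  # hypothetical parent config
EXCEPTIONS = {"migrating": datetime(2026, 4, 1, tzinfo=timezone.utc)}  # bucket -> expiry
BUCKETS = [
    {"name": "prod-data", "compartment_id": "comp-a", "created_by": "alice",
     "public_access_type": "ObjectRead", "versioning": "Disabled", "freeform_tags": {}},
    {"name": "scratch", "compartment_id": "comp-a", "created_by": "bob",
     "public_access_type": "NoPublicAccess", "versioning": "Disabled",
     "freeform_tags": {"temp": "true", "cost-center": "cc-1001", "owner": "bob"}},
    {"name": "migrating", "compartment_id": "comp-a", "created_by": "carol",
     "public_access_type": "NoPublicAccess", "versioning": "Suspended",
     "freeform_tags": {"cost-center": "cc-9999", "owner": "carol"}},
]

def versioning_enforced(bucket, now):
    """Calculated policy: skip when temp=true or a time-based exception is active."""
    if bucket["freeform_tags"].get("temp", "").strip().lower() == "true":
        return False
    expiry = EXCEPTIONS.get(bucket["name"])
    return not (expiry and now < expiry)  # enforcement resumes once the exception expires

def required_tags(bucket):
    """Derive tag values from context: parent compartment and resource creator."""
    return {"cost-center": COMPARTMENTS[bucket["compartment_id"]]["cost-center"],
            "owner": bucket["created_by"]}

def remediation_plan(bucket, now):
    """List the corrections needed to bring one bucket into compliance."""
    actions = []
    if bucket["public_access_type"] != "NoPublicAccess":
        actions.append("public_access_type=NoPublicAccess")
    if versioning_enforced(bucket, now) and bucket["versioning"] != "Enabled":
        actions.append("versioning=Enabled")
    for key, want in required_tags(bucket).items():
        if bucket["freeform_tags"].get(key) != want:  # missing or drifted
            actions.append(f"freeform_tags[{key}]={want}")
    return actions

if __name__ == "__main__":
    now = datetime(2026, 3, 24, tzinfo=timezone.utc)
    for b in BUCKETS:
        print(b["name"], remediation_plan(b, now))
```

An empty plan means the bucket is already compliant; re-running the evaluation after an exception's expiry shows the versioning correction reappear for that bucket.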

Multi-Cloud, Same Approach

The same policy model, the same inheritance hierarchy, the same auto-remediation engine. If you're already running Guardrails for AWS, Azure, or GCP, adding OCI works the same way. Set policies at the organizational level and they apply across clouds. A tagging standard that works for your AWS accounts works for your OCI tenancies. Runtime enforcement that corrects S3 bucket configurations does the same for OCI Object Storage.

Get Started

OCI runtime prevention brings the same continuous monitoring and automated remediation to Oracle Cloud that Guardrails provides for AWS, Azure, GCP, and GitHub. Set your policies once and Guardrails enforces them across every tenancy and compartment.

Interested in running runtime prevention for OCI? Connect with us to see Guardrails in action. Already a Guardrails customer? OCI is available now. Connect your OCI organization or tenancy and start enforcing policies in minutes.