Orca Security Hardening Guide
Cloud security platform hardening for Orca Security including SAML SSO, role-based access, and cloud account integration
Overview
Orca Security is an agentless cloud security platform that provides workload protection and cloud security posture management. Because the platform holds broad read visibility into cloud infrastructure, the security of its own configuration directly affects cloud security operations.
Intended Audience
- Security engineers managing cloud security
- IT administrators configuring Orca
- Cloud security architects
- GRC professionals assessing cloud security
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Orca platform security including SSO, RBAC, cloud account integration, and audit logging.
Table of Contents
1. Authentication & SSO
2. Access Controls
3. Cloud Integration Security
4. Compliance Quick Reference
Appendix B: References
1. Authentication & SSO
1.1 Configure SAML Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML SSO for Orca platform access.
Prerequisites
- Orca admin access
- SAML 2.0 compatible IdP
ClickOps Implementation
Step 1: Access SSO Settings
- Navigate to: Settings → Authentication → SSO
- Enable SAML authentication
Step 2: Configure SAML
- Configure IdP settings in Orca:
  - Entity ID
  - SSO URL
  - Certificate
- Configure Orca as a service provider in the IdP
Step 3: Test and Enforce
- Test SSO authentication
- Enable SSO enforcement
- Configure fallback access
Time to Complete: ~1-2 hours
Code Implementation
Code Pack: Terraform
```hcl
# SSO user group -- assign SSO-authenticated users here for group-based policies
resource "orcasecurity_group" "sso_users" {
  name        = var.sso_group_name
  description = "Group for SSO-authenticated users. Assign this group in SAML IdP attribute mappings to enforce group-based access control."
  sso_group   = true
  users       = var.sso_user_ids
}
```
1.2 Enforce Multi-Factor Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |
Description
Require MFA for all Orca users.
ClickOps Implementation
Step 1: Configure via IdP
- Enable MFA in the identity provider
- All SSO users are then subject to the IdP's MFA policy
- Use phishing-resistant methods for admins
Code Implementation
Code Pack: Terraform
```hcl
# Alert for IAM misconfigurations related to authentication weaknesses
resource "orcasecurity_custom_sonar_alert" "mfa_not_enforced" {
  name          = "Orca Users Without SSO/MFA Coverage"
  description   = "Detects scenarios where cloud identities connected to Orca may not have MFA enforced, indicating a gap in authentication hardening."
  rule          = "User with MFAEnabled = false"
  orca_score    = 8.0
  category      = "Authentication"
  context_score = true
  remediation_text = {
    enable = true
    text   = "Ensure all users authenticate through the configured SAML SSO provider with MFA enforced. Remove local accounts that bypass SSO. See HTH Orca Guide section 1.2."
  }
  compliance_frameworks = [
    { name = "HTH Orca Hardening", section = "1.2 Enforce MFA", priority = "high" }
  ]
}
```
2. Access Controls
2.1 Configure Role-Based Access Control
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Implement least privilege using Orca roles.
ClickOps Implementation
Step 1: Review Roles
- Navigate to: Settings → Users & Roles
- Review available roles:
  - Admin
  - Security Analyst
  - Viewer
- Assign the minimum necessary role
Step 2: Configure Custom Roles
- Create roles for specific needs
- Limit scope to required accounts
- Apply asset-level permissions
Step 3: Regular Reviews
- Quarterly access reviews
- Remove inactive users
- Update role assignments
Code Implementation
Code Pack: Terraform
```hcl
# Read-only Security Analyst role -- least privilege for daily operations
resource "orcasecurity_custom_role" "security_analyst" {
  name              = var.readonly_role_name
  description       = "Read-only role for security analysts. Permits viewing assets, alerts, dashboards, and compliance reports without modification rights. Per HTH Orca Guide 2.1."
  permission_groups = var.readonly_permissions
}

# Minimal Viewer role -- dashboard and asset visibility only
resource "orcasecurity_custom_role" "viewer" {
  name              = var.viewer_role_name
  description       = "Minimal viewer role for stakeholders who need visibility into cloud security posture without operational access. Per HTH Orca Guide 2.1."
  permission_groups = var.viewer_permissions
}

# Alert when users have overly broad permissions
resource "orcasecurity_custom_sonar_alert" "excessive_permissions" {
  name          = "Cloud Identity with Excessive Permissions"
  description   = "Detects cloud identities with overly broad permissions that violate least privilege principles."
  rule          = "User with Permission = '*' or Permission = 'Admin'"
  orca_score    = 7.5
  category      = "IAM misconfigurations"
  context_score = true
  remediation_text = {
    enable = true
    text   = "Review and reduce permissions to the minimum required for the user's role. Use the Security Analyst or Viewer custom roles instead of Admin. See HTH Orca Guide section 2.1."
  }
  compliance_frameworks = [
    { name = "HTH Orca Hardening", section = "2.1 Configure RBAC", priority = "high" }
  ]
}
```
2.2 Configure Account Scope
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Limit user access to specific cloud accounts.
ClickOps Implementation
Step 1: Configure Scoped Access
- Limit users to required accounts
- Separate production visibility
- Apply business unit boundaries
Code Implementation
Code Pack: Terraform
```hcl
# Business unit for scoped access -- limits visibility to specific cloud accounts
resource "orcasecurity_business_unit" "scoped_environment" {
  count         = var.profile_level >= 2 ? 1 : 0
  name          = var.business_unit_name
  global_filter = false
  filter_data = {
    cloud_providers = var.business_unit_cloud_providers
    cloud_tags      = length(var.business_unit_cloud_tags) > 0 ? var.business_unit_cloud_tags : null
  }
}

# Restricted production business unit (L3) -- strictest scoping for regulated environments
resource "orcasecurity_business_unit" "restricted_production" {
  count         = var.profile_level >= 3 ? 1 : 0
  name          = var.restricted_business_unit_name
  global_filter = false
  filter_data = {
    cloud_tags = var.restricted_cloud_tags
  }
}
```
2.3 Limit Admin Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Minimize and protect admin accounts.
ClickOps Implementation
Step 1: Inventory Admins
- Review admin accounts
- Document admin access
Step 2: Apply Restrictions
- Limit admins to 2-3 users
- Require MFA
- Monitor admin activity
Code Implementation
Code Pack: Terraform
```hcl
# Dedicated admin group -- limit membership to 2-3 trusted users
resource "orcasecurity_group" "platform_admins" {
  name        = var.admin_group_name
  description = "Restricted admin group. Membership should be limited to 2-3 users maximum. All members require MFA via SSO. Per HTH Orca Guide 2.3."
  sso_group   = true
  users       = var.admin_user_ids
}

# Alert when admin count exceeds recommended limit
resource "orcasecurity_custom_sonar_alert" "excessive_admins" {
  name          = "Excessive Admin Accounts Detected"
  description   = "Monitors for an excessive number of admin-level accounts in the Orca platform, which increases attack surface."
  rule          = "User with Role = 'Admin'"
  orca_score    = 7.0
  category      = "Access control"
  context_score = false
  remediation_text = {
    enable = true
    text   = "Reduce admin accounts to 2-3 users maximum. Assign the Security Analyst or Viewer custom role to users who do not require admin privileges. See HTH Orca Guide section 2.3."
  }
  compliance_frameworks = [
    { name = "HTH Orca Hardening", section = "2.3 Limit Admin Access", priority = "high" }
  ]
}
```
3. Cloud Integration Security
3.1 Configure Cloud Account Security
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Secure cloud account integrations.
ClickOps Implementation
Step 1: Review Integrations
- Navigate to: Settings → Cloud Accounts
- Review connected accounts
- Verify permissions
Step 2: Apply Least Privilege
- Use read-only roles where possible
- Follow Orca’s recommended IAM policies
- Review cloud permissions regularly
Code Implementation
Code Pack: Terraform
```hcl
# Register trusted cloud accounts used by Orca integrations
resource "orcasecurity_trusted_cloud_account" "trusted" {
  for_each          = { for idx, acct in var.trusted_cloud_accounts : acct.cloud_provider_id => acct }
  account_name      = each.value.account_name
  description       = each.value.description
  cloud_provider    = each.value.cloud_provider
  cloud_provider_id = each.value.cloud_provider_id
}

# Alert for cloud accounts with overly permissive IAM roles
resource "orcasecurity_custom_sonar_alert" "overprivileged_integration" {
  name          = "Cloud Integration with Excessive Permissions"
  description   = "Detects cloud accounts connected to Orca with permissions exceeding read-only access, violating least privilege for security tooling."
  rule          = "CloudAccount with PermissionLevel != 'ReadOnly'"
  orca_score    = 8.0
  category      = "IAM misconfigurations"
  context_score = true
  remediation_text = {
    enable = true
    text   = "Review cloud account IAM roles and reduce to read-only where possible. Follow Orca's recommended IAM policies for each cloud provider. See HTH Orca Guide section 3.1."
  }
  compliance_frameworks = [
    { name = "HTH Orca Hardening", section = "3.1 Cloud Account Security", priority = "high" }
  ]
}

# Discovery view to inventory all connected cloud accounts
resource "orcasecurity_discovery_view" "cloud_accounts_inventory" {
  name               = "HTH - Connected Cloud Accounts Inventory"
  organization_level = true
  view_type          = "discovery"
  extra_params       = {}
  filter_data = {
    query = jsonencode({
      "models" : ["CloudAccount"],
      "type" : "object_set"
    })
  }
}
```
3.2 Configure API Security
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Secure Orca API access.
ClickOps Implementation
Step 1: Review API Keys
- Navigate to: Settings → API Keys
- Review all API keys
- Document key purposes
Step 2: Secure Keys
- Store keys securely
- Rotate regularly
- Monitor usage
Code Implementation
Code Pack: Terraform
```hcl
# Custom alert to detect stale or unused API keys in connected cloud accounts
resource "orcasecurity_custom_sonar_alert" "stale_api_keys" {
  count         = var.profile_level >= 2 ? 1 : 0
  name          = var.api_alert_name
  description   = "Detects API keys that have not been rotated or used recently, indicating stale credentials that should be revoked."
  rule          = "AccessKey with LastUsedDate before_days 90"
  orca_score    = var.api_alert_score
  category      = "IAM misconfigurations"
  context_score = true
  remediation_text = {
    enable = true
    text   = "Rotate or revoke API keys that have not been used in 90+ days. Store active keys in a secrets manager. Document the purpose of each key. See HTH Orca Guide section 3.2."
  }
  compliance_frameworks = [
    { name = "HTH Orca Hardening", section = "3.2 API Security", priority = "medium" }
  ]
}

# Automation to email security team when stale API keys are found (L2+)
resource "orcasecurity_automation" "api_key_alert" {
  count       = var.profile_level >= 2 && var.enable_api_automation && length(var.api_alert_emails) > 0 ? 1 : 0
  name        = "HTH - API Key Security Notifications"
  description = "Sends email notifications when stale or unused API keys are detected. Per HTH Orca Guide section 3.2."
  enabled     = true
  query = {
    filter = [
      { field = "state.status", includes = ["open"] },
      { field = "state.risk_level", includes = ["high", "critical"] },
      { field = "category", includes = ["IAM misconfigurations"] }
    ]
  }
  email_template = {
    email        = var.api_alert_emails
    multi_alerts = true
  }
}

# Discovery view for API key inventory (L3) -- strict tracking of all API credentials
resource "orcasecurity_discovery_view" "api_key_inventory" {
  count              = var.profile_level >= 3 ? 1 : 0
  name               = "HTH - API Key Inventory (All Cloud Accounts)"
  organization_level = true
  view_type          = "discovery"
  extra_params       = {}
  filter_data = {
    query = jsonencode({
      "models" : ["AccessKey"],
      "type" : "object_set"
    })
  }
}
```
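The code packs in sections 2.2, 2.3 and 3.2 reference input variables they never declare. The variables.tf below is an added example, not part of the guide's code packs or the Orca provider: it declares those inputs and turns two of the guide's own controls into plan-time checks, restricting profile_level to 1-3 and capping the section 2.3 admin group at three members. Variable names match the resources above; the defaults are assumptions.

```hcl
# variables.tf -- added example (not from the guide or the Orca provider): declares
# inputs the code packs reference and turns two guide controls into plan-time checks.
variable "profile_level" {
  description = "Hardening profile: 1 = L1 Baseline, 2 = L2 Hardened, 3 = L3 Maximum Security"
  type        = number
  default     = 1 # assumption: start at baseline
  validation {
    condition     = contains([1, 2, 3], var.profile_level)
    error_message = "profile_level must be 1 (L1), 2 (L2) or 3 (L3)."
  }
}

variable "admin_group_name" {
  description = "Name of the restricted admin group (section 2.3)"
  type        = string
  default     = "hth-platform-admins" # assumption
}

variable "admin_user_ids" {
  description = "Orca user IDs placed in the admin group; section 2.3 caps this at 2-3 users"
  type        = list(string)
  # Plan fails if more than three admins are declared, before any resource is touched
  validation {
    condition     = length(var.admin_user_ids) >= 1 && length(var.admin_user_ids) <= 3
    error_message = "admin_user_ids must list between 1 and 3 users (HTH Orca Guide 2.3)."
  }
  # Duplicate IDs would make the count look compliant while hiding a real membership
  validation {
    condition     = length(distinct(var.admin_user_ids)) == length(var.admin_user_ids)
    error_message = "admin_user_ids must not contain duplicate user IDs."
  }
}

variable "enable_api_automation" {
  description = "Create the stale API key email automation (section 3.2, L2+)"
  type        = bool
  default     = false
}

variable "api_alert_emails" {
  description = "Recipients for stale API key notifications (section 3.2)"
  type        = list(string)
  default     = []
  validation {
    condition     = alltrue([for e in var.api_alert_emails : can(regex("^[^@]+@[^@]+$", e))])
    error_message = "Every entry in api_alert_emails must be an email address."
  }
}
```

Passing more than three entries in `admin_user_ids` makes `terraform plan` fail before the admin group is created, so the 2-3 admin limit is enforced in code rather than only in the alert.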
4. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Orca Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/MFA | 1.1 |
| CC6.2 | RBAC | 2.1 |
| CC6.7 | Integration security | 3.1 |
NIST 800-53 Rev 5 Mapping
| Control | Orca Control | Guide Section |
|---|---|---|
| IA-2 | SSO | 1.1 |
| AC-6 | RBAC | 2.1 |
| SC-12 | API security | 3.2 |
Appendix B: References
Official Orca Security Documentation:
Compliance Frameworks:
- SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, PCI DSS v4.0.1, FedRAMP Moderate, StateRAMP — via Trust Center
- FedRAMP Authorization Announcement
- StateRAMP Authorization Announcement
Security Incidents:
- No major public incidents identified
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO, RBAC, and integration security | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag `content-outdated`
- Propose new controls: Open an issue with tag `new-control`
- Submit improvements: See Contributing Guide