Getting Started with Security Zones
After creating IAM policies and enabling Cloud Guard, create a security zone for a compartment and check for any security zone policy violations.
Create IAM Policies
To use Security Zones and Cloud Guard, you must be granted the required type of access in an IAM policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
If you are not an administrator for your tenancy, then ask your administrator to perform these steps.
To learn more about Security Zones and Cloud Guard IAM policies, see Cloud Guard Policies.
Enable Cloud Guard
Enable Cloud Guard in your tenancy before you create Security Zones. If Cloud Guard is already enabled, you can skip this task.
Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weaknesses in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.
Security Zones works with Cloud Guard to identify security zone policy violations in your existing resources.
Enabling Cloud Guard involves the following tasks:
- Creating IAM policies that allow Cloud Guard to monitor resources within your tenancy
- Choosing a reporting region
- Optionally creating targets for the compartments that you want Cloud Guard to monitor
- Optionally choosing the detector recipes for the targets
To enable Cloud Guard, you must have administrator privileges.
You do not have to create a Cloud Guard target for a compartment before creating a security zone for the same compartment. When you create a security zone, a new Cloud Guard target is created automatically.
See Getting Started with Cloud Guard for detailed instructions.
Create a Security Zone Recipe (Optional)
Security Zones provides an Oracle-managed recipe called Maximum Security Recipe, which enforces all available security zone policies. If you want to disable certain policies, you can clone this recipe.
Before creating a custom security zone recipe, understand the available security zone policies.
Create a Security Zone
After you complete all prerequisite tasks, you can create a security zone for an existing compartment.
For maximum flexibility, avoid assigning a security zone to the root compartment of the tenancy. Security zones applied to the root compartment might constrain the actions that are possible across an entire tenancy. Although this configuration might be preferable for specific use cases, it's too restrictive for most users.
When you create a security zone for a compartment, Cloud Guard does the following:
- Deletes any existing Cloud Guard target for the compartment and for any child compartments
- Creates a security zone target for the compartment
- Adds the default Oracle-managed detector recipes to the security zone target
If you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard creates a separate security zone target for the subcompartment. No changes are made to the existing target for the parent compartment.
View Security Zone Policy Violations
If the compartment for your security zone has existing resources, you can identify any resources that violate the security zone's policies and take corrective actions.
Cloud Guard routinely scans the resources in your security zones for policy violations. Each policy violation is recorded as a problem in Cloud Guard. For a new security zone, it can take up to three hours before any violations are detected.
See Security Zone Policies for descriptions of all available policies.
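Because every security zone violation surfaces as a Cloud Guard problem, the first triage step after the initial scan is to pull the problems for the zone's compartment and sort out which ones are still open and most severe. The script below is an added example and not part of Oracle's documentation or SDK. The sample records are constructed by hand (the OCIDs are placeholders) and mirror the snake_case attributes of the OCI Python SDK's problem model (`risk_level`, `resource_type`, `lifecycle_state`, `lifecycle_detail`); the live fetch through `oci.cloud_guard.CloudGuardClient.list_problems` assumes the `oci` package and a configured CLI profile, and is imported only when `fetch_problems()` is called so the triage logic runs offline.

```python
"""Added example: triage Cloud Guard problems reported for a security zone.

Not Oracle's code. Sample records are constructed; live data comes from the
OCI Python SDK (assumed installed) via fetch_problems().
"""
from collections import Counter
from typing import Dict, List

# Constructed sample problem records; OCIDs are placeholders, not real ids.
SAMPLE_PROBLEMS: List[Dict[str, str]] = [
    {"id": "ocid1.cloudguardproblem.oc1..example1", "resource_type": "Bucket",
     "resource_name": "public-bucket", "risk_level": "CRITICAL",
     "lifecycle_state": "ACTIVE", "lifecycle_detail": "OPEN"},
    {"id": "ocid1.cloudguardproblem.oc1..example2", "resource_type": "Subnet",
     "resource_name": "public-subnet", "risk_level": "HIGH",
     "lifecycle_state": "ACTIVE", "lifecycle_detail": "OPEN"},
    {"id": "ocid1.cloudguardproblem.oc1..example3", "resource_type": "Bucket",
     "resource_name": "fixed-bucket", "risk_level": "CRITICAL",
     "lifecycle_state": "INACTIVE", "lifecycle_detail": "RESOLVED"},
    {"id": "ocid1.cloudguardproblem.oc1..example4", "resource_type": "Instance",
     "resource_name": "legacy-vm", "risk_level": "MEDIUM",
     "lifecycle_state": "ACTIVE", "lifecycle_detail": "DISMISSED"},
]

# Cloud Guard risk levels, most severe first (used for sort order).
RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "MINOR": 4}


def open_problems(problems: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only violations that still need corrective action.

    Resolved, dismissed or inactive problems are already handled and are
    dropped so they do not inflate the count of outstanding violations.
    """
    return [p for p in problems
            if p["lifecycle_state"] == "ACTIVE" and p["lifecycle_detail"] == "OPEN"]


def summarize_by_risk(problems: List[Dict[str, str]]) -> Dict[str, int]:
    """Count open problems per risk level, ordered from most to least severe."""
    counts = Counter(p["risk_level"] for p in open_problems(problems))
    return dict(sorted(counts.items(), key=lambda kv: RISK_ORDER.get(kv[0], 99)))


def triage_order(problems: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return open problems sorted by severity, then resource name."""
    return sorted(open_problems(problems),
                  key=lambda p: (RISK_ORDER.get(p["risk_level"], 99), p["resource_name"]))


def fetch_problems(compartment_id: str, profile: str = "DEFAULT") -> List[Dict[str, str]]:
    """Pull live problem records for a compartment and its children.

    Assumes the oci SDK and a ~/.oci/config profile; imported lazily so the
    offline triage functions above work without the SDK installed.
    """
    import oci  # assumption: oci SDK available at call time
    config = oci.config.from_file(profile_name=profile)
    client = oci.cloud_guard.CloudGuardClient(config)
    response = oci.pagination.list_call_get_all_results(
        client.list_problems, compartment_id, compartment_id_in_subtree=True)
    return [{"id": p.id, "resource_type": p.resource_type,
             "resource_name": p.resource_name, "risk_level": p.risk_level,
             "lifecycle_state": p.lifecycle_state,
             "lifecycle_detail": p.lifecycle_detail} for p in response.data]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_problems(<compartment OCID>)
    # to triage a real security zone.
    for p in triage_order(SAMPLE_PROBLEMS):
        print(f"{p['risk_level']:<9} {p['resource_type']:<9} {p['resource_name']}")
    print(summarize_by_risk(SAMPLE_PROBLEMS))
```

Run it as-is to see the triage over the sample; with `fetch_problems` pointed at the zone's compartment OCID it lists the live violations Cloud Guard has recorded, which for a new zone may take up to three hours to appear.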
Next Steps
After enabling Cloud Guard and creating your first security zone, you can test the zone, customize the zone, or create other zones.
Task | More Information |
---|---|
Test a zone by attempting to violate one of the zone's policies | Choose a security zone policy that is enabled in the zone's recipe. For example, verify that you can't create a public subnet or a public Object Storage bucket. See Security Zone Policies. |
Create a separate zone in a subcompartment | Creating a Security Zone |
Remove a subcompartment from the zone | Removing a Subcompartment from a Security Zone |
Delete a zone | Deleting a Security Zone |
Customize the Cloud Guard detector recipes in a security zone target | Customizing Cloud Guard Configuration |
Check for other security problems detected by Cloud Guard | Processing Reported Problems |
Create IAM policies so that other groups can manage security zones | Cloud Guard Policies |
If you aren't able to create or test a security zone successfully, see Troubleshooting Security Zones.