Managing Recipes

When you create a security zone you assign a recipe to it. A recipe is a collection of security zone policies.

When you perform certain resource operations in a security zone, such as creating a compute instance or a subnet, Oracle Cloud Infrastructure automatically validates the policies within the recipe that is assigned to the security zone.

Your tenancy has a predefined recipe named Maximum Security Recipe, which includes a number of curated security zone policies. Oracle manages this recipe, and you can’t modify it.

You can create a custom recipe, or clone an existing one. Within a custom recipe, you can enable and disable security zone policies so that a security zone meets your specific security requirements.

Note

Use caution when disabling policies in your recipe. Disabled policies can reduce the security posture for resources in your security zone.

Security zone policies are organized by type. Each type aligns with one of the following cloud security principles:

  • Restrict resource movement
  • Restrict resource association
  • Deny public access
  • Require encryption
  • Ensure data durability
  • Ensure data security
  • Use only configurations approved by Oracle

Each policy affects specific cloud resource types like Compute, Object Storage, or Database.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted the required type of access in an IAM policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, the following IAM policy allows users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy.

Allow group SecurityAdmins to manage security-zone in tenancy
Allow group SecurityAdmins to manage security-recipe in tenancy
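The tenancy-wide grant above is broad. As an added example that is not part of the Oracle documentation, the same access can be narrowed to a single compartment and split by role: one group that changes recipes and zones, and one that can only read them. The group names (SecurityZoneAdmins, SecurityAuditors) and the compartment name (Prod) are constructed placeholders; the resource types security-zone and security-recipe are the ones used above.

```text
Allow group SecurityZoneAdmins to manage security-zone in compartment Prod
Allow group SecurityZoneAdmins to manage security-recipe in compartment Prod
Allow group SecurityAuditors to read security-zone in tenancy
Allow group SecurityAuditors to read security-recipe in tenancy
```

The read verb includes inspect, so auditors can list recipes and view the policies they enable without being able to disable any of them.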

See Cloud Guard Policies.

Creating a Recipe

Use the Console to create a security zone recipe.

You must enable Cloud Guard in your tenancy before you can create a recipe. See Getting Started with Cloud Guard.

Before you create a recipe, understand the available security zone policies.

Alternatively, you can clone an existing recipe.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
  2. Select the Compartment in which you want to create the recipe.
  3. Click Create Recipe.
  4. Enter a Name and Description for the recipe.

    Avoid entering confidential information.

  5. (Optional) Apply tags to the recipe.

    If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. See Resource Tags. You can also apply tags to a recipe after you create it.

  6. Click Next.
  7. From the Policies page, clear the check box for any policy that you want to disable.

    By default, all policies are enabled in a new recipe.

    You can filter the list of policies by selecting a specific Policy type. You can also Search for policies by name.

  8. Click Next.
  9. From the Review page, review the number of policies that are enabled and disabled in this recipe, and then click Create.

    The Recipe Details page is displayed.

After creating a recipe, you can create a zone that's associated with the recipe.

Cloning a Recipe

Use the Console to create a security zone recipe by cloning an existing one.

When you clone a recipe, you can enable and disable policies in the new recipe. Before cloning a recipe, understand the available security zone policies.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
  2. Select the Compartment that contains the recipe you want to clone.

    Oracle-managed recipes are available in all compartments.

  3. Click the Actions icon for the recipe, and then select Clone.
  4. Update the Name and Description for the new recipe.

    Avoid entering confidential information.

  5. Select the Compartment in which you want to create the recipe.
  6. Click Next.
  7. (Optional) From the Policies page, select a check box to enable a policy, or clear a check box to disable a policy.

    You can filter the list of policies by selecting a specific Policy type. You can also Search for policies by name.

  8. Click Next.
  9. From the Review page, review the number of policies that are enabled and disabled in this recipe, and then click Create.

    The Recipe Details page is displayed.

After you clone a recipe, you can create a zone that's associated with the new recipe.

Viewing the Policies in a Recipe

Use the Console to identify the policies in a security zone recipe.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
  2. Select the Compartment that contains the recipe you want to view.
  3. Click the name of a recipe.

    The Recipe Details page is displayed.

    The Policies table lists the security zone policies that are enabled in this recipe.

Learn more about security zone policies in the recipe.

Viewing the Security Zones Associated with a Recipe

Use the Console to identify the security zones that were created using a specific recipe.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
  2. Select the Compartment that contains the recipe you want to view.
  3. Click the name of a recipe.
  4. From the Recipe Details page, click Associated Security Zones.

To create a security zone with this recipe, see Managing Security Zones.

Editing a Recipe

Use the Console to edit a security zone recipe's name, description, or policies.

Before you edit a recipe, understand the available security zone policies.

You can't edit Oracle-managed recipes.

Caution

When you change a recipe, the security posture for resources in any security zones that use the recipe can be affected.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
  2. Select the Compartment that contains the recipe you want to edit.
  3. Click the recipe to view its details.
  4. Click Edit.
  5. Update the Name and Description for the recipe.

    Avoid entering confidential information.

  6. Click Next.
  7. (Optional) From the Policies page, select a check box to enable a policy, or clear a check box to disable a policy.

    You can filter the list of policies by selecting a specific Policy type. You can also Search for policies by name.

  8. Click Next.
  9. From the Review page, review the number of policies that are enabled and disabled in this recipe, and then click Save changes.

    The Recipe Details page is displayed.

  10. (Optional) Click Tags if you want to manage the tags for this security zone recipe.

    If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. See Resource Tags.

Deleting a Recipe

Use the Console to delete a security zone recipe.

If a recipe is associated with a security zone, you can't delete the recipe. You must delete the security zone before you delete the recipe.

You can't delete Oracle-managed recipes, only custom recipes.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
  2. Select the Compartment that contains the recipe you want to delete.
  3. Click the recipe to view its details.
  4. Click Delete.
  5. When prompted for confirmation, click Delete.