Managing Recipes in Security Zones
When you create a security zone you assign a recipe to it. A recipe is a collection of security zone policies.
You can perform the following security zone management tasks:
- Creating a Security Zone Recipe
- Cloning a Security Zone Recipe
- Getting a Recipe's Details in Security Zones
- Viewing the Security Zones Associated with a Recipe
- Editing a Security Zone Recipe
- Moving a Recipe to a Different Compartment
- Deleting a Security Zone Recipe
When you perform certain resource operations in a security zone, such as creating a compute instance or a subnet , Oracle Cloud Infrastructure automatically validates the policies within the recipe that's assigned to the security zone.
Each tenancy has a predefined recipe named Maximum Security Recipe, which includes several curated security zone policies. Oracle manages this recipe, and you can’t change it.
You can create a custom recipe, or clone an existing one. Within a custom recipe, you can enable and disable security zone policies so that a security zone meets specific security requirements.
Use caution when disabling policies in the recipe. Disabled policies can reduce the security posture for resources in the security zone.
Security zone policies are organized by type. Each type aligns with one of the following cloud security principles:
- Restrict resource movement
- Restrict resource association
- Deny public access
- Require encryption
- Ensure data durability
- Ensure data security
- Use only configurations approved by Oracle
Each policy affects specific cloud resource types like Compute, Object Storage, or Database.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted the required type of access in an IAM policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.
For example, the following IAM
policy allows users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy.
Allow group SecurityAdmins to manage security-zone in tenancy
Allow group SecurityAdmins to manage security-recipe in tenancySee Cloud Guard Policies.