Managing Recipes
When you create a security zone you assign a recipe to it. A recipe is a collection of security zone policies.
When you perform certain resource operations in a security zone, such as creating a compute instance or a subnet, Oracle Cloud Infrastructure automatically validates the policies within the recipe that is assigned to the security zone.
Your tenancy has a predefined recipe named Maximum Security Recipe, which includes a number of curated security zone policies. Oracle manages this recipe, and you can't modify it.
You can create a custom recipe, or clone an existing one. Within a custom recipe, you can enable and disable security zone policies so that a security zone meets your specific security requirements.
Use caution when disabling policies in your recipe. Disabled policies can reduce the security posture for resources in your security zone.
Security zone policies are organized by type. Each type aligns with one of the following cloud security principles:
- Restrict resource movement
- Restrict resource association
- Deny public access
- Require encryption
- Ensure data durability
- Ensure data security
- Use only configurations approved by Oracle
Each policy affects specific cloud resource types like Compute, Object Storage, or Database.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted the required type of access in an IAM policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.
For example, the following IAM policy allows users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy.
Allow group SecurityAdmins to manage security-zone in tenancy
Allow group SecurityAdmins to manage security-recipe in tenancy
See Cloud Guard Policies.
Creating a Recipe
Use the Console to create a security zone recipe.
You must enable Cloud Guard in your tenancy before you can create a recipe. See Getting Started with Cloud Guard.
Before you create a recipe, understand the available security zone policies.
Alternatively, you can clone an existing recipe.
Cloning a Recipe
Use the Console to create a security zone recipe by cloning an existing one.
When you clone a recipe, you can enable and disable policies in the new recipe. Before cloning a recipe, understand the available security zone policies.
Viewing the Policies in a Recipe
Use the Console to identify the policies in a security zone recipe.
Viewing the Security Zones Associated with a Recipe
Use the Console to identify the security zones that were created using a specific recipe.
- Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
- Select the Compartment that contains the recipe you want to view.
- Click the name of a recipe.
- From the Recipe Details page, click Associated Security Zones.
Editing a Recipe
Use the Console to edit a security zone recipe's name, description, or policies.
Before you edit a recipe, understand the available security zone policies.
You can't edit Oracle-managed recipes.
When you change a recipe, the security posture for resources in any security zones that use the recipe can be affected.
Deleting a Recipe
Use the Console to delete a security zone recipe.
If a recipe is associated with a security zone, you can't delete the recipe. You must delete the security zone before you delete the recipe.
You can't delete Oracle-managed recipes, only custom recipes.
- Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
- Select the Compartment that contains the recipe you want to delete.
- Click the recipe to view its details.
- Click Delete.
- When prompted for confirmation, click Delete.
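As an added example (not Oracle's code and not the Cloud Guard API), the following Python script applies the rules stated above for cloning, editing and deleting recipes to constructed recipe and zone data: it reports which Maximum Security Recipe policies a custom recipe has disabled, which security zones inherit that weaker posture, and whether the delete preconditions are met. The recipe, zone and policy names are placeholders assumed for illustration; in practice the data would be loaded from the Security Zones APIs on the Cloud Guard endpoints.

```python
# Added example, not Oracle's code: an offline audit of security zone recipes.
# It flags custom recipes that drop policies present in the Oracle-managed
# baseline, lists the zones that inherit that gap, and checks the page's
# delete preconditions. All recipe, zone and policy values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Recipe:
    id: str
    name: str
    owner: str           # "ORACLE" for the managed recipe, "CUSTOMER" for custom
    policies: frozenset  # enabled security zone policy identifiers

@dataclass(frozen=True)
class Zone:
    id: str
    name: str
    recipe_id: str       # recipe assigned when the zone was created

# Constructed placeholder data (policy names are illustrative, not real OCIDs).
BASELINE = Recipe("recipe-oracle-max", "Maximum Security Recipe", "ORACLE",
                  frozenset({"deny-public-buckets", "require-cmk-encryption",
                             "restrict-move-out-of-zone", "require-block-volume-backups"}))
CUSTOM = Recipe("recipe-custom-1", "Dev Zone Recipe", "CUSTOMER",
                frozenset({"deny-public-buckets", "require-cmk-encryption"}))
ZONES = [Zone("zone-1", "dev-zone", "recipe-custom-1"),
         Zone("zone-2", "prod-zone", "recipe-oracle-max")]

def disabled_policies(recipe, baseline=BASELINE):
    """Baseline policies the recipe no longer enforces (posture reduction)."""
    return set(baseline.policies - recipe.policies)

def zones_using(recipe, zones=ZONES):
    """Zones whose resources are affected when this recipe changes."""
    return [z.name for z in zones if z.recipe_id == recipe.id]

def can_delete(recipe, zones=ZONES):
    """Preconditions from the page: not Oracle-managed, no associated zones."""
    if recipe.owner == "ORACLE":
        return False, "Oracle-managed recipes cannot be deleted"
    if zones_using(recipe, zones):
        return False, "delete the associated security zone(s) first"
    return True, "ok"

def audit(recipes, zones=ZONES, baseline=BASELINE):
    """Per custom recipe: dropped baseline policies and affected zones."""
    return {r.name: {"missing": sorted(disabled_policies(r, baseline)),
                     "zones": zones_using(r, zones)}
            for r in recipes if r.owner == "CUSTOMER"}
```

Running `audit([BASELINE, CUSTOM])` shows the two baseline policies the custom recipe dropped and that dev-zone is the zone carrying that reduced posture.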
Using the API
For information about using the API and signing requests, see REST APIs and Security Credentials.
For information about SDKs, see Software Development Kits and Command Line Interface.
The Security Zones APIs are available from the Cloud Guard endpoints.
Use the following operations to manage security zone recipes: