Managing Security Zones

Create and manage security zones to protect resources in a compartment.

You can perform the following security zone management tasks:

A security zone has the following characteristics:

  • Created in a compartment, but not restricted to a single compartment
  • Associated with a single compartment or hierarchy of compartments with a single parent
  • Assigned a security zone recipe

A compartment can't be in multiple security zones.

After you create a security zone for a compartment, it automatically prevents operations, such as creating or modifying resources, that violate the security zone's policies. Any operation that violates a policy in the zone's recipe is denied. However, existing resources that were created before the security zone might also violate policies. Security Zones integrates with Oracle Cloud Guard to identify policy violations in existing resources.

You must enable Cloud Guard in the tenancy before creating a security zone. See Getting Started with Cloud Guard.

Each tenancy has a predefined recipe named Maximum Security Recipe, which includes several curated security zone policies. Oracle manages this recipe, and you can't change it.

You can create a custom recipe, or clone an existing one. See Managing Recipes in Security Zones.

When you create a security zone for a compartment, any subcompartments are also in the same security zone. You can also:

  • Remove a subcompartment from a security zone
  • Create a different security zone for a subcompartment

Caution

To ensure the integrity of the data, you can't move certain resources from a compartment in a security zone to a compartment that isn't in the security zone.
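The zone rules described above (a recipe is attached to a compartment, subcompartments inherit it unless removed or given their own zone, no compartment sits in two zones, and protected resources can't leave their zone) can be modelled in a few lines. The following is an added illustration, not Oracle's implementation or the OCI SDK: the compartment tree, zone names and the ZoneRegistry class are all constructed for the example.

```python
"""Toy model of Security Zone inheritance and resource-move checks.

Constructed illustration of the rules stated in the page, not Oracle's code:
  - a zone is assigned to a compartment and inherited by its subcompartments
  - a subcompartment can be removed from the zone or given its own zone
  - a compartment cannot be in two zones at once
  - protected resources cannot move to a compartment outside their zone
"""
from dataclasses import dataclass, field

# Constructed compartment tree: child -> parent (the root has no parent).
PARENTS = {
    "root": None,
    "prod": "root",
    "prod-db": "prod",
    "prod-web": "prod",
    "dev": "root",
}


@dataclass
class ZoneRegistry:
    parents: dict
    # compartment -> zone name, only where a zone was explicitly created
    assignments: dict = field(default_factory=dict)
    # subcompartments explicitly removed from an inherited zone
    excluded: set = field(default_factory=set)

    def ancestors(self, comp):
        """Yield comp, then its parent chain up to the root."""
        while comp is not None:
            yield comp
            comp = self.parents.get(comp)

    def zone_of(self, comp):
        """Effective zone: the nearest explicit assignment walking upward,
        unless an explicit removal is hit first."""
        for c in self.ancestors(comp):
            if c in self.assignments:
                return self.assignments[c]
            if c in self.excluded:
                return None
        return None

    def assign_zone(self, comp, zone):
        """Create a zone for comp; its subcompartments inherit it.
        A compartment already carrying its own zone can't get a second one."""
        existing = self.assignments.get(comp)
        if existing is not None and existing != zone:
            raise ValueError(f"{comp} is already in security zone {existing}")
        self.assignments[comp] = zone
        self.excluded.discard(comp)

    def remove_from_zone(self, comp):
        """Take a subcompartment (and its children) out of the inherited zone."""
        self.assignments.pop(comp, None)
        self.excluded.add(comp)

    def can_move_resource(self, src, dst):
        """A protected resource may leave a zoned compartment only for a
        compartment that is in the same zone."""
        src_zone = self.zone_of(src)
        if src_zone is None:
            return True
        return self.zone_of(dst) == src_zone


def demo():
    """Walk through the scenarios from the text and return the outcomes."""
    reg = ZoneRegistry(PARENTS)
    reg.assign_zone("prod", "prod-zone")      # prod-db and prod-web inherit it
    reg.remove_from_zone("prod-db")           # opt one subcompartment out
    reg.assign_zone("prod-web", "web-zone")   # give another its own zone
    return {
        "prod": reg.zone_of("prod"),
        "prod-db": reg.zone_of("prod-db"),
        "prod-web": reg.zone_of("prod-web"),
        "dev": reg.zone_of("dev"),
        "move prod->dev": reg.can_move_resource("prod", "dev"),
        "move dev->prod": reg.can_move_resource("dev", "prod"),
        "move prod-web->prod": reg.can_move_resource("prod-web", "prod"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The move check is deliberately one-directional: moving into a zone is fine (the resource then becomes subject to the recipe), while moving out of a zone, or across to a different zone, is denied.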

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted the required type of access in an IAM policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, the following IAM policy allows users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy.

Allow group SecurityAdmins to manage security-zone in tenancy
Allow group SecurityAdmins to manage security-recipe in tenancy

See Cloud Guard Policies.