Security Zone Policies
When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the policies in the security zone. If any policy is violated, then the operation is denied.
When you create a security zone you assign it a recipe, which is a collection of security zone policies.
Your tenancy has a predefined recipe named Maximum Security Recipe, which includes a number of curated security zone policies. Oracle manages this recipe and you can't modify it. You can, however, create your own recipes that meet your specific security requirements.
Security Zones categorizes policies by security principle, such as Restrict Resource Movement. Each policy affects one or more cloud resources, such as Compute, Networking, Object Storage, and Database resources.
Compute Management policies apply to instance configurations and instance pools. See Using Instance Configurations and Instance Pools.
Restrict Resource Movement
To ensure the integrity of your data, certain resources in a security zone can't be moved to a compartment that is outside of the security zone, because that compartment might be less secure. You also can't move an existing resource into a compartment in a security zone unless all policies in the security zone are met.
The following table describes the security zone policies that restrict resource movement.
Policy | Resource Types | Description |
---|---|---|
deny block_volume_in_security_zone_move_to_compartment_not_in_security_zone | Block Storage | You can't move a block volume in the security zone to a compartment that is not in the same security zone. |
deny boot_volume_in_security_zone_move_to_compartment_not_in_security_zone | Block Storage | You can't move a boot volume in the security zone to a compartment that is not in the same security zone. |
deny instance_in_security_zone_move_to_compartment_not_in_security_zone | Compute | You can't move a compute instance in the security zone to a compartment that is not in the same security zone. |
deny instance_not_in_security_zone_move_to_compartment_in_security_zone | Compute | You can't move a compute instance to the security zone from a compartment that is not in the same security zone. |
deny subnet_in_security_zone_move_to_compartment_not_in_security_zone | Virtual Network (VCN) | You can't move a subnet in the security zone to a compartment that is not in the same security zone. |
deny bucket_in_security_zone_move_to_compartment_not_in_security_zone | Object Storage | You can't move a bucket in the security zone to a compartment that is not in the same security zone. |
deny file_system_in_security_zone_move_to_compartment_not_in_security_zone | File Storage | You can't move a file system in the security zone to a compartment that is not in the same security zone. |
deny mount_target_in_security_zone_move_to_compartment_not_in_security_zone | File Storage | You can't move a mount target (File Storage) in the security zone to a compartment that is not in the same security zone. |
deny db_instance_move_to_compartment_not_in_security_zone | Database (all types) | You can't move a database in the security zone to a compartment that is not in the same security zone. |
deny database_with_dataguard_association_move_to_compartment_in_security_zone | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | You can't move a database to the security zone if its Data Guard association isn't in the same security zone. |
Restrict Resource Association
All the required components for a resource in a security zone must also be located in the same security zone. Resources that are not in a security zone might be vulnerable, and resources in a different security zone might have a lower security posture.
The following table describes the security zone policies that restrict resource association.
Policy | Resource Types | Description |
---|---|---|
deny block_volume_not_in_security_zone_attach_to_instance_in_security_zone | Compute | You can't attach a block storage volume to a compute instance in the security zone if the volume isn't in the same security zone. |
deny block_volume_in_security_zone_attach_to_instance_not_in_security_zone | Compute | You can't attach a block storage volume in the security zone to a compute instance that isn't in the same security zone. |
deny boot_volume_not_in_security_zone_attach_to_instance_in_security_zone | Compute | You can't attach a boot volume to a compute instance in the security zone if the volume isn't in the same security zone. |
deny boot_volume_in_security_zone_attach_to_instance_not_in_security_zone | Compute | You can't attach a boot volume in the security zone to a compute instance that isn't in the same security zone. |
deny instance_in_security_zone_launch_from_boot_volume_not_in_security_zone | Compute, Compute Management | You can't launch a compute instance in the security zone if its boot volume isn't in the same security zone. |
deny instance_not_in_security_zone_launch_from_boot_volume_in_security_zone | Compute, Compute Management | You can't launch a compute instance using a boot volume in the security zone if the instance isn't in the same security zone. |
deny attached_block_volume_not_in_security_zone_move_to_compartment_in_security_zone | Block Storage | You can't move a block volume to the security zone if it's attached to a compute instance that isn't in the same security zone. |
deny attached_boot_volume_not_in_security_zone_move_to_compartment_in_security_zone | Block Storage | You can't move a boot volume to the security zone if it's attached to a compute instance that isn't in the same security zone. |
deny instance_in_security_zone_in_subnet_not_in_security_zone | Compute, Compute Management | A compute instance in the security zone can't use a subnet if it's not in the same security zone. |
deny mount_target_in_security_zone_created_with_subnet_not_in_security_zone | File Storage | A mount target (File Storage) in the security zone can't use a subnet if it's not in the same security zone. |
deny mount_target_not_in_security_zone_create_with_subnet_in_security_zone | File Storage | You can't create a mount target (File Storage) that uses a subnet in a security zone if the mount target isn't in the same security zone. |
deny file_system_in_security_zone_export_via_mount_target_not_in_security_zone | File Storage | You can't export a file system in the security zone through a mount target (File Storage) that isn't in the same security zone. |
deny file_system_not_in_security_zone_export_via_mount_target_in_security_zone | File Storage | You can't export a file system through a mount target (File Storage) if the file system isn't in the same security zone. |
deny dataguard_association_with_db_instances_not_in_security_zones | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | A database in the security zone can't have a Data Guard association with another database (primary/standby) if it's not in the same security zone. |
deny db_instance_subnet_not_in_security_zone | Database (all types) | A database in the security zone can't use a subnet if it's not in the same security zone. |
deny db_resource_association_not_in_security_zone | Database (Exadata DB systems) | Exadata Infrastructure resources in the security zone can't be associated with Container Databases or VM clusters that aren't in the same security zone. |
Deny Public Access
Resources in a security zone must not be accessible from the public internet.
When you create a private subnet, compute instances launched in that subnet can't have public IP addresses. This restriction ensures that compute instances in the subnet have no direct internet access. For compute instances in a private subnet, a service gateway enables private access to public services such as Object Storage. See Overview of Networking.
The following table describes the security zone policies that restrict network access.
Policy | Resource Types | Description |
---|---|---|
deny public_subnets | Virtual Network (VCN) | Subnets in the security zone can't be public. They must be private. |
deny internet_gateway | Virtual Network (VCN) | You can't add an internet gateway to a VCN (virtual cloud network) within the security zone. |
deny public_buckets | Object Storage | Object Storage buckets in the security zone can't be public. |
deny db_instance_public_access | Database (all types) | Databases in the security zone can't be assigned to public subnets. They must use private subnets. |
deny public_load_balancer | Load Balancer | Load balancers in a security zone can't be public. All load balancers must be private. |
deny cloud_shell_public_network | Cloud Shell | Cloud Shell hosts in a security zone can't have public network access. |
Require Encryption
Resources in a security zone must be encrypted using customer-managed keys. Data must be encrypted while in transit and at rest.
Oracle Cloud Infrastructure Vault lets you manage the master encryption keys that protect your data and the secret credentials that you use to securely access resources. You can also regularly rotate encryption keys.
Many services integrate with the Vault service for encryption, including Object Storage and Block Volume.
The following table describes the security zone policies that enforce encryption.
Policy | Resource Types | Description |
---|---|---|
deny block_volume_without_vault_key | Block Storage | Block volumes in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
deny boot_volume_without_vault_key | Block Storage | Boot volumes in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
deny buckets_without_vault_key | Object Storage | Object Storage buckets in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
deny file_system_without_vault_key | File Storage | File systems in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
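The Restrict Resource Movement, Restrict Resource Association, Deny Public Access and Require Encryption sections above all reduce to the same decision: is the affected compartment inside the zone, and does the zone's recipe enable the policy? The following pre-flight checker is an added example, not Oracle's code or any part of the Security Zones service; it models a zone as a set of compartment OCIDs plus a recipe (the policy names from this page's tables) and evaluates planned create, move and attach operations offline before you submit them. The resource records are constructed dicts that borrow field names from the OCI API objects (`compartment_id`, `kms_key_id`, `public_access_type`, `prohibit_public_ip_on_vnic`, `is_private`); the OCIDs are placeholders, and the function names and the `SecurityZone` class are this example's own.

```python
"""Offline pre-flight check of planned OCI operations against security zone policies.

Added example (not Oracle's code). Policy names are taken from this page; the
compartment/resource data below is constructed and the OCIDs are placeholders.
"""
from dataclasses import dataclass

# Policy names from the tables on this page, keyed by a short resource kind.
MOVE_OUT_OF_ZONE = {
    "block_volume": "block_volume_in_security_zone_move_to_compartment_not_in_security_zone",
    "boot_volume": "boot_volume_in_security_zone_move_to_compartment_not_in_security_zone",
    "instance": "instance_in_security_zone_move_to_compartment_not_in_security_zone",
    "subnet": "subnet_in_security_zone_move_to_compartment_not_in_security_zone",
    "bucket": "bucket_in_security_zone_move_to_compartment_not_in_security_zone",
    "file_system": "file_system_in_security_zone_move_to_compartment_not_in_security_zone",
}
MOVE_INTO_ZONE = {
    "instance": "instance_not_in_security_zone_move_to_compartment_in_security_zone",
}
VAULT_KEY_REQUIRED = {
    "block_volume": "block_volume_without_vault_key",
    "boot_volume": "boot_volume_without_vault_key",
    "bucket": "buckets_without_vault_key",
    "file_system": "file_system_without_vault_key",
}
PUBLIC_ACCESS = {"bucket": "public_buckets", "subnet": "public_subnets",
                 "load_balancer": "public_load_balancer"}


def attach_policy(volume_kind, volume_in_zone):
    """Attachment policy name, following the naming pattern used in the page's table."""
    if volume_in_zone:
        return f"{volume_kind}_in_security_zone_attach_to_instance_not_in_security_zone"
    return f"{volume_kind}_not_in_security_zone_attach_to_instance_in_security_zone"


# The subset of the Maximum Security Recipe that this example models.
MAXIMUM_SECURITY_SUBSET = (
    set(MOVE_OUT_OF_ZONE.values()) | set(MOVE_INTO_ZONE.values())
    | set(VAULT_KEY_REQUIRED.values()) | set(PUBLIC_ACCESS.values())
    | {attach_policy(k, z) for k in ("block_volume", "boot_volume") for z in (True, False)}
)


@dataclass
class SecurityZone:
    compartments: set   # compartment OCIDs inside the zone
    recipe: set         # policy names enabled by the zone's recipe

    def contains(self, compartment_id):
        return compartment_id in self.compartments

    def enforced(self, violations):
        # A custom recipe may omit a policy; only enabled policies deny the operation.
        return [p for p in violations if p in self.recipe]


def is_public(kind, resource):
    """Public-exposure test using the OCI API field names for each resource type."""
    if kind == "bucket":
        return resource.get("public_access_type", "NoPublicAccess") != "NoPublicAccess"
    if kind == "subnet":
        return not resource.get("prohibit_public_ip_on_vnic", False)
    if kind == "load_balancer":
        return not resource.get("is_private", False)
    return False


def check_create(zone, kind, resource):
    """Policies a create/update of `resource` would violate (empty list = allowed)."""
    if not zone.contains(resource["compartment_id"]):
        return []    # resources outside the zone are not validated by it
    violations = []
    if kind in VAULT_KEY_REQUIRED and not resource.get("kms_key_id"):
        violations.append(VAULT_KEY_REQUIRED[kind])
    if kind in PUBLIC_ACCESS and is_public(kind, resource):
        violations.append(PUBLIC_ACCESS[kind])
    return zone.enforced(violations)


def check_move(zone, kind, resource, target_compartment):
    """Policies a compartment move would violate, in either direction."""
    src_in = zone.contains(resource["compartment_id"])
    dst_in = zone.contains(target_compartment)
    violations = []
    if src_in and not dst_in and kind in MOVE_OUT_OF_ZONE:
        violations.append(MOVE_OUT_OF_ZONE[kind])
    if dst_in and not src_in:
        if kind in MOVE_INTO_ZONE:
            violations.append(MOVE_INTO_ZONE[kind])
        # Moving into the zone succeeds only if the resource would be valid there.
        violations += check_create(zone, kind, dict(resource, compartment_id=target_compartment))
    return zone.enforced(violations)


def check_attach(zone, volume_kind, volume, instance):
    """Policies a volume attachment would violate."""
    vol_in = zone.contains(volume["compartment_id"])
    inst_in = zone.contains(instance["compartment_id"])
    if vol_in != inst_in:
        return zone.enforced([attach_policy(volume_kind, vol_in)])
    return []


# Constructed sample data; the OCIDs are placeholders, not real identifiers.
ZONE_CMP = "ocid1.compartment.oc1..zone-placeholder"
OUTSIDE_CMP = "ocid1.compartment.oc1..outside-placeholder"
ZONE = SecurityZone({ZONE_CMP}, MAXIMUM_SECURITY_SUBSET)

if __name__ == "__main__":
    vol = {"compartment_id": ZONE_CMP, "kms_key_id": "ocid1.key.oc1..placeholder"}
    print(check_move(ZONE, "block_volume", vol, OUTSIDE_CMP))
    bucket = {"compartment_id": OUTSIDE_CMP, "public_access_type": "ObjectRead"}
    print(check_move(ZONE, "bucket", bucket, ZONE_CMP))
    print(check_attach(ZONE, "block_volume", {"compartment_id": OUTSIDE_CMP},
                       {"compartment_id": ZONE_CMP}))
```

Two behaviours are worth noting. A move into the zone re-runs the create checks on the resource as it would exist in the target compartment, which is how the "all policies in the security zone are met" condition from Restrict Resource Movement is captured: a public, Oracle-key-encrypted bucket moved into the zone is denied by both `buckets_without_vault_key` and `public_buckets`. And because every result is filtered through the zone's recipe, a custom recipe that omits a policy (for instance `public_subnets`) allows the corresponding operation, while the Maximum Security Recipe denies it.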
Ensure Data Durability
Automatic backups must be performed regularly for resources in a security zone.
The following table describes the security zone policy that enforces data durability.
Policy | Resource Types | Description |
---|---|---|
deny database_without_backup | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | Databases in the security zone must be configured to perform automatic backups. |
Ensure Data Security
Data in a security zone is considered privileged and can't be copied outside of the security zone.
The following table describes the security zone policies that enforce data security.
Policy | Resource Types | Description |
---|---|---|
deny database_not_in_security_zone_create_from_backup_in_security_zone | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | You can't use a database backup in the security zone to create a database that isn't in the same security zone. |
deny database_in_security_zone_create_clone_not_in_security_zone | Database (Virtual machine DB systems, Autonomous Database) | You can't clone a database in the security zone to create a database that isn't in the same security zone. |
deny file_system_in_security_zone_clone_to_compartment_not_in_security_zone | File Storage | You can't clone a file system in a security zone to create a file system that isn't in the same security zone. |
Use Only Configurations Approved by Oracle
Oracle requires certain security features to be enabled and configured for the resources within a security zone. One example is the operating system configuration for a compute instance (Compute).
The following table describes the security zone policies that require configurations that are approved by Oracle.
Policy | Resource Types | Policy Description |
---|---|---|
deny instance_without_sanctioned_image | Compute, Compute Management | You must create a compute instance in the security zone using a platform image. You can't create a compute instance in the security zone from a custom image. |
deny free_database_creation | Database (all types) | You can't create an Always Free database instance in the security zone. |
deny security_list_to_allow_traffic_to_restricted_port | Virtual Network (VCN) | You can't create or modify a security list to allow traffic to restricted ports in the security zone. |
deny delete_network_security_group | Virtual Network (VCN) | You can't delete a VCN network security group in the security zone. |
deny load_balancer_with_weak_SSL_communication | Load Balancer | The SSL policy for a load balancer listener in the security zone must use TLS 1.2 or later. |
deny network_security_group_with_unsecure_ingress_rule | Virtual Network (VCN) | You can't add a network security group with a rule that allows ingress to unsecure ports or IP addresses in the security zone. |
deny revoke_certificate_authority_version | Certificates Management | You can't revoke an intermediate certificate in a certificate authority (CA) bundle in the security zone. |
deny delete_vcn | Virtual Network (VCN) | You can't delete a VCN in the security zone. |
deny update_route_table | Virtual Network (VCN) | You can't update a VCN route table in the security zone. |
deny update_network_security_group_ingress_rule | Virtual Network (VCN) | You can't modify a network security group's ingress rules in the security zone. |
deny update_network_security_group_egress_rule | Virtual Network (VCN) | You can't modify a network security group's egress rules in the security zone. |
deny delete_vcn_security_list | Virtual Network (VCN) | You can't delete a VCN security list in the security zone. |
deny update_vcn_security_list_ingress_rules | Virtual Network (VCN) | You can't modify ingress security rules of the VCN security list in the security zone. |
deny update_vcn_security_list_egress_rules | Virtual Network (VCN) | You can't modify egress security rules of the VCN security list in the security zone. |
deny update_DHCP_options | Virtual Network (VCN) | You can't update DHCP options in the security zone. |
deny update_local_peering_gateway | Virtual Network (VCN) | You can't update a local peering gateway in the security zone. |
deny detach_volume | Block Storage | You can't detach a volume in the security zone. |
deny delete_certificate_authority | Certificates Management | You can't delete a certificate authority in the security zone. |