Security Zone Policies

When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the policies in the security zone. If any policy is violated, then the operation is denied.

When you create a security zone you assign it a recipe, which is a collection of security zone policies.

Your tenancy has a predefined recipe named Maximum Security Recipe, which includes a number of curated security zone policies. Oracle manages this recipe and you can't modify it. You can, however, create your own recipes that meet your specific security requirements.

Security Zones categorizes policies by security principle, such as Restrict Resource Movement. Each policy affects one or more cloud resources, such as Compute, Networking, Object Storage, and Database resources.

Note

Database policies do not apply to Oracle Exadata Cloud@Customer.

Note

Compute Management policies apply to instance configurations and instance pools. See Using Instance Configurations and Instance Pools.

Restrict Resource Movement

To ensure the integrity of your data, certain resources in a security zone can't be moved to a compartment that is outside of the security zone, because that compartment might be less secure. You also can't move an existing resource into a compartment in a security zone unless all policies in the security zone are met by that resource.

The following table describes the security zone policies that restrict resource movement.

Policy | Resource types | Description
deny block_volume_in_security_zone_move_to_compartment_not_in_security_zone | Block Storage | You can't move a block volume in the security zone to a compartment that is not in the same security zone.
deny boot_volume_in_security_zone_move_to_compartment_not_in_security_zone | Block Storage | You can't move a boot volume in the security zone to a compartment that is not in the same security zone.
deny instance_in_security_zone_move_to_compartment_not_in_security_zone | Compute | You can't move a compute instance in the security zone to a compartment that is not in the same security zone.
deny instance_not_in_security_zone_move_to_compartment_in_security_zone | Compute | You can't move a compute instance to the security zone from a compartment that is not in the same security zone.
deny subnet_in_security_zone_move_to_compartment_not_in_security_zone | Virtual Network (VCN) | You can't move a subnet in the security zone to a compartment that is not in the same security zone.
deny bucket_in_security_zone_move_to_compartment_not_in_security_zone | Object Storage | You can't move a bucket in the security zone to a compartment that is not in the same security zone.
deny file_system_in_security_zone_move_to_compartment_not_in_security_zone | File Storage | You can't move a file system in the security zone to a compartment that is not in the same security zone.
deny mount_target_in_security_zone_move_to_compartment_not_in_security_zone | File Storage | You can't move a mount target (File Storage) in the security zone to a compartment that is not in the same security zone.
deny db_instance_move_to_compartment_not_in_security_zone | Database (all types) | You can't move a database in the security zone to a compartment that is not in the same security zone.
deny database_with_dataguard_association_move_to_compartment_in_security_zone | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | You can't move a database to the security zone if its Data Guard association isn't in the same security zone.

Restrict Resource Association

All the required components for a resource in a security zone must also be located in the same security zone. Resources that are not in a security zone might be vulnerable, and resources in a different security zone might have a lower security posture.

The following table describes the security zone policies that restrict resource association.

Policy | Resource types | Description
deny block_volume_not_in_security_zone_attach_to_instance_in_security_zone | Compute | You can't attach a block storage volume to a compute instance in the security zone if the volume isn't in the same security zone.
deny block_volume_in_security_zone_attach_to_instance_not_in_security_zone | Compute | You can't attach a block storage volume in the security zone to a compute instance that isn't in the same security zone.
deny boot_volume_not_in_security_zone_attach_to_instance_in_security_zone | Compute | You can't attach a boot volume to a compute instance in the security zone if the volume isn't in the same security zone.
deny boot_volume_in_security_zone_attach_to_instance_not_in_security_zone | Compute | You can't attach a boot volume in the security zone to a compute instance that isn't in the same security zone.
deny instance_in_security_zone_launch_from_boot_volume_not_in_security_zone | Compute, Compute Management | You can't launch a compute instance in the security zone if its boot volume isn't in the same security zone.
deny instance_not_in_security_zone_launch_from_boot_volume_in_security_zone | Compute, Compute Management | You can't launch a compute instance using a boot volume in the security zone if the instance isn't in the same security zone.
deny attached_block_volume_not_in_security_zone_move_to_compartment_in_security_zone | Block Storage | You can't move a block volume to the security zone if it's attached to a compute instance that isn't in the same security zone.
deny attached_boot_volume_not_in_security_zone_move_to_compartment_in_security_zone | Block Storage | You can't move a boot volume to the security zone if it's attached to a compute instance that isn't in the same security zone.
deny instance_in_security_zone_in_subnet_not_in_security_zone | Compute, Compute Management | A compute instance in the security zone can't use a subnet if it's not in the same security zone.
deny mount_target_in_security_zone_created_with_subnet_not_in_security_zone | File Storage | A mount target (File Storage) in the security zone can't use a subnet if it's not in the same security zone.
deny mount_target_not_in_security_zone_create_with_subnet_in_security_zone | File Storage | You can't create a mount target (File Storage) that uses a subnet in a security zone if the mount target isn't in the same security zone.
deny file_system_in_security_zone_export_via_mount_target_not_in_security_zone | File Storage | You can't export a file system in the security zone through a mount target (File Storage) that isn't in the same security zone.
deny file_system_not_in_security_zone_export_via_mount_target_in_security_zone | File Storage | You can't export a file system through a mount target (File Storage) in the security zone if the file system isn't in the same security zone.
deny dataguard_association_with_db_instances_not_in_security_zones | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | A database in the security zone can't have a Data Guard association with another database (primary/standby) if it's not in the same security zone.
deny db_instance_subnet_not_in_security_zone | Database (all types) | A database in the security zone can't use a subnet if it's not in the same security zone.
deny db_resource_association_not_in_security_zone | Database (Exadata DB systems) | Exadata Infrastructure resources in the security zone can't be associated with Container Databases or VM clusters that aren't in the same security zone.
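The movement and association policies in the two tables above all reduce to one test: is the resource's compartment in the same security zone as the compartment of the target it is being moved to, attached to, or launched in? The following added example (not Oracle's code or API) reproduces that test as a pre-flight check you can run over a planned change before the control plane denies it. The compartments, resources and zone names are constructed for the example; the policy strings returned are the names used in the tables, and the asymmetry between instances (which can't enter a zone from outside at all) and volumes (which can, unless still attached to an instance outside the zone) follows the table text.

```python
# Added example, not Oracle code: pre-flight evaluation of the same-security-zone
# rules behind the Restrict Resource Movement / Restrict Resource Association
# policies. All names below are constructed; the compartment -> zone map stands
# in for what the Security Zones service itself knows.
from dataclasses import dataclass
from typing import Optional

# Constructed compartment -> security zone map (None = not in any security zone).
ZONE_OF = {"prod-sz": "zone-A", "prod-sz-child": "zone-A",
           "other-sz": "zone-B", "sandbox": None}


@dataclass
class Resource:
    name: str
    kind: str                          # block_volume, boot_volume, instance, subnet, ...
    compartment: str
    attached_to: Optional[str] = None  # instance name, for attached volumes


def zone(compartment: str) -> Optional[str]:
    return ZONE_OF.get(compartment)


# "in security zone -> compartment not in the same security zone" policy per resource kind.
MOVE_OUT_POLICY = {
    "block_volume": "block_volume_in_security_zone_move_to_compartment_not_in_security_zone",
    "boot_volume": "boot_volume_in_security_zone_move_to_compartment_not_in_security_zone",
    "instance": "instance_in_security_zone_move_to_compartment_not_in_security_zone",
    "subnet": "subnet_in_security_zone_move_to_compartment_not_in_security_zone",
    "bucket": "bucket_in_security_zone_move_to_compartment_not_in_security_zone",
    "file_system": "file_system_in_security_zone_move_to_compartment_not_in_security_zone",
    "mount_target": "mount_target_in_security_zone_move_to_compartment_not_in_security_zone",
    "database": "db_instance_move_to_compartment_not_in_security_zone",
}


def check_move(res: Resource, target: str, inventory: dict) -> list:
    """Policies a 'move to compartment' request for `res` would violate."""
    src, dst = zone(res.compartment), zone(target)
    denied = []
    # Leaving the zone, or crossing into a different zone, is denied outright.
    if src is not None and dst != src and res.kind in MOVE_OUT_POLICY:
        denied.append(MOVE_OUT_POLICY[res.kind])
    if dst is not None and src != dst:
        # Instances can't be moved into the zone from outside it at all ...
        if res.kind == "instance":
            denied.append("instance_not_in_security_zone_move_to_compartment_in_security_zone")
        # ... volumes can, unless still attached to an instance outside the target zone.
        if res.kind in ("block_volume", "boot_volume") and res.attached_to:
            holder = inventory[res.attached_to]
            if zone(holder.compartment) != dst:
                denied.append(f"attached_{res.kind}_not_in_security_zone"
                              "_move_to_compartment_in_security_zone")
    return denied


def check_attach(volume: Resource, instance: Resource) -> list:
    """Policies an attach-volume request would violate (both directions are checked)."""
    vz, iz = zone(volume.compartment), zone(instance.compartment)
    denied = []
    if iz is not None and vz != iz:
        denied.append(f"{volume.kind}_not_in_security_zone_attach_to_instance_in_security_zone")
    if vz is not None and iz != vz:
        denied.append(f"{volume.kind}_in_security_zone_attach_to_instance_not_in_security_zone")
    return denied


def check_launch(instance_compartment: str, boot_volume: Resource, subnet: Resource) -> list:
    """Policies a launch-instance request would violate."""
    iz, bz, sz = zone(instance_compartment), zone(boot_volume.compartment), zone(subnet.compartment)
    denied = []
    if iz is not None and bz != iz:
        denied.append("instance_in_security_zone_launch_from_boot_volume_not_in_security_zone")
    if bz is not None and iz != bz:
        denied.append("instance_not_in_security_zone_launch_from_boot_volume_in_security_zone")
    if iz is not None and sz != iz:
        denied.append("instance_in_security_zone_in_subnet_not_in_security_zone")
    return denied


# Constructed inventory that exercises the instance/volume asymmetry.
INVENTORY = {r.name: r for r in [
    Resource("web-1", "instance", "prod-sz"),
    Resource("dev-1", "instance", "sandbox"),
    Resource("data-vol", "block_volume", "sandbox", attached_to="dev-1"),
    Resource("scratch-vol", "block_volume", "sandbox"),
    Resource("gold-boot", "boot_volume", "prod-sz"),
    Resource("app-subnet", "subnet", "prod-sz-child"),
    Resource("dev-subnet", "subnet", "sandbox"),
]}

if __name__ == "__main__":
    plan = [
        ("move web-1 -> sandbox", check_move(INVENTORY["web-1"], "sandbox", INVENTORY)),
        ("move data-vol -> prod-sz", check_move(INVENTORY["data-vol"], "prod-sz", INVENTORY)),
        ("move scratch-vol -> prod-sz", check_move(INVENTORY["scratch-vol"], "prod-sz", INVENTORY)),
        ("attach scratch-vol to web-1", check_attach(INVENTORY["scratch-vol"], INVENTORY["web-1"])),
        ("launch in prod-sz on dev-subnet",
         check_launch("prod-sz", INVENTORY["gold-boot"], INVENTORY["dev-subnet"])),
    ]
    for desc, result in plan:
        print(f"{desc}: {'DENIED ' + ', '.join(result) if result else 'allowed'}")
```

Note that `prod-sz-child` maps to the same zone as `prod-sz`, so a move between them is allowed: the policies test zone membership, not compartment identity. The detached `scratch-vol` may enter the zone, while `data-vol` is blocked only because `dev-1`, the instance it is attached to, stays outside.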

Deny Public Access

Resources in a security zone must not be accessible from the public internet.

When you create a private subnet, compute instances launched in that subnet can't have public IP addresses, so they can't be reached directly from the internet. For compute instances in a private subnet, a service gateway enables private access to public Oracle services such as Object Storage without the traffic traversing the internet. See Overview of Networking.

The following table describes the security zone policies that restrict network access.

Policy | Resource types | Description
deny public_subnets | Virtual Network (VCN) | Subnets in the security zone can't be public. They must be private.
deny internet_gateway | Virtual Network (VCN) | You can't add an internet gateway to a VCN (virtual cloud network) within the security zone.
deny public_buckets | Object Storage | Object Storage buckets in the security zone can't be public.
deny db_instance_public_access | Database (all types) | Databases in the security zone can't be assigned to public subnets. They must use private subnets.
deny public_load_balancer | Load Balancer | Load balancers in a security zone can't be public. All load balancers must be private.
deny cloud_shell_public_network | Cloud Shell | Cloud Shell hosts in a security zone can't have public network access.

Require Encryption

Resources in a security zone must be encrypted using customer-managed keys. Data must be encrypted while in transit and at rest.

Oracle Cloud Infrastructure Vault lets you manage the master encryption keys that protect your data and the secret credentials that you use to securely access resources. You can also regularly rotate encryption keys.

Many services integrate with the Vault service for encryption, including Object Storage and Block Volume.

The following table describes the security zone policies that enforce encryption.

Policy | Resource types | Description
deny block_volume_without_vault_key | Block Storage | Block volumes in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle.
deny boot_volume_without_vault_key | Block Storage | Boot volumes in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle.
deny buckets_without_vault_key | Object Storage | Object Storage buckets in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle.
deny file_system_without_vault_key | File Storage | File systems in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle.
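The Deny Public Access and Require Encryption policies are preventive: they reject the create or update call. They do nothing for resources that already exist in a compartment you intend to move into a security zone, and such a move is refused unless every policy is already satisfied. The following added example (not Oracle's code) audits a set of resource records for the conditions those two groups of policies would reject. The records are constructed inline; the field names used (`prohibit-public-ip-on-vnic` on subnets, `public-access-type` on buckets, `kms-key-id` on buckets, volumes and file systems, `is-private` on load balancers) are the keys the OCI CLI emits for those resource types, and the `ocid1...` values are placeholders.

```python
# Added example, not Oracle code: offline audit of constructed OCI-shaped
# records for the conditions behind the Deny Public Access and Require
# Encryption policies. Missing or null fields are treated as non-compliant
# (fail closed) so an incomplete export never hides a finding.
import json

# Constructed sample export; key names follow the OCI CLI's JSON output.
SAMPLE = json.loads("""
{
  "subnets": [
    {"id": "subnet-app", "vcn-id": "vcn-1", "prohibit-public-ip-on-vnic": true},
    {"id": "subnet-dmz", "vcn-id": "vcn-1", "prohibit-public-ip-on-vnic": false}
  ],
  "internet-gateways": [
    {"id": "igw-1", "vcn-id": "vcn-1"}
  ],
  "buckets": [
    {"name": "logs",   "public-access-type": "NoPublicAccess", "kms-key-id": "ocid1.key.oc1..placeholder"},
    {"name": "assets", "public-access-type": "ObjectRead",     "kms-key-id": null}
  ],
  "volumes": [
    {"id": "vol-1", "kms-key-id": "ocid1.key.oc1..placeholder"},
    {"id": "vol-2", "kms-key-id": null}
  ],
  "boot-volumes": [
    {"id": "boot-1"}
  ],
  "file-systems": [
    {"id": "fs-1", "kms-key-id": "ocid1.key.oc1..placeholder"}
  ],
  "load-balancers": [
    {"id": "lb-1", "is-private": true},
    {"id": "lb-2", "is-private": false}
  ]
}
""")


def audit_public_access(inv: dict) -> list:
    """(policy, resource) pairs the Deny Public Access policies would reject."""
    findings = []
    for s in inv.get("subnets", []):
        # A subnet is private only when public IPs on VNICs are prohibited.
        if s.get("prohibit-public-ip-on-vnic") is not True:
            findings.append(("public_subnets", s["id"]))
    # Any internet gateway at all is denied, regardless of route tables.
    for igw in inv.get("internet-gateways", []):
        findings.append(("internet_gateway", igw["id"]))
    for b in inv.get("buckets", []):
        if b.get("public-access-type") != "NoPublicAccess":
            findings.append(("public_buckets", b["name"]))
    for lb in inv.get("load-balancers", []):
        if lb.get("is-private") is not True:
            findings.append(("public_load_balancer", lb["id"]))
    return findings


def audit_encryption(inv: dict) -> list:
    """(policy, resource) pairs the Require Encryption policies would reject.

    A null/absent kms-key-id means the resource uses the Oracle-managed default key.
    """
    checks = [
        ("buckets", "name", "buckets_without_vault_key"),
        ("volumes", "id", "block_volume_without_vault_key"),
        ("boot-volumes", "id", "boot_volume_without_vault_key"),
        ("file-systems", "id", "file_system_without_vault_key"),
    ]
    findings = []
    for collection, key_field, policy in checks:
        for r in inv.get(collection, []):
            if not r.get("kms-key-id"):
                findings.append((policy, r[key_field]))
    return findings


def audit(inv: dict) -> list:
    """All findings, ordered as the tables above list the policies."""
    return audit_public_access(inv) + audit_encryption(inv)


if __name__ == "__main__":
    for policy, resource in audit(SAMPLE):
        print(f"deny {policy}: {resource}")
```

To run this against a real compartment, replace `SAMPLE` with the `data` arrays from the corresponding `oci network subnet list`, `oci network internet-gateway list`, `oci os bucket list` (plus `oci os bucket get` for the access type and key), `oci bv volume list`, `oci bv boot-volume list`, `oci fs file-system list` and `oci lb load-balancer list` calls; each finding names the policy that would block the move into the zone.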

Ensure Data Durability

Automatic backups must be performed regularly for resources in a security zone.

The following table describes the security zone policy that enforces data durability.

Policy | Resource types | Description
deny database_without_backup | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | Databases in the security zone must be configured to perform automatic backups.

See Database Back Up and Recovery.

Ensure Data Security

Data in a security zone is considered privileged and can't be copied outside of the security zone.

The following table describes the security zone policies that enforce data security.

Policy | Resource types | Description
deny database_not_in_security_zone_create_from_backup_in_security_zone | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | You can't use a database backup in the security zone to create a database that isn't in the same security zone.
deny database_in_security_zone_create_clone_not_in_security_zone | Database (Virtual machine DB systems, Autonomous Database) | You can't clone a database in the security zone to create a database that isn't in the same security zone.
deny file_system_in_security_zone_clone_to_compartment_not_in_security_zone | File Storage | You can't clone a file system in a security zone to create a file system that isn't in the same security zone.

Use Only Configurations Approved by Oracle

Oracle requires certain security features to be enabled and configured for the resources within a security zone. One example is the operating system configuration of a compute instance (Compute), which is why instances in a security zone must be built from a platform image rather than a custom image.

The following table describes the security zone policies that require configurations that are approved by Oracle.

Policy | Resource types | Description
deny instance_without_sanctioned_image | Compute, Compute Management | You must create a compute instance in the security zone using a platform image. You can't create a compute instance in the security zone from a custom image.
deny free_database_creation | Database (all types) | You can't create an Always Free database instance in the security zone.
deny security_list_to_allow_traffic_to_restricted_port | Virtual Network (VCN) | You can't create or modify a security list to allow traffic to restricted ports in the security zone.
deny delete_network_security_group | Virtual Network (VCN) | You can't delete a VCN network security group in the security zone.
deny load_balancer_with_weak_SSL_communication | Load Balancer | The SSL policy for a load balancer listener in the security zone must use TLS 1.2 or later.
deny network_security_group_with_unsecure_ingress_rule | Virtual Network (VCN) | You can't add a network security group with a rule that allows ingress from insecure IP addresses or to insecure ports in the security zone.
deny revoke_certificate_authority_version | Certificates Management | You can't revoke an intermediate certificate in a certificate authority (CA) bundle in the security zone.
deny delete_vcn | Virtual Network (VCN) | You can't delete a VCN in the security zone.
deny update_route_table | Virtual Network (VCN) | You can't update a VCN route table in the security zone.
deny update_network_security_group_ingress_rule | Virtual Network (VCN) | You can't modify a network security group's ingress rules in the security zone.
deny update_network_security_group_egress_rule | Virtual Network (VCN) | You can't modify a network security group's egress rules in the security zone.
deny delete_vcn_security_list | Virtual Network (VCN) | You can't delete a VCN security list in the security zone.
deny update_vcn_security_list_ingress_rules | Virtual Network (VCN) | You can't modify the ingress security rules of a VCN security list in the security zone.
deny update_vcn_security_list_egress_rules | Virtual Network (VCN) | You can't modify the egress security rules of a VCN security list in the security zone.
deny update_DHCP_options | Virtual Network (VCN) | You can't update DHCP options in the security zone.
deny update_local_peering_gateway | Virtual Network (VCN) | You can't update a local peering gateway in the security zone.
deny detach_volume | Block Storage | You can't detach a volume in the security zone.
deny delete_certificate_authority | Certificates Management | You can't delete a certificate authority in the security zone.