Overview of Security Zones

Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, Block Volume and Database resources, comply with your security policies.

A security zone is associated with one or more compartments and a security zone recipe. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the list of policies that are defined in the security zone recipe. If any security zone policy is violated, then the operation is denied. By default, a compartment and any subcompartments are in the same security zone, but you can also create a different security zone for a subcompartment.

For example, a security zone policy forbids the creation of public buckets  in Object Storage. If you try to create a public bucket in a security zone that has this policy, or if you try to modify an existing storage bucket and make it public, you receive an error message. Similarly, you can't move an existing resource to a compartment in a security zone unless the existing resource meets all policies in the security zone.

Your tenancy has a predefined recipe named Maximum Security Recipe, which includes a number of curated security zone policies. Oracle manages this recipe and you can't modify it. You can, however, create your own recipes that meet your specific security requirements.

You must enable Oracle Cloud Guard before you create Security Zones. Cloud Guard helps you detect policy violations in existing resources that were created before the security zone.

Tip

Watch a video introduction to the service.

Security Zones Concepts

Understand key concepts and components related to Security Zones.

The following diagram provides a high-level overview of Security Zones.


Resources in a region are organized into two compartments. One of the compartments is associated with a security zone, a security zone recipe, and a security zone target in Cloud Guard.
Security zone
An association between a compartment (and zero or more subcompartments) and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.
A security zone includes a compartment and all of its subcompartments, unless you explicitly remove a subcompartment from the security zone, or create a separate zone for the subcompartment.
A compartment cannot be associated with more than one security zone.
Security zone recipe
A collection of security zone policies that Oracle Cloud Infrastructure enforces on security zones that use the recipe.
Security zone policy
A security requirement for resources in a security zone. If a security zone enables a policy, then any action that attempts to violate that policy is denied.
Security zone target (Cloud Guard)
A compartment in which Cloud Guard periodically checks resources for security zone policy violations.
A target includes all subcompartments unless you create a separate target for the subcompartment.
A target is associated with one or more detector recipes. Each detector recipe defines a list of potential security problems.

A security zone policy differs from an IAM policy in the following ways:

  • Administrators create IAM policies to grant users the ability to manage certain resources in a compartment.
  • A security zone policy ensures that these management operations comply with the Oracle maximum security architecture and best practices.
  • A security zone policy is validated regardless of which user is performing the operation.
  • A security zone policy denies certain actions; it doesn't grant capabilities.

Security Principles

In general, security zone policies align with the following core security principles.

  • Resources in a security zone can’t be moved to a compartment outside of the security zone because it might be less secure.
  • All the required components for a resource in a security zone must also be located in the same security zone. Resources that are not in a security zone might be vulnerable, and resources in a different security zone might have a lower security posture.

    For example, an instance (Compute)  in a security zone can't use a boot volume  that is not in the same security zone.

  • Resources in a security zone must not be accessible from the public internet.
  • Resources in a security zone must be encrypted using customer-managed keys.
  • Resources in a security zone must be regularly and automatically backed up.
  • Data in a security zone is considered privileged and can't be copied outside of the security zone because it might be less secure.
  • Resources in a security zone must use only configurations and templates approved by Oracle.

Security Zones and Cloud Guard

Understand the relationships between compartments, security zones, recipes, and targets.

After you create a security zone for a compartment, it automatically prevents operations, such as creating or modifying resources, that violate the security zone's policies. However, existing resources that were created before the security zone might also violate policies. Security Zones integrates with Cloud Guard to identify policy violations in existing resources.

Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weaknesses in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.

Here are some key Cloud Guard concepts:

Detector recipe
Defines the types of cloud resources and security problems that you want Cloud Guard to monitor.
Cloud Guard provides some default Oracle-managed detector recipes, and you can also create custom recipes.
Target
A compartment that you want Cloud Guard to monitor, and is associated with a Cloud Guard recipe.
A target can be associated with multiple detector recipes, but only one of each type (configuration, activity, and so on).
Security zone target
A type of Cloud Guard target that is also associated with a security zone. The target monitors resources in the compartment for security zone policy violations.
When you create a security zone for a compartment, Cloud Guard completes the following tasks:
  • Deletes any existing Cloud Guard target for the compartment and for any child compartments
  • Creates a security zone target for the compartment
  • Adds the default Oracle-managed detector recipes to the security zone target

The following diagram illustrates the Cloud Guard configuration for a new security zone:


A security zone has a parent compartment and two child compartments. The parent compartment is associated with a security zone target in Cloud Guard. The security zone target is associated with default detector recipes.

When you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard performs the following tasks:

  • Creates a separate security zone target for the subcompartment
  • Adds the default Oracle-managed detector recipes to the new security zone target

No changes are made to the existing Cloud Guard target for the parent compartment.

The following diagram illustrates the Cloud Guard configuration for a new security zone in a subcompartment:


The parent compartment is in a security zone and the child compartment is in a different security zone. Each compartment is associated with a different security zone target in Cloud Guard. The security zone target for the child compartment is associated with default detector recipes.

A single compartment can't be in multiple security zones, and also can't be in multiple Cloud Guard targets.

To learn more about Cloud Guard, see Cloud Guard Concepts.

Ways to Access Security Zones

You can access Security Zones using the Console (a browser-based interface), REST APIs, the Command Line Interface (CLI), or SDKs.

Instructions for the Console, API, and CLI are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.

Note

The Security Zones APIs are available from the Cloud Guard endpoints.

To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You will be prompted to enter your cloud tenant, your user name, and your password.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments , and policies  that control which users can access which services, which resources, and the type of access. For example, policies control who can create users, create and manage a VCN (virtual cloud network) , launch instances, and create buckets .

  • If you're a new administrator, see Getting Started with Policies.
  • For specific details about writing policies for this service, see Cloud Guard Policies. The individual resource types for Security Zones are included in the aggregate type cloud-guard-family.
  • For specific details about writing policies for other services, see Policy Reference.

Security

In addition to creating IAM policies, follow these other security best practices for Security Zones.

See Securing Security Zones.

Limits

When you sign up for Oracle Cloud Infrastructure, a set of service limits is configured for your tenancy. These limits restrict the total number of Security Zones resources that you can create.

See Service Limits for instructions on requesting a limit increase.

Resource Identifiers

Security zone resources, like most types of resources in Oracle Cloud Infrastructure, have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).

For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Monitoring

Security Zones integrates with other monitoring services in Oracle Cloud Infrastructure.

  • The Audit service automatically records calls to all public Cloud Guard API endpoints as log entries. These endpoints include all Security Zones operations. See Overview of Audit.
  • The Events service allows your development teams to automatically respond when a Security Zones resource changes its state. See Cloud Guard Events.

Getting Started

To get started, create a security zone for an existing compartment using either an Oracle-managed or a custom recipe, and then check for any policy violations.

See Getting Started with Security Zones.