Master Encryption Keys in Autonomous Database on Dedicated Exadata Infrastructure

By default, Autonomous Database on Dedicated Exadata Infrastructure creates and manages all the master encryption keys used to protect your data, storing them in a secure PKCS 12 keystore on the same Exadata systems where the databases reside.

If your company's security policies require it, Oracle Autonomous Database on Dedicated Exadata Infrastructure can instead use keys that you create and manage.

For Oracle Autonomous Database on Dedicated Exadata Infrastructure on Oracle Cloud, you use the Oracle Cloud Infrastructure Vault service to create and manage keys, and for Oracle Autonomous Database on Dedicated Exadata Infrastructure on Exadata Cloud@Customer you use Oracle Key Vault.

Caution:

Because customer-managed keys are stored in a separate key vault external to the database host, any configuration change or interruption that makes the key vault inaccessible to a database using its keys renders that database's data inaccessible.

Additionally, regardless of whether you use Oracle-managed or customer-managed keys, you can rotate the keys used in existing databases when needed in order to meet your company security policies. See Rotate the Encryption Keys for more details.

Prepare to Use Customer-Managed Keys in the Vault Service

Before you can use customer-managed keys stored in the Vault service, you must perform a number of preparatory configuration tasks to create a vault and master encryption keys and then make that vault and its keys available to Autonomous Database; specifically:

  1. Use the Vault service to create a vault containing at least one valid master encryption key.
  2. Use the Networking service to add a service gateway, a route rule and an egress security rule to the VCN (Virtual Cloud Network) and subnets where your Autonomous Database resources reside.
  3. Use the IAM service to create a dynamic group identifying your Autonomous Database resources and a policy statement granting that dynamic group access to the master encryption keys you created.

Tip:

For a "try it out" alternative that demonstrates these instructions, see Lab 17: Customer Controlled Database Encryption Keys in Oracle Autonomous Database Dedicated for Security Administrators.

Before You Begin: Compartment Hierarchy Best Practice

Oracle recommends that you create a compartment hierarchy for your Oracle Autonomous Database on Dedicated Exadata Infrastructure deployment as follows:

  • A "parent" compartment for the entire deployment
  • "Child" compartments for each of the various kinds of resources:
    • Autonomous Databases
    • Autonomous Container Databases and infrastructure resources (Exadata Infrastructures and Autonomous Exadata VM Clusters)
    • The VCN (Virtual Cloud Network) and its subnets
    • Vaults that contain your customer-managed keys

Following this best practice is especially important when using customer-managed keys because the policy statement you create to grant Oracle Autonomous Database on Dedicated Exadata Infrastructure access to your keys must be added to a policy that is higher in your compartment hierarchy than the compartment containing your vaults and their keys.

Task 1. Create a Vault and a Master Encryption Key

Create a vault in the Vault service by following the instructions in To create a new vault in Oracle Cloud Infrastructure Documentation. When following these instructions, Oracle recommends that you create the vault in a compartment created specifically to contain the vaults containing customer-managed keys, as described in Before You Begin: Compartment Hierarchy Best Practice.

After creating the vault, create at least one master encryption key in the vault by following the instructions in To create a new master encryption key in Oracle Cloud Infrastructure Documentation. When following these instructions, make these choices:

  • Create in Compartment: Oracle recommends that you create the master encryption key in the same compartment as its vault; that is, the compartment created specifically to contain the vaults containing customer-managed keys.
  • Protection Mode: Choose an appropriate value from the drop-down list:
    • HSM to create a master encryption key that is stored and processed on a hardware security module (HSM).
    • Software to create a master encryption key that is stored in a software file system in the Vault service. Software-protected keys are protected at rest using an HSM-based root key. You may export software keys to other key management devices or to a different OCI cloud region. Unlike HSM keys, software-protected keys are free of cost.
  • Key Shape Algorithm: AES
  • Key Shape Length: 256 bits

Oracle strongly recommends that you create a separate master encryption key for each of your Autonomous Container Databases. Doing so makes management of key rotation over time much simpler.

Task 2. Create a Service Gateway, a Route Rule and an Egress Security Rule

Create a service gateway in the VCN (Virtual Cloud Network) where your Autonomous Database resources reside by following the instructions in Task 1: Create the service gateway in Oracle Cloud Infrastructure Documentation.

After creating the service gateway, add a route rule and an egress security rule to each subnet (in the VCN) where Autonomous Database resources reside so that these resources can use the gateway to access the Vault service:

  1. Go to the Subnet Details page for the subnet.

  2. In the Subnet Information tab, click the name of the subnet's Route Table to display its Route Table Details page.

  3. In the table of existing Route Rules, check whether there is already a rule with the following characteristics:

    • Destination: All IAD Services In Oracle Services Network
    • Target Type: Service Gateway
    • Target: The name of the service gateway you just created in the VCN

    If such a rule does not exist, click Add Route Rules and add a route rule with these characteristics.

  4. Return to the Subnet Details page for the subnet.

  5. In the subnet's Security Lists table, click the name of the subnet's security list to display its Security List Details page.

  6. In the side menu, under Resources, click Egress Rules.

  7. In the table of existing Egress Rules, check whether there is already a rule with the following characteristics:

    • Stateless: No
    • Destination: All IAD Services In Oracle Services Network
    • IP Protocol: TCP
    • Source Port Range: All
    • Destination Port Range: 443

    If such a rule does not exist, click Add Egress Rules and add an egress rule with these characteristics.

Task 3. Create a Dynamic Group and a Policy Statement

To grant your Autonomous Database resources permission to access customer-managed keys, you create an IAM dynamic group that identifies these resources and then create an IAM policy that grants this dynamic group access to the master encryption keys you created in the Vault service.

When defining the dynamic group, you identify your Autonomous Database resources by specifying the OCID of the compartment containing your Exadata Infrastructure resource.

  1. Copy the OCID of the compartment containing your Exadata Infrastructure resource. You can find this OCID on the Compartment Details page of the compartment.

  2. Create a dynamic group by following the instructions in To create a dynamic group in Oracle Cloud Infrastructure Documentation. When following these instructions, enter a matching rule of this format:

    ALL {resource.compartment.id ='<compartment-ocid>'}

    where <compartment-ocid> is the OCID of the compartment containing your Exadata Infrastructure resource.

After creating the dynamic group, navigate to (or create) an IAM policy in a compartment higher up in your compartment hierarchy than the compartment containing your vaults and keys. Then, add a policy statement of this format:

    allow dynamic-group <dynamic-group>
    to manage keys
    in compartment <vaults-and-keys-compartment>
    where all {
      target.key.id='<key_ocid>',
      request.permission!='KEY_DELETE',
      request.permission!='KEY_MOVE',
      request.permission!='KEY_IMPORT',
      request.permission!='KEY_BACKUP'
    }

If you are using a replicated virtual private vault for the Autonomous Data Guard deployment, add an additional policy statement of this format:

    allow dynamic-group <dynamic-group>
    to read vaults
    in tenancy | compartment <vaults-and-keys-compartment>

where <dynamic-group> is the name of the dynamic group you created, <vaults-and-keys-compartment> is the name of the compartment in which you created your vaults and master encryption keys, and <key_ocid> is the OCID of the master encryption key created in Task 1.
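The following Python check is an added example, not code from the Oracle documentation. It parses the dynamic-group matching rule from step 2 and the key policy statement above, and reports any deviation from the template that would widen the grant: a missing where clause, an `any {...}` quantifier (one true condition would then satisfy the whole clause), a missing target.key.id restriction, or a missing exclusion of KEY_DELETE, KEY_MOVE, KEY_IMPORT or KEY_BACKUP. The group name, compartment name and OCIDs used in the demonstration are constructed placeholders.

```python
import re

# Permissions the page's template denies to the database: it may use and rotate
# its key but must never be able to delete, move, import or back it up.
FORBIDDEN_PERMISSIONS = {"KEY_DELETE", "KEY_MOVE", "KEY_IMPORT", "KEY_BACKUP"}

RULE_RE = re.compile(r"^ALL\s*\{\s*resource\.compartment\.id\s*=\s*'([^']+)'\s*\}$", re.I)
STMT_RE = re.compile(
    r"^allow\s+dynamic-group\s+(\S+)\s+to\s+(\w+)\s+(\S+)\s+in\s+compartment\s+(\S+)"
    r"(?:\s+where\s+(all|any)\s*\{(.*)\})?$", re.I)
COND_RE = re.compile(r"^\s*([\w.]+)\s*(!=|=)\s*'([^']*)'\s*$")


def compartment_from_matching_rule(rule):
    # Accepts only the page's form: ALL {resource.compartment.id ='<compartment-ocid>'}
    m = RULE_RE.match(rule.strip())
    if not m or not m.group(1).startswith("ocid1.compartment."):
        raise ValueError("rule must be ALL {resource.compartment.id = '<compartment-ocid>'}")
    return m.group(1)


def check_key_policy(statement, dynamic_group, compartment, key_ocid):
    """Return a list of findings; an empty list means the statement follows the template."""
    m = STMT_RE.match(" ".join(statement.split()))  # collapse line breaks and spacing
    if not m:
        return ["statement does not parse as 'allow dynamic-group ... in compartment ...'"]
    group, verb, resource, comp, quantifier, body = m.groups()
    findings = []
    if group != dynamic_group:
        findings.append(f"grants {group}, expected {dynamic_group}")
    if verb.lower() != "manage" or resource.lower() != "keys":
        findings.append(f"grants '{verb} {resource}', template expects 'manage keys'")
    if comp != compartment:
        findings.append(f"scoped to compartment {comp}, expected {compartment}")
    if quantifier is None:
        return findings + ["no where clause: every key in the compartment is exposed"]
    if quantifier.lower() != "all":
        findings.append("'any {...}' lets a single true condition satisfy the clause; use 'all'")
    conds = {}  # (variable, operator) -> set of quoted values
    for part in body.split(","):
        c = COND_RE.match(part)
        if not c:
            findings.append(f"unparseable condition: {part.strip()}")
            continue
        conds.setdefault((c.group(1).lower(), c.group(2)), set()).add(c.group(3))
    if key_ocid not in conds.get(("target.key.id", "="), set()):
        findings.append(f"not restricted to target.key.id='{key_ocid}'")
    missing = FORBIDDEN_PERMISSIONS - conds.get(("request.permission", "!="), set())
    if missing:
        findings.append("still permits " + ", ".join(sorted(missing)))
    return findings
```

Run it against the policy text before saving it in the console; a non-empty list is a grant the database does not need and, for KEY_DELETE in particular, one that could make its own data unreadable.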

Prepare to Use Customer-Managed Keys in Oracle Key Vault

Oracle Key Vault is a full-stack, security-hardened software appliance built to centralize the management of keys and security objects within your enterprise. You integrate your on-premises Oracle Key Vault deployment with Oracle Autonomous Database on Dedicated Exadata Infrastructure on Exadata Cloud@Customer to create and manage your own master keys.

Before you can use customer-managed keys stored in Oracle Key Vault, you must perform a number of preparatory configuration tasks as described in Setting Up Your Exadata Cloud@Customer to Work With Oracle Key Vault in Exadata Cloud@Customer Configuration and Administration Guide.

Use Customer-Managed Keys

After performing the necessary configuration steps to enable using customer-managed keys in Oracle Autonomous Database on Dedicated Exadata Infrastructure instead of Oracle-managed keys, the technique to actually use them is quite simple:

  1. Create an Autonomous Container Database that specifies the use of customer-managed keys instead of Oracle-managed keys.
  2. Create Autonomous Databases in the Autonomous Container Database.

The Autonomous Databases you create automatically use customer-managed keys because the Autonomous Container Database in which they are created is configured to use customer-managed keys. Thus, those users who create and manage Autonomous Databases do not have to worry about configuring their databases to use customer-managed keys.

See Create an Autonomous Container Database to create an Autonomous Container Database that uses customer-managed keys.