Cloud Guard Changes when a Security Zone is Deleted

When you delete a security zone, the Cloud Guard configuration is also changed. The specific changes in Cloud Guard depend on the existing targets and security zones in the compartment hierarchy.

This page explains five scenarios for how Cloud Guard configuration can change when a security zone is deleted.

No Dependencies

In the simplest case, the existing security zone target for this zone's parent compartment is replaced with a standard Cloud Guard target.

The new target includes the default Oracle-managed configuration and activity detector recipes, and doesn't detect security zone policy violations. No changes are made to any of the existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the parent compartment is deleted:


The parent compartment has two subcompartments. None of the compartments are in a security zone. The parent compartment is associated with a standard target in Cloud Guard. The target is associated with the default detector recipes.

Parent Compartment Is in a Different Zone

The primary compartment for the deleted security zone has a parent compartment that's in a different zone. Deleting this security zone results in the compartment becoming part of the parent compartment's zone.

The security zone target for the child compartment is deleted in Cloud Guard. No changes are made to the parent compartment's security zone target, or to any of the existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the child compartment is deleted:


The parent compartment has two child compartments, and all of them are in the same security zone. The parent compartment is associated with a security zone target in Cloud Guard. The target is associated with detector recipes.

Parent Compartment Has a Standard Cloud Guard Target

The primary compartment for the deleted security zone has a parent compartment that's associated with a standard target in Cloud Guard. Deleting this security zone results in the compartment becoming part of the parent compartment's Cloud Guard target.

The existing security zone target for this zone's primary compartment is deleted in Cloud Guard. This compartment (and any child compartments previously in this zone) inherits the existing Cloud Guard target for the parent compartment. This standard target doesn't detect security zone policy violations. No changes are made to any of the existing Cloud Guard targets and detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the child compartment is deleted:


The highlighted compartment has a parent compartment and a child compartment. None of the compartments is in a security zone. The parent compartment is associated with a standard target in Cloud Guard. The target is associated with detector recipes.

Child Compartment Is in a Different Zone

The compartment for the deleted security zone has one or more child compartments that are in different zones. Deleting this security zone has no effect on the other security zones.

The existing security zone target for this zone's parent compartment is replaced with a standard Cloud Guard target. The new target has the same detector recipes as the deleted security zone target, and doesn't detect security zone policy violations. The child compartments that are in different security zones are unaffected. No changes are made to any of the existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the parent compartment is deleted:


The parent compartment isn't in a security zone, and it has a child compartment that's in a security zone. The parent compartment is associated with a standard Cloud Guard target. The standard target is associated with the same detector recipes that it had previously. The child compartment is associated with a security zone target in Cloud Guard. The security zone target is associated with different detector recipes.

Child Compartment Has a Standard Cloud Guard Target

The compartment for the deleted security zone has one or more child compartments that are not in a security zone and are associated with standard Cloud Guard targets. Deleting this security zone has no effect on the child compartments.

The existing security zone target for this zone's parent compartment is replaced with a standard Cloud Guard target. The new target has the same detector recipes as the deleted security zone target, and doesn't detect security zone policy violations. The child compartments that were removed from the security zone and have separate Cloud Guard targets are unaffected. No changes are made to any of the existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the parent compartment is deleted:


Neither the parent compartment nor its child compartment is in a security zone. The parent compartment is associated with a standard Cloud Guard target. The standard target is associated with the same detector recipes that it had previously. The child compartment is associated with a different Cloud Guard target and different detector recipes.
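
The five scenarios above depend on what sits above and below the deleted zone's compartment in the hierarchy. The following Python model is an added example, not Oracle code or an OCI API call: it uses a constructed hierarchy to predict which scenario applies before a zone is deleted, and whether security zone policy violations are still detected afterward. Walking up to the nearest ancestor with a target, checking the parent before the children, and the names used here are assumptions of this model.

```python
# Added example: a simplified model of this page's five scenarios, not an OCI API.
# Each compartment records its parent and the target attached directly to it:
# "zone" (security zone target), "standard", or None (inherits from an ancestor).

def nearest_ancestor_target(tree, name):
    """Walk up the hierarchy; return the first target kind found, or None."""
    parent = tree[name]["parent"]
    while parent is not None:
        if tree[parent]["target"]:
            return tree[parent]["target"]
        parent = tree[parent]["parent"]
    return None

def descendant_targets(tree, name):
    """Collect target kinds attached directly to any descendant compartment."""
    kinds, stack = set(), [name]
    while stack:
        current = stack.pop()
        for child, info in tree.items():
            if info["parent"] == current:
                if info["target"]:
                    kinds.add(info["target"])
                stack.append(child)
    return kinds

def predict_zone_deletion(tree, name):
    """Return (scenario, target after deletion, zone violations still detected)."""
    if tree[name]["target"] != "zone":
        raise ValueError(f"{name} is not the compartment of a security zone")
    above = nearest_ancestor_target(tree, name)  # assumption: parent checked first
    if above == "zone":
        return ("Parent Compartment Is in a Different Zone", "parent's security zone target", True)
    if above == "standard":
        return ("Parent Compartment Has a Standard Cloud Guard Target", "parent's standard target", False)
    below = descendant_targets(tree, name)
    if "zone" in below:
        scenario = "Child Compartment Is in a Different Zone"
    elif "standard" in below:
        scenario = "Child Compartment Has a Standard Cloud Guard Target"
    else:
        scenario = "No Dependencies"
    return (scenario, "new standard target", False)

# Constructed hierarchy: root -> prod (zone) -> payments (own zone); root -> dev (zone)
SAMPLE = {
    "root": {"parent": None, "target": None},
    "prod": {"parent": "root", "target": "zone"},
    "payments": {"parent": "prod", "target": "zone"},
    "dev": {"parent": "root", "target": "zone"},
}
```

A result whose last element is False marks a deletion after which the compartment is covered only by a standard target, which doesn't detect security zone policy violations.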