Overview of Security Zones

Understand key concepts and components related to Security Zones.

The following diagram provides a high-level overview of Security Zones.

Security zone

An association between a compartment (and zero or more subcompartments) and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.

A security zone includes a compartment and all of its subcompartments, unless you explicitly remove a subcompartment from the security zone, or create a separate zone for the subcompartment.

A compartment cannot be associated with more than one security zone.

Security zone recipe

A collection of security zone policies that Oracle Cloud Infrastructure enforces on security zones that use the recipe.

Security zone policy

A security requirement for resources in a security zone. If a security zone enables a policy, then any action that attempts to violate that policy is denied.

Security zone target (Cloud Guard)

A compartment in which Cloud Guard periodically checks resources for security zone policy violations.

A target includes all subcompartments unless you create a separate target for the subcompartment.

A target is associated with one or more detector recipes. Each detector recipe defines a list of potential security problems.

A security zone policy differs from an IAM policy in the following ways:

• Administrators create IAM policies to grant users the ability to manage certain resources in a compartment.
• A security zone policy ensures that these management operations comply with the Oracle maximum security architecture and best practices.
• A security zone policy is validated regardless of which user is performing the operation.
• A security zone policy denies certain actions; it doesn't grant capabilities.

In general, security zone policies align with the following core security principles.

• Resources in a security zone can't be moved to a compartment outside of the security zone because it might be less secure.
• All the required components for a resource in a security zone must also be located in the same security zone. Resources that are not in a security zone might be vulnerable, and resources in a different security zone might have a lower security posture.

  For example, an instance (Compute)  in a security zone can't use a boot volume  that is not in the same security zone.

• Resources in a security zone must not be accessible from the public internet.
• Resources in a security zone must be encrypted using customer-managed keys.
• Resources in a security zone must be regularly and automatically backed up.
• Data in a security zone is considered privileged and can't be copied outside of the security zone because it might be less secure.
• Resources in a security zone must use only configurations and templates approved by Oracle.

Understand the relationships between compartments, security zones, recipes, and targets.

After you create a security zone for a compartment, it automatically prevents operations, such as creating or modifying resources, that violate the security zone's policies. However, existing resources that were created before the security zone might also violate policies. Security Zones integrates with Cloud Guard to identify policy violations in existing resources.

Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weaknesses in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.

Here are some key Cloud Guard concepts:

Detector recipe

Defines the types of cloud resources and security problems that you want Cloud Guard to monitor.

Cloud Guard provides some default Oracle-managed detector recipes, and you can also create custom recipes.

Target

A compartment that you want Cloud Guard to monitor, and is associated with a Cloud Guard recipe.

A target can be associated with multiple detector recipes, but only one of each type (configuration, activity, and so on).

Security zone target

A type of Cloud Guard target that is also associated with a security zone. The target monitors resources in the compartment for security zone policy violations.

The following diagram illustrates the Cloud Guard configuration for a new security zone:

When you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard performs the following tasks:

• Creates a separate security zone target for the subcompartment
• Adds the default Oracle-managed detector recipes to the new security zone target

No changes are made to the existing Cloud Guard target for the parent compartment.

The following diagram illustrates the Cloud Guard configuration for a new security zone in a subcompartment:

A single compartment can't be in multiple security zones, and also can't be in multiple Cloud Guard targets.

To learn more about Cloud Guard, see Cloud Guard Concepts.

You can access Security Zones using the Console (a browser-based interface), REST APIs, the Command Line Interface (CLI), or SDKs.

Instructions for the Console, API, and CLI are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.

To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You will be prompted to enter your cloud tenant, your user name, and your password.

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments , and policies  that control which users can access which services, which resources, and the type of access. For example, policies control who can create users, create and manage a VCN (virtual cloud network) , launch instances, and create buckets .

• If you're a new administrator, see Getting Started with Policies.
• For specific details about writing policies for this service, see Cloud Guard Policies. The individual resource types for Security Zones are included in the aggregate type cloud-guard-family.
• For specific details about writing policies for other services, see Policy Reference.

In addition to creating IAM policies, follow these other security best practices for Security Zones.

See Securing Security Zones.

When you sign up for Oracle Cloud Infrastructure, a set of service limits is configured for your tenancy. These limits restrict the total number of Security Zones resources that you can create.

• Cloud Guard Limits

See Service Limits for instructions on requesting a limit increase.

Security zone resources, like most types of resources in Oracle Cloud Infrastructure, have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).

For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Security Zones integrates with other monitoring services in Oracle Cloud Infrastructure.

• The Audit service automatically records calls to all public Cloud Guard API endpoints as log entries. These endpoints include all Security Zones operations. See Overview of Audit.
• The Events service allows your development teams to automatically respond when a Security Zones resource changes its state. See Security Zones Events.