Overview of Security Zones
Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, Block Volume and Database resources, comply with your security policies.
A security zone is associated with one or more compartments and a security zone recipe. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the list of policies that are defined in the security zone recipe. If any security zone policy is violated, then the operation is denied. By default, a compartment and any subcompartments are in the same security zone, but you can also create a different security zone for a subcompartment.
For example, a security zone policy forbids the creation of public buckets in Object Storage. If you try to create a public bucket in a security zone that has this policy, or if you try to modify an existing storage bucket and make it public, you receive an error message. Similarly, you can't move an existing resource to a compartment in a security zone unless the existing resource meets all policies in the security zone.
Your tenancy has a predefined recipe named Maximum Security Recipe, which includes a number of curated security zone policies. Oracle manages this recipe and you can't modify it. You can, however, create your own recipes that meet your specific security requirements.
You must enable Oracle Cloud Guard before you create Security Zones. Cloud Guard helps you detect policy violations in existing resources that were created before the security zone.
Security Zones Concepts
Understand key concepts and components related to Security Zones.
The following diagram provides a high-level overview of Security Zones.
- Security zone: An association between a compartment (and zero or more subcompartments) and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.
- Security zone recipe: A collection of security zone policies that Oracle Cloud Infrastructure enforces on security zones that use the recipe.
- Security zone policy: A security requirement for resources in a security zone. If a security zone enables a policy, then any action that attempts to violate that policy is denied.
- Security zone target (Cloud Guard): A compartment in which Cloud Guard periodically checks resources for security zone policy violations.
A security zone policy differs from an IAM policy in the following ways:
- Administrators create IAM policies to grant users the ability to manage certain resources in a compartment.
- A security zone policy ensures that these management operations comply with the Oracle maximum security architecture and best practices.
- A security zone policy is validated regardless of which user is performing the operation.
- A security zone policy denies certain actions; it doesn't grant capabilities.
Security Principles
In general, security zone policies align with the following core security principles.
- Resources in a security zone can't be moved to a compartment outside of the security zone because it might be less secure.
- All the required components for a resource in a security zone must also be located in the same security zone. Resources that are not in a security zone might be vulnerable, and resources in a different security zone might have a lower security posture.
For example, an instance (Compute) in a security zone can't use a boot volume that is not in the same security zone.
- Resources in a security zone must not be accessible from the public internet.
- Resources in a security zone must be encrypted using customer-managed keys.
- Resources in a security zone must be regularly and automatically backed up.
- Data in a security zone is considered privileged and can't be copied outside of the security zone because it might be less secure.
- Resources in a security zone must use only configurations and templates approved by Oracle.
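To make the enforcement model described above concrete (operations are validated against every policy in the zone's recipe, subcompartments inherit the parent's zone, IAM grants while zone policies only deny, and the security principles on moving resources, public access, customer-managed keys, backups and co-located components), here is an added Python illustration. It is not Oracle's code and does not reproduce the Security Zones service's real policy logic; the compartment tree, recipe name, IAM groups and policy checks are all constructed for the example.

```python
"""Toy model of security zone validation (added illustration, not Oracle's code).

Assumptions (constructed for this example): a compartment tree as a child->parent
map, a recipe as a list of policy functions, and a tiny IAM allow-list. The
semantics follow the overview: IAM must grant the action, and then the operation
is denied if ANY policy in the destination compartment's zone recipe is violated.
"""
from dataclasses import dataclass, field

# Constructed compartment tree: child -> parent (None for the root compartment).
PARENTS = {"root": None, "prod": "root", "prod-db": "prod", "sandbox": "root"}

# Security zones: compartment -> recipe name. A subcompartment inherits the
# nearest zoned ancestor's zone unless it has a zone of its own.
ZONES = {"prod": "maximum"}


def zone_of(compartment):
    """Return the recipe enforced on a compartment, or None if it is in no zone."""
    while compartment is not None:
        if compartment in ZONES:
            return ZONES[compartment]
        compartment = PARENTS[compartment]
    return None


@dataclass
class Resource:
    kind: str                  # e.g. "bucket", "instance", "boot-volume"
    compartment: str
    public: bool = False
    customer_managed_key: bool = False
    backups: bool = False
    depends_on: list = field(default_factory=list)  # components this resource requires


# Each policy returns a violation message or None. Constructed, paraphrasing the
# security principles; they are not the text of Oracle's curated policies.
def no_public_access(r, zone):
    return "resource must not be reachable from the public internet" if r.public else None


def customer_managed_keys(r, zone):
    return None if r.customer_managed_key else "resource must be encrypted with a customer-managed key"


def automatic_backups(r, zone):
    return None if r.backups else "resource must be backed up automatically"


def components_in_same_zone(r, zone):
    bad = [d.kind for d in r.depends_on if zone_of(d.compartment) != zone]
    return f"required component(s) outside the zone: {bad}" if bad else None


RECIPES = {"maximum": [no_public_access, customer_managed_keys,
                       automatic_backups, components_in_same_zone]}

# Constructed IAM layer: group -> verbs it is granted. IAM grants capabilities;
# zone policies never grant anything, they only deny.
IAM = {"bucket-admins": {"create", "update", "move"}, "readers": set()}


def evaluate(group, action, resource, target_compartment=None):
    """Return (allowed, reasons) for `group` performing `action` on `resource`."""
    if action not in IAM.get(group, set()):
        return False, [f"IAM: group '{group}' is not granted '{action}'"]
    # The zone that matters is the one the resource will live in after the operation.
    dest = target_compartment if action == "move" else resource.compartment
    dest_zone = zone_of(dest)
    reasons = []
    source_zone = zone_of(resource.compartment)
    if action == "move" and source_zone is not None and dest_zone != source_zone:
        reasons.append("resources in a security zone can't be moved outside it")
    if dest_zone is not None:
        for policy in RECIPES[dest_zone]:
            msg = policy(resource, dest_zone)
            if msg:
                reasons.append(f"zone policy: {msg}")
    return (not reasons), reasons


if __name__ == "__main__":
    public_bucket = Resource("bucket", "prod", public=True)
    print(evaluate("bucket-admins", "create", public_bucket))   # denied: three violations
    compliant = Resource("bucket", "prod", customer_managed_key=True, backups=True)
    print(evaluate("bucket-admins", "create", compliant))       # allowed
    print(evaluate("bucket-admins", "move", compliant, "sandbox"))  # denied: leaving the zone
```

Note that the same public bucket is allowed in `sandbox`, which is in no zone: a zone policy applies only to compartments covered by a zone, and it is checked regardless of which group performs the operation.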
Security Zones and Cloud Guard
Understand the relationships between compartments, security zones, recipes, and targets.
After you create a security zone for a compartment, it automatically prevents operations, such as creating or modifying resources, that violate the security zone's policies. However, existing resources that were created before the security zone might also violate policies. Security Zones integrates with Cloud Guard to identify policy violations in existing resources.
Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weaknesses in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.
Here are some key Cloud Guard concepts:
- Detector recipe: Defines the types of cloud resources and security problems that you want Cloud Guard to monitor.
- Target: A compartment that you want Cloud Guard to monitor; a target is associated with a Cloud Guard recipe.
- Security zone target: A type of Cloud Guard target that is also associated with a security zone. The target monitors resources in the compartment for security zone policy violations.
When you create a security zone for a compartment, Cloud Guard performs the following tasks:
- Deletes any existing Cloud Guard target for the compartment and for any child compartments
- Creates a security zone target for the compartment
- Adds the default Oracle-managed detector recipes to the security zone target
The following diagram illustrates the Cloud Guard configuration for a new security zone:
When you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard performs the following tasks:
- Creates a separate security zone target for the subcompartment
- Adds the default Oracle-managed detector recipes to the new security zone target
No changes are made to the existing Cloud Guard target for the parent compartment.
The following diagram illustrates the Cloud Guard configuration for a new security zone in a subcompartment:
A single compartment can't be in multiple security zones, and also can't be in multiple Cloud Guard targets.
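The two cases above (a new security zone on a compartment whose ancestors are not zoned, versus a subcompartment whose parent is already in a zone) differ in what happens to existing Cloud Guard targets. The following added Python model walks the compartment tree to decide which case applies and returns the resulting target layout. It is an illustration written for this page, not Oracle's or Cloud Guard's code; the compartment names, the recipe names and the detector recipe placeholder names are constructed.

```python
"""Toy model of how creating a security zone reshapes Cloud Guard targets.

Added illustration, not Oracle's code. Constructed assumptions: a child->parent
compartment map, targets keyed by compartment, and placeholder names for the
default Oracle-managed detector recipes.
"""

PARENTS = {"root": None, "prod": "root", "prod-db": "prod",
           "prod-app": "prod", "sandbox": "root"}

# Placeholder names; the real default detector recipe names are not shown on this page.
DEFAULT_DETECTOR_RECIPES = ("<oracle-configuration-detector-recipe>",
                            "<oracle-activity-detector-recipe>")


def descendants(compartment):
    """All compartments below `compartment` (children, grandchildren, ...)."""
    out = []
    for child, parent in PARENTS.items():
        if parent == compartment:
            out.append(child)
            out.extend(descendants(child))
    return out


def nearest_zoned_ancestor(compartment, zones):
    """Closest ancestor that has its own security zone, or None."""
    c = PARENTS[compartment]
    while c is not None:
        if c in zones:
            return c
        c = PARENTS[c]
    return None


def create_security_zone(compartment, recipe, zones, targets):
    """Return new (zones, targets) after creating a zone on `compartment`.

    zones:   compartment -> security zone recipe name
    targets: compartment -> {"kind": ..., "detector_recipes": [...], "security_zone": ...}
    """
    if compartment in zones:
        # A compartment can't be in multiple security zones.
        raise ValueError(f"{compartment} is already in a security zone")
    zones, targets = dict(zones), dict(targets)
    if nearest_zoned_ancestor(compartment, zones) is None:
        # New zone: existing targets on this compartment and all children are deleted.
        for c in [compartment, *descendants(compartment)]:
            targets.pop(c, None)
    # Parent already zoned: the parent's target is left untouched and a
    # separate security zone target is created for the subcompartment.
    zones[compartment] = recipe
    targets[compartment] = {"kind": "security-zone-target",
                            "detector_recipes": list(DEFAULT_DETECTOR_RECIPES),
                            "security_zone": compartment}
    return zones, targets


if __name__ == "__main__":
    # Constructed starting state: ordinary Cloud Guard targets, no zones yet.
    plain = {"kind": "target", "detector_recipes": ["custom-recipe"], "security_zone": None}
    targets0 = {"prod": dict(plain), "prod-db": dict(plain), "sandbox": dict(plain)}
    zones1, targets1 = create_security_zone("prod", "maximum", {}, targets0)
    zones2, targets2 = create_security_zone("prod-db", "custom", zones1, targets1)
    print(sorted(targets2))   # ['prod', 'prod-db', 'sandbox']
```

After the first call the `prod` and `prod-db` targets are gone and `prod` carries a security zone target; the unrelated `sandbox` target is untouched. After the second call `prod-db` gets its own security zone target while `prod`'s target is unchanged.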
To learn more about Cloud Guard, see Cloud Guard Concepts.
Ways to Access Security Zones
You can access Security Zones using the Console (a browser-based interface), REST APIs, the Command Line Interface (CLI), or SDKs.
Instructions for the Console, API, and CLI are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.
The Security Zones APIs are available from the Cloud Guard endpoints.
To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You will be prompted to enter your cloud tenant, your user name, and your password.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, policies control who can create users, create and manage a VCN (virtual cloud network), launch instances, and create buckets.
- If you're a new administrator, see Getting Started with Policies.
- For specific details about writing policies for this service, see Cloud Guard Policies. The individual resource types for Security Zones are included in the aggregate type cloud-guard-family.
- For specific details about writing policies for other services, see Policy Reference.
Security
In addition to creating IAM policies, follow these other security best practices for Security Zones.
Limits
When you sign up for Oracle Cloud Infrastructure, a set of service limits is configured for your tenancy. These limits restrict the total number of Security Zones resources that you can create.
See Service Limits for instructions on requesting a limit increase.
Resource Identifiers
Security zone resources, like most types of resources in Oracle Cloud Infrastructure, have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).
For information about the OCID format and other ways to identify your resources, see Resource Identifiers.
Monitoring
Security Zones integrates with other monitoring services in Oracle Cloud Infrastructure.
- The Audit service automatically records calls to all public Cloud Guard API endpoints as log entries. These endpoints include all Security Zones operations. See Overview of Audit.
- The Events service allows your development teams to automatically respond when a Security Zones resource changes its state. See Security Zones Events.
Getting Started
To get started, create a security zone for an existing compartment using either an Oracle-managed or a custom recipe, and then check for any policy violations.