Security Zones ensure that OCI resources created by you, such as Compute, Networking, Object Storage, and Database, comply with Oracle security principles.
Security Zone Concepts
Security Zone
An association between a compartment and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.
Security Zone Recipe
A collection of security zone policies. Your tenancy has a predefined recipe named Maximum Security Recipe, which includes all available security zone policies. Oracle manages this recipe and you can't modify it.
Security Zone Policy
A security requirement for resources in a security zone.
Security Zone Advantages
Restrict Resource Movement
Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
Ensure Data Security
Data in a security zone can't be copied to a standard compartment because it might be less secure.
Restrict Resource Association
All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance in a security zone can't use a boot volume that is not in a security zone.
Deny Public Access
Resources in a security zone must not be accessible from the public internet.
Require Encryption
Resources in a security zone must be encrypted using customer-managed keys.
Ensure Data Durability
Resources in a security zone must be regularly and automatically backed up.
Use Only Configurations Approved by Oracle
Resources in a security zone must use only configurations and templates approved by Oracle.
Enabling Security Zone
Required IAM Policy
To work with Security Zones, an administrator must grant you access through an IAM policy.
For example, the following IAM policy allows users in the group SecurityAdmins to manage security zones in the entire tenancy.
Allow group SecurityAdmins to manage security-zone in tenancy
Creating a Security Zone
Create a security zone by using the Console.
All security zones are assigned the Maximum Security Recipe.
- Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
- Click Create Security Zone.
- Enter a name and description for the security zone.
Oracle Cloud creates a compartment with the same name and assigns it to this security zone.
- For Create in Compartment, navigate to the compartment that you want to create the new compartment in.
- Click Create Security Zone.
Viewing the Policies for a Security Zone
Identify the recipe for an existing security zone, and then view its policies.
- Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
- Click the name of the security zone.
- Click the recipe for the security zone to view its policies.
Deleting a Security Zone
Delete a security zone by using the Console.
To delete a security zone, you delete the compartment that's associated with the security zone.
Before you can delete a compartment, it must be empty of all resources. Ensure that all the compartment's resources have been moved, deleted, or terminated, including any policies attached to the compartment.
- Locate the compartment whose name is the same as the security zone.
- Click the Actions icon (three dots) for this compartment, and then click Delete Compartment.
- At the prompt, click OK.
Conclusion
In this blog, you have been introduced to the Security Zone feature that is available in the Oracle Cloud. We created the necessary IAM groups and policies to work with it.
When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the list of policies defined in the security zone recipe. If any security zone policy is violated, then the operation is denied.
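To make the deny-on-any-violation behaviour described here (and the policies listed under Security Zone Advantages above) concrete, the following is an added model written for this post, not OCI's own code. It assumes a single security zone compartment named prod-sz, a constructed recipe with one check per policy, and a validate() function that returns whether an operation is allowed and why not.

```python
from dataclasses import dataclass, field

# Constructed model of the checks described on this page; not OCI's own code.
SECURITY_ZONES = {"prod-sz"}   # compartments associated with a security zone (assumed)

@dataclass
class Resource:
    kind: str                      # e.g. "instance", "boot_volume", "bucket"
    compartment: str
    public_access: bool = False
    customer_managed_key: bool = False
    auto_backup: bool = False
    depends_on: list = field(default_factory=list)   # components this resource uses

def in_security_zone(compartment):
    return compartment in SECURITY_ZONES

# One function per security zone policy; each returns a list of violations.
def deny_public_access(r):
    return ["must not be reachable from the public internet"] if r.public_access else []

def require_encryption(r):
    return [] if r.customer_managed_key else ["must be encrypted with a customer-managed key"]

def ensure_data_durability(r):
    return [] if r.auto_backup else ["must be backed up automatically"]

def restrict_resource_association(r):
    return [f"uses {d.kind} in standard compartment '{d.compartment}'"
            for d in r.depends_on if not in_security_zone(d.compartment)]

MAXIMUM_SECURITY_RECIPE = [deny_public_access, require_encryption,
                           ensure_data_durability, restrict_resource_association]

def validate(operation, resource, target=None, recipe=MAXIMUM_SECURITY_RECIPE):
    """Validate a create/update/move against every policy in the recipe.
    Returns (allowed, reasons); a single violation denies the operation."""
    if operation == "move" and in_security_zone(resource.compartment) \
            and not in_security_zone(target):
        return False, ["resources can't be moved out of a security zone"]
    if not in_security_zone(target or resource.compartment):
        return True, []                 # standard compartments are not validated
    reasons = [v for policy in recipe for v in policy(resource)]
    return not reasons, reasons

if __name__ == "__main__":
    boot = Resource("boot_volume", "dev", customer_managed_key=True, auto_backup=True)
    vm = Resource("instance", "prod-sz", public_access=True, customer_managed_key=True,
                  auto_backup=True, depends_on=[boot])
    print(validate("create", vm))   # denied: public access and boot volume outside the zone
```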
To learn more or for a demo of the Security Zone Feature in OCI, schedule a meeting with an Astute team member.