Securing Block Volume
This topic provides security information and recommendations for Block Volume.
The Block Volume service lets you dynamically provision and manage block storage volumes . You can create, attach, connect, and move volumes, as well as change volume performance, as needed, to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without the loss of data.
Security Responsibilities
To use Block Volume securely, learn about your security and compliance responsibilities.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities are described on this page, which include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
- Encryption and Confidentiality: Use encryption keys and secrets to protect your data and connect to secured resources. Rotate these keys regularly.
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure Block Volume in a new Oracle Cloud Infrastructure tenancy.
| Task | More Information |
|---|---|
| Use IAM policies to grant access to users and resources | IAM Policies |
| Encrypt resources using a custom key | Data Encryption |
| Enable and configure Cloud Guard (optional) | Cloud Guard |
| Create a security zone (optional) | Security Zones |
Routine Security Tasks
After getting started with Block Volume use this checklist to identify security tasks that we recommend you perform regularly.
| Task | More Information |
|---|---|
| Rotate encryption keys | Data Encryption |
| Respond to problems detected in Cloud Guard | Cloud Guard |
| Take regular backups | Data Durability |
| Perform a security audit | Auditing |
IAM Policies
Use policies to limit access to Block Volume.
A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.
Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.
We recommend that you give DELETE permissions to a minimum set of IAM users and groups. This practice minimizes loss of data from inadvertent deletes by authorized users or from malicious actors. Only give DELETE permissions to tenancy and compartment administrators.
Oracle Cloud Infrastructure supports two types of volumes: block volumes and boot volumes. Block volumes allow instance storage capacity to be expanded dynamically. A boot volume contains the image used to boot the compute instance. The IAM service groups the family of related volume resource types into a combined resource type called volume-family.
Assign least privilege access for IAM users and groups to resource types in volume-family. The resource types in volume-family are volumes,volume-attachments, and volume-backups.
- The
volumesresources are detachable block volume devices that allow dynamic expansion of instance storage capacity or contain the image for booting the instance. - The
volume-attachmentsresources are attachments between volumes and instances. - The
volume-backupsresources are point-in-time copies of volumes that can be used to create block volumes or recover block volumes.
The following example policy allows group VolumeUsers to perform all actions on volumes and backups, except deleting them.
Allow group VolumeUsers to manage volumes in tenancy
where request.permission!='VOLUME_DELETE'
Allow group VolumeUsers to manage volume-backups in tenancy
where request.permission!='VOLUME_BACKUP_DELETE'If VolumeUsers can't detach volumes from instances, you can add the following policy to the previous example.
Allow group VolumeUsers to manage volume-attachments in tenancy
where request.permission!='VOLUME_ATTACHMENT_DELETE'For more information about Block Volume policies and to view more examples, see Details for the Core Services.
Cloud Guard
Enable Cloud Guard and use it to detect and respond to security issues in Block Volume.
Upon detecting a problem, Cloud Guard suggests corrective actions. You can also configure Cloud Guard to automatically take certain actions. Cloud Guard includes the following detector rules for Block Volume.
- Block Volume is encrypted with Oracle-managed key
- Block Volume is not attached
For a list of all available detector rules in Cloud Guard, see Detector Recipe Reference.
If you haven't done so already, enable Cloud Guard and configure it to monitor the compartments that contain your resources. You can configure Cloud Guard targets to examine your entire tenancy (root compartment and all subcompartments), or to check only specific compartments. See Getting Started with Cloud Guard.
After enabling Cloud Guard, you can view and resolve detected security problems. See Processing Reported Problems.
Security Zones
Using Security Zones ensures your resources in Block Volume comply with security best practices.
A security zone is associated with one or more compartments and a security zone recipe. When you create and update resources in a security zone's compartment, Oracle Cloud Infrastructure validates these operations against the list of security zone policies in the recipe. If any policy in the recipe is violated, then the operation is denied. The following security zone policies are available for resources in Block Volume.
deny block_volume_not_in_security_zone_attach_to_instance_in_security_zonedeny block_volume_in_security_zone_attach_to_instance_not_in_security_zonedeny boot_volume_not_in_security_zone_attach_to_instance_in_security_zonedeny boot_volume_in_security_zone_attach_to_instance_not_in_security_zonedeny attached_block_volume_not_in_security_zone_move_to_compartment_in_security_zonedeny attached_boot_volume_not_in_security_zone_move_to_compartment_in_security_zonedeny block_volume_without_vault_keydeny boot_volume_without_vault_key
For a list of all security zone policies, see Security Zone Policies.
To move existing resources to a compartment that is in a security zone, the resources must comply with all security zone policies in the zone's recipe. Similarly, resources in a security zone can’t be moved to a compartment outside of the security zone because it might be less secure. See Managing Security Zones.
Data Encryption
The Block Volume service always encrypts all block volumes, boot volumes, and volume backups at rest by using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption. You can use an Oracle-provided encryption key or a custom key in the Vault service. You can also encrypt your data volumes using tools like dm-crypt, veracrypt, and Bit-Locker.
By default all volumes and their backups are encrypted using the Oracle-provided encryption keys. Each time a volume is cloned or restored from a backup the volume is assigned a new unique encryption key.
Encrypting Volumes with the Vault Service
Although default encryption keys can be generated automatically when you create certain Oracle Cloud Infrastructure resources, we recommend that you create and manage your own custom encryption keys in the Vault service.
A vault is a logical entity that stores the encryption keys you use to protect your data. Depending on the protection mode, keys are either stored on the server, or they are stored on highly available and durable hardware security modules (HSMs). Our HSMs meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. See Managing Vaults and Managing Keys.
Create and rotate encryption keys in the Vault service to protect your resources in Block Volume. See Creating a Volume and Editing a Key to a Block Volume.
Each master encryption key is automatically assigned a key version. When you rotate a key, the Vault service generates a new key version. Periodically rotating keys limits the amount of data encrypted or signed by one key version. If a key is ever comprised, key rotation reduces the risk to your data. See Managing Keys.
We recommend that you use IAM policies to strictly limit the creation, rotation, and deletion of encryption keys. See Details for the Vault Service.
Encrypting Non-root Volumes with dm-crypt
dm-crypt is a kernel-level encryption mechanism (part of Linux devicemapper framework) to provide encrypted volumes. It encrypts data passed from the filesystem (for example, ext4 and NTFS), and stores it on a storage device in Linux Unified Key Setup (LUKS) format.
The encrypted volumes can be stored on a complete disk, disk partition, logical volume, or a file-backed storage created using loopback devices. Cryptsetup is the user-level utility used to manage dm-crypt, and used to encrypt partitions and files. dm-crypt uses the Linux crypto APIs for encryption routines.
If you need to access the encrypted volume:
cryptsetup luksOpen /dev/sdb <dev_name> --key-file=/home/opc/keyfile
mount /dev/mapper/<dev_name> /home/encrypt_fsIf you lose the keyfile, or if the keyfile or passphrase gets corrupted, you can't decrypt the encrypted volume. The result is a permanent loss of data. We recommend that you store durable copies of the keyfile on an on-premises host.
Remotely Mounting Data Volumes Encrypted with dm-crypt
The following steps assume that the keyfile is on an on-premises host (SRC_IP) and that <OCI_SSH_KEY> is the SSH private key of the instance.
Data Durability
Take regular backups of your data in Block Volume. We recommend that you give a minimum set of users and groups permission to delete backups.
To minimize loss of data caused by deletes or corruption, we recommend that you make periodic backups of volumes. Oracle Cloud Infrastructure allows automated scheduled backups. For more information about scheduled backups, see Policy-Based Backups.
To minimize loss of data caused by inadvertent deletes by an authorized user or by malicious deletes, we recommend that you grant VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, and VOLUME_BACKUP_DELETE permissions to a minimum possible set of IAM users and groups. Grant DELETE permissions only to tenancy and compartment administrators.
Auditing
Locate access logs and other security data for Block Volume.
The Audit service automatically records all API calls to Oracle Cloud Infrastructure resources. You can achieve your security and compliance goals by using the Audit service to monitor all user activity within your tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or they can be retrieved as batched files from Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP headers of the request. See Viewing Audit Log Events.
{
"datetime": 1642993213028,
"logContent": {
"data": {
"additionalDetails": {
"X-Real-Port": 55984
},
"availabilityDomain": "AD3",
"compartmentId": "ocid1.compartment.oc1..<unique_ID>",
"compartmentName": "mycompartment",
"definedTags": null,
"eventGroupingId": "<unique_ID>",
"eventName": "ListBootVolumes",
"freeformTags": null,
"identity": {
"authType": null,
"callerId": null,
"callerName": null,
"consoleSessionId": null,
"credentials": "<key>",
"ipAddress": "<IP_address>",
"principalId": "<user_ID>",
"principalName": "<user_name>",
"tenantId": "ocid1.tenancy.oc1..<unique_ID>",
"userAgent": "Oracle-JavaSDK/1.37.1 (Linux/4.14.35-2047.510.4.1.el7uek.x86_64; Java/1.8.0_301; Java HotSpot(TM) 64-Bit Server VM GraalVM EE 20.3.3/25.301-b09-jvmci-20.3-b18)"
},
"message": "ListBootVolumes succeeded",
"request": {
"action": "GET",
"headers": {
"Accept": [
"application/json"
],
"Authorization": [
"Signature headers=\"date (request-target) host\",keyId=<key>"
],
"Connection": [
"keep-alive"
],
"Date": [
"Mon, 24 Jan 2022 03:00:12 GMT"
],
"User-Agent": [
"Oracle-JavaSDK/1.37.1 (Linux/4.14.35-2047.510.4.1.el7uek.x86_64; Java/1.8.0_301; Java HotSpot(TM) 64-Bit Server VM GraalVM EE 20.3.3/25.301-b09-jvmci-20.3-b18)"
],
"opc-client-info": [
"Oracle-JavaSDK/1.37.1"
],
"opc-request-id": [
"<unique_ID>"
]
},
"id": "<unique_ID>",
"parameters": {
"availabilityDomain": [
"EMIr:PHX-AD-3"
],
"compartmentId": [
"ocid1.compartment.oc1..<unique_ID>"
],
"limit": [
"1000"
]
},
"path": "/20160918/bootVolumes"
},
"resourceId": null,
"response": {
"headers": {
"Connection": [
"close"
],
"Content-Length": [
"2"
],
"Content-Type": [
"application/json"
],
"Date": [
"Mon, 24 Jan 2022 03:00:13 GMT"
],
"X-Content-Type-Options": [
"nosniff"
],
"opc-request-id": [
"<unique_ID>"
]
},
"message": null,
"payload": {},
"responseTime": "2022-01-24T03:00:13.028Z",
"status": "200"
},
"stateChange": {
"current": null,
"previous": null
}
},
"dataschema": "2.0",
"id": "<unique_ID>",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..<unique_ID>",
"ingestedtime": "2022-01-24T03:00:45.483Z",
"loggroupid": "_Audit",
"tenantid": "ocid1.tenancy.oc1..<unique_ID>"
},
"source": "",
"specversion": "1.0",
"time": "2022-01-24T03:00:13.028Z",
"type": "com.oraclecloud.BlockVolumes.ListBootVolumes"
}
}If you enabled Cloud Guard in your tenancy, then it reports any user activities that are potential security concerns. Upon detecting a problem, Cloud Guard suggests corrective actions. You can also configure Cloud Guard to automatically take certain actions. See Getting Started with Cloud Guard and Processing Reported Problems.