Securing Service Connector Hub

This topic provides security information and recommendations for the Oracle Cloud Infrastructure Service Connector Hub service.

Security Responsibilities

To use Service Connector Hub securely, learn about your security and compliance responsibilities.

In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.

Oracle is responsible for the following security requirements:

  • Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.

Your security responsibilities, described on this page, include the following areas:

  • Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.

Initial Security Tasks

Use this checklist to identify the tasks you perform to secure Service Connector Hub in a new Oracle Cloud Infrastructure tenancy.

Task                                                      More Information
Use IAM policies to grant access to users and resources   IAM Policies

Routine Security Tasks

After getting started with Service Connector Hub, use this checklist to identify security tasks that we recommend you perform regularly.

Service Connector Hub does not have any security tasks that you need to perform regularly.

IAM Policies

Use policies to limit access to Service Connector Hub.

A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.

Assign a group the least privileges required to perform its responsibilities. Each policy has a verb that describes what actions the group is allowed to perform. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.

User Access Policies

Create this policy to allow group ConnectorUsers to create, update, and delete service connectors in the ABC compartment.

Allow group ConnectorUsers to manage serviceconnectors in compartment ABC

Create this policy to allow group ConnectorUsers to update service connectors only (not allowing the group to create or delete service connectors) in the ABC compartment.

Allow group ConnectorUsers to use serviceconnectors in compartment ABC

For more information about Service Connector Hub policies, see Details for Service Connector Hub.

Service Access Policies

Note

Ensure that any policy you create complies with your company guidelines.

To move data, your service connector must have authorization to access the specified resources in the source, task, and target services. Some resources are accessible without policies. When you use the Console to define a service connector, default policies providing the required authorization are offered. These policies are limited to the context of the service connector. You can either accept the default policies or ensure that you have the proper authorizations in group-based policies.

For example, the following default policy is offered when you create or edit a service connector that moves data from Logging to Monitoring.

allow any-user to use metrics in compartment id <target_metric_compartment_OCID>
where all {
    request.principal.type='serviceconnector',
    target.metrics.namespace='<metric_namespace>',
    request.principal.compartment.id='<serviceconnector_compartment_OCID>'
}
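The following Python script is an added illustration (not Oracle's code or tooling) that parses statements of the shapes shown on this page and flags grants broader than the guidance above: a verb stronger than the ceiling a group's duties justify, an any-user grant whose where clause does not pin it to service connector principals in a named compartment, or tenancy-wide scope. The grammar it accepts is a hypothetical subset of the policy language; the ConnectorUsers group, the ABC compartment and the placeholder OCIDs are taken from this page's examples, and the loose statement is constructed.

```python
import re

# Policy verbs from least to most access, in the order this page gives them.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Hypothetical grammar covering only the statement shapes shown on this page.
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:group|dynamic-group)\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment(?:\s+id)?\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Split one statement into subject, verb, resource, scope and where-conditions."""
    m = STATEMENT_RE.match(" ".join(text.split()))  # collapse a multi-line where clause
    if not m:
        return None
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    # key='value' pairs from the where clause, e.g. request.principal.type='serviceconnector'
    parts["conditions"] = dict(re.findall(r"([\w.]+)\s*=\s*'([^']*)'", parts["where"] or ""))
    return parts

def review_statement(text, max_verb="use"):
    """Return least-privilege findings; max_verb is the strongest verb the duties justify."""
    parsed = parse_statement(text)
    if parsed is None:
        return ["statement does not parse; check the syntax"]
    findings = []
    if VERB_RANK[parsed["verb"]] > VERB_RANK[max_verb]:
        findings.append(f"verb '{parsed['verb']}' exceeds the '{max_verb}' ceiling")
    if parsed["subject"].lower() == "any-user":
        # A broad subject is acceptable only when the where clause pins it to this connector.
        if parsed["conditions"].get("request.principal.type") != "serviceconnector":
            findings.append("any-user grant is not limited to service connector principals")
        if "request.principal.compartment.id" not in parsed["conditions"]:
            findings.append("any-user grant is not limited to a connector compartment")
    if parsed["scope"].lower() == "tenancy":
        findings.append("scope is the whole tenancy rather than a compartment")
    return findings

# Sample statements: two taken from this page, plus a deliberately loose one (constructed).
UPDATE_ONLY = "Allow group ConnectorUsers to use serviceconnectors in compartment ABC"
DEFAULT_METRICS = """allow any-user to use metrics in compartment id <target_metric_compartment_OCID>
where all { request.principal.type='serviceconnector', target.metrics.namespace='<metric_namespace>',
            request.principal.compartment.id='<serviceconnector_compartment_OCID>' }"""
LOOSE = "allow any-user to manage metrics in tenancy"
```

Run `review_statement` over each statement; an empty list means the grant is within the ceiling and properly scoped.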

For more information, including default policies, see Access to Source, Task, and Target Services.