Getting Started with Security Advisor
Before creating secure resources with Oracle Cloud Infrastructure Security Advisor, complete these prerequisite tasks.
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
For more information about how policies work, see How Policies Work.
Required IAM Policies for Creating Buckets
- The following policy lets the specified group do everything with buckets and objects in the specified compartment:
Allow group CreateSecureOSBucketGroup to manage object-family in compartment CompartmentABC
- The following policy lets the specified group do everything with vaults in the specified compartment, which might not be the same compartment as the bucket compartment. (If you prefer, you can write a policy that grants the
use vaults
permission instead. With that permission, the specified group can use existing vaults, but can't create new ones.)Allow group CreateSecureOSBucketGroup to manage vaults in compartment CompartmentDEF
- The following policy lets the specified group do everything with keys in the specified compartment, which must be the same compartment as the vault compartment:
Allow group CreateSecureOSBucketGroup to manage keys in compartment CompartmentDEF
- The following policy lets the Object Storage service list, view, and perform cryptographic operations with all keys in the specified compartment:
Allow service ObjectStorage-<region_name> to use keys in compartment CompartmentDEF
In the preceding example, replace <region_name> with the appropriate region identifier, for example:
-
objectstorage-us-phoenix-1
-
objectstorage-us-ashburn-1
-
objectstorage-eu-frankfurt-1
-
objectstorage-uk-london-1
-
objectstorage-ap-tokyo-1
To identify the region name value of an Oracle Cloud Infrastructure region, see About Regions and Availability Domains.
-
Required IAM Policies for Creating File Systems
- The following policy lets the specified group do everything with file systems and mount targets in the specified compartment:
Allow group CreateSecureFileStorageGroup to manage file-family in compartment CompartmentABC
- The following policy lets the specified group do everything with vaults in the specified compartment, which might not be the same compartment as the file system compartment. (If you prefer, you can write a policy that grants the
use vaults
permission instead. With that permission, the specified group can use existing vaults, but cannot create new ones.)Allow group CreateSecureFileStorageGroup to manage vaults in compartment CompartmentDEF
- The following policy lets the specified group do everything with keys in the specified compartment, which must be the same compartment as the vault compartment:
Allow group CreateSecureFileStorageGroup to manage keys in compartment CompartmentDEF
- The following policy lets the File Storage service list, view, and perform cryptographic operations with all keys in the specified compartment:
Allow service Fss<realm_key>Prod to use keys in compartment CompartmentDEF
In the preceding example, the policy refers to the File Storage service by the service principal name
FssOc1Prod
.The name of the File Storage service user depends on your realm . For realms with realm key numbers of 10 or less, the pattern for the File Storage service user is
FssOc<n>Prod
, where n is the realm key number. Realms with a realm key number greater than 10 have a service user offssocprod
. For more information about realms, see About Regions and Availability Domains.
Required IAM Policies for Creating Compute Instances
- The following policy lets the specified group list and use all components in Networking in the specified compartment. This includes virtual cloud networks (VCNs), subnets, gateways, virtual circuits, security lists, route tables, and so on.
Allow group CreateSecureVMGroup to use virtual-network-family in compartment CompartmentABC
- The following policy lets the specified group create and manage instance images in the specified compartment:
Allow group CreateSecureVMGroup to manage instance-family in compartment CompartmentABC
- The following policy lets the specified group do everything with vaults in the specified compartment, which might not be the same compartment as the instance compartment. (If you prefer, you can write a policy that grants the
use vaults
permission instead. With that permission, the specified group can use existing vaults, but cannot create new ones.)Allow group CreateSecureVMGroup to manage vaults in compartment CompartmentDEF
- The following policy lets the specified group do everything with keys in the specified compartment, which must be the same compartment as the vault compartment:
Allow group CreateSecureVMGroup to manage keys in compartment CompartmentDEF
- The following policy lets the Block Volume service list, view, and perform cryptographic operations with all keys in the specified compartment. The Block Volume service is responsible for the boot volume attached to the instance.
Allow service blockstorage to use keys in compartment CompartmentDEF
Required IAM Policies for Creating Block Volumes
- The following policy lets the specified group do everything with block storage volumes, volume backups, and volume groups in the specified compartment:
Allow group CreateSecureBlockVolumeGroup to manage volume-family in compartment CompartmentABC
- The following policy lets the specified group do everything with vaults in the specified compartment, which might not be the same compartment as the volume compartment. (If you prefer, you can write a policy that grants the
use vaults
permission instead. With that permission, the specified group can use existing vaults, but can't create new ones.)Allow group CreateSecureBlockVolumeGroup to manage vaults in compartment CompartmentDEF
- The following policy lets the specified group do everything with keys in the specified compartment, which must be the same compartment as the vault compartment:
Allow group CreateSecureBlockVolumeGroup to manage keys in compartment CompartmentDEF
- The following policy lets the Block Volume service list, view, and perform cryptographic operations with all keys in the specified compartment:
Allow service blockstorage to use keys in compartment CompartmentDEF