Creating a Secure Virtual Machine Instance
This topic describes how to use Security Advisor to create a secure virtual machine (VM) instance. In this context, a secure instance is one with a boot volume that is encrypted with a customer-managed key and therefore meets minimum security requirements established by security zones. The process involves creating not only the instance and associated boot volume, but also the Vault key that you want to use to encrypt the volume, and then assigning the key to the volume. (You cannot use Security Advisor to assign existing encryption keys, but you can use an existing vault to create a new key.)
- You cannot configure private or public IP addresses for an instance.
- You cannot change the image build. It will always use the latest version.
- You cannot launch the instance on a dedicated virtual machine host, which lets you run the instance in isolation so that it is not running on shared infrastructure.
- You cannot specify the volume performance settings for the boot volume.
- You cannot use Security Advisor to generate SSH keys for you if you want to remotely connect to the instance by using Secure Shell (SSH). You must generate your own SSH keys and have the public key available when you create the instance.
Other security considerations exist outside Security Advisor, particularly regarding the use of resources after you create them. We strongly encourage you to learn more about Oracle Cloud Infrastructure Compute and Oracle Cloud Infrastructure Block Volume security features and best practices, and then implement them with your newly created resources. For more information, see Securing Compute, Securing Block Volume, and Best Practices for Your Compute Instance.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
- The following policy lets the specified group list and use all components in Networking in the specified compartment. This includes
virtual cloud networks (VCNs), subnets, gateways, virtual circuits, security lists,
route tables, and so
Allow group CreateSecureVMGroup to use virtual-network-family in compartment CompartmentABC
- The following policy lets the specified group create and manage instance images in
Allow group CreateSecureVMGroup to manage instance-family in compartment CompartmentABC
- The following policy lets the specified group do everything with vaults in the
specified compartment, which might not be the same compartment as the instance
compartment. (If you prefer, you can write a policy that grants the
use vaultspermission instead. With that permission, the specified group can use existing vaults, but cannot create new ones.)
Allow group CreateSecureVMGroup to manage vaults in compartment CompartmentDEF
- The following policy lets the specified group do everything with keys in the
specified compartment, which must be the same compartment as the vault
Allow group CreateSecureVMGroup to manage keys in compartment CompartmentDEF
- The following policy lets the Block Volume service
list, view, and perform cryptographic operations with all keys in the specified
compartment. The Block Volume service is
responsible for the boot volume attached to the
Allow service blockstorage to use keys in compartment CompartmentDEF
For more information about how policies work, see How Policies Work.
Using the Console
To create a secure virtual machine instance
- Open the navigation menu, click Identity & Security, and then click Security Advisor.
- Click Create Secure Bucket.
- Review the prerequisites for getting started, and then click Next when you're ready.
- Do one of the following:
- To create a master encryption key in an existing vault, click Choose existing vault.
- To create a master encryption key in a new vault click Create new vault.
- Then, do one of the following:
- If you chose to use an existing vault in the previous step, choose the compartment where the vault resides, and then choose the vault.
- If you chose to create a new vault in the previous step, choose the compartment where you want to create the vault, and then enter a display name to identify the vault. Avoid entering confidential information. Optionally, make the vault a virtual private vault by selecting the Make it a virtual private vault check box. For more information about vault types, see Key and Secret Management Concepts.
- Click Key Name, and then enter a name to identify the key. Avoid entering confidential information.
- Regarding Key Shape: Length, the key length value is fixed at 256 bits to maximize security based on key length.
- Optionally, if you want to import key material to create a key, select the Import external key check box. Importing key material requires you to first generate the key material and wrap it using a vault's public wrapping key. This means that you cannot use Security Advisor to create a key using imported key material without an existing vault. For more information about importing keys, see Importing Keys and Key Versions.
- Optionally, to apply tags, click Show Tagging Options. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator. When you're ready, click Next.
- On the Create Compute Instance page, specify the attributes of the
- Name: A display name for the instance. You can add or change the name later. The name doesn't need to be unique, because an Oracle Cloud Identifier (OCID) uniquely identifies the instance. Avoid entering confidential information.
- Create in Compartment: The compartment where you want to create the instance. This does not need to be the same compartment as the vault and key.
Image or Operating System: By default, an Oracle Linux 7.x image is used to boot the instance. You cannot use Security Advisor to create a virtual machine instance with a different image.
- Availability Domain: The availability domain where you want to create the instance.
- Shape: The default shape for the selected image and availability domain combination. You cannot use Security Advisor to create a virtual machine instance with a different shape. For more information about shapes, see Compute Shapes.
In the Configure networking section, configure the network details for the instance:
- Virtual cloud network compartment: The compartment containing the network in which to create the instance.
- Virtual cloud network: The network in which to create the instance. You can only choose an existing virtual cloud network (VCN). You cannot use Security Advisor to create a new VCN. If you have a VCN in a different compartment, click Change compartment, and then select a different compartment.
- Subnet: A subnet within the cloud network to attach the instance to. Subnets are either public or private. Private means the instances in that subnet can't have public IP addresses. For a more secure instance, we recommend that you choose a private subnet. For more information, see Access to the Internet. Subnets can also be either AD-specific or regional (regional ones have "regional" after the name). We recommend using regional subnets. For more information, see About Regional Subnets.
- By default, when you create an instance in a public subnet, you can optionally assign the instance a public IP address. A public IP address makes the instance accessible from the internet. You cannot use Security Advisor to create a virtual machine instance with a public IP address.
In the Boot volume section, configure the size and encryption options for the instance's boot volume:
- To specify a custom size for the boot volume, select the Specify a custom boot volume size check box. Then, enter a custom size from 50 GB to 32 TB. The specified size must be larger than the default boot volume size for the selected image. See Custom Boot Volume Sizes for more information.
- To encrypt data while the data is in transit between the instance and the attached boot volume, select the Use in-transit encryption check box. The Vault service encryption key that you use to encrypt the boot volume data at rest will also be used for in-transit encryption. For more information, see Block Volume Encryption. Security zones require data to be encrypted in-transit, so you must select this check box to comply with security zone requirements.
In the Add SSH keys section, generate an SSH key pair or upload your own public key. Select one of the following options:
Generate a key pair for me: Oracle Cloud Infrastructure generates an RSA key pair for the instance. Click Save Private Key, and then save the private key on your computer. Optionally, click Save Public Key and then save the public key.Caution
Anyone who has access to the private key can connect to the instance. Store the private key in a secure location.Important
To use a key pair that is generated by Oracle Cloud Infrastructure, you must access the instance from a system that has OpenSSH installed. UNIX-based systems (including Linux and OS X), Windows 10, and Windows Server 2019 should have OpenSSH. For more information, see Managing Key Pairs on Linux Instances.
- Upload public key files (.pub): Upload the public key portion of your key pair. Either browse to the key file that you want to upload, or drag and drop the file into the box. To provide multiple keys, press and hold down the Command key (on Mac) or the Ctrl key (on Windows) while selecting files.
- Paste public keys: Paste the public key portion of your key pair in the box.
- No SSH keys: Select this option only if you do not want to connect to the instance using SSH. You cannot provide a public key or save the key pair that is generated by Oracle Cloud Infrastructure after the instance is created.
- Optionally, to configure tags, click Show Tagging Options. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
- Review the summary of the resources that Security Advisor will create, and then click Create Secure Instance.