Managing Security Zones

You can create and delete security zones, identify the policies enforced in your security zone, and identify any policy violations in your security zone.

A security zone has the following characteristics:

  • Created in a compartment 
  • Associated with a single compartment (and by default all of its subcompartments)
  • Assigned a security zone recipe

A compartment can't be in multiple security zones.

After you create a security zone for a compartment, it automatically prevents operations, such as creating or modifying resources, that violate the security zone's policies. Any operation that violates a policy in the zone's recipe is denied. However, existing resources that were created before the security zone might also violate policies. Security Zones integrates with Oracle Cloud Guard to identify policy violations in existing resources.

You must enable Cloud Guard in your tenancy before creating a security zone. See Getting Started with Cloud Guard.

Your tenancy has a predefined recipe named Maximum Security Recipe, which includes all available security zone policies. Oracle manages this recipe, and you can’t modify it.

You can also create a custom recipe, or clone an existing one. See Managing Recipes.

When you create a security zone for a compartment, any subcompartments are also in the same security zone. You can also:

  • Remove a subcompartment from a security zone
  • Create a different security zone for a subcompartment

Caution

To ensure the integrity of your data, you can't move certain resources from a compartment in a security zone to a compartment that isn't in the security zone.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted the required type of access in an IAM policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, the following IAM policy allows users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy.

Allow group SecurityAdmins to manage security-zone in tenancy
Allow group SecurityAdmins to manage security-recipe in tenancy

See Cloud Guard Policies.
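The statements above grant full management rights across the tenancy. As an added example (not a policy from this page, and using a placeholder compartment name Prod and a placeholder group SecurityAuditors), the same resource types can be split by least privilege: the admin group keeps manage, while a review group gets read-only access to zones and recipes in a single compartment, plus read access to Cloud Guard so that it can open the Problems page for violations. The cloud-guard-family aggregate resource type is assumed here rather than taken from this page.

```text
Allow group SecurityAdmins to manage security-zone in tenancy
Allow group SecurityAdmins to manage security-recipe in tenancy
Allow group SecurityAuditors to read security-zone in compartment Prod
Allow group SecurityAuditors to read security-recipe in compartment Prod
Allow group SecurityAuditors to read cloud-guard-family in compartment Prod
```

With this split, an auditor can identify the recipe and violations for a zone but cannot change the recipe or delete the zone, which is the operation that silently stops policy enforcement for the whole compartment subtree.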

Creating a Security Zone

Create a security zone by using the Console.

You must enable Cloud Guard in your tenancy before creating a security zone. See Getting Started with Cloud Guard.

When you create a security zone, you can select an Oracle-managed recipe or a custom recipe.

When you create a security zone for a compartment, Cloud Guard does the following:

  • Deletes any existing Cloud Guard target for the compartment and its child compartments
  • Creates a security zone target for the compartment
  • Adds the default Oracle-managed detector recipes to the security zone target

If you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard creates a separate security zone target for the subcompartment. No changes are made to the existing target for the parent compartment.

The following diagram illustrates the Cloud Guard configuration for a new security zone in a subcompartment:


The parent compartment is in a security zone and the child compartment is in a different security zone. Each compartment is associated with a different security zone target in Cloud Guard. The security zone target for the child compartment is associated with default detector recipes.

To create a security zone:

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment that you want to protect with this security zone.

    Select a compartment that is not already associated with a security zone.

    The security zone resource is created in this compartment.

    By default, all subcompartments are also in the same security zone.

  3. Click Create Security Zone.

    This button is disabled if the selected compartment is already associated with a security zone.

  4. Select a Security Zone Recipe.
    • Oracle-managed: The security zone uses the Maximum Security Recipe.
    • Customer-managed: Select your custom recipe.

    If your recipe is in a different compartment, click Change Compartment.

  5. Enter a Name and Description for the security zone.

    Avoid entering confidential information.

    You can't change the name of a security zone after creating it.

  6. (Optional) Apply tags to the security zone.

    If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. See Resource Tags. You can also apply tags to a security zone after creating it.

  7. Click Create Security Zone.

    This button is disabled if the selected compartment is already associated with a security zone.

The new security zone is in the Creating state. It can take several minutes to associate the compartment and its child compartments with the security zone. When finished, the security zone is in the Active state.

If the compartment for this security zone contains existing resources, you can check to see if any of them violate policies in the zone's recipe.

Viewing the Policies for a Security Zone

Identify the recipe for an existing security zone, and then view its policies.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment associated with the security zone you want to view.
  3. Click the name of the security zone.

    The Security Zone Details page displays.

  4. Click the Recipe for this security zone.

    The Recipe Details page is displayed.

To learn more about a security zone policy in the recipe, see Security Zone Policies.

Viewing Policy Violations in a Security Zone

If the compartment for your security zone has existing resources, you can identify any resources that violate the security zone's policies and take corrective actions.

Cloud Guard routinely scans the resources in your security zones for policy violations. Each policy violation is recorded as a problem in Cloud Guard. For a new security zone, it can take up to 3 hours before any violations are detected.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment associated with the security zone you want to view.
  3. Click the name of the security zone.

    The Security Zone Details page displays.

  4. From the Associated Compartments table, expand the current compartment to show any subcompartments that are also in this security zone.
  5. If there are policy Violations for a compartment or subcompartment, click View details in Cloud Guard.

    The Problems page in the Cloud Guard console displays only problems detected in this security zone.

  6. Click a problem to view its details, including:
    • A description of the security zone policy
    • The name and location of the resource in violation of the policy
    • The relative risk level of the policy violation (Critical, Major, Minor, and so on)
    • The recommended actions to correct the problem

For descriptions of all available policies, see Security Zone Policies. For more information about using Cloud Guard, see Processing Reported Problems.

Editing a Security Zone

Edit a security zone's description or recipe by using the Console.

Caution

Each recipe enforces a different set of security zone policies. Changing the recipe for a security zone can affect the security posture for resources in the zone.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment associated with the security zone you want to edit.
  3. Click the name of the security zone.

    The Security Zone Details page displays.

  4. Click Edit.
  5. Update the Description for the security zone.

    Avoid entering confidential information.

    You can't change the name of an existing security zone.

  6. (Optional) Select a different Recipe for the security zone.

    If your recipe is in a different compartment, click Change Compartment.

  7. Click Save changes.
  8. (Optional) Click Tags if you want to manage the tags for this security zone.

    If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. See Resource Tags.

Viewing the Compartments in a Security Zone

Use the Console to identify the compartments that are in a security zone.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment associated with the security zone you want to view.
  3. Click the name of the security zone.

    The Security Zone Details page displays.

  4. Under Associated Compartments, expand the parent compartment to view any subcompartments in this security zone.

Removing a Compartment from a Security Zone

When you remove a subcompartment from a security zone, Oracle Cloud Infrastructure no longer enforces security zone policies on the resources in the subcompartment.

Note

You can't remove the primary compartment that was used to create the security zone. You must delete the security zone.

Removing a subcompartment from a zone creates a standard Cloud Guard target for the compartment. The new target has the same detector recipes as the security zone target for its parent compartment, but it does not detect security zone policy violations. No changes are made to any of your existing Cloud Guard targets and detector recipes.

The following diagram illustrates the Cloud Guard configuration for a subcompartment that is removed from a security zone:


The parent compartment is in a security zone and one of the child compartments is not in a security zone. The parent compartment is associated with a security zone target in Cloud Guard, and the child compartment is associated with a standard target. The security zone target and the standard target are associated with the same detector recipes.

To remove a compartment from a security zone:

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment associated with the security zone you want to modify.
  3. Click the name of the security zone.

    The Security Zone Details page is displayed.

    The compartments in this security zone are listed under Associated Compartments. Expand the parent compartment to view any subcompartments in this security zone.

  4. Click the Actions icon for the subcompartment, and then select Remove Compartment.
  5. When prompted for confirmation, click Remove.

Adding a Removed Compartment to a Security Zone

If you removed a subcompartment from a security zone, you can add it back to the same security zone. As a result, Oracle Cloud Infrastructure ensures that resources in the subcompartment comply with the security zone's policies.

Any existing Cloud Guard target for this subcompartment is deleted. No changes are made to the parent compartment's security zone target, or to any of your existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration for a subcompartment that is added back to a security zone:


The parent compartment and two subcompartments are in a single security zone. The parent compartment is associated with a security zone target in Cloud Guard. The security zone target is associated with detector recipes.

To add a compartment back to a security zone:

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment associated with the security zone you want to modify.
  3. Click the name of the security zone.

    The Security Zone Details page is displayed.

    The compartments in this security zone are listed under Associated Compartments. Expand the parent compartment to view any subcompartments in this security zone.

  4. Click Add Compartment.
  5. Select a Compartment and click Add Compartment.

    You can select only a subcompartment of this zone's parent compartment, and only if the subcompartment is not already in a zone.

Deleting a Security Zone

Delete a security zone for a compartment by using the Console.

When you delete a security zone:

  • Oracle Cloud Infrastructure doesn't enforce security zone policies on resources in the compartment.
  • Cloud Guard doesn't detect policy violations on resources in the compartment.

These changes also affect any subcompartments unless a subcompartment is in a separate security zone.

To ensure the integrity of your data, some policies restrict the movement of certain resources from a compartment in a security zone to a compartment that isn't in a security zone.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Select the Compartment that's associated with the security zone you want to delete.
  3. Click the security zone.
  4. Click Delete.
  5. When prompted for confirmation, click Delete.

When you delete a zone, your Cloud Guard configuration is modified as well. The specific changes in Cloud Guard depend on the existing targets and security zones in the compartment hierarchy.

Delete a security zone with no dependencies

In the simplest case, the existing security zone target for this zone's parent compartment is replaced with a standard Cloud Guard target.

The new target includes the default Oracle-managed configuration and activity detector recipes, and does not detect security zone policy violations. No changes are made to any of your existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the parent compartment is deleted:


The parent compartment has two subcompartments. None of the compartments are in a security zone. The parent compartment is associated with a standard target in Cloud Guard. The target is associated with the default detector recipes.

Delete a security zone and the parent compartment is in a different zone

The primary compartment for the deleted security zone has a parent compartment that is in a different zone. Deleting this security zone results in the compartment becoming part of the parent compartment's zone.

The security zone target for the child compartment is deleted in Cloud Guard. No changes are made to the parent compartment's security zone target, or to any of your existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the child compartment is deleted:


The parent compartment has two child compartments, and all of them are in the same security zone. The parent compartment is associated with a security zone target in Cloud Guard. The target is associated with detector recipes.

Delete a security zone and the parent compartment has a standard Cloud Guard target

The primary compartment for the deleted security zone has a parent compartment that is associated with a standard target in Cloud Guard. Deleting this security zone results in the compartment becoming part of the parent compartment's Cloud Guard target.

The existing security zone target for this zone's primary compartment is deleted in Cloud Guard. This compartment (and any child compartments previously in this zone) inherits the existing Cloud Guard target for the parent compartment. This standard target does not detect security zone policy violations. No changes are made to any of your existing Cloud Guard targets and detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the child compartment is deleted:


The highlighted compartment has a parent compartment and a child compartment. None of the compartments is in a security zone. The parent compartment is associated with a standard target in Cloud Guard. The target is associated with detector recipes.

Delete a security zone and a child compartment is in a different zone

The compartment for the deleted security zone has one or more child compartments that are in different zones. Deleting this security zone has no effect on the other security zones.

The existing security zone target for this zone's parent compartment is replaced with a standard Cloud Guard target. The new target has the same detector recipes as the deleted security zone target, and does not detect security zone policy violations. The child compartments that are in different Security Zones are unaffected. No changes are made to any of your existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the parent compartment is deleted:


The parent compartment is not in a security zone, and it has a child compartment that is in a security zone. The parent compartment is associated with a standard Cloud Guard target. The standard target is associated with the same detector recipes that it had previously. The child compartment is associated with a security zone target in Cloud Guard. The security zone target is associated with different detector recipes.

Delete a security zone and a child compartment has a standard Cloud Guard target

The compartment for the deleted security zone has one or more child compartments that are not in a security zone and are associated with standard Cloud Guard targets. Deleting this security zone has no effect on the child compartments.

The existing security zone target for this zone's parent compartment is replaced with a standard Cloud Guard target. The new target has the same detector recipes as the deleted security zone target, and does not detect security zone policy violations. The child compartments that were removed from the security zone and have separate Cloud Guard targets are unaffected. No changes are made to any of your existing Cloud Guard detector recipes.

The following diagram illustrates the Cloud Guard configuration after the security zone for the parent compartment is deleted:


Neither the parent compartment nor its child compartment is in a security zone. The parent compartment is associated with a standard Cloud Guard target. The standard target is associated with the same detector recipes that it had previously. The child compartment is associated with a different Cloud Guard target and different detector recipes.
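The rules spread across this page (subcompartments inherit the zone of the nearest ancestor, a compartment is in at most one zone, removing a subcompartment gives it a standard target, adding it back deletes that target, and the five deletion outcomes above) form one small state machine. The following model is an added example written for this page, not Oracle code and not the OCI SDK; it lets you build a compartment tree, apply the operations, and ask which zone and which Cloud Guard target cover a given compartment. Compartment, zone and recipe names are constructed placeholders, and the treatment of a removed subcompartment's own children (they follow the removed compartment out of the zone) is an assumption not stated on the page.

```python
# Added example, not Oracle's code: a model of security zone membership and Cloud Guard
# target ownership in a compartment hierarchy, following the rules stated on this page.
# All names used with it are constructed placeholders.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Compartment:
    name: str
    parent: Compartment | None = None
    zone: str | None = None          # zone whose primary compartment this is
    recipe: str | None = None        # recipe assigned to that zone
    removed: bool = False            # explicitly removed from an ancestor's zone
    standard_target: bool = False    # owns a standard (non-zone) Cloud Guard target


class Tenancy:
    def __init__(self) -> None:
        self.compartments: dict[str, Compartment] = {}

    def add(self, name: str, parent: str | None = None) -> Compartment:
        c = Compartment(name, self.compartments[parent] if parent else None)
        self.compartments[name] = c
        return c

    def descendants(self, c: Compartment) -> list[Compartment]:
        out = []
        for d in self.compartments.values():
            node = d.parent
            while node is not None and node is not c:
                node = node.parent
            if node is c:
                out.append(d)
        return out

    def effective_zone(self, c: Compartment) -> str | None:
        """Zone enforced on c: its own, else the nearest ancestor's, unless c was removed
        (assumption: a removed compartment's children leave the zone with it)."""
        if c.zone:
            return c.zone
        if c.removed or c.parent is None:
            return None
        return self.effective_zone(c.parent)

    def target(self, c: Compartment) -> tuple[str, str] | None:
        """Cloud Guard target covering c: ('zone', zone_name), ('standard', owner) or None."""
        node: Compartment | None = c
        while node is not None:
            if node.zone:
                return ("zone", node.zone)
            if node.standard_target:
                return ("standard", node.name)
            node = node.parent
        return None

    def create_zone(self, name: str, zone: str, recipe: str) -> None:
        c = self.compartments[name]
        if c.zone:   # "Select a compartment that is not already associated with a security zone"
            raise ValueError(f"{name} is already the primary compartment of zone {c.zone}")
        # Existing targets for the compartment and its children are deleted; a zone on a
        # subcompartment leaves the parent's own zone target untouched.
        c.zone, c.recipe, c.standard_target, c.removed = zone, recipe, False, False
        for d in self.descendants(c):
            if not d.zone:
                d.standard_target = False

    def remove_from_zone(self, name: str) -> None:
        c = self.compartments[name]
        if c.zone:
            raise ValueError("primary compartment can't be removed; delete the zone instead")
        if self.effective_zone(c) is None:
            raise ValueError(f"{name} is not in a security zone")
        c.removed, c.standard_target = True, True   # standard target, same detector recipes

    def add_back(self, name: str) -> None:
        c = self.compartments[name]
        if not c.removed:
            raise ValueError(f"{name} was not removed from a zone")
        c.removed, c.standard_target = False, False  # its standard target is deleted

    def delete_zone(self, zone: str) -> None:
        primaries = [x for x in self.compartments.values() if x.zone == zone]
        if not primaries:
            raise ValueError(f"no zone named {zone}")
        c = primaries[0]
        c.zone, c.recipe = None, None
        if self.effective_zone(c) is not None:
            return   # parent is in a zone: the compartment joins it, zone target deleted
        if c.parent is not None and self.target(c.parent) is not None:
            return   # parent has a standard target: the compartment inherits it
        c.standard_target = True   # otherwise the zone target becomes a standard target


if __name__ == "__main__":
    t = Tenancy()
    for name, parent in [("root", None), ("prod", "root"), ("app", "prod"), ("dev", "root")]:
        t.add(name, parent)
    t.create_zone("root", "zone-root", "Maximum Security Recipe")
    t.create_zone("prod", "zone-prod", "custom-recipe")
    t.remove_from_zone("dev")
    for name in t.compartments:
        print(name, t.effective_zone(t.compartments[name]), t.target(t.compartments[name]))
```

Running the module prints, for each compartment, the zone actually enforced on it and the target that reports its violations; calling delete_zone on "zone-prod" afterwards shows the second deletion case (app and prod fall back into zone-root), and deleting "zone-root" shows the first and fifth cases together (root gets a standard target while the removed dev compartment keeps its own).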