Isolate Resources and Control Access

Resource isolation is a key consideration when organizing your cloud resources. Compartments enable you to logically organize your resources and control access to them in a manner that's meaningful to your business. For example, you can isolate the resources used by each department of your company in a separate compartment. You can also use virtual cloud networks (VCNs) to isolate resources at the network layer.

Plan your compartments and VCNs carefully, keeping in mind the current and future security requirements of your organization.

Organize Resources Using Compartments and Tags

  • Create and designate compartments for specific categories of resources, and write IAM policies that grant access to those resources only to the groups of users that need it.
  • Create and use child compartments to isolate resources for additional organizational layers. Write separate policies for each compartment level.
  • Allow only authorized users to move compartments to different parent compartments and to move resources from one compartment to another. Write suitable policies to enforce this restriction.
  • Limit the number of resources of each type that can be created in a compartment by setting compartment-level quotas.
  • Avoid writing IAM policies at the level of the root compartment.
  • Limit the resources that an instance principal can manage by specifying a compartment in the IAM policy.
  • Assign tags to resources to organize and identify them based on your business needs.

Implement Role-Based Access Control

  • Limit the access privileges for users in each group to only the compartments that they need to access, by writing compartment-level policies.
  • Write policies that are as granular as possible in terms of the target resources and the required access privileges.
  • Create groups with permissions to do tasks that are common to all your deployed workloads (such as network administration and volume administration), and assign appropriate admin users to these groups.

Don't Store User Credentials on Compute Instances

When you want to authorize a compute instance to make calls to the Oracle Cloud Infrastructure APIs, don't store any user credentials on the instance. Instead, designate the instance as an instance principal.

The certificates required for the instance to authenticate itself are created automatically, assigned to the instance, and rotated. You can group such instances in logical sets, called dynamic groups, and write policies to allow the dynamic groups to perform specific actions on specific resources.
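The compartment-scoping, granularity, root-compartment and instance-principal guidance in the three sections above can be checked mechanically before a policy is applied. The following is an added example, not Oracle's code or tooling: it parses statements in the documented `Allow <subject> to <verb> <resource-type> in <scope> [where <conditions>]` form and flags tenancy-scoped statements, `manage all-resources` grants, dynamic groups that are not bound to a compartment, and unconditioned `any-user` grants. The finding names, severities and the sample policy statements are constructed for this example; the group, compartment and OCID values in them are placeholders.

```python
"""Lint OCI IAM policy statements for compartment-scoping practices.

Added example (not Oracle's code). Understands the documented statement form
'Allow <subject> to <verb> <resource-type> in <scope> [where <conditions>]';
the finding names and severities are this example's own choices.
"""

import re
from dataclasses import dataclass

STATEMENT_RE = re.compile(
    r"^\s*allow\s+"
    r"(?:(?P<kind>group|dynamic-group|service)\s+(?P<name>[A-Za-z0-9_.+/'\-:]+)"
    r"|(?P<any>any-user))"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[A-Za-z0-9_\-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?:id\s+)?[A-Za-z0-9_.\-:]+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based position of the statement in the policy
    severity: str   # "error" or "warning"
    message: str


def lint_policy(statements):
    """Return the Findings for a list of policy statements, in statement order."""
    findings = []
    for idx, stmt in enumerate(statements, start=1):
        m = STATEMENT_RE.match(stmt)
        if not m:
            findings.append(Finding(idx, "error", "statement does not parse"))
            continue
        kind = (m.group("kind") or "any-user").lower()
        verb = m.group("verb").lower()
        resource = m.group("resource").lower()
        root_scoped = m.group("scope").lower() == "tenancy"

        # Instance principals (dynamic groups) must be bounded to a compartment.
        if kind == "dynamic-group" and root_scoped:
            findings.append(Finding(idx, "error",
                "dynamic-group policy is scoped to the tenancy; name a compartment"))
        elif root_scoped:
            findings.append(Finding(idx, "warning",
                "policy is written at the root compartment (tenancy) level"))
        # 'manage all-resources' is the least granular grant possible.
        if verb == "manage" and resource == "all-resources":
            findings.append(Finding(idx, "error" if root_scoped else "warning",
                "'manage all-resources' is not granular; name the resource type"))
        # any-user grants need a condition to bound who actually matches.
        if kind == "any-user" and not m.group("cond"):
            findings.append(Finding(idx, "error",
                "any-user statement has no 'where' condition"))
    return findings


# Constructed sample policy; names and the OCID are placeholders.
POLICY = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Shared",
    "Allow group Finance-Readers to read all-resources in compartment Finance:Reporting",
    "Allow group Admins to manage all-resources in tenancy",
    "Allow dynamic-group AppServers to use object-family in tenancy",
    "Allow dynamic-group AppServers to read secret-bundles in compartment Apps "
    "where target.vault.id = 'ocid1.vault.oc1..EXAMPLE'",
    "Allow any-user to read objects in compartment Public",
    "Permit group Admins to manage everything",
]

if __name__ == "__main__":
    for f in lint_policy(POLICY):
        print(f"statement {f.line}: {f.severity}: {f.message}")
```

Statements 1, 2 and 5 pass: each names a compartment, uses a specific resource type or a read-only verb, and the instance-principal grant is both compartment-bound and conditioned on a single vault. A `read all-resources` in a compartment is deliberately not flagged, since read access for auditors is a common legitimate use; tighten the rules to your own baseline.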

Harden Login Access to Compute Instances

Ensure that only secure methods are used to log in to compute instances.
  • Disable password-based login.
  • Disable root login.
  • Use only SSH key-based authentication.
  • Designate a non-standard port for SSH access, instead of the default port 22.
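The four items above can be verified against an instance's `sshd_config` rather than assumed. The following is an added example, not Oracle's code: it parses the global directives of an `sshd_config` (first value wins for a keyword, as in OpenSSH; multiple `Port` lines all apply; directives inside `Match` blocks are skipped and must be reviewed separately) and reports which of the four items is not met. It also checks keyboard-interactive authentication, because with `UsePAM yes` that path can still prompt for a password after `PasswordAuthentication no`. Both sample configurations are constructed for the example.

```python
"""Audit an sshd_config for the login-hardening items above.

Added example (not Oracle's code). Parsing follows OpenSSH's first-value-wins
rule (Port may repeat); Match blocks are skipped. Finding text is this
example's own.
"""

import re


def parse_sshd_config(text):
    """Return {keyword: [values]} for global directives (lower-cased keywords)."""
    cfg = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything after a Match line is conditional
            continue
        if in_match:
            continue
        if key == "port":
            cfg.setdefault("port", []).append(value)   # all Port lines apply
        elif key not in cfg:
            cfg[key] = [value]       # first occurrence wins, as in sshd
    return cfg


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)

    def setting(key, default):
        return cfg.get(key, [default])[0].lower()

    findings = []
    if setting("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # Keyboard-interactive auth (via PAM) can still prompt for a password, so
    # PasswordAuthentication alone is not enough. Newer OpenSSH releases name
    # this KbdInteractiveAuthentication; ChallengeResponseAuthentication is
    # the older spelling of the same setting.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", ["yes"]))[0].lower()
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication (ChallengeResponseAuthentication) is not 'no'")
    # OpenSSH's own default is prohibit-password, which still permits root with a key.
    if setting("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if setting("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if "22" in cfg.get("port", ["22"]):
        findings.append("sshd listens on the default port 22")
    return findings


# Constructed sample resembling a stock sshd_config (commented lines are inactive).
STOCK_CONFIG = """\
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding no
"""

# Constructed sample after applying the four hardening items.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, cfg_text in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg_text) or "OK")
```

Run it against `/etc/ssh/sshd_config` (and any `sshd_config.d/*.conf` drop-ins, which are included first and therefore win under the first-value rule). Moving off port 22 mainly cuts log noise from opportunistic scanning; the key-only and no-root settings are the controls that carry the weight, so treat a finding on those as the one to fix first.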

Secure Cross-Resource Access

If you designate any instances as principals, then review the users and groups that have access to such instances. Make sure that only the appropriate users and groups can access them.

Isolate Resources at the Network Layer

Virtual cloud networks provide the first level of network isolation between resources in Oracle Cloud Infrastructure. If you have multiple workloads or different departments/organizations, use a separate VCN for each to isolate the resources at the network layer. Use VCN peering only where connectivity between VCNs is required. In addition, use public and private subnets carefully, after evaluating which resources require public access.