Compute Instance Security
Make sure that your compute instances are secure, and control access to them. We recommend using key-based SSH to access your compute instances. Password-based SSH can be susceptible to brute-force attacks and is not recommended.
Use the following checklist to protect your compute instances:
| Done? | Security Controls and Recommendations |
|---|---|
| | Apply the latest operating system patches. Use the OS management service to manage updates and patches for the operating system environment of your compute instances. See OS Management. |
| | Manage SSH keys and their rotation. |
| | Disable password login. |
| | Disable root login. |
| | Change the SSH port to a nonstandard port. |
| | Harden the operating system of your compute instances. |
| | Use host-based intrusion detection and prevention systems (IDS and IPS). |
| | Use host-based firewalls, such as `iptables`, to restrict network access to instances including ports, protocols, and packet types. |
| | Apply the latest security patches for applications. |
| | Limit instance metadata access to only privileged users on the instance. For example, `iptables` can be used to restrict instance metadata access to only privileged users, such as `root`. |
| | Use instance principals and dynamic groups. |
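
A quick check for the three SSH items in the checklist (password login, root login, port), given as an added example that is not part of the original documentation. The function name `audit_sshd` and both sample configurations are constructed here; the function assumes whitespace-separated `Keyword value` lines and does not follow `Include` directives, so on a live host pipe in the output of `sshd -T` rather than the file itself.

```shell
#!/bin/sh
# Added example: audit the SSH checklist items from "Keyword value" lines
# on stdin (an sshd_config file or `sshd -T` output).
# Prints one FAIL line per failed control; exit status 0 means all passed.
audit_sshd() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        key = tolower($1); val = tolower($2)
        if (key == "match") { in_match = 1; next }
        if (in_match) {
            # A Match block can re-enable what the global section disabled.
            if ((key == "passwordauthentication" || key == "permitrootlogin") && val != "no") {
                print "FAIL Match block sets " key " " val; bad = 1
            }
            next
        }
        if (key == "port") { ports++; if (val == "22") std = 1 }   # Port may repeat
        else if (!(key in seen)) seen[key] = val                   # first value wins
    }
    END {
        # OpenSSH defaults apply when a keyword is absent.
        pw   = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
        root = ("permitrootlogin" in seen) ? seen["permitrootlogin"] : "prohibit-password"
        if (pw != "no")        { print "FAIL password login enabled: " pw; bad = 1 }
        if (root != "no")      { print "FAIL root login allowed: " root; bad = 1 }
        if (ports == 0 || std) { print "FAIL sshd listens on standard port 22"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: defaults mostly left in place.
WEAK_CONFIG='PermitRootLogin yes
#PasswordAuthentication no
Port 22'

# Constructed sample: checklist applied (the port number is arbitrary).
HARDENED_CONFIG='Port 2222
PasswordAuthentication no
PermitRootLogin no'

printf '%s\n' "$WEAK_CONFIG" | audit_sshd || true
```

The `Match` handling matters because a per-user or per-address block can turn password or root login back on after the global section has disabled it.
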
The following graphic illustrates how you can designate compute instances as instance principals, to enable the instances to make API calls to Oracle Cloud Infrastructure services. This example shows a dynamic group consisting of three compute instances. An IAM policy is defined to authorize the dynamic group to send Oracle Cloud Infrastructure API requests.