Getting Started with Security Zones

After creating IAM policies and enabling Cloud Guard, create a security zone for a compartment and check for any security zone policy violations.

Create IAM Policies

To use Security Zones and Cloud Guard, you must be granted the required type of access in an IAM policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you are not an administrator for your tenancy, then ask your administrator to perform these steps.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. From the Overview page, in the Get Started section, copy the list of required IAM policy statements.
    Allow group <group> to use cloud-guard-config in tenancy
    Allow group <group> to read cloud-guard-targets in tenancy
    Allow group <group> to inspect cloud-guard-problems in tenancy
    Allow group <group> to manage security-zone in tenancy
  3. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  4. Select the root Compartment for your tenancy.
  5. Click Create Policy.
  6. Enter a Name and Description for the policy.

    For example:

    • Name: Security Zones Policy
    • Description: Enable the creation of security zones
  7. Click Show manual editor.
  8. Paste the policy statements from the Security Zones console.

    Replace <group> with the name of an existing group.

  9. Click Create.
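The same policy can be created from the OCI CLI instead of the Console. This is an added example, not part of the original page; it assumes the OCI CLI is installed and configured, and the tenancy OCID and group name passed in are placeholders you replace with your own.

```shell
#!/usr/bin/env bash
# Added example: create the Security Zones IAM policy with the OCI CLI.
# Assumes `oci` is installed and configured (`oci setup config`); the tenancy
# OCID and group name are placeholders supplied by the caller.
set -eu

# Build the JSON array that `oci iam policy create --statements` expects, with
# <group> replaced by a real group name. The four statements are the ones the
# Security Zones Overview page lists.
sz_policy_statements() {
  group="$1"
  printf '["Allow group %s to use cloud-guard-config in tenancy",' "$group"
  printf '"Allow group %s to read cloud-guard-targets in tenancy",' "$group"
  printf '"Allow group %s to inspect cloud-guard-problems in tenancy",' "$group"
  printf '"Allow group %s to manage security-zone in tenancy"]' "$group"
}

# Guard against pasting the statements with the <group> placeholder still in place,
# which IAM would otherwise accept as a literal (and non-existent) group name.
sz_policy_statements_valid() {
  case "$1" in
    *'<group>'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Create the policy in the root compartment (identified by the tenancy OCID),
# mirroring steps 4 to 9 of the Console procedure.
create_security_zones_policy() {
  tenancy_ocid="$1"
  group="$2"
  statements="$(sz_policy_statements "$group")"
  sz_policy_statements_valid "$statements" || {
    echo "error: <group> placeholder was not replaced" >&2
    return 1
  }
  oci iam policy create \
    --compartment-id "$tenancy_ocid" \
    --name "Security Zones Policy" \
    --description "Enable the creation of security zones" \
    --statements "$statements"
}

# Usage (placeholder values, not real identifiers):
# create_security_zones_policy "ocid1.tenancy.oc1..<unique_id>" "SecurityZoneAdmins"
```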

To learn more about Security Zones and Cloud Guard IAM policies, see Cloud Guard Policies.

Enable Cloud Guard

Enable Cloud Guard in your tenancy before you create Security Zones. If Cloud Guard is already enabled, you can skip this task.

Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weaknesses in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.

Security Zones works with Cloud Guard to identify security zone policy violations in your existing resources.

Enabling Cloud Guard involves the following tasks:

  • Creating IAM policies that allow Cloud Guard to monitor resources within your tenancy
  • Choosing a reporting region
  • Optionally creating targets for the compartments that you want Cloud Guard to monitor
  • Optionally choosing the detector recipes for the targets

To enable Cloud Guard, you must have administrator privileges.

Note

You do not have to create a Cloud Guard target for a compartment before creating a security zone for the same compartment. When you create a security zone, a new Cloud Guard target is created automatically.

See Getting Started with Cloud Guard for detailed instructions.

Create a Security Zone Recipe (Optional)

Security Zones provides an Oracle-managed recipe called Maximum Security Recipe, which enforces all available security zone policies. If you want to disable certain policies, you can clone this recipe.

Before creating a custom security zone recipe, understand the available security zone policies.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
  2. Click the Actions icon for the recipe Maximum Security Recipe, and then select Clone.
  3. Update the Name and Description for the new recipe.

    Avoid entering confidential information.

  4. Select the Compartment in which you want to create the recipe.

    You can create security zone recipes and security zones in different compartments.

  5. Click Next.
  6. (Optional) From the Policies page, select a check box to enable a policy, or clear a check box to disable a policy.

    You can filter the list of policies by selecting a specific Policy type. You can also Search for policies by name.

  7. Click Next.
  8. From the Review page, review the number of policies that are enabled and disabled in this recipe, and then click Create.

    The Recipe Details page is displayed.

Create a Security Zone

After you complete all prerequisite tasks, you can create a security zone for an existing compartment.

Caution

For maximum flexibility, avoid assigning a security zone to the root compartment of the tenancy. Security zones applied to the root compartment might constrain the actions that are possible across an entire tenancy. Although this configuration might be preferable for specific use cases, it's too restrictive for most users.

  1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
  2. Under List scope, select the compartment that you want to protect with the security zone.

    Select a compartment that's not already associated with a security zone.

    The security zone resource is created in the compartment that you select.

    By default, all subcompartments are assigned the same security zone as the parent compartment.

  3. Click Create Security Zone.

    If the selected compartment is already associated with a security zone, this button is disabled.

  4. Select a Security Zone Recipe.
    • Oracle-managed: Select this option if you did not create a customer-managed recipe. The security zone uses the Maximum Security Recipe.
    • Customer-managed: Select your custom recipe.

    If your recipe is in a different compartment, click Change Compartment.

  5. Enter a name and description for the security zone.

    Avoid revealing sensitive information when naming or describing security zones.

    You can't change the name of a security zone after creating it.

  6. Click Create Security Zone.

    If the selected compartment is already associated with a security zone, this button is disabled.

When you create a security zone for a compartment, Cloud Guard completes the following tasks:
  • Deletes any existing Cloud Guard target for the compartment and for any child compartments
  • Creates a security zone target for the compartment
  • Adds the default Oracle-managed detector recipes to the security zone target

If you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard creates a separate security zone target for the subcompartment. No changes are made to the existing target for the parent compartment.

View Security Zone Policy Violations

If the compartment for your security zone has existing resources, you can identify any resources that violate the security zone's policies and take corrective actions.

Cloud Guard routinely scans the resources in your security zones for policy violations. Each policy violation is recorded as a problem in Cloud Guard. For a new security zone, it can take up to three hours before any violations are detected.

  1. From the Overview page, click your new security zone.
    The Security Zone Details page is displayed.

  2. On the Security Zone Details page, in the Associated compartments table, expand the current compartment to show any subcompartments that are also in this security zone.
  3. If the compartment or any subcompartment has any policy Violations, click View details in Cloud Guard.

    The Problems page in Cloud Guard displays only problems detected in this security zone.

  4. Click a problem to view the following details:
    • A description of the security zone policy
    • The name and location of the resource in violation of the policy
    • The relative risk level of the policy violation (Critical, Major, Minor, and so on)
    • The recommended actions to take to correct the problem

See Security Zone Policies for descriptions of all available policies.

Next Steps

After enabling Cloud Guard and creating your first security zone, you can test the zone, customize the zone, or create other zones.

  • Test a zone by attempting to violate one of the zone's policies: choose a security zone policy that is enabled in the zone's recipe. For example, verify that you can't create a public subnet or a public Object Storage bucket. See Security Zone Policies.
  • Create a separate zone in a subcompartment: see Creating a Security Zone.
  • Remove a subcompartment from the zone: see Removing a Subcompartment from a Security Zone.
  • Delete a zone: see Deleting a Security Zone.
  • Customize the Cloud Guard detector recipes in a security zone target: see Customizing Cloud Guard Configuration.
  • Check for other security problems detected by Cloud Guard: see Processing Reported Problems.
  • Create IAM policies so that other groups can manage security zones: see Cloud Guard Policies.

If you aren't able to create or test a security zone successfully, see Troubleshooting Security Zones.