Creating a Security Zone

Create a security zone to help ensure that the resources in a compartment comply with security policies.

Before you create a security zone, you must enable Cloud Guard in the tenancy. See Getting Started with Cloud Guard.

When you create a security zone, you can select an Oracle-managed recipe or a custom recipe.

When you create a security zone for a compartment, Cloud Guard performs the following actions:
  • Deletes any existing Cloud Guard target for the compartment and its subcompartments
  • Creates a security zone target for the compartment
  • Adds the default Oracle-managed detector recipe to compartments in the security zone

If you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard creates a separate security zone target for the subcompartment. No changes are made to the existing target for the parent compartment.

The following diagram illustrates the Cloud Guard configuration for a new security zone in a subcompartment:


The parent compartment is in a security zone and the child compartment is in a different security zone. Each compartment is associated with a different security zone target in Cloud Guard. The security zone target for the child compartment is associated with default detector recipes.

View full-size image.

Caution

For maximum flexibility, avoid assigning a security zone to the root compartment of the tenancy. Security zones applied to the root compartment might constrain the actions that are possible across an entire tenancy. Although this configuration might be preferable for specific use cases, it's too restrictive for most users.
    1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
    2. Under List scope, select the compartment that you want to protect with the security zone.

      Select a compartment that's not already associated with a security zone.

      The security zone resource is created in the compartment that you select.

      By default, all subcompartments are assigned the same security zone as the parent compartment.

    3. Click Create Security Zone.

      If the selected compartment is already associated with a security zone, this button is disabled.

    4. In the Create Security Zonepanel, under Security Zone Recipe select one of the following options:
      • Oracle-managed: The security zone uses the Maximum Security Recipe.
      • Customer-managed: The security zone uses a custom recipe that you select.

      If the recipe is in a different compartment, click Change compartment.

    5. Enter a name and description for the security zone.

      Avoid revealing sensitive information when naming or describing security zones.

      You can't change the name of a security zone after creating it.

    6. Verify the compartment for the security zone.
    7. (Optional) Apply tags to the security zone.

      If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. See Resource Tags. You can also apply tags to a security zone after creating it.

    8. Choose one of the following options:
      • To create the security zone now, click Create Security Zone.
      • To save the resource configuration as a Terraform configuration, click Save as Stack.

        For more information about saving stacks from resource definitions, see Creating a Stack from a Resource Creation Page.

    The new security zone is in the Creating state. It can take several minutes to associate the compartment and its subcompartments with the security zone. When finished, the security zone is in the Active state.

    If the compartment for this security zone contains existing resources, you can verify whether any of them violate policies in the zone's recipe.

  • Use the oci cloud-guard security-zone create command and required parameters to create a security zone:

    oci cloud-guard security-zone create --compartment-id <compartment_ocid> --display-name <security_zone_name> --security_zone-recipe-id <security_zone_recipe_ocid> [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Run the CreateSecurityZone operation to create a security zone.