Managing Security Zones

You can create and delete security zones, and identify the policies enforced in your security zone.

A security zone has the following characteristics:

  • Associated with a single compartment that has the same name as the security zone
  • Assigned a security zone recipe

As resources are created or modified in the compartment, Oracle Cloud Infrastructure validates these operations against all policies in the security zone recipe.

Your tenancy has a predefined recipe named Maximum Security Recipe, which includes all available security zone policies. Oracle manages this recipe, and you can’t modify it.

A security zone compartment can only have subcompartments that are also security zone compartments.

  • You can create a security zone in an existing security zone compartment.
  • You can move a security zone compartment to another security zone compartment.
  • You can't create a standard compartment in a security zone compartment.
  • You can't move a standard compartment to a security zone compartment.

Caution

To ensure the integrity of your data, you can't move certain resources from a compartment in a security zone to a compartment that isn't in a security zone.
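The nesting rules above, as an added illustrative model (not OCI's own implementation and not the OCI SDK): a small compartment tree whose create and move checks reject exactly the two operations the page says are blocked. The compartment names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Compartment:
    """One compartment; in_security_zone is True when it is bound to a security zone."""
    name: str
    parent: Optional[str]        # parent compartment name; None for the tenancy root
    in_security_zone: bool = False


class CompartmentTree:
    """Compartments by name, with the create/move checks a security zone imposes."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Compartment] = {"tenancy": Compartment("tenancy", None)}  # root is standard

    def check_create(self, parent: str, in_security_zone: bool) -> Optional[str]:
        """Return None if the create is allowed, otherwise the rule that blocks it."""
        if self.nodes[parent].in_security_zone and not in_security_zone:
            return "a standard compartment can't be created in a security zone compartment"
        return None

    def check_move(self, name: str, new_parent: str) -> Optional[str]:
        """Return None if the move is allowed, otherwise the rule that blocks it."""
        if self.nodes[new_parent].in_security_zone and not self.nodes[name].in_security_zone:
            return "a standard compartment can't be moved to a security zone compartment"
        return None

    def create(self, name: str, parent: str, in_security_zone: bool = False) -> bool:
        """Create the compartment if the rules allow it; return whether it was created."""
        if self.check_create(parent, in_security_zone) is not None:
            return False
        self.nodes[name] = Compartment(name, parent, in_security_zone)
        return True

    def move(self, name: str, new_parent: str) -> bool:
        """Re-parent the compartment if the rules allow it; return whether it moved."""
        if self.check_move(name, new_parent) is not None:
            return False
        self.nodes[name].parent = new_parent
        return True


if __name__ == "__main__":
    tree = CompartmentTree()                                   # constructed sample tenancy
    tree.create("ProdZone", "tenancy", in_security_zone=True)
    print(tree.create("ProdZone-Data", "ProdZone", in_security_zone=True))  # True
    print(tree.create("Sandbox", "ProdZone"))                               # False
```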

Required IAM Policy

To work with security zones, an administrator must grant you access in an IAM policy.

If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted.

For example, the following IAM policy allows users in the group SecurityAdmins to manage security zones in the entire tenancy.

Allow group SecurityAdmins to manage security-zone in tenancy

See Security Zone IAM Policies.

Creating a Security Zone

Create a security zone by using the Console.

All security zones are assigned the Maximum Security Recipe.

  1. Open the navigation menu. Under the Governance and Administration group, open Security, and then click Security Zones.
  2. Click Create Security Zone.
  3. Enter a name and description for the security zone.
    Oracle Cloud creates a compartment with the same name and assigns it to this security zone.
  4. For Create in Compartment, navigate to the compartment that you want to create the new compartment in.
  5. Click Create Security Zone.

To create resources such as networks or compute instances in the new security zone, select the compartment with the same name when you create the resources.

Viewing the Policies for a Security Zone

Identify the recipe for an existing security zone, and then view its policies.

  1. Open the navigation menu. Under the Governance and Administration group, open Security, and then click Security Zones.
  2. Click the name of the security zone.
  3. Click the recipe for the security zone.

To learn more about a security zone policy in the recipe, see Security Zone Policies.

Deleting a Security Zone

Delete a security zone by using the Console.

To delete a security zone, you delete the compartment that's associated with the security zone.

Before you can delete a compartment, it must be empty of all resources. Ensure that all the compartment's resources have been moved, deleted, or terminated, including any policies attached to the compartment.

Note

To ensure the integrity of your data, you can't move certain resources from a compartment in a security zone to a compartment that isn't in a security zone.

  1. Open the navigation menu. Under the Governance and Administration group, open Identity, and then click Compartments.
  2. Locate the compartment whose name is the same as the security zone.
  3. Click the Actions icon (three dots) for this compartment, and then click Delete Compartment.
  4. At the prompt, click OK.

For more information, see Deleting Compartments.