Security Zone Policies

When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the policies associated with the security zone. If any policy is violated, then the operation is denied.

Security zone policies are categorized by security principle. Each policy impacts one or more resources, such as Compute, Networking, Object Storage, and Database resources.

Note: Database policies do not apply to Oracle Exadata Cloud@Customer.

Restrict Resource Movement

To ensure the integrity of your data, you can't move certain resources from a security zone to a standard compartment, because the standard compartment might be less secure. You also can't move an existing resource from a standard compartment into a security zone unless the resource satisfies all of the security zone's policies.

The following table describes the security zone policies that restrict resource movement.

Policy | Services | Description
deny block_volume_in_security_zone_move_to_compartment_not_in_security_zone | Block Volume | You can't move a block volume from a security zone to a standard compartment.
deny boot_volume_in_security_zone_move_to_compartment_not_in_security_zone | Block Volume | You can't move a boot volume from a security zone to a standard compartment.
deny instance_in_security_zone_move_to_compartment_not_in_security_zone | Compute | You can't move a compute instance from a security zone to a standard compartment.
deny instance_not_in_security_zone_move_to_compartment_in_security_zone | Compute | You can't move a compute instance from a standard compartment to a compartment that is in a security zone.
deny subnet_in_security_zone_move_to_compartment_not_in_security_zone | Networking | You can't move a subnet from a security zone to a standard compartment.
deny bucket_in_security_zone_move_to_compartment_not_in_security_zone | Object Storage | You can't move a bucket from a security zone to a standard compartment.
deny db_instance_move_to_compartment_not_in_security_zone | Database (all types) | You can't move a database from a security zone to a standard compartment.
deny database_with_dataguard_association_move_to_compartment_in_security_zone | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | You can't move a database from a standard compartment to a security zone if its Data Guard association isn't in a security zone.

Restrict Resource Association

The components of a resource that impact its security posture must also be located in a security zone. Resources that aren't in a security zone might be vulnerable.

The following table describes the security zone policies that restrict resource association.

Policy | Services | Description
deny block_volume_not_in_security_zone_attach_to_instance_in_security_zone | Compute, Block Volume | All block storage volumes attached to a compute instance in a security zone must themselves be in a security zone.
deny block_volume_in_security_zone_attach_to_instance_not_in_security_zone | Compute, Block Volume | A compute instance that isn't in a security zone can't be attached to block storage volumes that are in a security zone.
deny boot_volume_not_in_security_zone_attach_to_instance_in_security_zone | Compute, Block Volume | The boot volume for a compute instance in a security zone must also be in a security zone.
deny boot_volume_in_security_zone_attach_to_instance_not_in_security_zone | Compute, Block Volume | A compute instance that isn't in a security zone can't be attached to a boot volume that is in a security zone.
deny instance_in_security_zone_launch_from_boot_volume_not_in_security_zone | Compute, Block Volume | A compute instance in a security zone can't be launched from a boot volume that isn't in a security zone.
deny instance_not_in_security_zone_launch_from_boot_volume_in_security_zone | Compute, Block Volume | A compute instance that isn't in a security zone can't be launched from a boot volume that is in a security zone.
deny attached_block_volume_not_in_security_zone_move_to_compartment_in_security_zone | Compute, Block Volume | A block volume can't be moved to a security zone if it's attached to a compute instance that isn't in a security zone.
deny attached_boot_volume_not_in_security_zone_move_to_compartment_in_security_zone | Compute, Block Volume | A boot volume can't be moved to a security zone if it's attached to a compute instance that isn't in a security zone.
deny instance_in_security_zone_in_subnet_not_in_security_zone | Compute, Networking | A compute instance in a security zone must use subnets that are also in a security zone.
deny dataguard_association_with_db_instances_not_in_security_zones | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | A database in a security zone can have a Data Guard association with another database (primary/standby) only if that database is also in a security zone.
deny db_instance_subnet_not_in_security_zone | Database (all types) | A database in a security zone must use subnets that are also in a security zone.
deny db_resource_association_not_in_security_zone | Database (Exadata DB systems) | Exadata Infrastructure resources in a security zone can't be associated with Container Databases or VM clusters that aren't in security zones.

Deny Public Access

Resources in a security zone must not be accessible from the public internet.

When you create a private subnet, compute instances launched in that subnet can't have public IP addresses. This restriction ensures that compute instances in the subnet have no internet access. For compute instances in a private subnet, a service gateway enables private access to public services such as Object Storage. See Overview of Networking.

The following table describes the security zone policies that restrict network access.

Policy | Services | Description
deny public_subnets | Networking | Subnets in a security zone can't be public. All subnets must be private.
deny internet_gateway | Networking | You can't add an internet gateway to a VCN within the security zone.
deny public_buckets | Object Storage | Object Storage buckets in a security zone can't be public.
deny db_instance_public_access | Database (all types) | Databases in a security zone can't be assigned to public subnets. They must use private subnets.

Require Encryption

Resources in a security zone must be encrypted using customer-managed keys. Data must be encrypted while in transit and at rest.

Oracle Cloud Infrastructure Vault lets you manage the master encryption keys that protect your data and the secret credentials that you use to securely access resources. You can also regularly rotate encryption keys.

Many services integrate with the Vault service for encryption, including Object Storage and Block Volume.

The following table describes the security zone policies that enforce encryption.

Policy | Services | Description
deny block_volume_without_vault_key | Block Volume | Block volumes in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle.
deny boot_volume_without_vault_key | Block Volume | Boot volumes in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle.
deny buckets_without_vault_key | Object Storage | Object Storage buckets in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle.

Ensure Data Durability

Automatic backups must be performed regularly for resources in a security zone.

The following table describes the security zone policy that enforces data durability.

Policy | Services | Description
deny database_without_backup | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | Databases in a security zone must be configured to perform automatic backups. See Backing Up a Database to Oracle Cloud Infrastructure Object Storage.

Ensure Data Security

Data in a security zone is considered privileged and can't be copied to a standard compartment.

The following table describes the security zone policies that enforce data security.

Policy | Services | Description
deny database_not_in_security_zone_create_from_backup_in_security_zone | Database (Bare metal and virtual machine DB systems, Exadata DB systems) | You can't use a database backup in a security zone to create a database that isn't in a security zone.
deny database_in_security_zone_create_clone_not_in_security_zone | Database (Virtual machine DB systems, Autonomous Database) | You can't clone a database in a security zone to create a database that isn't in a security zone.

Use Only Configurations Approved by Oracle

Oracle requires certain security features to be enabled and configured for the resources within a security zone. One example is the operating system configuration for a compute instance.

The following table describes the security zone policies that require configurations that are approved by Oracle.

Policy | Services | Description
deny instance_without_sanctioned_image | Compute | All compute instances in a security zone must be created using an Oracle-provided image. You can't create a compute instance from a custom image in a security zone.
deny free_database_creation | Database (all types) | You can't create an Always Free database in a security zone.
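The following is an added example, not Oracle's code: a small local model of a subset of the policies in the Restrict Resource Movement, Restrict Resource Association, Deny Public Access and Require Encryption tables above, so that a planned change (a compartment move, a volume attachment, an instance's subnet) can be screened against the same policy names before it is submitted to OCI. The SECURITY_ZONE set, the sample resource dicts and field names such as compartment, public and kms_key_id are constructed for this model and are not OCI SDK attributes.

```python
# Constructed set of compartment OCIDs that belong to a security zone.
SECURITY_ZONE = {"ocid1.compartment.oc1..sz-prod"}

def in_zone(res):
    """True when the resource's compartment is inside a security zone."""
    return res["compartment"] in SECURITY_ZONE

def check_move(kind, res, target_compartment):
    """Restrict Resource Movement: a zoned resource can't leave the zone, and
    a compute instance can't enter one from a standard compartment."""
    leaving = in_zone(res) and target_compartment not in SECURITY_ZONE
    entering = not in_zone(res) and target_compartment in SECURITY_ZONE
    denied = []
    if leaving and kind in ("block_volume", "boot_volume", "instance", "subnet", "bucket"):
        denied.append(f"deny {kind}_in_security_zone_move_to_compartment_not_in_security_zone")
    if leaving and kind == "db_instance":
        denied.append("deny db_instance_move_to_compartment_not_in_security_zone")
    if entering and kind == "instance":
        denied.append("deny instance_not_in_security_zone_move_to_compartment_in_security_zone")
    return denied

def check_attach(volume, instance):
    """Restrict Resource Association and Require Encryption for a block volume."""
    denied = []
    if in_zone(instance) and not in_zone(volume):
        denied.append("deny block_volume_not_in_security_zone_attach_to_instance_in_security_zone")
    if in_zone(volume) and not in_zone(instance):
        denied.append("deny block_volume_in_security_zone_attach_to_instance_not_in_security_zone")
    if in_zone(volume) and not volume.get("kms_key_id"):  # no Vault key: Oracle-managed default
        denied.append("deny block_volume_without_vault_key")
    return denied

def check_network(subnet, instance=None):
    """Deny Public Access: no public subnets in the zone; a zoned instance must
    also sit in a zoned subnet (Restrict Resource Association)."""
    denied = []
    if in_zone(subnet) and subnet["public"]:
        denied.append("deny public_subnets")
    if instance is not None and in_zone(instance) and not in_zone(subnet):
        denied.append("deny instance_in_security_zone_in_subnet_not_in_security_zone")
    return denied

# Constructed sample resources (field names belong to this model, not to the SDK).
SZ_INSTANCE = {"compartment": "ocid1.compartment.oc1..sz-prod"}
STD_VOLUME = {"compartment": "ocid1.compartment.oc1..dev", "kms_key_id": None}
SZ_VOLUME = {"compartment": "ocid1.compartment.oc1..sz-prod", "kms_key_id": "ocid1.key.oc1..k1"}
PUBLIC_SZ_SUBNET = {"compartment": "ocid1.compartment.oc1..sz-prod", "public": True}
```

Each check returns the list of policy names the change would violate, so an empty list means the change is consistent with the modelled policies.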