Security Zones

Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, and Database resources, comply with Oracle security principles.

A security zone is associated with a compartment and a security zone recipe. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the list of policies defined in the security zone recipe. If any security zone policy is violated, then the operation is denied.

For example, a security zone policy forbids the creation of public buckets in Object Storage. If you try to create a public bucket in a security zone that has this policy, or if you try to modify an existing storage bucket and make it public, you receive an error message. Similarly, you can't move an existing resource from a standard compartment to a security zone unless all policies are met.

Security zone
An association between a compartment and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.
Security zone recipe
A collection of security zone policies.
Security zone policy
A security requirement for resources in a security zone.

Your tenancy has a predefined recipe named Maximum Security Recipe, which includes all available security zone policies. Oracle manages this recipe and you can't modify it.

In general, security zone policies align with these security principles:

  • Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
  • Data in a security zone can't be copied to a standard compartment because it might be less secure.
  • All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance in a security zone can't use a boot volume that is not in a security zone.
  • Resources in a security zone must not be accessible from the public internet.
  • Resources in a security zone must be encrypted using customer-managed keys.
  • Resources in a security zone must be regularly and automatically backed up.
  • Resources in a security zone must use only configurations and templates approved by Oracle.

To learn more, see Security Zone Policies.

A security zone policy differs from an IAM policy in the following ways:

  • Administrators create IAM policies to grant users the ability to manage certain resources in a compartment.
  • A security zone policy ensures that these management operations comply with the Oracle maximum security architecture and best practices.
  • A security zone policy is validated regardless of which user is performing the operation.
  • A security zone policy denies certain actions; it doesn't grant capabilities.
  • Administrators can't create, modify, or disable security zone policies.

To create a security zone, see Managing Security Zones.