Friday, October 10, 2025

Create and Test OCI Security Zone


Introduction:

  • Security Zones automatically enforce security standards and best practices on resources in selected compartments. Users cannot create or update a resource in a Security Zone if the action violates a Security Zone policy.
  • Security Zones let you be confident that your resources in the Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, and Database resources, comply with Oracle security principles.
  • It helps prevent misconfigurations by applying an Oracle-defined or custom-built collection of security rules, called a "recipe" to a designated compartment. Any attempt to create, update, or move a resource that violates a policy in the recipe is automatically denied.
Importance & Benefit:
  • Risk Reduction: Automatically prevents misconfigurations that could lead to data breaches.
  • Regulatory Compliance: Enforces compliance with frameworks like CIS out of the box.
  • Centralized Governance: Security administrators can define and apply uniform policies across multiple projects or business units.
  • Lower Compliance Costs: Automated compliance enforcement reduces the need for manual audits and external consulting.
  • Operational Productivity: DevOps Security and Cloud Ops teams spend less time on security reviews.
  • Cost Optimization: no extra licensing cost for the feature.

In this blog, I'll demonstrate the following:
  • Create Customer-managed rules recipe 
  • Create OCI Security Zone 
  • Test and review Security Zone rules violation



Prerequisites:
  • A free tier or paid Oracle Cloud account
  • Compartment with resources reside in
  • Enable OCI Cloud Guard in the tenancy

Task #1: Create Customer-managed Rules Recipe 


1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.



















2. Click Create Recipe.


3. On the Recipe information page, enter a name and description for the recipe, and select the right compartment, then click Next.



















4. On the Policies page, by default all predefined policies are enabled in the new recipe. Clear the check box for any policy the you want to disable (not included in the new recipe rules), then click Next.

You can filter the list of policies by selecting a specific policy type or resource type. You can also search for policies by name.

In my example, I'll add rules from Policy type "Deny Public Access".





















5. On the Review page, review the selected rules then click Create


















Task #2: Create Customer-managed Rules Recipe


1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.



















2. Click Create Security Zone.
If the selected compartment is already associated with a security zone, this button is disabled.









When you create a security zone for a compartment, Cloud Guard performs the following actions:
  • Deletes any existing Cloud Guard target for the compartment and its sub-compartments
  • Creates a security zone target for the compartment
3. On Create Security Zone page, select "Customer-managed" and select the recipe which was created in task #1, enter a name and description for the zone, and select the right compartment, then click Create Security Zone.























It can take several minutes to associate the compartment and its sub-compartments with the security zone. When finished, the security zone is in the Active state.












Task #3: Create New Resource that Violate Rules


In my example, I'll edit the visibility for OCI object storage bucket, which resides in the same compartment that has the security zone enabled, to be Public. This change will fail because it violates security zone rule "Security Zone Violation: Object Storage buckets in a security zone can't be public. (Forbidden).



















Task #4: Verify Security Zone Policy Violation  


If the compartment for the security zone has any existing resources, you can use the Console to identify the resources that violate the security zone's policies, and take corrective actions.

Cloud Guard routinely scans the resources in your security zones for policy violations. Each policy violation is recorded as a problem in Cloud Guard. For a new security zone, it can take up to three hours before any violations are detected.

1. On Security Zone home page under the Associated compartments section, If the compartment or any sub-compartment has any policy Violations, select View details in Cloud Guard.




















2. The Problems page in Cloud Guard opens and displays problems detected in this security zone only.















3. Select a problem to view details. For example, select the first problem "Bucket is public". You can either click Remediate to resolve the problem (clear violation), Mark as resolved, or Dismiss. 


















4. Click Remediate. 

Notes:
  • Policy must be added to allow the responder to remediate problems. Add the policy statements automatically or update your policies manually.
  • After you add statements to a responder policy, it can take up to 1 minute in the home region, and up to 15 minutes in other regions, before the responder starts acting on the statements.






























Thanks for reading !!!



at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Securing Oracle Database with Industry Standards and Best Practices

  Introduction: Oracle Enterprise Manager (OEM) provides solution to secure and ensure compliance with security policies defined by security...