Creating a Security Zone

Create a security zone to help ensure that the resources in a compartment comply with security policies.

Before you create a security zone, you must enable Cloud Guard in the tenancy. See Getting Started with Cloud Guard.

When you create a security zone, you can select an Oracle-managed recipe or a custom recipe.

When you create a security zone for a compartment, Cloud Guard performs the following actions:
  • Deletes any existing Cloud Guard target for the compartment and its subcompartments
  • Creates a security zone target for the compartment
  • Adds the default Oracle-managed detector recipe to compartments in the security zone

If you create a security zone for a subcompartment whose parent compartment is already in a security zone, Cloud Guard creates a separate security zone target for the subcompartment. No changes are made to the existing target for the parent compartment.

The following diagram illustrates the Cloud Guard configuration for a new security zone in a subcompartment:


The parent compartment is in a security zone and the child compartment is in a different security zone. Each compartment is associated with a different security zone target in Cloud Guard. The security zone target for the child compartment is associated with default detector recipes.


Caution

For maximum flexibility, avoid assigning a security zone to the root compartment of the tenancy. Security zones applied to the root compartment might constrain the actions that are possible across an entire tenancy. Although this configuration might be preferable for specific use cases, it's too restrictive for most users.

    1. On the Security Zones list page, select the compartment to create the security zone in. If you need help finding the list page or the compartment filter, see Listing a Security Zone.
    2. Select Create Security Zone.

      If the selected compartment is already associated with a security zone, this button is disabled.

    3. In the Create Security Zone panel, under Security Zone Recipe select one of the following options:
      • Oracle-managed: The security zone uses the Maximum Security Recipe.
      • Customer-managed: The security zone uses a custom recipe that you select.

      If the recipe is in a different compartment, select Change compartment.

    4. Enter a name and description for the security zone.

      Avoid revealing sensitive information when naming or describing security zones.

      You can't change the name of a security zone after you create it.

    5. Verify the compartment for the security zone.
    6. (Optional) Apply tags to the security zone.

      If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. See Resource Tags. You can also apply tags to a security zone after creating it.

    7. Choose one of the following options:
      • To create the security zone now, select Create Security Zone.
      • To save the resource configuration as a Terraform configuration, select Save as Stack.

        For more information about saving stacks from resource definitions, see Creating a Stack from a Resource Creation Page.

    The new security zone is in the Creating state. It can take several minutes to associate the compartment and its subcompartments with the security zone. When finished, the security zone is in the Active state.

    If the compartment for this security zone contains existing resources, you can verify whether any of them violate policies in the zone's recipe.

  • Use the oci cloud-guard security-zone create command and required parameters to create a security zone:

    oci cloud-guard security-zone create --compartment-id <compartment_ocid> --display-name <security_zone_name> --security-zone-recipe-id <security_zone_recipe_ocid> [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Run the CreateSecurityZone operation to create a security zone.
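The following Python script is an added example, not Oracle's own code or tooling. It wraps the CLI create command shown above, refuses up front to target the tenancy root compartment (the caution earlier on this page), and then polls the zone until it leaves the Creating state and reaches Active, treating a failure state as an error and a long wait as a timeout. It assumes the OCI CLI's JSON output shape (a top-level "data" object with kebab-case keys such as "lifecycle-state"), the flags `--description` on create and `--security-zone-id` on get, and the FAILED/DELETING/DELETED lifecycle state names; the OCIDs and CLI responses in the block are constructed placeholders so the polling logic can be exercised offline.

```python
"""Added example (not Oracle's code): wrap `oci cloud-guard security-zone create`,
refuse the tenancy root compartment, and wait for the zone to become ACTIVE.
Assumes the OCI CLI JSON shape: {"data": {... "lifecycle-state": ...}} with
kebab-case keys. The --description / --security-zone-id flags and the
FAILED/DELETING/DELETED state names are assumptions as well."""
import json
import subprocess
import time
from typing import Callable, Dict, List

TERMINAL_FAILURE_STATES = {"FAILED", "DELETING", "DELETED"}  # assumed state names


def build_create_command(compartment_id: str, display_name: str,
                         recipe_id: str, description: str = "") -> List[str]:
    """Return the argv for the CLI create command.

    The tenancy root compartment's OCID starts with "ocid1.tenancy."; a zone
    there constrains the whole tenancy, so refuse it before calling the CLI.
    """
    if compartment_id.startswith("ocid1.tenancy."):
        raise ValueError("refusing to create a security zone on the tenancy root compartment")
    cmd = ["oci", "cloud-guard", "security-zone", "create",
           "--compartment-id", compartment_id,
           "--display-name", display_name,
           "--security-zone-recipe-id", recipe_id]
    if description:
        cmd += ["--description", description]  # assumed flag name
    return cmd


def parse_zone(cli_json: str) -> Dict[str, str]:
    """Extract the fields this script needs from one CLI JSON response."""
    data = json.loads(cli_json)["data"]
    return {"id": data["id"],
            "state": data["lifecycle-state"],
            "compartment_id": data["compartment-id"]}


def run_cli(cmd: List[str]) -> str:
    """Execute a CLI command and return its stdout (JSON by default)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def get_zone_json(zone_id: str) -> str:
    """Real fetcher for wait_for_active: calls `security-zone get` (assumed flag)."""
    return run_cli(["oci", "cloud-guard", "security-zone", "get",
                    "--security-zone-id", zone_id])


def wait_for_active(zone_id: str, fetch: Callable[[str], str],
                    timeout_s: float = 600, interval_s: float = 15,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic) -> Dict[str, str]:
    """Poll fetch(zone_id) until the zone reports ACTIVE.

    `fetch` returns raw CLI JSON and is injectable so the loop can run against
    constructed responses. Raises RuntimeError on a failure state and
    TimeoutError once `timeout_s` has elapsed without reaching ACTIVE.
    """
    deadline = clock() + timeout_s
    while True:
        zone = parse_zone(fetch(zone_id))
        if zone["state"] == "ACTIVE":
            return zone
        if zone["state"] in TERMINAL_FAILURE_STATES:
            raise RuntimeError(f"security zone {zone_id} entered {zone['state']}")
        if clock() >= deadline:
            raise TimeoutError(f"security zone {zone_id} still {zone['state']} after {timeout_s}s")
        sleep(interval_s)


# Constructed sample responses with placeholder OCIDs, standing in for the CLI.
SAMPLE_ZONE_ID = "ocid1.securityzone.oc1..EXAMPLE"
SAMPLE_RESPONSES = [
    json.dumps({"data": {"id": SAMPLE_ZONE_ID, "lifecycle-state": state,
                         "compartment-id": "ocid1.compartment.oc1..EXAMPLE"}})
    for state in ("CREATING", "CREATING", "ACTIVE")
]


def demo() -> Dict[str, str]:
    """Run the constructed CREATING -> CREATING -> ACTIVE sequence through the poller."""
    responses = iter(SAMPLE_RESPONSES)
    return wait_for_active(SAMPLE_ZONE_ID, lambda _zid: next(responses),
                           sleep=lambda _s: None)


if __name__ == "__main__":
    print(" ".join(build_create_command("ocid1.compartment.oc1..EXAMPLE", "zone-a",
                                        "ocid1.securityzonesecurityrecipe.oc1..EXAMPLE")))
    print(demo())
```

Against a real tenancy, pass `get_zone_json` as the `fetch` argument and the zone id returned by the create call; the injectable `sleep` and `clock` exist only so the wait loop, including its timeout and failure paths, can be checked without the CLI.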