- Create Customer-managed rules recipe
- Create OCI Security Zone
- Test and review the Security Zone rules violation
Prerequisites:
- A free tier or paid Oracle Cloud account
- A compartment containing the resources you want to protect
- OCI Cloud Guard enabled in the tenancy
Task #1: Create Customer-managed Rules Recipe
1. Open the navigation menu and click Identity & Security. Under Security Zones, click Recipes.
2. Click Create Recipe.
3. On the Recipe information page, enter a name and description for the recipe, and select the right compartment, then click Next.
4. On the Policies page, all predefined policies are enabled in the new recipe by default. Clear the check box for any policy you want to exclude from the new recipe's rules, then click Next.
You can filter the list of policies by selecting a specific policy type or resource type. You can also search for policies by name.
In my example, I'll add rules from Policy type "Deny Public Access".
5. On the Review page, review the selected rules, then click Create.
Task #2: Create OCI Security Zone
1. Open the navigation menu and click Identity & Security. Under Security Zones, click Overview.
2. Click Create Security Zone.
If the selected compartment is already associated with a security zone, this button is disabled.
When you create a security zone for a compartment, Cloud Guard performs the following actions:
- Deletes any existing Cloud Guard target for the compartment and its sub-compartments
- Creates a security zone target for the compartment
3. On the Create Security Zone page, select "Customer-managed" and select the recipe which was created in task #1, enter a name and description for the zone, and select the right compartment, then click Create Security Zone.
It can take several minutes to associate the compartment and its sub-compartments with the security zone. When finished, the security zone is in the Active state.
Task #3: Create a New Resource that Violates Rules
In my example, I'll edit the visibility for the OCI object storage bucket, which resides in the same compartment that has the security zone enabled, to be Public. This change will fail because it violates the security zone rule "Security Zone Violation: Object Storage buckets in a security zone can't be public. (Forbidden)."
Task #4: Verify Security Zone Policy Violation
If the compartment for the security zone has any existing resources, you can use the Console to identify the resources that violate the security zone's policies and take corrective actions.
Cloud Guard routinely scans the resources in your security zones for policy violations. Each policy violation is recorded as a problem in Cloud Guard. For a new security zone, it can take up to three hours before any violations are detected.
1. On the Security Zone home page, under the Associated compartments section, if the compartment or any sub-compartment has any policy violations, select View details in Cloud Guard.
2. The Problems page in Cloud Guard opens and displays problems detected in this security zone only.
3. Select a problem to view details. For example, select the first problem "Bucket is public". You can either click Remediate to resolve the problem (clear violation), Mark as resolved, or Dismiss.
4. Click Remediate.
Notes:
- A policy must be added to allow the responder to remediate problems. Add the policy statements automatically or update your policies manually.
- After you add statements to a responder policy, it can take up to 1 minute in the home region and up to 15 minutes in other regions before the responder starts acting on the statements.
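To make the two behaviours above concrete, here is an added, simplified model (not OCI or Cloud Guard code) of how a security zone with the "Deny Public Access" bucket policy treats a compartment and its sub-compartments: a change that would make a bucket public is refused at request time, and buckets that are already public are reported as "Bucket is public" problems by a scan. The compartment tree, zone membership and bucket values are constructed for the example.

```python
# Simplified model of OCI Security Zone enforcement, added as an illustration
# of the behaviour described above; this is not OCI or Cloud Guard code.
from dataclasses import dataclass

# Constructed compartment tree: child -> parent (root has no parent).
COMPARTMENT_PARENT = {
    "root": None,
    "prod": "root",
    "prod-data": "prod",   # sub-compartment of prod
    "dev": "root",
}

# Constructed: compartments that have a security zone whose recipe
# includes the "Deny Public Access" policy for Object Storage buckets.
SECURITY_ZONES = {"prod"}

VIOLATION_MSG = ("Security Zone Violation: Object Storage buckets in a "
                 "security zone can't be public. (Forbidden)")

@dataclass
class Bucket:
    name: str
    compartment: str
    public_access_type: str = "NoPublicAccess"  # or ObjectRead / ObjectReadWithoutList

class SecurityZoneViolation(Exception):
    pass

def in_security_zone(compartment: str) -> bool:
    """A zone covers the compartment it is created on and all of its sub-compartments."""
    while compartment is not None:
        if compartment in SECURITY_ZONES:
            return True
        compartment = COMPARTMENT_PARENT[compartment]
    return False

def update_bucket_visibility(bucket: Bucket, public_access_type: str) -> Bucket:
    """Preventive control: the change is refused if it would violate the zone policy."""
    if public_access_type != "NoPublicAccess" and in_security_zone(bucket.compartment):
        raise SecurityZoneViolation(VIOLATION_MSG)
    bucket.public_access_type = public_access_type
    return bucket

def scan_for_problems(buckets: list) -> list:
    """Detective control: report existing buckets that violate the zone policy,
    the way Cloud Guard records each violation as a problem."""
    return [{"problem": "Bucket is public", "resource": b.name, "compartment": b.compartment}
            for b in buckets
            if b.public_access_type != "NoPublicAccess" and in_security_zone(b.compartment)]
```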
Thanks for reading!!!