{"id":733,"date":"2026-04-15T09:09:06","date_gmt":"2026-04-15T09:09:06","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-security-zones-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/"},"modified":"2026-04-15T09:09:06","modified_gmt":"2026-04-15T09:09:06","slug":"oracle-cloud-security-zones-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-security-zones-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/","title":{"rendered":"Oracle Cloud Security Zones Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security, Identity, and Compliance"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security, Identity, and Compliance<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Security Zones<\/strong> is a governance and preventive-security service that helps you create \u201clocked-down\u201d compartments where Oracle Cloud Infrastructure (OCI) automatically <strong>enforces security best practices<\/strong>. 
Instead of only detecting misconfigurations after the fact, Security Zones can <strong>block<\/strong> risky operations (create\/update\/move) that would violate your organization\u2019s security requirements.<\/p>\n\n\n\n<p>In simple terms: you place sensitive workloads (production data, regulated systems, crown-jewel services) into a Security Zone compartment, choose a Security Zone <strong>recipe<\/strong> (a set of security policies), and OCI prevents actions that could make those resources insecure\u2014such as allowing public exposure or weakening encryption controls\u2014based on what the recipe enforces.<\/p>\n\n\n\n<p>Technically, Security Zones works as a <strong>policy enforcement layer<\/strong> around OCI resources in a compartment. When someone calls OCI APIs (from the Console, CLI, SDKs, Terraform, or CI\/CD), OCI evaluates the request against the Security Zone\u2019s recipe policies. If the request violates a policy, OCI denies it with an error explaining the violation. This makes Security Zones a strong fit for \u201cguardrails,\u201d platform governance, and compliance-by-default in Oracle Cloud\u2019s <strong>Security, Identity, and Compliance<\/strong> portfolio.<\/p>\n\n\n\n<p><strong>What problem it solves:<\/strong> Cloud teams often struggle with configuration drift, inconsistent security across projects, and accidental exposure (public storage, overly permissive networking, missing encryption controls). Security Zones addresses this by providing <strong>preventive controls<\/strong> that reduce the chance of insecure changes reaching production.<\/p>\n\n\n\n<blockquote>\n<p>Service name status: As of current OCI documentation, <strong>Security Zones<\/strong> is an active service name in Oracle Cloud. 
If Oracle later merges or rebrands it (for example under broader governance tooling), <strong>verify in official docs<\/strong> before adopting any new naming or workflows.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Security Zones?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Security Zones is designed to help you <strong>enforce Oracle-defined security best practices<\/strong> for OCI resources by applying a <strong>Security Zone recipe<\/strong> to a compartment. The recipe contains security policies that OCI uses to prevent noncompliant operations.<\/p>\n\n\n\n<p>Primary documentation (start here):<br\/>\nhttps:\/\/docs.oracle.com\/en-us\/iaas\/Content\/SecurityZones\/home.htm<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<p>Security Zones typically provides these capabilities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compartment-level security guardrails<\/strong>: designate a compartment as a Security Zone.<\/li>\n<li><strong>Recipe-driven policies<\/strong>: apply an Oracle-managed or configurable set of security policies (\u201crecipe\u201d) to the compartment.<\/li>\n<li><strong>Preventive enforcement<\/strong>: block operations that violate the recipe policies.<\/li>\n<li><strong>Move checks<\/strong>: when you move resources into (or sometimes out of) a Security Zone compartment, OCI evaluates whether they meet the policies.<\/li>\n<li><strong>Visibility into violations<\/strong>: users get explicit error messages when an operation is denied due to a Security Zone policy.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Exact policies included in a recipe can change over time and differ by recipe. 
Always review the recipe in your OCI Console and <strong>verify in official docs<\/strong> for the most up-to-date list.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<p>Security Zones is usually discussed in terms of these components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security Zone<\/strong>: a compartment designated to have Security Zones enforcement.<\/li>\n<li><strong>Security Zone recipe<\/strong>: a named set of security policies (Oracle-managed or configurable depending on OCI capabilities in your tenancy\/region).<\/li>\n<li><strong>Policies (controls)<\/strong>: enforceable rules that prevent insecure resource configurations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<p>Security Zones is a <strong>governance and preventive control<\/strong> service (control-plane feature). It is not a firewall, IDS, or endpoint agent. It enforces security at the OCI API\/control plane level.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (regional\/global\/compartment)<\/h3>\n\n\n\n<p>Security Zones is <strong>compartment-scoped<\/strong>: it applies to resources in a specific compartment (the Security Zone compartment). OCI is a region-based cloud, but compartment governance is tenancy-wide. 
In practice:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You create\/manage Security Zones at the tenancy level.<\/li>\n<li>The enforcement applies when managing resources in any region <strong>within<\/strong> the Security Zone compartment.<\/li>\n<\/ul>\n\n\n\n<p>If any region-specific limitations apply (policy enforcement coverage differs by region or resource type), <strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n<p>Security Zones works alongside other OCI Security, Identity, and Compliance services:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM (Identity and Access Management)<\/strong>: controls <em>who can do what<\/em>. Security Zones controls <em>what is allowed at all<\/em> inside the protected compartment, so a principal that IAM permits to create a bucket can still be refused if the bucket\u2019s configuration violates the recipe.<\/li>\n<li><strong>Cloud Guard<\/strong>: provides detection (and response automation) for security posture issues, while Security Zones focuses on prevention. The two are not independent: Security Zones is delivered through the Cloud Guard service (its create\/update\/list operations are part of the Cloud Guard API, and the OCI CLI exposes them under <code>oci cloud-guard<\/code>), and Oracle\u2019s documentation lists enabling Cloud Guard as a prerequisite for creating a Security Zone. <strong>Verify in official docs<\/strong> for the current prerequisites in your tenancy.<\/li>\n<li><strong>Audit<\/strong>: captures API calls, including failed ones, so a request denied by a Security Zone policy can be traced back to the principal, time and parameters that triggered it.<\/li>\n<li><strong>Vault \/ Keys<\/strong>: recipes frequently require encryption and\/or customer-managed keys for certain resource types (depending on recipe).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Security Zones?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce breach risk from misconfiguration<\/strong>: many cloud incidents start with public data exposure or weak security settings.<\/li>\n<li><strong>Compliance alignment<\/strong>: helps enforce baseline controls required by regulated environments (finance, healthcare, government, ISO\/SOC-aligned internal controls).<\/li>\n<li><strong>Faster approvals<\/strong>: security teams can pre-approve a security baseline (\u201cthis compartment enforces our controls\u201d), reducing friction for delivery teams.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Guardrails at the API level<\/strong>: works regardless of whether requests come from Console, CLI, SDK, Terraform, or automation.<\/li>\n<li><strong>Consistency<\/strong>: enforces a standardized baseline across teams and projects.<\/li>\n<li><strong>Defense-in-depth<\/strong>: complements IAM (permissions), network controls, and detective monitoring.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fewer \u201cwho changed this?\u201d incidents<\/strong>: risky changes are blocked immediately.<\/li>\n<li><strong>Less drift<\/strong>: policies apply continuously; there\u2019s less need to constantly run \u201cfix-up\u201d scripts.<\/li>\n<li><strong>Safer multi-team environments<\/strong>: platform teams can enable Security Zones for production compartments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prevent public exposure where prohibited<\/strong>: common controls include restricting public access patterns.<\/li>\n<li><strong>Encryption enforcement<\/strong>: recipes often require strong encryption configurations (depending on 
resource type and recipe).<\/li>\n<li><strong>Separation of duties<\/strong>: platform\/security teams define the baseline; app teams operate within the boundary.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<p>Security Zones is not a data-plane service; it does not handle runtime traffic and should not be a performance bottleneck for applications. The \u201cscaling\u201d benefit is governance scaling: the same baseline can apply across many projects without manual review.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Security Zones when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Strong <strong>preventive<\/strong> governance in production compartments<\/li>\n<li>A consistent baseline for sensitive workloads<\/li>\n<li>Control-plane guardrails that cannot be bypassed by using different tooling<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Avoid or delay Security Zones when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need full flexibility for experimentation (early R&amp;D), where guardrails slow iteration<\/li>\n<li>Your workload requires configurations that conflict with Security Zones policies (for example, intentionally public-facing storage or networking patterns)<\/li>\n<li>You haven\u2019t standardized your platform yet\u2014Security Zones can \u201csurface\u201d hidden dependencies by blocking previously allowed configurations<\/li>\n<\/ul>\n\n\n\n<p>A common pattern is to use Security Zones for <strong>production<\/strong> and <strong>regulated<\/strong> compartments, while leaving dev\/sandbox compartments out (or applying a less strict recipe, if available).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Security Zones used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<p>Security Zones is most commonly used in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services (PCI-aligned controls, strict data handling)<\/li>\n<li>Healthcare\/life sciences (sensitive data governance)<\/li>\n<li>Government\/public sector (policy-driven posture)<\/li>\n<li>SaaS providers (multi-tenant security baselines)<\/li>\n<li>Education and research (protecting sensitive datasets)<\/li>\n<li>Retail\/e-commerce (customer data protection)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams building OCI \u201clanding zones\u201d<\/li>\n<li>Cloud security teams defining guardrails<\/li>\n<li>DevOps\/SRE teams operating production environments<\/li>\n<li>Compliance and risk teams requiring enforceable baselines<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Production applications with sensitive data (PII, financial, healthcare)<\/li>\n<li>Data platforms (data lakes, analytics) that must prevent accidental public exposure<\/li>\n<li>CI\/CD shared services and artifact stores (protect from misconfig)<\/li>\n<li>Core shared infrastructure (network hubs, logging, identity integrations)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-compartment enterprises with centralized governance<\/li>\n<li>Hub-and-spoke tenancy layouts<\/li>\n<li>Shared services compartments + application compartments<\/li>\n<li>Multi-region deployments where governance must be consistent<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: enforce strict guardrails (strongly recommended for sensitive systems).<\/li>\n<li><strong>Dev\/test<\/strong>: use 
selectively\u2014Security Zones can be used to ensure parity with production security posture, but it may block common developer shortcuts (public endpoints, permissive configs).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic Security Zones use cases. For each, the \u201cwhy it fits\u201d is specifically about <strong>preventive enforcement<\/strong> at the OCI control plane.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Prevent public Object Storage buckets in production<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams accidentally configure buckets with public access.<\/li>\n<li><strong>Why this fits:<\/strong> Security Zones can block operations that would make buckets publicly accessible (depending on the recipe).<\/li>\n<li><strong>Example:<\/strong> A developer tries to set a bucket to allow anonymous reads; OCI denies it in the production Security Zone compartment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Enforce encryption requirements for regulated data stores<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Some workloads must meet encryption controls (at rest and sometimes key management requirements).<\/li>\n<li><strong>Why this fits:<\/strong> Recipes can enforce encryption-related configurations for supported resources (verify exact coverage).<\/li>\n<li><strong>Example:<\/strong> A data platform team tries to create storage without required encryption posture; it\u2019s blocked.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Protect \u201clogging and audit\u201d compartments from weakening changes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Logging pipelines are security-critical; misconfigs reduce visibility.<\/li>\n<li><strong>Why this fits:<\/strong> Put logging resources into a Security Zone compartment to prevent risky 
configuration changes.<\/li>\n<li><strong>Example:<\/strong> An operator attempts to reduce logging\/security settings; the operation is denied.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Build a production landing zone with built-in guardrails<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Enterprises need a standardized, safe \u201cplace\u201d to deploy production workloads.<\/li>\n<li><strong>Why this fits:<\/strong> Security Zones helps create a compartment that enforces the baseline and reduces platform drift.<\/li>\n<li><strong>Example:<\/strong> All production apps must deploy into Security Zone compartments created from a standard recipe.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Ensure shared artifact repositories cannot be exposed publicly<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Build artifacts and images must not be publicly exposed.<\/li>\n<li><strong>Why this fits:<\/strong> Security Zones can prevent configurations that violate exposure policies.<\/li>\n<li><strong>Example:<\/strong> A team accidentally makes an artifact store public; Security Zones blocks the change.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Reduce risk in multi-team tenancy operations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Many teams share OCI tenancy; inconsistent practices cause risk.<\/li>\n<li><strong>Why this fits:<\/strong> Security Zones provides a consistent baseline that applies no matter which team runs the change.<\/li>\n<li><strong>Example:<\/strong> Central security mandates Security Zones for all customer-data compartments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Govern \u201cbreak-glass\u201d operational workflows<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Emergency changes can unintentionally lower security.<\/li>\n<li><strong>Why this fits:<\/strong> Even break-glass operators can be 
prevented from making certain noncompliant changes (depending on how IAM is configured; some tenancy admins might still override\u2014verify).<\/li>\n<li><strong>Example:<\/strong> During an outage, someone tries to open public access broadly; the zone blocks it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Prevent insecure networking patterns in restricted environments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Regulated workloads require limited public exposure and strict routing.<\/li>\n<li><strong>Why this fits:<\/strong> Recipes may enforce network-related restrictions (exact controls vary; verify).<\/li>\n<li><strong>Example:<\/strong> A team attempts to attach an Internet Gateway or assign public endpoints; blocked if recipe forbids it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Standardize compliance posture across environments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Compliance audits find inconsistent configurations.<\/li>\n<li><strong>Why this fits:<\/strong> Security Zones makes compliance controls consistently enforceable.<\/li>\n<li><strong>Example:<\/strong> Audit requires \u201cno public storage\u201d and \u201cencryption enforced\u201d; Security Zones supports evidence of preventive controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Safe onboarding of new teams\/projects<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> New teams may not know OCI security best practices.<\/li>\n<li><strong>Why this fits:<\/strong> Guardrails prevent common mistakes while teams ramp up.<\/li>\n<li><strong>Example:<\/strong> A new project is given a Security Zone compartment; their deployment pipeline must comply from day one.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Protect backup and recovery assets<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Backup storage misconfiguration can cause data 
leakage.<\/li>\n<li><strong>Why this fits:<\/strong> Put backup buckets\/volumes in a Security Zone to reduce risk.<\/li>\n<li><strong>Example:<\/strong> A backup bucket cannot be made public; blocked by policy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Control high-risk \u201cdata export\u201d patterns<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams may expose export endpoints or storage accidentally.<\/li>\n<li><strong>Why this fits:<\/strong> Security Zones can block certain configuration changes that create exposure paths (depending on policy coverage).<\/li>\n<li><strong>Example:<\/strong> A dataset export bucket cannot be configured for anonymous access.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: OCI adds and adjusts enforcement coverage over time. Always confirm what your chosen <strong>Security Zone recipe<\/strong> enforces in your region\/tenancy.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) Security Zone compartments (compartment as enforcement boundary)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you designate a compartment as a Security Zone so policies apply to resources in it.<\/li>\n<li><strong>Why it matters:<\/strong> Compartments are OCI\u2019s primary isolation and governance unit.<\/li>\n<li><strong>Practical benefit:<\/strong> You can apply strict controls to production without impacting dev.<\/li>\n<li><strong>Caveats:<\/strong> Not all resource types may be covered equally; enforcement is only for resources in the zone.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Security Zone recipes (policy sets)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Recipes define the set of security policies enforced in the zone.<\/li>\n<li><strong>Why it matters:<\/strong> You get a repeatable, auditable 
baseline.<\/li>\n<li><strong>Practical benefit:<\/strong> Standardize security posture across multiple compartments.<\/li>\n<li><strong>Caveats:<\/strong> If you need exceptions, recipes may not support fine-grained allowlists; design accordingly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Preventive enforcement (deny noncompliant operations)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Blocks create\/update operations that violate recipe policies.<\/li>\n<li><strong>Why it matters:<\/strong> Prevents insecure configurations from ever being applied.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduces reactive cleanup work and risk exposure windows.<\/li>\n<li><strong>Caveats:<\/strong> Can break existing automation pipelines if they attempt disallowed configurations\u2014test in non-prod first.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) \u201cMove into zone\u201d compliance checks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> When you move resources into a Security Zone compartment, OCI evaluates whether they comply.<\/li>\n<li><strong>Why it matters:<\/strong> Prevents importing insecure resources into protected areas.<\/li>\n<li><strong>Practical benefit:<\/strong> Forces teams to remediate before promoting resources to production compartments.<\/li>\n<li><strong>Caveats:<\/strong> Moving resources between compartments may require downtime or careful planning depending on resource type.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Clear violation feedback in Console\/API errors<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> When denied, the user gets an error indicating Security Zone policy violation.<\/li>\n<li><strong>Why it matters:<\/strong> Engineers need actionable feedback to remediate.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster troubleshooting: \u201cwhat policy blocked 
this?\u201d<\/li>\n<li><strong>Caveats:<\/strong> Error messages vary by service; not all tools display them equally.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Works with all provisioning tools (Console\/CLI\/SDK\/Terraform)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enforcement happens at the OCI API level.<\/li>\n<li><strong>Why it matters:<\/strong> Prevents bypass by using different tooling.<\/li>\n<li><strong>Practical benefit:<\/strong> Strong platform guardrails for CI\/CD and IaC.<\/li>\n<li><strong>Caveats:<\/strong> Your pipelines must be designed to handle \u201cdeny\u201d errors cleanly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Baseline alignment with OCI security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Recipes represent Oracle-recommended best practices.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces need to design every control from scratch.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster governance adoption.<\/li>\n<li><strong>Caveats:<\/strong> \u201cBest practice\u201d is not the same as your policy; validate against your internal standards.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Separation of duties support (guardrails independent of IAM intent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Even if an engineer has permissions, the zone can still block disallowed actions.<\/li>\n<li><strong>Why it matters:<\/strong> Helps avoid accidental misconfigurations by privileged users.<\/li>\n<li><strong>Practical benefit:<\/strong> Stronger governance in shared environments.<\/li>\n<li><strong>Caveats:<\/strong> Tenancy admins may be able to reconfigure governance; treat governance configuration as high-privilege.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Auditability through OCI Audit<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> API 
calls are logged; denied requests can be investigated (exact audit detail varies; verify).<\/li>\n<li><strong>Why it matters:<\/strong> Security and operations teams need traceability.<\/li>\n<li><strong>Practical benefit:<\/strong> Evidence for incident response and compliance.<\/li>\n<li><strong>Caveats:<\/strong> Audit logging retention and search capabilities have their own limits and costs (indirect).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Supports standardized \u201clanding zone\u201d patterns<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables consistent secure compartments for production workloads.<\/li>\n<li><strong>Why it matters:<\/strong> Many organizations adopt a multi-compartment landing zone architecture.<\/li>\n<li><strong>Practical benefit:<\/strong> Repeatable deployments with fewer security exceptions.<\/li>\n<li><strong>Caveats:<\/strong> Requires organizational adoption and developer enablement.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Security Zones sits in the control plane and evaluates management operations against a policy set (recipe):<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A user or automation calls OCI APIs to create\/update a resource in a compartment.<\/li>\n<li>OCI IAM authorizes the caller (permissions).<\/li>\n<li>If the target compartment is a Security Zone, OCI evaluates the request against Security Zone policies.<\/li>\n<li>If compliant, OCI performs the action; if not, OCI denies it with a violation error.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/control flow (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identity<\/strong>: OCI IAM authenticates users\/services (API keys, auth tokens, instance principals, etc.).<\/li>\n<li><strong>Authorization<\/strong>: OCI IAM policy determines whether the principal can perform the API action.<\/li>\n<li><strong>Security Zones enforcement<\/strong>: if authorized, the request is still checked against Security Zone recipe policies.<\/li>\n<li><strong>Execution<\/strong>: only then is the resource created\/updated\/moved.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations in real environments:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM<\/strong>: to restrict who can create\/modify Security Zones and recipes.<\/li>\n<li><strong>Audit<\/strong>: to investigate denied operations and track changes.<\/li>\n<li><strong>Cloud Guard<\/strong>: for posture monitoring and detection; Security Zones for prevention. 
(Verify the current relationship in your tenancy\/docs.)<\/li>\n<li><strong>Vault<\/strong>: recipes often require encryption and\/or customer-managed keys for certain services (depending on policy coverage).<\/li>\n<li><strong>Networking (VCN)<\/strong>: Security Zones may restrict configurations that increase exposure (verify exact controls in recipe).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compartments<\/strong> are fundamental, because Security Zones is compartment-based.<\/li>\n<li><strong>IAM<\/strong> is required for access control.<\/li>\n<li><strong>Cloud Guard<\/strong> must be enabled in the tenancy: Security Zones is provided through the Cloud Guard service, and the operations that create, update and list zones and recipes are part of the Cloud Guard API.<\/li>\n<li><strong>Supported OCI services<\/strong>: enforcement depends on which resource types Security Zones currently supports in your region.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones does not introduce a separate authentication system; it uses OCI\u2019s standard identity model.<\/li>\n<li>Control of Security Zones configuration should be limited to a small admin group. Whoever can update or delete a zone, or swap its recipe for a weaker one, removes the guardrail for every resource in the compartment, so treat that permission as equivalent to tenancy-level security administration and keep it out of the groups that deploy workloads.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones is not a data-plane network service.<\/li>\n<li>Networking restrictions (if present in your recipe) are enforced by denying control-plane operations that would create insecure network exposure.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Audit<\/strong> to track:<ul>\n<li>Who created\/modified a Security Zone<\/li>\n<li>Who attempted blocked operations<\/li>\n<\/ul>\n<\/li>\n<li>Use Cloud Guard (or similar tooling) for detective controls and reporting.<\/li>\n<li>Use tagging and naming conventions to clearly distinguish Security Zone compartments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram 
(Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[User \/ CI Pipeline] --&gt;|Console \/ CLI \/ Terraform| API[OCI API]\n  API --&gt; IAM[IAM AuthN\/AuthZ]\n  IAM --&gt;|Not authorized| DENYIAM[\"Deny: IAM authorization failed\"]\n  IAM --&gt;|Authorized| SZ{Target compartment is a Security Zone?}\n  SZ --&gt;|No| EXEC[Provision Resource]\n  SZ --&gt;|Yes| POL[Evaluate Recipe Policies]\n  POL --&gt;|Compliant| EXEC\n  POL --&gt;|Violation| DENY[Deny with Violation Error]\n  EXEC --&gt; AUDIT[OCI Audit Logs]\n  DENY --&gt; AUDIT\n  DENYIAM --&gt; AUDIT\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Tenancy[\"OCI Tenancy\"]\n    subgraph Governance[\"Governance &amp; Security (Security, Identity, and Compliance)\"]\n      IAM[\"IAM Policies &amp; Groups\"]\n      SZ[\"Security Zones (Recipe Enforcement)\"]\n      AUD[Audit]\n      CG[\"Cloud Guard (Detect\/Respond;&lt;br\/&gt;manages Security Zones)\"]\n      VAULT[\"Vault \/ Keys\"]\n    end\n\n    subgraph Compartments[\"Compartment Structure\"]\n      ROOT[Root Compartment]\n      SHARED[\"Shared Services Compartment&lt;br\/&gt;(logging, vault, networking)\"]\n      ZPROD[\"Prod Security Zone Compartment&lt;br\/&gt;(Security Zone Recipe Applied)\"]\n      DEV[\"Dev\/Test Compartment&lt;br\/&gt;(non-zone or different baseline)\"]\n    end\n\n    subgraph Workloads[Workloads]\n      APP[\"Compute \/ OKE \/ Functions&lt;br\/&gt;Apps\"]\n      DATA[\"Databases \/ Object Storage&lt;br\/&gt;Data\"]\n      NET[\"VCN \/ Subnets \/ Gateways\"]\n    end\n  end\n\n  IAM --&gt; SZ\n  SZ --&gt; ZPROD\n  ZPROD --&gt; APP\n  ZPROD --&gt; DATA\n  ZPROD --&gt; NET\n\n  APP --&gt; AUD\n  DATA --&gt; AUD\n  NET --&gt; AUD\n\n  AUD --&gt; CG\n  VAULT --&gt; DATA\n  VAULT --&gt; APP\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy\/account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Oracle Cloud (OCI) tenancy<\/strong>.<\/li>\n<li>Access to the OCI Console for your region(s).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>For a smooth lab experience, use one of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A user in the <strong>Administrators<\/strong> group (tenancy admin), or<\/li>\n<li>A user\/group with explicit policies that allow:<ul>\n<li>Creating and managing compartments \/ Security Zones<\/li>\n<li>Creating Object Storage buckets (for the tutorial)<\/li>\n<li>Viewing Audit logs (optional but recommended)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>OCI policy syntax and resource-type names can be specific. If you\u2019re not using a tenancy admin, <strong>verify required IAM policies in official docs<\/strong>:\nhttps:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Concepts\/policies.htm<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones itself is commonly offered without a separate metered charge, but <strong>verify in official pricing<\/strong> for your tenancy.<\/li>\n<li>The tutorial provisions low-cost resources (Object Storage buckets) and uses free control-plane operations where possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Console (required for creating the Security Zone in this lab).<\/li>\n<li>Optional:<ul>\n<li>OCI CLI (for verifying bucket operations)<ul>\n<li>CLI docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cliconcepts.htm<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones availability can vary by region and tenancy features. 
<strong>Verify in official docs<\/strong> and in the OCI Console service list for your region.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compartment and Object Storage limits can apply.<\/li>\n<li>Some Security Zones policy enforcement may apply only to certain resource types\/services. Plan for gaps.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compartments<\/strong><\/li>\n<li><strong>Object Storage<\/strong> (for the hands-on validation)<\/li>\n<li>Optional: <strong>Audit<\/strong> (enabled by default in many tenancies), <strong>Cloud Guard<\/strong>, <strong>Vault<\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (how to think about it)<\/h3>\n\n\n\n<p>Security Zones is a governance\/control-plane feature. 
In many OCI setups, <strong>there is no separate line-item charge<\/strong> for using Security Zones itself, but pricing and entitlement can change.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Action:<\/strong> Verify the current pricing for Security Zones in official sources:<ul>\n<li>OCI Pricing \/ Cost info: https:\/\/www.oracle.com\/cloud\/price-list\/<\/li>\n<li>OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/li>\n<li>Security Zones docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/SecurityZones\/home.htm<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>If Security Zones is free, your costs will still come from the resources you place inside zones (compute, storage, network egress, logging, keys, etc.).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (direct and indirect)<\/h3>\n\n\n\n<p>Even if Security Zones is not directly billed, consider:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Object Storage<\/strong>: storage GB-month, requests, retrieval, and replication (if enabled).<\/li>\n<li><strong>Network egress<\/strong>: traffic leaving OCI can incur costs.<\/li>\n<li><strong>Logging\/Monitoring<\/strong>:<ul>\n<li>Audit logs are control-plane; costs and retention depend on OCI\u2019s model and any exports you configure.<\/li>\n<li>If you export logs to Object Storage or Logging Analytics, those services have their own costs.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Vault \/ Keys<\/strong>:<ul>\n<li>Customer-managed keys and HSM-backed key options may incur charges (verify).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Cloud Guard<\/strong> (if used): may have its own pricing model.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Number of protected production compartments (organizational overhead, not metered cost)<\/li>\n<li>Data volume stored in protected resources<\/li>\n<li>Key management choice (software vs HSM)<\/li>\n<li>Log retention, export, and analytics<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Hidden\/indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Engineering time<\/strong>: remediating noncompliant patterns and updating pipelines.<\/li>\n<li><strong>Operational friction<\/strong>: blocked operations during incidents if procedures aren\u2019t designed for it.<\/li>\n<li><strong>Architecture changes<\/strong>: migrating to private patterns may require NAT gateways, private endpoints, or additional network architecture.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<p>Security Zones does not generate data-plane traffic, but policies may push you to:\n&#8211; Use private endpoints and private access patterns\n&#8211; Avoid public endpoints and reduce exposure\nThese can change your architecture and egress paths, affecting cost.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with Security Zones in <strong>a small number of high-value production compartments<\/strong>.<\/li>\n<li>Use a \u201cpromotion\u201d workflow:<ul>\n<li>Dev\/test outside the zone (or a less strict baseline if available)<\/li>\n<li>Production inside the zone<\/li>\n<\/ul>\n<\/li>\n<li>Standardize IaC modules that are Security Zones-compliant to reduce rework.<\/li>\n<li>If recipes require customer-managed keys, choose the right key tier for your compliance needs (verify Vault pricing and tiers).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual, no fabricated numbers)<\/h3>\n\n\n\n<p>A starter lab using:\n&#8211; 1 Security Zone compartment\n&#8211; 1\u20132 Object Storage buckets (private)\n&#8211; No additional compute<\/p>\n\n\n\n<p>\u2026should typically cost <strong>near zero<\/strong> beyond minimal Object Storage request\/storage usage. Exact billing depends on region, free tier eligibility, and account agreements. 
Use the OCI Cost Estimator for your region:\nhttps:\/\/www.oracle.com\/cloud\/costestimator.html<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, Security Zones commonly correlates with:\n&#8211; More private networking (NAT, private endpoints)\n&#8211; More logging and longer retention\n&#8211; Increased use of Vault keys for encryption control\nThese can materially affect monthly spend. Treat Security Zones adoption as a <strong>platform architecture and governance<\/strong> initiative, not just a toggle.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create an OCI <strong>Security Zone<\/strong> compartment and validate preventive enforcement by attempting to create an <strong>Object Storage bucket with public access<\/strong>, which should be denied by the Security Zone recipe (depending on your recipe\u2019s policies). Then create a compliant private bucket successfully.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a new Security Zone compartment using an Oracle-managed recipe (or the default recipe available in your tenancy).<\/li>\n<li>Attempt a noncompliant action (public bucket) and observe the denial.<\/li>\n<li>Perform a compliant action (private bucket) and confirm it succeeds.<\/li>\n<li>Optionally review <strong>Audit<\/strong> logs for the request.<\/li>\n<li>Clean up by deleting buckets and then deleting the compartment.<\/li>\n<\/ol>\n\n\n\n<p><strong>Estimated time:<\/strong> 30\u201360 minutes<br\/>\n<strong>Cost:<\/strong> Low (Object Storage requests\/storage). 
Security Zones governance actions are typically not billed separately\u2014<strong>verify in pricing<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Confirm you have the right access and pick a region<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sign in to the <strong>OCI Console<\/strong> with a user that can create compartments and Security Zones.<\/li>\n<li>Select a region where <strong>Security Zones<\/strong> is available (check the Console navigation).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can see OCI services and have admin-level access or equivalent.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; In the Console, confirm you can navigate to <strong>Identity &amp; Security<\/strong> (or <strong>Governance &amp; Administration<\/strong>, depending on your Console layout) and see <strong>Compartments<\/strong>.\n&#8211; If you cannot find Security Zones, it might not be enabled\/available in your region\/tenancy. <strong>Verify in official docs<\/strong> and tenancy settings.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a Security Zone compartment<\/h3>\n\n\n\n<blockquote>\n<p>The Console flow can vary slightly as OCI updates UI. 
Follow the closest matching steps in your Console.<\/p>\n<\/blockquote>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the OCI Console, open the navigation menu.<\/li>\n<li>Go to the Security Zones area (commonly under <strong>Identity &amp; Security<\/strong> or <strong>Governance &amp; Administration<\/strong>) and select <strong>Security Zones<\/strong>.<\/li>\n<li>Click <strong>Create security zone<\/strong>.<\/li>\n<li>\n<p>Provide:\n   &#8211; <strong>Name<\/strong>: <code>sz-lab-prod<\/code> (example)\n   &#8211; <strong>Description<\/strong>: <code>Security Zone lab compartment<\/code>\n   &#8211; <strong>Parent compartment<\/strong>: choose a safe parent (often the root compartment for labs)\n   &#8211; <strong>Recipe<\/strong>: select an Oracle-managed recipe (choose the default \/ recommended one)<\/p>\n<\/li>\n<li>\n<p>Create the Security Zone.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> A new compartment is created and designated as a <strong>Security Zone<\/strong>, with a recipe attached.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Open the Security Zone details page and confirm:\n  &#8211; The compartment is created\n  &#8211; A recipe is associated\n&#8211; Open the compartment list and confirm <code>sz-lab-prod<\/code> exists.<\/p>\n\n\n\n<p><strong>Common issue:<\/strong>\n&#8211; If you don\u2019t have permission: use a tenancy admin or update IAM policies (see Prerequisites).  
<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Attempt to create a public Object Storage bucket (should be blocked)<\/h3>\n\n\n\n<p>Now you\u2019ll try an operation that is often disallowed in Security Zones: making a bucket public.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: Using the OCI Console<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>Storage<\/strong> \u2192 <strong>Object Storage &amp; Archive Storage<\/strong> \u2192 <strong>Buckets<\/strong>.<\/li>\n<li>Ensure you are in the <strong>sz-lab-prod<\/strong> compartment.<\/li>\n<li>Click <strong>Create bucket<\/strong>.<\/li>\n<li>Set:\n   &#8211; <strong>Bucket name<\/strong>: <code>sz-lab-public-test<\/code>\n   &#8211; Any defaults are fine unless your recipe requires specific encryption settings (read the UI prompts).<\/li>\n<li>After creation, attempt to modify the bucket\u2019s public access settings to allow public access (the UI labels vary, for example \u201cPublic Access Type\u201d).\n   &#8211; If the UI allows setting public access at creation time, attempt it there.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> The action to make the bucket public is <strong>denied<\/strong> with a Security Zone violation message.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: Using OCI CLI (more explicit)<\/h4>\n\n\n\n<p>If you have OCI CLI configured:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Get the compartment OCID for <code>sz-lab-prod<\/code> from the Console (Compartment details \u2192 OCID).<\/li>\n<li>Try to create a bucket with public access:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">oci os bucket create \\\n  --compartment-id &lt;COMPARTMENT_OCID&gt; \\\n  --name sz-lab-public-test \\\n  --public-access-type ObjectRead\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The request is denied. 
The exact error code\/message can vary; it typically indicates a policy violation related to Security Zones.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Console: You should see an error banner\/toast with details.\n&#8211; CLI: you should see a non-zero exit and an error response.<\/p>\n\n\n\n<p><strong>If it is NOT blocked:<\/strong>\n&#8211; Your selected recipe might not enforce \u201cno public buckets,\u201d or the policy might be different for your tenancy\/region.\n&#8211; Go back to the Security Zone recipe details and review which policies it enforces.\n&#8211; <strong>Verify in official docs<\/strong> and choose a stricter recipe if available.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a compliant private bucket (should succeed)<\/h3>\n\n\n\n<p>Create a bucket that aligns with Security Zones rules.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option A: Console<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In <strong>Buckets<\/strong> (still in <code>sz-lab-prod<\/code>), click <strong>Create bucket<\/strong>.<\/li>\n<li>Use:\n   &#8211; <strong>Bucket name<\/strong>: <code>sz-lab-private-ok<\/code>\n   &#8211; Ensure <strong>public access<\/strong> is disabled \/ set to \u201cNo public access\u201d (exact wording varies).\n   &#8211; If the recipe requires encryption\/key settings, follow the UI prompts accordingly.<\/li>\n<\/ol>\n\n\n\n<p>Click <strong>Create<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Bucket creation succeeds.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Option B: CLI<\/h4>\n\n\n\n<pre><code class=\"language-bash\">oci os bucket create \\\n  --compartment-id &lt;COMPARTMENT_OCID&gt; \\\n  --name sz-lab-private-ok \\\n  --public-access-type NoPublicAccess\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The bucket is created successfully.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Console: bucket appears in list.\n&#8211; 
CLI:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Bucket names are unique within the Object Storage namespace, so\n# \"bucket get\" takes no compartment; the output includes compartment-id\n# and public-access-type (expect NoPublicAccess).\noci os bucket get \\\n  --name sz-lab-private-ok\n\n# List the buckets in the Security Zone compartment to confirm it lives there.\noci os bucket list \\\n  --compartment-id &lt;COMPARTMENT_OCID&gt;\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5 (Optional): Check Audit logs for denied and allowed actions<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>Governance &amp; Administration<\/strong> \u2192 <strong>Audit<\/strong> (Console navigation may differ).<\/li>\n<li>Filter by:\n   &#8211; <strong>Compartment<\/strong>: <code>sz-lab-prod<\/code>\n   &#8211; <strong>Time window<\/strong>: last 15\u201330 minutes<\/li>\n<li>Look for events related to Object Storage bucket creation or update attempts.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can correlate the attempted action with an Audit event. Some denied actions may still appear as audit records (behavior can vary; verify in your tenancy).<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Confirm timestamps match your attempts.\n&#8211; Confirm the principal (user or CLI) matches.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>You have successfully validated Security Zones when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You created a Security Zone compartment with a recipe attached.<\/li>\n<li>A noncompliant operation (making a bucket public) was blocked <strong>or<\/strong> you confirmed your recipe does not enforce that particular control.<\/li>\n<li>A compliant bucket (private) was created successfully.<\/li>\n<li>(Optional) Audit logs show relevant activity.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: \u201cSecurity Zones\u201d is not visible in the Console<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm you are in a region where the service is 
available.<\/li>\n<li>Confirm your user has access to see governance services.<\/li>\n<li>Check OCI docs for service availability and tenancy settings:\n  https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/SecurityZones\/home.htm<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Permission denied when creating a Security Zone<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a tenancy admin for the lab, or update IAM policies.<\/li>\n<li>Ensure your group has permissions to manage compartments and Security Zones (<strong>verify exact policy statements in official docs<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: The public bucket action was not blocked<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your recipe might not include that control.<\/li>\n<li>Review the recipe policy list in the Security Zone details.<\/li>\n<li>Try a different policy test that your recipe definitely enforces (based on what the recipe lists in your Console).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: IaC pipeline fails after enabling Security Zones<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your Terraform\/CI is attempting disallowed configurations.<\/li>\n<li>Update modules to be Security Zones-compliant:<ul>\n<li>private-by-default resources<\/li>\n<li>encryption posture aligned to the recipe<\/li>\n<li>no public exposure patterns<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Delete the test buckets in <code>sz-lab-prod<\/code>:\n   &#8211; <code>sz-lab-private-ok<\/code>\n   &#8211; <code>sz-lab-public-test<\/code> (if created at all)<\/li>\n<li>If you uploaded objects, delete objects first (bucket deletion requires it).<\/li>\n<li>Delete the Security Zone compartment:\n   &#8211; Compartments \u2192 <code>sz-lab-prod<\/code> \u2192 <strong>Delete<\/strong>\n   &#8211; OCI compartments are deleted asynchronously; it can take 
time.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> All lab resources are removed and billing stops for those resources.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use Security Zones as part of a <strong>landing zone<\/strong> design:<ul>\n<li>Separate compartments for dev\/test, staging, and production<\/li>\n<li>Use Security Zones for production and sensitive data compartments<\/li>\n<\/ul>\n<\/li>\n<li>Keep shared services (logging, Vault, networking hub) in well-governed compartments; decide whether they should also be Security Zones based on operational needs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict who can:<ul>\n<li>Create\/modify Security Zones<\/li>\n<li>Change recipes (if configurable in your tenancy)<\/li>\n<li>Move resources across compartments<\/li>\n<\/ul>\n<\/li>\n<li>Use least privilege for application teams; let them deploy inside the zone without being able to weaken guardrails.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start small: apply Security Zones to the <strong>highest-risk compartments<\/strong> first.<\/li>\n<li>Reduce rework by publishing Security Zone-compliant IaC modules.<\/li>\n<li>If the recipe requires customer-managed keys, choose the correct Vault tier (software key vs HSM) based on compliance needs and cost (<strong>verify pricing<\/strong>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones is control-plane enforcement and should not impact runtime performance.<\/li>\n<li>The performance risk is indirect: stricter network patterns (private endpoints, NAT) might affect latency and architecture. 
Validate end-to-end paths.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid last-minute enablement in production. Instead:<ul>\n<li>Test recipe enforcement in a staging compartment<\/li>\n<li>Validate CI\/CD flows<\/li>\n<li>Document operational runbooks for blocked changes during incidents<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor denied operations:<ul>\n<li>Use Audit searches and alerts (where available)<\/li>\n<li>Integrate with SIEM by exporting logs if required<\/li>\n<\/ul>\n<\/li>\n<li>Document:<ul>\n<li>What controls are enforced<\/li>\n<li>Common failure modes<\/li>\n<li>Approved patterns and reference architectures<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name Security Zone compartments clearly:<ul>\n<li><code>prod-sz-payments<\/code><\/li>\n<li><code>prod-sz-customerdata<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Tag Security Zone compartments with:<ul>\n<li><code>environment=prod<\/code><\/li>\n<li><code>data_classification=restricted<\/code><\/li>\n<li><code>compliance=...<\/code> (internal taxonomy)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones uses OCI IAM for authentication and authorization.<\/li>\n<li>Treat \u201cmanage Security Zones\u201d and \u201cmanage compartments\/moves\u201d permissions as <strong>high privilege<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recipes often enforce encryption-related posture for supported services.<\/li>\n<li>If customer-managed keys are required:<ul>\n<li>Use OCI Vault<\/li>\n<li>Define key rotation policies<\/li>\n<li>Control key admin permissions tightly<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Because enforcement differs by recipe and resource type, <strong>verify encryption requirements<\/strong> in the recipe details and official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If your recipe includes restrictions on public endpoints, design network architecture accordingly:<ul>\n<li>Private subnets for sensitive systems<\/li>\n<li>Controlled ingress via load balancers or WAF (if permitted by policy)<\/li>\n<li>Controlled egress via NAT or service gateways (depending on recipe)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t store secrets in user data, instance metadata, or source control.<\/li>\n<li>Prefer OCI Vault secrets for credentials and tokens (where applicable).<\/li>\n<li>Ensure CI\/CD uses secure credential stores.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use OCI Audit to investigate:<ul>\n<li>Blocked actions<\/li>\n<li>Changes to governance configuration<\/li>\n<\/ul>\n<\/li>\n<li>Consider exporting logs to centralized storage\/analytics if you need longer retention or SIEM integration.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Security Zones can support compliance objectives by providing:\n&#8211; Preventive controls (strong evidence for auditors)\n&#8211; Consistency across environments<\/p>\n\n\n\n<p>But it does not replace:\n&#8211; Compliance mapping\n&#8211; Control testing and evidence gathering\n&#8211; Runtime detection\/response<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Assuming Security Zones replaces IAM least privilege (it does not).<\/li>\n<li>Enabling Security Zones in production without testing pipelines.<\/li>\n<li>Using Security Zones but allowing too many admins to modify the recipe or zone configuration.<\/li>\n<li>Not documenting which patterns are allowed vs blocked.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish a standard:<ul>\n<li>\u201cAll production PII must live in a Security Zone compartment.\u201d<\/li>\n<\/ul>\n<\/li>\n<li>Provide paved-road modules:<ul>\n<li>Private bucket modules<\/li>\n<li>Approved network patterns<\/li>\n<li>Encryption\/key patterns<\/li>\n<\/ul>\n<\/li>\n<li>Implement change management for recipe changes and compartment moves.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Treat this section as a practical checklist; always validate against the current OCI docs and your recipe list.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Coverage limitations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not all OCI resource types may be governed by Security Zones policies.<\/li>\n<li>Some services might have partial enforcement (for example, some configuration fields are enforced while others are not). 
<strong>Verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recipe-specific behavior<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The controls enforced depend entirely on the recipe.<\/li>\n<li>Two Security Zones can behave very differently if recipes differ.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Blocked deployments<\/strong>: existing Terraform modules may fail immediately after moving to Security Zones.<\/li>\n<li><strong>Compartment move friction<\/strong>: moving resources into a Security Zone can be blocked if they don\u2019t comply, which can complicate migrations.<\/li>\n<li><strong>Incident response<\/strong>: emergency \u201cquick fixes\u201d may be blocked. Pre-plan compliant emergency procedures.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional\/tenancy constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones may not be available in every region or might have feature differences. 
<strong>Verify in official docs<\/strong>.<\/li>\n<li>Some organizations have strict governance; you may need tenancy-level enablement or admin action.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises (indirect)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recipes that enforce private-by-default patterns can increase reliance on NAT, private endpoints, logging, and Vault keys\u2014each with its own cost model.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some third-party tooling assumes it can create public endpoints\/buckets temporarily\u2014Security Zones can break these workflows.<\/li>\n<li>If you use a central \u201cnetwork hub\u201d pattern, confirm your recipe doesn\u2019t block required gateway\/routing patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Zones uses OCI compartments as the boundary; organizations coming from AWS\/Azure\/GCP should not expect a 1:1 mapping to accounts\/subscriptions\/projects.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Security Zones is one tool in a broader governance toolkit. 
Here\u2019s how it compares to nearby services and analogous cloud features.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key comparisons (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI IAM Policies<\/strong>: allow\/deny <em>who<\/em> can call APIs; Security Zones restricts <em>what configurations are allowed<\/em> inside a compartment even for authorized callers.<\/li>\n<li><strong>OCI Cloud Guard<\/strong>: primarily detective (find misconfigurations) and responsive; Security Zones is preventive (block misconfigurations).<\/li>\n<li><strong>AWS Organizations SCPs \/ Control Tower<\/strong>: preventive governance at org\/account level; similar concept, different implementation boundary.<\/li>\n<li><strong>Azure Policy<\/strong>: policy-based governance for Azure resources; similar spirit.<\/li>\n<li><strong>GCP Organization Policy<\/strong>: org constraints; similar spirit.<\/li>\n<li><strong>OPA\/Gatekeeper\/Policy-as-code<\/strong>: can enforce policies in Kubernetes or CI pipelines; Security Zones enforces at OCI control plane.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Oracle Cloud Security Zones<\/strong><\/td>\n<td>Preventive guardrails for sensitive OCI compartments<\/td>\n<td>API-level prevention; compartment-based; aligns to OCI best practices<\/td>\n<td>Coverage depends on recipe\/resource types; can block workflows<\/td>\n<td>You need enforced baseline controls for production\/regulatory workloads in OCI<\/td>\n<\/tr>\n<tr>\n<td><strong>Oracle Cloud IAM Policies<\/strong><\/td>\n<td>Access control and least privilege<\/td>\n<td>Strong authorization model; fundamental OCI control<\/td>\n<td>Doesn\u2019t prevent insecure configs if authorized user can set them<\/td>\n<td>Always; use with 
Security Zones<\/td>\n<\/tr>\n<tr>\n<td><strong>Oracle Cloud Guard<\/strong><\/td>\n<td>Detecting and responding to security posture issues<\/td>\n<td>Visibility, reporting, detector\/responder patterns<\/td>\n<td>Often detective rather than preventive; may require tuning<\/td>\n<td>Use with Security Zones for defense-in-depth<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Organizations SCPs \/ Control Tower<\/strong><\/td>\n<td>Org-wide preventive governance in AWS<\/td>\n<td>Strong org-level guardrails; mature ecosystem<\/td>\n<td>Different boundary model; not OCI<\/td>\n<td>If you are in AWS and need org guardrails<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Policy<\/strong><\/td>\n<td>Policy enforcement in Azure<\/td>\n<td>Broad policy library; governance at scale<\/td>\n<td>Not OCI; mapping differs<\/td>\n<td>If you are in Azure and need policy governance<\/td>\n<\/tr>\n<tr>\n<td><strong>GCP Organization Policy<\/strong><\/td>\n<td>Org constraints in GCP<\/td>\n<td>Clear org-level constraints<\/td>\n<td>Not OCI; mapping differs<\/td>\n<td>If you are in GCP and need org constraints<\/td>\n<\/tr>\n<tr>\n<td><strong>OPA\/Gatekeeper \/ CI Policy-as-code<\/strong><\/td>\n<td>Kubernetes\/IaC policy enforcement<\/td>\n<td>Flexible; shift-left controls<\/td>\n<td>Can be bypassed if not integrated everywhere; not OCI control plane<\/td>\n<td>Use when you need custom policies and pipeline enforcement; combine with Security Zones for strongest posture<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Regulated customer-data platform<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA financial services company runs customer analytics on OCI. 
Auditors require proof that customer datasets cannot be publicly exposed and that security baselines are enforced consistently across multiple teams.<\/p>\n\n\n\n<p><strong>Proposed architecture:<\/strong>\n&#8211; Tenancy uses a hub-and-spoke compartment model:\n  &#8211; <code>shared-security<\/code> (Vault, logging, SIEM exports)\n  &#8211; <code>shared-network<\/code> (core VCN patterns)\n  &#8211; <code>prod-customerdata-sz<\/code> (Security Zone compartment for customer datasets)\n  &#8211; <code>prod-apps-sz<\/code> (Security Zone compartment for production apps)\n&#8211; CI\/CD pipelines deploy into the Security Zone compartments using approved Terraform modules.\n&#8211; Audit logs exported for long-term retention and correlation.<\/p>\n\n\n\n<p><strong>Why Security Zones was chosen:<\/strong>\n&#8211; Provides preventive guardrails at OCI API level.\n&#8211; Reduces risk of accidental public exposure.\n&#8211; Supports audit evidence: \u201cthis compartment enforces the baseline.\u201d<\/p>\n\n\n\n<p><strong>Expected outcomes:<\/strong>\n&#8211; Fewer security incidents due to misconfiguration.\n&#8211; Reduced audit findings related to inconsistent configuration.\n&#8211; Faster onboarding of new teams into compliant patterns.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS with strict production guardrails<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA SaaS startup runs lean operations and cannot afford security regressions. 
A small mistake like a public bucket could cause a major incident.<\/p>\n\n\n\n<p><strong>Proposed architecture:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>dev<\/code> compartment for experimentation<\/li>\n<li><code>prod-sz<\/code> Security Zone compartment for production<\/li>\n<li>Simple IaC modules that always create private storage and minimal exposure<\/li>\n<li>Audit checks during releases<\/li>\n<\/ul>\n\n\n\n<p><strong>Why Security Zones was chosen:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Preventive control reduces reliance on manual review.<\/li>\n<li>Protects production even when the team moves fast.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcomes:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fewer production misconfigurations.<\/li>\n<li>More confidence in automation and rapid iteration.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) What exactly is enforced by Oracle Cloud Security Zones?<\/h3>\n\n\n\n<p>Security Zones enforces the policies included in the <strong>Security Zone recipe<\/strong> attached to the Security Zone compartment. The exact controls vary by recipe and can evolve\u2014review the recipe details in the OCI Console and <strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) Is Security Zones a replacement for IAM?<\/h3>\n\n\n\n<p>No. IAM controls <strong>who<\/strong> can do something. Security Zones controls <strong>what configurations are allowed<\/strong> in a compartment even for authorized users. Use both.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) Is Security Zones a replacement for Cloud Guard?<\/h3>\n\n\n\n<p>No. Cloud Guard is generally used for detection\/response across your tenancy. Security Zones focuses on <strong>prevention<\/strong> in specific compartments.
They are complementary.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) Does Security Zones block actions from Terraform and CI\/CD?<\/h3>\n\n\n\n<p>Yes\u2014because enforcement occurs at the OCI API level, it applies to Console, CLI, SDKs, and Terraform equally.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Can I create a custom Security Zone recipe?<\/h3>\n\n\n\n<p>OCI capabilities evolve. Some tenancies may support configurable recipes, others may rely on Oracle-managed recipes. <strong>Verify in your OCI Console and official docs<\/strong> for current options.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6) What happens if I try to move an existing resource into a Security Zone?<\/h3>\n\n\n\n<p>OCI typically evaluates the resource against the Security Zone policies. If it\u2019s noncompliant, the move may be blocked until remediated. Exact behavior can vary by resource type; verify.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7) Can I \u201cexempt\u201d a single resource from Security Zones policies?<\/h3>\n\n\n\n<p>Security Zones is designed for consistent compartment-level enforcement. Per-resource exemptions may not be supported. If you need exceptions, use a separate non-zone compartment or adjust architecture (or recipe, if customizable). Verify current feature support.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8) Does Security Zones enforce runtime traffic filtering?<\/h3>\n\n\n\n<p>No. Security Zones is a control-plane governance feature; it does not inspect or filter runtime packets. 
Use networking controls (NSGs, security lists) and security services (WAF, firewalls) for data-plane protection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9) What\u2019s the best way to roll out Security Zones in an existing tenancy?<\/h3>\n\n\n\n<p>Start with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>One non-production compartment to test<\/li>\n<li>Update IaC modules to be compliant<\/li>\n<li>Document allowed patterns<\/li>\n<\/ul>\n\n\n\n<p>Then roll out to production compartments incrementally.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10) What if a production incident requires a change that Security Zones blocks?<\/h3>\n\n\n\n<p>Pre-plan incident runbooks that remain compliant. If you anticipate needing \u201ctemporary\u201d insecure configurations, redesign to avoid that need; don\u2019t depend on weakening guardrails during outages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">11) How do I know why an operation was blocked?<\/h3>\n\n\n\n<p>OCI returns an error message indicating a Security Zone policy violation. You can also check <strong>Audit<\/strong> for related events and context.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12) Does Security Zones impact application performance?<\/h3>\n\n\n\n<p>Not directly. It affects management operations (create\/update\/move), not runtime traffic.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">13) Can I use Security Zones in dev\/test?<\/h3>\n\n\n\n<p>Yes, but it can slow experimentation by blocking common shortcuts. Many organizations use it primarily for staging\/production or regulated environments.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">14) Can I apply Security Zones to an entire tenancy?<\/h3>\n\n\n\n<p>Security Zones is compartment-based.
You can create multiple Security Zone compartments, but it\u2019s not a single \u201ctenancy-wide toggle\u201d for all compartments.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">15) What\u2019s the first validation test I should run after enabling a Security Zone?<\/h3>\n\n\n\n<p>Attempt a configuration that your recipe explicitly forbids (for example, public Object Storage access if the recipe lists that control) and confirm it is blocked. Then validate that compliant patterns succeed.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Security Zones<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Security Zones docs \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/SecurityZones\/home.htm<\/td>\n<td>Primary reference for concepts, workflows, and current behavior<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI IAM Policies \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Concepts\/policies.htm<\/td>\n<td>Required to safely delegate Security Zones administration and usage<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Audit overview \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Audit\/home.htm<\/td>\n<td>Helps investigate blocked actions and governance changes<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI CLI concepts \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cliconcepts.htm<\/td>\n<td>Useful for repeatable validation and scripting<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Oracle Cloud price list \u2014 https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\n<td>Verify whether Security Zones has direct charges and understand indirect cost drivers<\/td>\n<\/tr>\n<tr>\n<td>Official pricing tool<\/td>\n<td>Oracle Cloud 
Cost Estimator \u2014 https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<td>Build region-accurate estimates for production architecture<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>OCI Architecture Center \u2014 https:\/\/docs.oracle.com\/en\/solutions\/<\/td>\n<td>Reference architectures and best practices that can complement Security Zones governance<\/td>\n<\/tr>\n<tr>\n<td>Community (verify)<\/td>\n<td>Oracle Cloud community blogs\/forums \u2014 https:\/\/community.oracle.com\/<\/td>\n<td>Practical experiences and troubleshooting; validate against official docs<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>OCI DevOps, cloud governance basics, automation practices (verify course details)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>SCM\/DevOps foundations, cloud learning paths (verify OCI coverage)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>Cloud ops practices, monitoring, governance (verify OCI modules)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs and reliability engineers<\/td>\n<td>Reliability engineering, operations, incident management (verify OCI relevance)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps<\/td>\n<td>AIOps 
concepts, automation, operational analytics (verify OCI alignment)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify specifics)<\/td>\n<td>Engineers seeking practical coaching<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training services (verify course catalog)<\/td>\n<td>Beginners to intermediate DevOps engineers<\/td>\n<td>https:\/\/devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps help\/training platform (verify offerings)<\/td>\n<td>Teams needing short-term expertise<\/td>\n<td>https:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement (verify scope)<\/td>\n<td>Ops\/DevOps teams needing guided support<\/td>\n<td>https:\/\/devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company Name<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify service catalog)<\/td>\n<td>Cloud adoption, platform engineering, governance<\/td>\n<td>Landing zone design, IaC standardization, governance workflows<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and training (verify offerings)<\/td>\n<td>DevOps transformation, enablement<\/td>\n<td>CI\/CD design, cloud governance training, operational runbooks<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>Toolchain, automation, operations<\/td>\n<td>Pipeline hardening, observability setup, governance adoption support<\/td>\n<td>https:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Security Zones<\/h3>\n\n\n\n<p>To use Security Zones effectively in Oracle Cloud, learn:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI fundamentals: regions, compartments, VCN basics<\/li>\n<li>OCI IAM: users, groups, dynamic groups, policies<\/li>\n<li>Object Storage basics and access models<\/li>\n<li>Logging\/Audit fundamentals<\/li>\n<li>Infrastructure as Code basics (Terraform preferred in many OCI environments)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Security Zones<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Guard: detectors, responders, posture management<\/li>\n<li>Vault and key management (KMS\/HSM options; rotation)<\/li>\n<li>Network security in OCI (NSGs, security lists, routing, gateways)<\/li>\n<li>Organization-wide governance patterns (tagging strategy, compartment hierarchy)<\/li>\n<li>CI\/CD hardening for compliance<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud security engineer<\/li>\n<li>Platform engineer \/ cloud foundation engineer<\/li>\n<li>DevOps engineer \/ SRE working in regulated production<\/li>\n<li>Cloud architect \/ solutions architect<\/li>\n<li>Governance, risk, and compliance (GRC) technical roles<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle\u2019s certification offerings change over time. 
Use Oracle University to find OCI security\/governance learning paths and certifications, and <strong>verify current certification names<\/strong>:\nhttps:\/\/education.oracle.com\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a \u201cproduction landing zone\u201d with:\n<ul class=\"wp-block-list\">\n<li>Security Zone production compartment<\/li>\n<li>Standard IaC modules that comply<\/li>\n<li>Audit-based alerting for denied actions<\/li>\n<\/ul>\n<\/li>\n<li>Create a CI pipeline that:\n<ul class=\"wp-block-list\">\n<li>Deploys a private bucket and private network patterns<\/li>\n<li>Fails fast with clear logs when a Security Zone blocks a change<\/li>\n<\/ul>\n<\/li>\n<li>Write an internal \u201callowed patterns\u201d catalog for teams deploying into zones<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI (Oracle Cloud Infrastructure)<\/strong>: Oracle Cloud\u2019s IaaS\/PaaS platform.<\/li>\n<li><strong>Security Zones<\/strong>: OCI service for preventive security governance using recipes applied to compartments.<\/li>\n<li><strong>Security Zone<\/strong>: A compartment designated to have Security Zones enforcement.<\/li>\n<li><strong>Recipe<\/strong>: A predefined set of security policies enforced within a Security Zone.<\/li>\n<li><strong>Policy (Security Zones policy)<\/strong>: A control that blocks noncompliant resource operations in a zone.<\/li>\n<li><strong>Compartment<\/strong>: OCI\u2019s primary logical isolation boundary for resources, access control, and governance.<\/li>\n<li><strong>IAM (Identity and Access Management)<\/strong>: OCI service for identity, authentication, authorization, and policies.<\/li>\n<li><strong>Audit<\/strong>: OCI service that records API calls for governance and investigation.<\/li>\n<li><strong>Cloud Guard<\/strong>: OCI security posture management service (detection\/response) used for visibility and
remediation workflows.<\/li>\n<li><strong>Vault<\/strong>: OCI service for managing encryption keys and secrets.<\/li>\n<li><strong>Customer-managed keys<\/strong>: Keys controlled by the customer (often via Vault) rather than Oracle-managed defaults.<\/li>\n<li><strong>Object Storage bucket<\/strong>: Container for objects (files) in OCI Object Storage.<\/li>\n<li><strong>Public access<\/strong>: Configuration allowing anonymous\/unrestricted access; often forbidden in regulated environments.<\/li>\n<li><strong>IaC (Infrastructure as Code)<\/strong>: Managing infrastructure with code (for example, Terraform).<\/li>\n<li><strong>Control plane<\/strong>: Management APIs and services used to provision\/configure resources.<\/li>\n<li><strong>Data plane<\/strong>: Runtime data path (application traffic, storage IO).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Security Zones<\/strong> is a <strong>preventive governance<\/strong> service in the <strong>Security, Identity, and Compliance<\/strong> category that enforces security best practices by applying a <strong>recipe<\/strong> to a compartment. It helps organizations prevent common cloud misconfigurations\u2014especially in production and regulated environments\u2014by <strong>blocking<\/strong> noncompliant create\/update\/move operations at the OCI API level.<\/p>\n\n\n\n<p>Security Zones fits best as part of an OCI landing zone strategy: combine it with <strong>IAM least privilege<\/strong>, <strong>Audit<\/strong> for traceability, and <strong>Cloud Guard<\/strong> for detective controls. 
Cost is usually indirect: the guardrails often push architectures toward private networking, stronger encryption, and better logging\u2014each of which may have its own OCI charges depending on usage and region, so always verify with the official price list and cost estimator.<\/p>\n\n\n\n<p>Use Security Zones when you need strong production guardrails and compliance-by-default; avoid enabling it blindly in environments where teams need unrestricted experimentation. Next step: review the Security Zone recipe controls in your tenancy, then standardize compliant IaC modules so your deployments succeed consistently.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security, Identity, and Compliance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62,39],"tags":[],"class_list":["post-733","post","type-post","status-publish","format-standard","hentry","category-oracle-cloud","category-security-identity-and-compliance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=733"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/733\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=733"},{"taxonomy":"po
st_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}