Security should be your top priority when deploying production workloads on Oracle Cloud Infrastructure. This guide covers essential security practices every OCI architect should implement.
## 1. Identity and Access Management (IAM)
### Principle of Least Privilege
Never grant more permissions than necessary. Use OCI's fine-grained IAM policies to control access, scoping each statement to the narrowest verb (`inspect` < `read` < `use` < `manage`), resource family and compartment that the job actually needs:
```
# Bad: overly permissive policy (full control over everything in the tenancy)
Allow group Developers to manage all-resources in tenancy

# Good: specific, limited permissions
Allow group Developers to manage instance-family in compartment Development
Allow group Developers to read virtual-network-family in compartment Development
```
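A policy review is easier to automate than to do by eye, so here is a small linter for statements in the form shown above. It is an added example, not OCI's or the SDK's own tooling: it parses `Allow group <group> to <verb> <resource-type> in <scope>` statements, lets an assumed break-glass group (`Administrators`) keep tenancy-wide rights, and flags any other group that can `manage all-resources` or that holds `use`/`manage` across the whole tenancy. The sample statements are constructed; the `any-user`, `service` and dynamic-group forms are outside the regex and are reported for manual review rather than silently skipped.

```python
import re
from dataclasses import dataclass

# Added example (not OCI's own tooling): lints IAM policy statements of the
# "Allow group <group> to <verb> <resource-type> in <scope>" form shown above.
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)

# Groups that may legitimately hold tenancy-wide manage rights (assumed name).
ADMIN_GROUPS = {"Administrators"}


@dataclass
class Finding:
    statement: str
    severity: str  # HIGH, MEDIUM or INFO
    reason: str


def lint_policy(statements, admin_groups=ADMIN_GROUPS):
    """Return one Finding per over-broad or unparsed statement, in input order."""
    findings = []
    for raw in statements:
        stmt = raw.strip()
        if not stmt or stmt.startswith("#"):
            continue  # blank line or comment
        m = STATEMENT_RE.match(stmt)
        if m is None:
            # any-user / service / dynamic-group forms are not covered by the regex
            findings.append(Finding(stmt, "INFO", "not a plain group statement; review manually"))
            continue
        group = m["group"]
        verb = m["verb"].lower()
        resource = m["resource"].lower()
        scope = m["scope"].lower()
        if group in admin_groups:
            continue  # the break-glass group is expected to be broad
        # A where-condition may narrow the grant; it is noted, not evaluated
        note = " (has a where-condition that may narrow it)" if "where" in m["rest"].lower() else ""
        if verb == "manage" and resource == "all-resources":
            findings.append(Finding(stmt, "HIGH", f"{group} can manage every resource in {scope}{note}"))
        elif scope == "tenancy" and verb in ("use", "manage"):
            findings.append(Finding(stmt, "MEDIUM", f"{group} has {verb} on {resource} across the whole tenancy{note}"))
    return findings


# Constructed sample: the two policies from above plus a few more cases.
SAMPLE_POLICY = [
    "# Bad",
    "Allow group Developers to manage all-resources in tenancy",
    "# Good",
    "Allow group Developers to manage instance-family in compartment Development",
    "Allow group Developers to read virtual-network-family in compartment Development",
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group NetAdmins to manage virtual-network-family in tenancy",
    "Allow any-user to use instances in compartment Demo where request.principal.type = 'instance'",
]

if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"[{f.severity}] {f.reason}\n    {f.statement}")
```

Run it against the output of `oci iam policy list --compartment-id <ocid>` (the `statements` array of each policy) to review a whole compartment at once; `read all-resources` is deliberately left alone because auditor groups commonly need it.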
### Use Compartments for Isolation
Organize resources into compartments for better security and governance. Policies are attached to compartments, so a compartment boundary is also a permission boundary:
```python
# Example: creating a compartment structure using the OCI Python SDK
import oci

# Load ~/.oci/config (DEFAULT profile); the tenancy OCID is the root compartment
config = oci.config.from_file()
tenancy_id = config["tenancy"]
identity = oci.identity.IdentityClient(config)

compartment_details = oci.identity.models.CreateCompartmentDetails(
    compartment_id=tenancy_id,  # parent compartment: here the tenancy root
    name="Production",
    description="Production workloads",
)
# create_compartment returns a Response; the Compartment model is in .data
production_compartment = identity.create_compartment(compartment_details).data
```
### Enable MFA (Multi-Factor Authentication)
**Critical**: Enable MFA for all users, especially administrators.
- Navigate to Identity > Users
- Select a user and click Enable Multi-Factor Authentication
- Use an authenticator app such as Oracle Mobile Authenticator, Google Authenticator or Authy

Enabling MFA per user is not the same as enforcing it. To require it, condition the policies that grant sensitive access on `request.user.mfaTotpVerified = 'true'`, or enforce it through the identity domain's sign-on policy.
## 2. Network Security
### Security Lists vs. Network Security Groups
A security list applies to every VNIC in a subnet; a Network Security Group (NSG) is attached to specific VNICs, so rules can follow a tier (web, app, DB) instead of a subnet boundary. Prefer NSGs for more flexible, scalable security rules:

**Example NSG configuration**
```python
import oci

config = oci.config.from_file()
virtual_network = oci.core.VirtualNetworkClient(config)

# Create NSG for web tier
nsg_details = oci.core.models.CreateNetworkSecurityGroupDetails(
    compartment_id=compartment_id,
    vcn_id=vcn_id,
    display_name="web-tier-nsg",
)
# create_network_security_group returns a Response; the NSG model is in .data
nsg = virtual_network.create_network_security_group(nsg_details).data

# Add ingress rule for HTTPS. Open to the world only for a genuinely public
# endpoint; for instances behind a load balancer set source_type to
# "NETWORK_SECURITY_GROUP" and source to the load balancer's NSG OCID instead.
ingress_rule = oci.core.models.AddSecurityRuleDetails(
    direction="INGRESS",
    protocol="6",  # TCP (IANA protocol number)
    source_type="CIDR_BLOCK",
    source="0.0.0.0/0",
    tcp_options=oci.core.models.TcpOptions(
        destination_port_range=oci.core.models.PortRange(min=443, max=443)
    ),
)
virtual_network.add_network_security_group_security_rules(
    nsg.id,
    oci.core.models.AddNetworkSecurityGroupSecurityRulesDetails(
        security_rules=[ingress_rule]
    ),
)
```
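The HTTPS rule above is the only one that should face the internet; the usual drift is an SSH or "all" rule added later with the same `0.0.0.0/0` source. The following check, an added example and not part of the OCI SDK, walks a list of rules and reports every ingress rule open to the whole internet on anything other than an allowed public port. It uses constructed stand-in objects with the same attribute names as `oci.core.models.SecurityRule` (`direction`, `protocol`, `source`, `source_type`, `tcp_options`, `udp_options`, `id`), so the same function can be run over `virtual_network.list_network_security_group_security_rules(nsg_id).data`; the allowed-port set and the sample rules are assumptions.

```python
from types import SimpleNamespace

# Added example (not the OCI SDK's code): audit NSG rules for world-reachable ports.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
# Ports that may legitimately be reachable from anywhere (assumption; tune per environment).
PUBLIC_OK_PORTS = {80, 443}


def _dest_ports(rule):
    """(min, max) destination ports of a TCP/UDP rule, or None when the rule covers all ports."""
    options = rule.tcp_options if rule.protocol == "6" else rule.udp_options
    if options is None or options.destination_port_range is None:
        return None
    pr = options.destination_port_range
    return pr.min, pr.max


def audit_ingress_rules(rules, allowed_public_ports=PUBLIC_OK_PORTS):
    """Return (rule_id, reason) for every ingress rule open to the internet beyond the allowed ports."""
    findings = []
    for rule in rules:
        if rule.direction != "INGRESS":
            continue
        # Rules scoped to a private CIDR, another NSG or a service are out of scope here
        if rule.source_type != "CIDR_BLOCK" or rule.source not in ANY_SOURCE:
            continue
        if rule.protocol == "all":
            findings.append((rule.id, "all protocols and ports open to the internet"))
        elif rule.protocol not in ("6", "17"):  # e.g. "1" = ICMP
            findings.append((rule.id, f"protocol {rule.protocol} open to the internet"))
        else:
            ports = _dest_ports(rule)
            if ports is None:
                findings.append((rule.id, "all ports open to the internet"))
            else:
                lo, hi = ports
                if set(range(lo, hi + 1)) - allowed_public_ports:
                    findings.append((rule.id, f"TCP/UDP ports {lo}-{hi} open to the internet"))
    return findings


def make_rule(rule_id, direction, protocol, source, ports=None, source_type="CIDR_BLOCK"):
    """Constructed stand-in for oci.core.models.SecurityRule with the same attribute names."""
    port_opts = None
    if ports is not None:
        lo, hi = ports
        port_opts = SimpleNamespace(destination_port_range=SimpleNamespace(min=lo, max=hi))
    return SimpleNamespace(
        id=rule_id, direction=direction, protocol=protocol,
        source=source, source_type=source_type,
        tcp_options=port_opts if protocol == "6" else None,
        udp_options=port_opts if protocol == "17" else None,
    )


# Constructed sample rule set (not taken from a real tenancy)
SAMPLE_RULES = [
    make_rule("r1", "INGRESS", "6", "0.0.0.0/0", (443, 443)),          # HTTPS to the world: fine
    make_rule("r2", "INGRESS", "6", "0.0.0.0/0", (22, 22)),            # SSH to the world: finding
    make_rule("r3", "INGRESS", "6", "10.0.0.0/16", (22, 22)),          # SSH from the VCN: fine
    make_rule("r4", "INGRESS", "all", "0.0.0.0/0"),                    # everything open: finding
    make_rule("r5", "EGRESS", "all", None),                            # egress: not checked here
    make_rule("r6", "INGRESS", "6", "ocid1.networksecuritygroup.oc1..example", (8080, 8080),
              source_type="NETWORK_SECURITY_GROUP"),                  # from the LB's NSG: fine
    make_rule("r7", "INGRESS", "17", "::/0", (1, 65535)),              # every UDP port over IPv6: finding
]

if __name__ == "__main__":
    for rule_id, reason in audit_ingress_rules(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```

Note that `::/0` is checked alongside `0.0.0.0/0`; IPv6-enabled VCNs are easy to forget when a review only greps for the IPv4 wildcard.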
### Use Private Subnets
Keep backend services in private subnets, which have no route to an internet gateway:

**Public subnet (DMZ):**
- Load balancers
- Bastion hosts

**Private subnet (app/DB tier):**
- Application servers
- Database systems
- Outbound-only internet access through a NAT Gateway (no inbound path); a Service Gateway for OCI services such as Object Storage, so that traffic never leaves the Oracle network
## 3. Data Encryption
### Encryption at Rest
OCI encrypts all data at rest by default using AES-256 with Oracle-managed keys. For control over the key lifecycle (rotation, revocation, an audit trail of key use), use customer-managed keys in the Vault service:
```bash
# Create a vault (--vault-type VIRTUAL_PRIVATE gives a dedicated HSM partition)
oci kms management vault create \
    --compartment-id <compartment_ocid> \
    --display-name "production-vault" \
    --vault-type DEFAULT

# Create a master encryption key: AES, length in bytes (32 = 256-bit).
# KMS management commands are addressed to the vault's management endpoint,
# which is returned in the vault's details.
oci kms management key create \
    --compartment-id <compartment_ocid> \
    --display-name "production-master-key" \
    --key-shape '{"algorithm":"AES","length":32}' \
    --endpoint <vault_management_endpoint>
```
### Encryption in Transit
Always use TLS for data in transit:
- Enable HTTPS listeners on load balancers and redirect HTTP to HTTPS
- Use TLS for database connections
- Use Site-to-Site VPN (IPSec) or FastConnect for hybrid connectivity; FastConnect is a private circuit, not an encrypted one, so run IPSec over it if that traffic needs encryption in transit
## 4. Monitoring and Auditing
### Enable Cloud Guard
Cloud Guard provides automated threat detection through detector recipes and can remediate findings through responder recipes:
```bash
# Enable Cloud Guard (via OCI CLI); the reporting region is where findings are aggregated
oci cloud-guard configuration update \
    --reporting-region us-ashburn-1 \
    --status ENABLED
```
### Configure Audit Logging
The OCI Audit service records every control-plane API call automatically. Retention is limited (365 days by default), so stream events to Logging or Object Storage, for example through a Service Connector, if you need longer retention or SIEM analysis:
```python
# Example: query audit logs
import oci
from datetime import datetime, timedelta, timezone

config = oci.config.from_file()
audit = oci.audit.AuditClient(config)

# Audit timestamps are UTC; pass timezone-aware datetimes
end_time = datetime.now(timezone.utc)
start_time = end_time - timedelta(days=1)

# list_events is paginated; list_call_get_all_results follows the pages for you
audit_events = oci.pagination.list_call_get_all_results(
    audit.list_events,
    compartment_id=compartment_id,
    start_time=start_time,
    end_time=end_time,
)
for event in audit_events.data:
    d = event.data  # the payload: operation name, caller identity, request, response
    print(f"Event: {d.event_name}, User: {d.identity.principal_name}, "
          f"IP: {d.identity.ip_address}, Status: {d.response.status}")
```
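Listing events is only useful if something looks at them. As an added example (not OCI's code), here is a screen that runs over Audit events in their JSON form, as exported through Logging or returned by `oci audit event list`, and raises two kinds of alert: a successful high-risk IAM or network change, and any call from an IP outside trusted networks. The high-risk set uses Audit `eventName` values, which match the API operation names, and is meant to be extended; the trusted CIDR and the sample events are constructed for the example and use only the fields the logic reads (`eventId`, `data.eventName`, `data.identity`, `data.response`).

```python
import ipaddress

# Added example (not OCI's code): screen Audit events for high-risk IAM and
# network changes and for activity from outside trusted networks.

# Operation names as they appear in the Audit "eventName" field (they match the
# API operation names); extend to suit the tenancy.
HIGH_RISK_OPERATIONS = {
    "CreatePolicy", "UpdatePolicy", "DeletePolicy",
    "CreateUser", "AddUserToGroup", "UploadApiKey", "CreateAuthToken",
    "UpdateSecurityList", "AddNetworkSecurityGroupSecurityRules",
}


def _from_trusted_network(ip, trusted_networks):
    """True when the caller IP is inside a trusted range, or when no IP was recorded."""
    if not ip:
        return True  # e.g. service-initiated calls carry no client address
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_networks)


def detect(events, trusted_cidrs):
    """Return alerts [{event_id, principal, reasons}] for events that trip at least one rule."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for ev in events:
        data = ev.get("data") or {}
        identity = data.get("identity") or {}
        response = data.get("response") or {}
        name = data.get("eventName")
        status = str(response.get("status", ""))
        reasons = []
        # Rule 1: a high-risk change that actually succeeded (2xx response)
        if name in HIGH_RISK_OPERATIONS and status.startswith("2"):
            reasons.append(f"high-risk operation {name} succeeded")
        # Rule 2: any call from outside the trusted ranges, successful or not
        ip = identity.get("ipAddress")
        if not _from_trusted_network(ip, trusted):
            reasons.append(f"source IP {ip} outside trusted networks")
        if reasons:
            alerts.append({
                "event_id": ev.get("eventId"),
                "principal": identity.get("principalName"),
                "reasons": reasons,
            })
    return alerts


# Constructed sample events in the shape of OCI Audit JSON (only the fields used here)
SAMPLE_EVENTS = [
    {"eventId": "evt-1", "eventTime": "2024-01-01T10:00:00Z",
     "data": {"eventName": "CreatePolicy",
              "identity": {"principalName": "alice", "ipAddress": "203.0.113.10"},
              "response": {"status": "200"}}},
    {"eventId": "evt-2", "eventTime": "2024-01-01T10:01:00Z",
     "data": {"eventName": "ListInstances",
              "identity": {"principalName": "bob", "ipAddress": "203.0.113.11"},
              "response": {"status": "200"}}},
    {"eventId": "evt-3", "eventTime": "2024-01-01T10:02:00Z",
     "data": {"eventName": "AddUserToGroup",
              "identity": {"principalName": "eve", "ipAddress": "198.51.100.7"},
              "response": {"status": "200"}}},
    {"eventId": "evt-4", "eventTime": "2024-01-01T10:03:00Z",
     "data": {"eventName": "DeletePolicy",
              "identity": {"principalName": "eve", "ipAddress": "198.51.100.7"},
              "response": {"status": "404"}}},
    {"eventId": "evt-5", "eventTime": "2024-01-01T10:04:00Z",
     "data": {"eventName": "GetUser",
              "identity": {"principalName": "svc-backup", "ipAddress": None},
              "response": {"status": "200"}}},
]
TRUSTED_CIDRS = ["203.0.113.0/24"]  # assumed corporate egress range

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, TRUSTED_CIDRS):
        print(alert["event_id"], alert["principal"], "; ".join(alert["reasons"]))
```

The failed `DeletePolicy` (evt-4) is kept visible through the network rule on purpose: a denied privileged call from an unknown address is often the first sign of a compromised credential, and a screen that only looks at successes would drop it.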
## 5. Bastion Service
Use the OCI Bastion service instead of self-managed jump hosts:
```bash
# Create a managed SSH session (the target instance needs the Oracle Cloud Agent
# Bastion plugin enabled; sessions expire after their TTL)
oci bastion session create-managed-ssh \
    --bastion-id <bastion_ocid> \
    --key-type PUB \
    --ssh-public-key-file ~/.ssh/id_rsa.pub \
    --target-resource-id <instance_ocid> \
    --target-os-username opc
```
For targets that cannot run the plugin (a database endpoint, for example), create a port-forwarding session instead (`oci bastion session create-port-forwarding`), and restrict who can reach the bastion itself with its client CIDR allowlist.

**Benefits:**
- No public IPs on private instances
- Centralized access control
- Full audit trail
- Time-limited sessions
## 6. Security Zones
Deploy critical workloads in Security Zones for maximum protection. Cloud Guard must already be enabled:
```python
import oci

config = oci.config.from_file()
cloud_guard = oci.cloud_guard.CloudGuardClient(config)

# Create a security zone. The recipe (the Oracle-managed "Maximum Security Zone"
# or a custom one) defines which policies are enforced in the compartment.
security_zone_details = oci.cloud_guard.models.CreateSecurityZoneDetails(
    compartment_id=compartment_id,
    display_name="production-security-zone",
    security_zone_recipe_id=recipe_id,
)
security_zone = cloud_guard.create_security_zone(security_zone_details).data
```
Security Zone policies are preventive rather than detective: an operation that would violate one is denied at request time, not reported afterwards. The recipe enforces policies like:
- Encryption required for all storage
- No public IPs allowed
- MFA required for console access
## 7. Vulnerability Scanning
Use the OCI Vulnerability Scanning Service to find missing OS patches and unexpectedly open ports on compute instances:
```bash
# Enable vulnerability scanning for every compute instance in a compartment.
# A host scan recipe (schedule, port-scan level, agent settings) must exist first:
#   oci vulnerability-scanning host-scan-recipe create ...
oci vulnerability-scanning host-scan-target create \
    --compartment-id <compartment_ocid> \
    --target-compartment-id <target_compartment_ocid> \
    --host-scan-recipe-id <recipe_ocid> \
    --display-name "prod-compute-scan"
```
Agent-based scans need the Vulnerability Scanning plugin of the Oracle Cloud Agent running on the instance; results also surface as Cloud Guard problems when the corresponding detector is enabled.
## Security Checklist
- [ ] Enable MFA for all users
- [ ] Use compartments for resource isolation
- [ ] Implement least-privilege IAM policies
- [ ] Use private subnets for backend services
- [ ] Enable Cloud Guard threat detection
- [ ] Configure audit log analysis and retention
- [ ] Use OCI Vault for encryption key management
- [ ] Implement NSGs for granular network security
- [ ] Use the Bastion service for secure instance access
- [ ] Enable vulnerability scanning
- [ ] Schedule regular security assessments and penetration testing
- [ ] Implement DDoS protection with WAF
## Conclusion
Security is not a one-time setup but an ongoing process. Regularly review your security posture, stay updated with OCI security features, and follow these best practices to maintain a robust security stance.