Welcome to this demo on Security Zone and Security Advisor. Security Zone basically configures a location in which you cannot disable security. Security is enforced at resource creation time and cannot be disabled at any point in the future. It comes with its own set of predefined rules and we'll take a look at that. Security Advisor is a service that unifies Security Zones, Cloud Guard and other security services together in a cohesive whole. To start off, it's really a combination service that takes the functionality provided by these various services, Cloud Guard and Security Zone, as well as other security portfolio services and brings them together. We'll take a look at that as well.

To get started, click on the "Service Navigation Menu" here, click on "Identity and Security". First thing we are going to do is we're going to create a Security Zone. Click on "Security Zone" here and we need to give it a name. We'll say it's Max Security Zone and there's a description you can provide here. I will create this in the root compartment. I'm using this particular account, so I'll create the Security Zone.

As you would see, as I created the zone, I have a couple of other Security Zones running as well. It comes with its own recipe, and what are these recipes? These recipes are basically policies that dictate a certain security posture. It says, for example, you cannot have a block volume without using the vault keys from the vault service, and so on and so forth. If you scroll down here, you can see there are policies on database, there are policies on block volumes, they have policies on object storage buckets, and compute instances, and network and so on and so forth. As you can see here, there's a policy which says we cannot create public buckets. There's a policy which also says we cannot create buckets without using the keys from the vault, as we just saw with the block volume as well. These are some of the recipes which are provided by Oracle.
Over time, there will be things, custom recipes, but right now these are the recipes which are provided by Oracle and you can see here, these are the two policies we are going to test. You cannot create buckets without assigning vault keys and you cannot have a public bucket, so these are all denying operations here.

Let's go through this really quickly. Go to storage first, and let's try to create a bucket. I come in storage here, I'll say I want to create a bucket and actually the first thing we need to do is choose the right compartment. We'll go to the Max Security Zone, because in other compartments, they should be able to create, for example, a public bucket, but not in this zone because of the recipes we just saw. So, I'll click on "Create Bucket". Name is fine, all the default options here are okay. As you can see, we are using Oracle-managed keys for encryption of data at rest. When I click "Create" here, it should error out because in this compartment, I'm not allowed to have this encryption. The keys are managed by Oracle; I have to use the keys which are customer managed. I click "Create" here and it says to encrypt the bucket with a customer-managed encryption key, or use the following workflow to create a new key and bucket. It gives me a recommendation on how to go about it and it says, create secure bucket here.

If you click on this, "Create Secure Bucket", it now basically brings up Security Advisor. Security Advisor, as we discussed earlier, brings these things together from Security Zones and Cloud Guard and other services. So, the first step is we have to write some policies for this to work, and the first three policies are basically giving permissions to manage object families, vaults and keys. We have those permissions because this particular user has the ability to manage all resources in this particular compartment, the Max Security Zone, but it doesn't have, at least, the last policy here.
Let me just quickly copy this and create a new policy with this. I'll go back to identity and security, I'll go back to policies and I'll create a policy here, call it a Security Zone Policy, then I'll do a manual. It says allow service object storage and the region name, we are in the San Jose region. I believe this is the right region to use keys in compartment and the compartment name here is Max Security Zone. I believe this is the right statement, but if it is not, it will return an error, so let's try that. All right, it went through. Looks like this worked and I should be able to run from.

Let me go back to the workflow and try to create a public bucket again, Max Security Zone. I'll try to create a bucket with Oracle-managed keys and it will give me an error, create secure bucket. We'll follow through this workflow, so hit "Next" here and it says there are no vaults available in this particular compartment. Let's create a new vault here. Provide a name for the vault and we would say it's a vault in Max Security Zone. I'm okay with the software-defined vault. I don't want an HSM vault because it's more expensive, so I don't want to make it a virtual private vault, and you can read more on the pricing. The vault which is software managed is actually free, so I'll just use that. Click "Next". I need to provide a name for a key. I'll say this is my master key for Max Security Zone and I'm happy with the key shape et cetera, so I'll click "Next". Now it asks me for a bucket name and it says it's creating this compartment. I can choose the storage tier and I can choose some other options, object versioning and all that. I'm happy with these choices, so I'll click "Create Secure Bucket".
This would take a few minutes and as the workflow completes, you will see that we would have created a storage bucket where we are not using Oracle-managed keys for data encryption at rest; we are using customer-managed keys because that's the recipe which this particular Security Zone enforces. Let me pause the video here and as the workflow is over, we'll come back and take a look.

This took a couple of minutes and as you can see here, the vault is created. We created a master key and then we created a bucket. Now, I can go to the bucket and I can see that the bucket is created and you can see some details. It's a private bucket and its encryption is done by the key which we just created in our vault. It's not using the Oracle-managed keys and I can use this bucket. Quickly, let me just show you, if I just change the visibility to public, it would not let me do that because it says it's a Security Zone violation. Object storage buckets cannot be public.

We just turned to object storage, but Security Zone, Security Advisor, as you saw in the policies, has policies for object storage, database, networking, and compute, and other services would be added over time as well. Hopefully, this was a quick demo to show you how Security Zones and Security Advisor work.
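
The two recipe policies tested in the demo (no public buckets, no buckets without a customer-managed vault key) can also be checked offline against bucket records, for example to see which buckets in an ordinary compartment a Security Zone would reject. This is an added example, not part of the transcript and not Oracle's code. It assumes records that use the field names of OCI bucket JSON (`public-access-type`, `kms-key-id`), and the sample data is constructed.

```python
# Added illustration: audit bucket records against the two Security Zone
# recipe policies shown in the demo. Field names are assumed to follow OCI
# bucket JSON; all sample records and OCIDs below are constructed placeholders.

PRIVATE = "NoPublicAccess"

def violations(bucket):
    """Return the recipe policies a single bucket record violates."""
    found = []
    # Policy 1: buckets cannot be public. Fail closed: a record without an
    # explicit private setting is reported rather than assumed safe.
    if bucket.get("public-access-type") != PRIVATE:
        found.append("public bucket")
    # Policy 2: buckets must use a customer-managed Vault key. A missing or
    # empty kms-key-id means the bucket relies on Oracle-managed encryption.
    if not bucket.get("kms-key-id"):
        found.append("no customer-managed key")
    return found

def audit(buckets):
    """Map bucket name -> list of violations, omitting compliant buckets."""
    report = {}
    for bucket in buckets:
        found = violations(bucket)
        if found:
            report[bucket["name"]] = found
    return report

# Constructed sample input mirroring the three states seen in the demo:
# default bucket, public bucket, and the bucket made by the secure workflow.
SAMPLE = [
    {"name": "demo-default", "public-access-type": "NoPublicAccess",
     "kms-key-id": None},
    {"name": "demo-public", "public-access-type": "ObjectRead",
     "kms-key-id": None},
    {"name": "demo-secure", "public-access-type": "NoPublicAccess",
     "kms-key-id": "ocid1.key.oc1..EXAMPLE-PLACEHOLDER"},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"{name}: {', '.join(found)}")
```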