OCI Hardening

This section covers Oracle Cloud Infrastructure (OCI) hardening across the six core security domains, plus two service-specific pages (GenAI Security and Kubernetes) that draw on several of them. Each domain page maps the cross-cutting principles from the General section onto specific OCI services and configuration primitives.

Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases.

Domains

  • IAM — compartment hierarchy, tenancy admin separation, IAM policies, domains/federation, MFA, instance principals
  • Network — VCN design, security lists vs NSGs, Service Gateway, Private Endpoint, WAF, Bastion service
  • Data Protection — Object Storage visibility, Vault for KMS/BYOK, Block Volume encryption, Data Safe, Autonomous DB hardening
  • Logging & Detection — Audit retention, Logging service, Logging Analytics, Cloud Guard, Vulnerability Scanning, Security Zones
  • Workloads — Compute hardening, OS Management Hub, OKE hardening, Functions identity, Bastion sessions, image signing
  • Incident Response — Cloud Guard remediation, Notifications + Functions automation, forensic snapshots, tenant lockdown
  • GenAI Security — compartment isolation, IAM least privilege, AI Guardrails content moderation, private endpoints, Vault CMK, Audit Logs, Dedicated AI Cluster isolation, Security Zone policy
  • Kubernetes — OKE Enhanced Cluster baseline, OKE Workload Identity, OCI Vault CMK, least-privilege IAM dynamic groups, OCI Audit + Logging, NSGs on node subnets, image verification policy, network policy default-deny, hardened node OS, add-on lifecycle management

This page is a Phase 2 stub. Section overview content arrives in later phases.