Managing zones

In IBM Cloud® Security and Compliance Center Workload Protection, a zone is a collection of scopes that represent important areas of your business. For example, a zone might be your production environment or staging environment. You can also define zones as various regions.

Two zones are provided by default:

Entire infrastructure

This zone includes all connected data sources. CIS policies and Workload Protection Kubernetes policies are automatically applied to this zone. Findings are reported on the Compliance page.

To apply other policies, apply them to individual zones.

Entire Git

If you configured integrations with your Git repositories, then the Entire Git zone includes those source repositories.

You can create targeted zones for specific data sources or Git repositories as needed.

Creating and configuring zones

A zone consists of:

  • The name of the zone.
  • The description of the zone.
  • The scope of the zone.
  • Any applied policies.

To configure a zone, do the following steps:

  1. Open the Workload Protection UI.

  2. Hover over the Policies icon and click Zones in the Posture section.

  3. Click New Zone.

  4. Enter a Name and Description for your zone and click Create.

    If necessary, you can update the Name and Description on the next page.

  5. Click Add Scope and select the scope rules for each platform.

    Scope rules for supported platforms are:

      • Kubernetes: Distribution (AKS, GKE, EKS, default Kubernetes), cluster name, namespace, and labels
      • Host: Cluster
      • Git: Git integration and Git sources
      • AWS: Organization, account, region, labels
      • Azure: Organization, subscription, region, labels
      • GCP: Organization, project, region, labels, host (for Docker, Linux hosts), and cluster

  6. Select the policies to be applied to the zone from the Policies list. To select multiple policies, select them from the list one at a time.

  7. Click Save.

The created zone is displayed on the Zones page.

If you created a zone where no relevant resources are available for the selected policies, no results are displayed on the Compliance page.

Applying policies to a zone

To apply policies to a zone, complete the following steps:

  1. Open the Workload Protection UI.

  2. Hover over the Policies icon and click Zones in the Posture section.

  3. Click the zone where you want to apply the policy.

  4. In Apply Policies, select the configured policy from the list.

  5. Click Save.

When you apply a policy in a zone that does not have in-scope resources relevant to that policy, results do not appear on the Compliance page.

Removing policies from a zone

To remove policies from a zone, complete the following steps:

  1. Open the Workload Protection UI.

  2. Hover over the Policies icon and click Zones in the Posture section.

  3. Click the zone from which you want to remove the policy.

  4. Delete the configured policy from the list.

  5. Click Save.

Modifying a zone

To modify a custom zone's configuration, do the following steps:

  1. Open the Workload Protection UI.

  2. Hover over the Policies icon and click Zones in the Posture section.

  3. Click the zone that you want to modify.

  4. Make your required changes.

  5. Click Save.

Deleting zones

You can delete a zone that you no longer need.

  1. Open the Workload Protection UI.

  2. Hover over the Policies icon and click Zones in the Posture section.

  3. Click the Actions icon next to the zone that you want to delete.

  4. Click Delete.

  5. Click Yes, Delete to confirm you want to delete the zone.