Security zone policy enforcement in a cloud infrastructure system
US-11706260-B2 · Jul 18, 2023 · US
US12301631B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12301631-B2 |
| Application number | US-202318329417-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 5, 2023 |
| Priority date | Aug 21, 2020 |
| Publication date | May 13, 2025 |
| Grant date | May 13, 2025 |
Abstract
A cloud-based security solution that provides a robust and secure framework for managing and enforcing security policies related to various resources managed in the cloud is disclosed. The cloud-based security solution is implemented by a security zone policy enforcement system in a cloud service provider infrastructure. The system receives a request to perform an operation on a resource and determines a compartment associated with the resource. The system determines that the compartment is associated with a security zone and determines a set of one or more security zone policies applicable to the resource. The system then determines that the operation on the resource is permitted based on the set of one or more security zone policies and responsive to determining that the operation on the resource is permitted, allows the operation to be performed on the resource.
Claims (preview)
What is claimed is:

1. A method comprising: receiving, by a security zone policy enforcement system in a cloud service provider infrastructure, a request to perform an operation on a resource; determining, by the security zone policy enforcement system, a compartment associated with the resource, the compartment associated with a set of one or more compartment policies; determining, by the security zone policy enforcement system, whether the operation on the resource is permitted based on the set of one or more compartment policies associated with the compartment; upon determining that the operation on the resource is permitted based on the set of one or more compartment policies, determining, by the security zone policy enforcement system, whether the operation on the resource is permitted based on a set of one or more security zone policies associated with a security zone associated with the compartment; and allowing, by the security zone policy enforcement system, the operation to be performed on the resource responsive at least to determining that the operation on the resource is permitted based on the set of one or more security zone policies associated with the security zone associated with the compartment and the set of one or more compartment policies associated with the compartment.
2. The method of claim 1, wherein determining the compartment associated with the resource further comprises determining a compartment identifier of the compartment associated with the resource.
3. The method of claim 2, wherein the set of one or more compartment policies comprise a union of one or more compartment policies associated with the compartment and one or more compartment policies associated with one or more parent compartments that are hierarchically related to the compartment.
4. The method of claim 1, further comprising: disallowing, by the security zone policy enforcement system, the operation to be performed on the resource upon determining that the operation on the resource is not permitted based on the set of one or more security zone policies.
5. The method of claim 1, further comprising: disallowing, by the security zone policy enforcement system, the operation to be performed on the resource upon determining that the operation on the resource is permitted based on the set of one or more compartment policies but not permitted based on the set of one or more security zone policies.
6. The method of claim 1, wherein the set of one or more security zone policies comprise a union of one or more security zone policies associated with the security zone and one or more security zone policies associated with a parent security zone that is hierarchically related to the security zone.
7. The method of claim 1, wherein a security zone policy in the set of one or more security zone policies is represented as a set of one or more expressions, wherein each expression in the set of expressions comprises a set of one or more conditions, and each condition in the set of one or more conditions specifies a restriction on the operation to be performed on the resource.
8. The method of claim 7, wherein the restriction specifies criteria requiring encryption of the resource, criteria that restricts a movement of the resource from the compartment that the resource resides in or criteria that prohibits that resource from being accessible from the public internet.
9. The method of claim 7, wherein the restriction specifies criteria related to one or more secondary resources associated with the resource, wherein the one or more secondary resources impact the operation of the resource.
10. The method of claim 1, wherein the set of one or more security zone policies prohibit a specific configuration of the operation to be performed on the resource.
11. The method of claim 1, further comprising transmitting, by the security zone policy enforcement system, a result to a user, the result indicating that the operation was successfully performed on the resource.
12. The method of claim 1, further comprising transmitting, by the security zone policy enforcement system, a result to a user, wherein the result indicates that the operation was not successfully performed on the resource.
13. A security zone policy enforcement system in a cloud service provider infrastructure, comprising: a processor; and a memory storing instructions that, when executed by the processor, configure the system to: receiving a request to perform an operation on a resource; determining a compartment associated with the resource, the compartment associated with a set of one or more compartment policies; determining whether the operation on the resource is permitted based on the set of one or more compartment policies associated with the compartment; upon determining that the operation on the resource is permitted based on the set of one or more compartment policies, determining, by the security zone policy enforcement system, whether the operation on the resource is permitted based on a set of one or more security zone policies associated with a security zone associated with the compartment; and allowing the operation to be performed on the resource responsive at least to determining that the operation on the resource is permitted based on the set of one or more security zone policies associated with the security zone associated with the compartment and the set of one or more compartment policies associated with the compartment.
14. The system of claim 13 further comprising instructions to determine a compartment identifier of the compartment associated with the resource and a set of one or more compartment policies applicable to the resource.
15. The system of claim 13, wherein a security zone policy in the set of one or more security zone policies is represented as a set of one or more expressions, wherein each expression in the set of expressions comprises a set of one or more conditions, and wherein each condition in the set of one or more conditions specifies a restriction on the operation to be performed on the resource.
16. The system of claim 15, wherein the restriction specifies criteria requiring encryption of the resource, criteria that restricts a movement of the resource from the compartment that the resource resides in or criteria that prohibits that resource from being accessible from the public internet.
17. A non-transitory computer-readable medium having program code that is stored thereon, the program code executable by one or more processing devices for performing operations comprising: receiving a request to perform an operation on a resource; determining a compartment associated with the resource, the compartment associated with a set of one or more compartment policies; determining whether the operation on the resource is permitted based on the set of one or more compartment policies associated with the compartment; upon determining that the operation on the resource is permitted based on the set of one or more compartment policies, determining, by the security zone policy enforcement system, whether the operation on the resource is permitted based on a set of one or more security zone policies associated with a security zone associated with the compartment; and allowing the operation to be performed on the resource responsive at least to determining that the operation on the resource is permitted based on the set of one or more security zone policies associated with the security zone associated with the compartment and the set of one or more compartment policies associated with the
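The two-stage decision that the abstract and claims 1, 3, 5, 6, 7, 8 and 9 describe, as an added worked example in Python. This is not the patent applicant's code and the patent discloses no implementation; the data model, the rule format, the sample tenancy and every identifier below are assumptions made here for illustration. The security-relevant point it demonstrates is the one claim 5 states: a compartment policy that allows an operation does not override a security zone policy that forbids it, and zone policies are inherited down the zone hierarchy.

```python
"""Toy security-zone policy enforcement point modelled on claim 1.

Added example, not the patent's code.  All names, the rule shapes and the
sample tenancy are invented for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    principal_group: str                 # group the caller belongs to
    operation: str                       # e.g. "CreateBucket", "MoveResource"
    resource: Dict                       # attributes of the resource acted on
    target_compartment: Optional[str] = None   # only used by MoveResource


@dataclass
class Compartment:
    name: str
    parent: Optional[str] = None
    security_zone: Optional[str] = None
    # Compartment (IAM-style) policies: (group, operation or "*") allow rules.
    allow_rules: List[Tuple[str, str]] = field(default_factory=list)


# A zone policy is a named condition that returns True when the request
# violates the restriction (claim 7: expressions made of conditions).
ZonePolicy = Tuple[str, Callable[[Request], bool]]


@dataclass
class SecurityZone:
    name: str
    parent: Optional[str] = None
    policies: List[ZonePolicy] = field(default_factory=list)


def lineage(name, table):
    """Yield an entity and then each of its ancestors, nearest first."""
    while name is not None:
        node = table[name]
        yield node
        name = node.parent


def evaluate(req: Request, compartments, zones):
    """Return (allowed, reason) following the order in claim 1."""
    comp_name = req.resource["compartment"]
    if comp_name not in compartments:
        return False, "unknown compartment"

    # Stage 1: the compartment policies are the union of the compartment's
    # own rules and its parents' rules (claim 3); one matching allow suffices.
    permitted = any(
        group == req.principal_group and op in ("*", req.operation)
        for comp in lineage(comp_name, compartments)
        for group, op in comp.allow_rules
    )
    if not permitted:
        return False, f"no compartment policy permits {req.operation}"

    # Stage 2, reached only after stage 1 passes: the zone policies are the
    # union of the zone's own and its parent zone's (claim 6).  Any violated
    # restriction denies, even though stage 1 allowed (claim 5).
    zone_name = compartments[comp_name].security_zone
    if zone_name is not None:
        for zone in lineage(zone_name, zones):
            for policy_name, violated in zone.policies:
                if violated(req):
                    return False, f"security zone {zone.name}: {policy_name}"
    return True, "permitted by compartment and security zone policies"


# Sample restrictions of the kinds named in claims 8 and 9 (assumed shapes).
def requires_encryption(req):
    return not req.resource.get("encrypted", False)


def no_public_access(req):
    return req.resource.get("public_access", False)


def no_move_out_of_compartment(req):
    return (req.operation == "MoveResource"
            and req.target_compartment != req.resource["compartment"])


def secondary_volumes_encrypted(req):      # claim 9: a secondary resource
    return any(not v.get("encrypted", False)
               for v in req.resource.get("attached_volumes", []))


# Constructed sample tenancy: a baseline zone and a stricter child zone.
ZONES = {
    "corp-baseline": SecurityZone("corp-baseline", policies=[
        ("resources must be encrypted", requires_encryption),
        ("resources must not be reachable from the public internet", no_public_access),
    ]),
    "pci": SecurityZone("pci", parent="corp-baseline", policies=[
        ("resources may not be moved out of their compartment", no_move_out_of_compartment),
        ("attached volumes must be encrypted", secondary_volumes_encrypted),
    ]),
}
COMPARTMENTS = {
    "root": Compartment("root", allow_rules=[("admins", "*")]),
    "payments": Compartment("payments", parent="root", security_zone="pci",
                            allow_rules=[("payments-devs", "CreateBucket"),
                                         ("payments-devs", "LaunchInstance")]),
    "sandbox": Compartment("sandbox", parent="root"),   # no zone: stage 2 skipped
}


def decide(principal_group, operation, resource, target=None):
    """Convenience wrapper over evaluate() for the sample tenancy."""
    return evaluate(Request(principal_group, operation, resource, target),
                    COMPARTMENTS, ZONES)
```

Running `decide("payments-devs", "CreateBucket", {"compartment": "payments", "encrypted": True, "public_access": True})` is denied by the parent zone `corp-baseline` even though the `payments` compartment explicitly allows that group to create buckets, and `decide("admins", "MoveResource", {"compartment": "payments", "encrypted": True}, target="sandbox")` is denied by the `pci` zone although the tenancy-wide admin rule inherited from `root` passes stage 1. The order matters for what a caller learns: stage 1 failures reveal only that no compartment policy matched, while zone denials name the violated restriction, which is the result claim 12 has the system report back.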
CPC classification titles:

- for managing network security; network security policies in general (filtering policies H04L63/0227)
- wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
- Entity profiles
- for controlling access to devices or network resources
- in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46)