Control: 1.1 Ensure service level admins are created to manage resources of particular service

Description

To apply least-privilege security principle, one can create service-level administrators in corresponding groups and assigning specific users to each service-level administrative group in a tenancy. This limits administrative access in a tenancy.

It means service-level administrators can only manage resources of a specific service.

Example policies for global/tenant level service-administrators

Allow group VolumeAdmins to manage volume-family in tenancy

Allow group ComputeAdmins to manage instance-family in tenancy

Allow group NetworkAdmins to manage virtual-network-family in tenancy

Organizations have various ways of defining service-administrators. Some may prefer creating service administrators at a tenant level and some per department or per project or even per application environment ( dev/test/production etc.). Either approach works so long as the policies are written to limit access given to the service-administrators.

Example policies for compartment level service-administrators

Allow group NonProdComputeAdmins to manage instance-family in compartment dev

Allow group ProdComputeAdmins to manage instance-family in compartment production

Allow group A-Admins to manage instance-family in compartment Project-A

Allow group A-Admins to manage volume-family in compartment Project-A

Remediation

Refer to the policy syntax document and create new policies if the audit results indicate that the required policies are missing. This can be done via OCI console or OCI CLI/SDK or API.

From Command Line

oci iam policy create [OPTIONS]

Creates a new policy in the specified compartment (either the tenancy or another of your compartments). If you're new to policies, see Getting Started with Policies You must specify a name for the policy, which must be unique across all policies in your tenancy and cannot be changed. You must also specify a description for the policy (although it can be an empty string). It does not have to be unique, and you can change it anytime with UpdatePolicy. You must specify one or more policy statements in the statements array. For information about writing policies, see How Policies Work and Common Policies.