Loading controls...
Control: 1.2 Ensure permissions on all resources are given only to the tenancy administrator group
Description
There is a built-in OCI IAM policy enabling the Administrators group to perform any action within a tenancy. In the OCI IAM console, this policy reads:
Allow group Administrators to manage all-resources in tenancyAdministrators create more users, groups, and policies to provide appropriate access to other groups.
Administrators should not allow any-other-group full access to the tenancy by writing a policy like this -
Allow group any-other-group to manage all-resources in tenancyThe access should be narrowed down to ensure the least-privileged principle is applied.
Remediation
From Console
- Login to OCI console.
- Go to
Identity -> Policies, In the compartment dropdown, choose the root compartment. Open each policy to view the policy statements. - Remove any policy statement that allows any group other than
Administratorsor any service access to manage all resources in the tenancy.
The policies can also be updated via OCI CLI/SDK/API. Note: You should generally not delete the policy that allows the Administrators group the ability to manage all resources in the tenancy.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v110_1_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v110_1_2 --shareSQL
This control uses a named query:
identity_only_administrators_group_with_manage_all_resources_permission_in_tenancy