turbot/oci_compliance

Control: 1.2 Ensure permissions on all resources are given only to the tenancy administrator group

Description

There is a built-in OCI IAM policy enabling the Administrators group to perform any action within a tenancy. In the OCI IAM console, this policy reads:

Allow group Administrators to manage all-resources in tenancy

Administrators create more users, groups, and policies to provide appropriate access to other groups.

Administrators should not allow any-other-group full access to the tenancy by writing a policy like this -

Allow group any-other-group to manage all-resources in tenancy

The access should be narrowed down to ensure the least-privileged principle is applied.

Remediation

From Console

  1. Login to OCI console.
  2. Go to Identity -> Policies, In the compartment dropdown, choose the root compartment. Open each policy to view the policy statements.
  3. Remove any policy statement that allows any group other than Administrators or any service access to manage all resources in the tenancy.

The policies can also be updated via OCI CLI/SDK/API. Note: You should generally not delete the policy that allows the Administrators group the ability to manage all resources in the tenancy.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_1_2 --share

SQL

This control uses a named query:

identity_only_administrators_group_with_manage_all_resources_permission_in_tenancy

Tags