turbot/oci_compliance

Control: 1.14 Ensure storage service-level admins cannot delete resources they manage

Description

To apply the separation of duties security principle, one can restrict service-level administrators from being able to delete resources they are managing. It means service- level administrators can only manage resources of a specific service but not delete resources for that specific service.

Example policies for global/tenant level for block volume service-administrators:

Allow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE'
Allow group VolumeUsers to manage volume-backups in tenancy where request.permission!='VOLUME_BACKUP_DELETE'

Example policies for global/tenant level for file storage system service-administrators:

Allow group FileUsers to manage file-systems in tenancy where request.permission!='FILE_SYSTEM_DELETE'
Allow group FileUsers to manage mount-targets in tenancy where request.permission!='MOUNT_TARGET_DELETE'
Allow group FileUsers to manage export-sets in tenancy where request.permission!='EXPORT_SET_DELETE'

Example policies for global/tenant level for object storage system service- administrators:

Allow group BucketUsers to manage objects in tenancy where request.permission!='OBJECT_DELETE'
Allow group BucketUsers to manage buckets in tenancy where request.permission!='BUCKET_DELETE'

Remediation

From Console

  1. Login to OCI Console.
  2. Go to Identity -> Policies, In the compartment dropdown, choose the compartment. Open each policy to view the policy statements.
  3. Add the appropriate where condition to any policy statement that allows the storage service-level to manage the storage service.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_1_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_1_14 --share

SQL

This control uses a named query:

manual_control

Tags