Control: 1.14 Ensure storage service-level admins cannot delete resources they manage
Description
To apply the separation of duties security principle, one can restrict service-level administrators from being able to delete resources they are managing. It means service- level administrators can only manage resources of a specific service but not delete resources for that specific service.
Example policies for global/tenant level for block volume service-administrators:
Allow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE'Allow group VolumeUsers to manage volume-backups in tenancy where request.permission!='VOLUME_BACKUP_DELETE'
Example policies for global/tenant level for file storage system service-administrators:
Allow group FileUsers to manage file-systems in tenancy where request.permission!='FILE_SYSTEM_DELETE'Allow group FileUsers to manage mount-targets in tenancy where request.permission!='MOUNT_TARGET_DELETE'Allow group FileUsers to manage export-sets in tenancy where request.permission!='EXPORT_SET_DELETE'
Example policies for global/tenant level for object storage system service- administrators:
Allow group BucketUsers to manage objects in tenancy where request.permission!='OBJECT_DELETE'Allow group BucketUsers to manage buckets in tenancy where request.permission!='BUCKET_DELETE'
Remediation
From Console
- Login to OCI Console.
- Go to Identity -> Policies, In the compartment dropdown, choose the compartment. Open each policy to view the policy statements.
- Add the appropriate
where
condition to any policy statement that allows the storage service-level to manage the storage service.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_1_14
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v120_1_14 --share
SQL
This control uses a named query:
manual_control