Control: 1.2 Ensure permissions on all resources are given only to the tenancy administrator group
Description
There is a built-in OCI IAM policy enabling the Administrators group to perform any action within a tenancy. In the OCI IAM console, this policy reads:
Allow group Administrators to manage all-resources in tenancy
Administrators create more users, groups, and policies to provide appropriate access to other groups.
Administrators should not allow any other group full access to the tenancy by writing a policy like this:
Allow group any-other-group to manage all-resources in tenancy
The access should be narrowed down to ensure the least-privileged principle is applied.
Permission to manage all resources in a tenancy should be limited to a small number of users in the Administrators group for break-glass situations and to set up users/groups/policies when a tenancy is created.
No group other than Administrators in a tenancy should need access to all resources in a tenancy, as this violates the enforcement of the least privilege principle.
Remediation
From Console
- Log in to the OCI console.
- Go to Identity -> Policies. In the compartment dropdown, choose the root compartment. Open each policy to view its policy statements.
- Remove any policy statement that allows any group other than Administrators, or any service, to manage all resources in the tenancy.
From CLI:
The policies can also be updated via OCI CLI, SDK and API, with an example of the CLI commands below:
Delete a policy via the CLI:
oci iam policy delete --policy-id <policy-ocid>
Update a policy via the CLI:
oci iam policy update --policy-id <policy-ocid> --statements <json-array-of-statements>
Note: You should generally not delete the policy that allows the Administrators group to manage all resources in the tenancy.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_2 --share
SQL
This control uses a named query:
with policies_with_manage_all_resource_per as (
  select
    lower(s) as statement
  from
    oci_identity_policy,
    jsonb_array_elements_text(statements) as s
  where
    lower(s) like '%' || 'to manage all-resources in tenancy'
),
policies_with_manage_all_resource_per_except_admin as (
  select
    count(*) as num_of_statements
  from
    policies_with_manage_all_resource_per
  where
    not statement ilike '%' || 'administrators' || '%'
)
select
  tenant_id as resource,
  case
    when num_of_statements > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when num_of_statements > 0 then title || ' permissions on all resources are given to the groups other than administrator group.'
    else title || ' permissions on all resources are given to the administrator group only.'
  end as reason,
  tenant_name as tenant
from
  oci_identity_tenancy,
  policies_with_manage_all_resource_per_except_admin;
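The same check as the query above, as an added Python example that is not part of the oci_compliance mod, run over constructed policy statements (the policy names and group names are made up). Instead of the query's substring test for "administrators", it extracts the subject of each statement, so a group or service other than Administrators that is granted manage all-resources in tenancy is reported with its name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample policies shaped like oci_identity_policy rows (names are invented).
SAMPLE_POLICIES = [
    {"name": "admin-policy", "statements": [
        "Allow group Administrators to manage all-resources in tenancy"]},
    {"name": "netops-policy", "statements": [
        "Allow group NetworkAdmins to manage virtual-network-family in tenancy",
        "Allow group NetworkAdmins to read all-resources in tenancy"]},
    {"name": "overbroad-policy", "statements": [
        "Allow group DevOps to manage all-resources in tenancy",
        "Allow service cloudguard to manage all-resources in tenancy"]},
]

# Shape the control looks for: a group or service granted
# 'manage all-resources in tenancy' (an optional trailing where-clause is allowed).
_BROAD = re.compile(
    r"^\s*allow\s+(group|service)\s+(\S+)\s+to\s+manage\s+all-resources\s+in\s+tenancy\b",
    re.IGNORECASE,
)


def broad_grants(policies: List[Dict]) -> List[Dict]:
    """Return every statement granting manage all-resources in tenancy, with its subject."""
    found = []
    for pol in policies:
        for stmt in pol["statements"]:
            m = _BROAD.match(stmt)
            if m:
                found.append({"policy": pol["name"],
                              "subject_type": m.group(1).lower(),
                              "subject": m.group(2),
                              "statement": stmt})
    return found


def evaluate(policies: List[Dict], admin_group: str = "Administrators") -> Tuple[str, List[Dict]]:
    """Mirror the control: 'ok' only when the Administrators group is the sole full-manage subject."""
    offenders = [g for g in broad_grants(policies)
                 if not (g["subject_type"] == "group"
                         and g["subject"].lower() == admin_group.lower())]
    return ("alarm" if offenders else "ok"), offenders


if __name__ == "__main__":
    status, offenders = evaluate(SAMPLE_POLICIES)
    print(status)
    for o in offenders:
        print(f"{o['policy']}: {o['subject_type']} {o['subject']}")
```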