Control: 1.2 Ensure permissions on all resources are given only to the tenancy administrator group

Description

There is a built-in OCI IAM policy enabling the Administrators group to perform any action within a tenancy. In the OCI IAM console, this policy reads:

Allow group Administrators to manage all-resources in tenancy

Administrators create more users, groups, and policies to provide appropriate access to other groups.

Administrators should not allow any-other-group full access to the tenancy by writing a policy like this -

Allow group any-other-group to manage all-resources in tenancy

The access should be narrowed down to ensure the least-privileged principle is applied.

Permission to manage all resources in a tenancy should be limited to a small number of users in the Administrators group for break-glass situations and to set up users/groups/policies when a tenancy is created.

No group other than Administrators in a tenancy should need access to all resources in a tenancy, as this violates the enforcement of the least privilege principle.

Remediation

From Console

1. Login to OCI console.
2. Go to Identity -> Policies, In the compartment dropdown, choose the root compartment. Open each policy to view the policy statements.
3. Remove any policy statement that allows any group other than Administrators or any service access to manage all resources in the tenancy.

From CLI:

The policies can also be updated via OCI CLI, SDK and API, with an example of the CLI commands below:

• Delete a policy via the CLI:

  oci iam policy delete --policy-id <policy-ocid>

• Update a policy via the CLI:

  oci iam policy update --policy-id <policy-ocid> --statements <json-array-of-statements>

Note You should generally not delete the policy that allows the Administrators group the ability to manage all resources in the tenancy.