Control: 1.3 Ensure IAM administrators cannot update tenancy Administrators group
Description
Tenancy administrators can create more users, groups, and policies to provide other service administrators access to OCI resources.
For example, an IAM administrator will need access to manage resources such as compartments, users, groups, dynamic-groups, policies, identity-providers, tag-namespaces, and tag-definitions in the tenancy.
The policy that gives IAM-Administrators or any other group full access to 'groups' resources should not allow access to the tenancy 'Administrators' group.
The policy statements would look like -
Allow group IAMAdmins to inspect users in tenancy
Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'
Allow group IAMAdmins to inspect groups in tenancy
Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'
Note: You must include separate statements for 'inspect' access, because the target.group.name variable is not used by the ListUsers and ListGroups operations.
These policy statements ensure that no other group can manage tenancy administrator users or the membership of the 'Administrators' group, and thereby gain or remove tenancy administrator access.
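As an added illustration of the check this control performs (example code written here, not part of the oci_compliance mod or its named query), the function below parses OCI policy statements and flags any group grant of 'use' or 'manage' on users, groups or all-resources in the tenancy that lacks the target.group.name != 'Administrators' condition. The sample statements are constructed; the regex covers the common "Allow group ... to <verb> <resource> in tenancy [where ...]" form only.

```python
import re

# Constructed sample policy statements for illustration (not from a real tenancy).
SAMPLE_STATEMENTS = [
    "Allow group IAMAdmins to inspect users in tenancy",
    "Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'",
    "Allow group IAMAdmins to inspect groups in tenancy",
    "Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'",
    "Allow group HelpDesk to manage groups in tenancy",
    "Allow group Auditors to read users in tenancy",
    "Allow group Administrators to manage all-resources in tenancy",
]

# Simplified grammar for the statement form shown in this control (assumption:
# only "Allow group ..." statements are considered; other subjects are ignored).
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+[\w:.-]+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)

# The exact exclusion the control expects to see in the where clause.
EXCLUDES_ADMINS_RE = re.compile(r"target\.group\.name\s*!=\s*'administrators'", re.IGNORECASE)

# Resource types through which 'Administrators' membership can be changed.
SENSITIVE_RESOURCES = {"users", "groups", "all-resources"}


def is_risky(statement):
    """True when a non-Administrators group may modify users/groups in the tenancy
    without the where clause excluding the 'Administrators' group."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return False  # not a group grant in the expected form; leave for manual review
    if m.group("group").lower() == "administrators":
        return False  # the tenancy Administrators group is expected to hold this access
    verb = m.group("verb").lower()
    resource = m.group("resource").lower()
    if verb not in ("use", "manage") or resource not in SENSITIVE_RESOURCES:
        return False  # inspect/read cannot change group membership
    cond = m.group("cond") or ""
    # Note: a where clause that restricts to other groups by a different predicate
    # is still flagged here, because only the literal exclusion is recognised.
    return not EXCLUDES_ADMINS_RE.search(cond)


def risky_statements(statements):
    """Return the statements that violate the control, in input order."""
    return [s for s in statements if is_risky(s)]
```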
Remediation
From Console
- Login to OCI Console.
- Select Identity from the Services menu.
- Select Policies from the Identity menu.
- Click on an individual policy under the Name heading.
- Ensure policy statements look like this -
Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'
Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_3 --share
SQL
This control uses a named query:
identity_iam_administrators_no_update_tenancy_administrators_group_permission