Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-oci-compliance
Overview
3Dashboards
133Benchmarks
43Queries
2Variables
GitHub

Control: 1.3 Ensure IAM administrators cannot update tenancy Administrators group

Description

Tenancy administrators can create more users, groups, and policies to provide other service administrators access to OCI resources.

For example, an IAM administrator will need to have access to manage resources like compartments, users, groups, dynamic-groups, policies, identity-providers, tenancy tagnamespaces, tag-definitions in the tenancy.

The policy that gives IAM-Administrators or any other group full access to 'groups' resources should not allow access to the tenancy 'Administrators' group.

The policy statements would look like -

Allow group IAMAdmins to inspect users in tenancy
Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'
Allow group IAMAdmins to inspect groups in tenancy
Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'

Note: You must include separate statements for 'inspect' access, because the target.group.name variable is not used by the ListUsers and ListGroups operations.

These policy statements ensure that no other group can manage tenancy administrator users or the membership to the 'Administrators' group thereby gain or remove tenancy administrator access.

Remediation

From Console

  1. Login to OCI Console.
  2. Select Identity from Services Menu.
  3. Select Policies from Identity Menu.
  4. Click on an individual policy under the Name heading.
  5. Ensure Policy statements look like this -
Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'
Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_3 --share

SQL

This control uses a named query:

with policies_to_update_tenancy as (
  select
    lower(s) as statement
  from
    oci_identity_policy,
    jsonb_array_elements_text(statements) as s
  where
    lower(s) like '%' || 'to use users in tenancy' || '%'
    or lower(s) like '%' || 'to use groups in tenancy' || '%'
), policies_to_update_tenancy_without_condition as (
  select
    count(*) as num
  from
    policies_to_update_tenancy
  where
    not statement like '%' || 'where target.group.name != ''administrators'''
)
select
  id as resource,
  case
    when num > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when num > 0 then title || ' IAM administrators can update tenancy administrators group.'
    else title || ' IAM administrators cannot update tenancy administrators group.'
  end as reason
  
  , tenant_name as tenant
from
  oci_identity_tenancy,
  policies_to_update_tenancy_without_condition;

Tags

category = Compliance
cis = true
cis_item_id = 1.3
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v2.0.0
plugin = oci
service = OCI/Identity