lacework-global-211

Identity and Access Management (IAM) group has too few members (Automated)

Description

Alerts when an IAM group has no members. Remediate by increasing the number of group members. IAM group membership frequently grants access to resources and features, so a group with too few members may represent excess privileges that have been "orphaned" (still granted to the group by policy, but no longer available to any user).

Remediation

From Console:

  1. Login to OCI console.
  2. Select Identity from Services menu.
  3. Select Groups from Identity menu, or select Domains, select a domain, and select Groups.
  4. Click the name of a group with no members.
  5. Click Assign user to groups.
  6. Select users to assign to the group.
  7. Click Add.
  8. Repeat steps 3-7 for all groups with no members.

From CLI:

  1. Execute the following command to locate user IDs:

    oci iam user list --query 'data[].{"ID":id,"Name":name}' --output table

  2. For each group with no members, execute the following command to assign a user to the group:

    oci iam group add-user --group-id <group_id> --user-id <user_id>
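The check and the CLI remediation above, carried through as an added example (not Lacework's or Oracle's code): list every group in the tenancy with the OCI CLI, list each group's members, and emit the `add-user` command for any group that has none. The CLI is called through the assumed helper `run_oci`, and a constructed sample of CLI output (placeholder OCIDs) is embedded so the logic can be exercised without an OCI tenancy.

```python
"""Find OCI IAM groups with no members and print the remediation command.
Added example; `run_oci` wraps the real `oci` CLI, `sample_runner` replays
constructed output so the detection logic can run offline."""
import json
import subprocess
from typing import Callable, Dict, List

OciRunner = Callable[[List[str]], dict]


def run_oci(args: List[str]) -> dict:
    """Run an `oci` subcommand with JSON output and parse the result."""
    proc = subprocess.run(["oci", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {"data": []}


def find_empty_groups(tenancy_ocid: str, runner: OciRunner = run_oci) -> List[Dict[str, str]]:
    """Return {'id', 'name'} for every group in the tenancy with zero members."""
    groups = runner(["iam", "group", "list", "--compartment-id", tenancy_ocid, "--all"])
    empty = []
    for group in groups.get("data", []):
        # `oci iam group list-users` returns the users that belong to the group.
        members = runner(["iam", "group", "list-users", "--group-id", group["id"], "--all"])
        if not members.get("data"):
            empty.append({"id": group["id"], "name": group["name"]})
    return empty


def remediation_commands(empty_groups: List[Dict[str, str]], user_id: str) -> List[str]:
    """Build the `oci iam group add-user` command from the page for each empty group."""
    return [f"oci iam group add-user --group-id {g['id']} --user-id {user_id}" for g in empty_groups]


# Constructed sample standing in for real CLI output (placeholder OCIDs, not real).
SAMPLE_GROUPS = {"data": [{"id": "ocid1.group.oc1..placeholder1", "name": "Administrators"},
                          {"id": "ocid1.group.oc1..placeholder2", "name": "LegacyDeployers"}]}
SAMPLE_MEMBERS = {"ocid1.group.oc1..placeholder1": [{"id": "ocid1.user.oc1..placeholderA"}],
                  "ocid1.group.oc1..placeholder2": []}


def sample_runner(args: List[str]) -> dict:
    """Replay the constructed sample for the two CLI calls the check makes."""
    if args[:3] == ["iam", "group", "list"]:
        return SAMPLE_GROUPS
    if args[:3] == ["iam", "group", "list-users"]:
        return {"data": SAMPLE_MEMBERS.get(args[4], [])}
    raise ValueError(f"unexpected oci arguments: {args}")


if __name__ == "__main__":
    for cmd in remediation_commands(find_empty_groups("ocid1.tenancy.oc1..placeholder", sample_runner),
                                    "ocid1.user.oc1..placeholderA"):
        print(cmd)
```

Replace `sample_runner` with the default `run_oci` and pass the real tenancy OCID to run the check against a tenancy where the CLI is configured.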

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__OCI_IAM_GRP_FEW_MEMBERS_FOUND
https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managinggroups.htm
https://docs.oracle.com/en-us/iaas/Content/Identity/groups/add-users-to-groups.htm
https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.30.1/oci_cli_docs/cmdref/iam/group/add-user.html