
lacework-global-212

Identity and Access Management (IAM) group has too many members (Manual)

Description

Alert when an IAM group has more members than the maximum you specify. To remediate, reduce the group's membership to no more than that maximum. IAM policies usually grant access to resources and features by group rather than by individual user, so a group with an unusually large membership can mean that a privileged set of permissions has been extended to more users than need it.

Remediation

From Console:

  1. Log in to the OCI console.
  2. Select Identity from the Services menu.
  3. Select Groups from the Identity menu, or select Domains, select a domain, and then select Groups.
  4. Click the name of a group with too many members.
  5. Check the box next to each user to remove from the group.
  6. Click Remove user from group.
  7. Click Remove user from group again to confirm the removal.
  8. Repeat steps 3-7 for every group with too many members.

From CLI:

  1. Execute the following command to list the ID and name of each user in a group (--all follows pagination so that a large group's membership is not truncated to the first page of results):

    oci iam group list-users --group-id <group_id> --all --query 'data[].{"ID":id,"Name":name}' --output table
  2. For each group with too many members, execute the following command once for each user to remove from the group:

    oci iam group remove-user --group-id <group_id> --user-id <user_id>

Note: the oci iam group commands manage groups in the Default identity domain (legacy IAM). Groups in other identity domains are managed with the oci identity-domains group commands instead.
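The CLI steps above check one group at a time. The following script is an added example, not Lacework's or Oracle's code, that wraps the same two commands to audit every group in a tenancy against a maximum member count and render the exact remove-user command for each member of an oversized group, leaving the choice of which users to remove to the operator. It assumes the `oci` CLI is installed and configured; the function names and the constructed sample groups are this example's own.

```python
"""Audit OCI IAM groups against a maximum member count by wrapping the OCI CLI.

Added example (not Lacework's or Oracle's code). It assumes the `oci` CLI is
installed and configured; the function names below are this example's own.
"""
import json
import subprocess
import sys
from typing import Callable, Dict, List

Runner = Callable[[List[str]], dict]


def run_oci(args: List[str]) -> dict:
    """Run `oci <args>` and return its parsed JSON document ({} if nothing is printed)."""
    proc = subprocess.run(["oci", *args], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def list_groups(tenancy_id: str, run: Runner = run_oci) -> List[dict]:
    """IAM groups live in the tenancy root compartment, so --compartment-id is the
    tenancy OCID. --all follows pagination so no group is missed."""
    return run(["iam", "group", "list", "--compartment-id", tenancy_id, "--all"]).get("data", [])


def group_members(group_id: str, run: Runner = run_oci) -> List[dict]:
    """The page's step 1 command, with --all so large groups are counted in full."""
    return run(["iam", "group", "list-users", "--group-id", group_id, "--all"]).get("data", [])


def find_oversized_groups(tenancy_id: str, max_members: int, run: Runner = run_oci) -> Dict[str, dict]:
    """Return {group_id: {"name", "count", "members"}} for every group with more than max_members users."""
    flagged: Dict[str, dict] = {}
    for group in list_groups(tenancy_id, run):
        members = group_members(group["id"], run)
        if len(members) > max_members:
            flagged[group["id"]] = {
                "name": group["name"],
                "count": len(members),
                "members": [{"id": m["id"], "name": m["name"]} for m in members],
            }
    return flagged


def removal_commands(flagged: Dict[str, dict]) -> List[str]:
    """Render one `oci iam group remove-user` command per member of each flagged group.
    Choosing which members to drop needs a human, so the commands are printed, not run."""
    cmds: List[str] = []
    for group_id, info in flagged.items():
        for m in info["members"]:
            cmds.append(
                f"oci iam group remove-user --group-id {group_id} --user-id {m['id']}"
                f"  # {info['name']}: {m['name']}"
            )
    return cmds


# Constructed sample data (hypothetical OCIDs) so the audit logic runs without a tenancy.
SAMPLE_GROUPS = {
    "ocid1.group.oc1..example-admins": ("Administrators", ["alice", "bob", "carol", "dave"]),
    "ocid1.group.oc1..example-readers": ("Readers", ["erin", "frank"]),
}


def constructed_run(args: List[str]) -> dict:
    """Stand-in for run_oci that answers the two list commands from SAMPLE_GROUPS."""
    if args[:3] == ["iam", "group", "list"]:
        return {"data": [{"id": gid, "name": name} for gid, (name, _) in SAMPLE_GROUPS.items()]}
    if args[:3] == ["iam", "group", "list-users"]:
        gid = args[args.index("--group-id") + 1]
        _, users = SAMPLE_GROUPS[gid]
        return {"data": [{"id": f"ocid1.user.oc1..{u}", "name": u} for u in users]}
    raise ValueError(f"unexpected command: {args}")


if __name__ == "__main__":
    # Usage: python audit_groups.py <tenancy-ocid> <max-members>; with no arguments, run on the sample.
    if len(sys.argv) == 3:
        result = find_oversized_groups(sys.argv[1], int(sys.argv[2]))
    else:
        result = find_oversized_groups("ocid1.tenancy.oc1..example", 3, run=constructed_run)
    for gid, info in result.items():
        print(f"{info['name']} ({gid}) has {info['count']} members")
    for cmd in removal_commands(result):
        print(cmd)
```

Run it with the tenancy OCID and the same maximum configured for the policy; the printed remove-user lines can be pasted back into the shell after an operator has struck out the members that legitimately belong in the group. The script uses the legacy `oci iam` commands and therefore covers only the Default identity domain.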

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__OCI_IAM_GRP_TOO_MANY_MEMBERS_FOUND
https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managinggroups.htm
https://docs.oracle.com/en-us/iaas/Content/Identity/groups/remove-users-from-groups.htm
https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.30.2/oci_cli_docs/cmdref/iam/group/remove-user.html