lacework-global-669

1.2 Give permissions on all resources only to the tenancy administrator group (Automated)

Description

There is a built-in OCI Identity and Access Management (IAM) policy enabling the Administrators group to perform any action within a tenancy. In the OCI IAM console, this policy reads:

Allow group Administrators to manage all-resources in tenancy

Administrators create more users, groups, and policies to provide appropriate access to other groups.

Administrators should not allow any other group full access to the tenancy by creating a policy such as:

Allow group any-other-group to manage all-resources in tenancy

Narrow the access granted to every other group so that it follows the principle of least privilege: grant only the verbs (inspect, read, use, manage), resource types and compartments each group actually needs.

Remediation

From Console:

  1. Login to OCI console.
  2. Go to Identity -> Policies. In the compartment dropdown, choose the root compartment, then open each policy and review its statements.
  3. Remove any policy statement that allows a group (or dynamic group, or any-user) other than Administrators to manage all-resources in the tenancy. Statements that grant access to an OCI service principal are exempt from this check.

Note: You should generally not delete the policy that allows the Administrators group the ability to manage all resources in the tenancy.

The policies can also be updated via the OCI CLI, SDK and API; example CLI commands are shown below.

Delete a policy via the CLI (this removes the whole policy, including every statement in it):
oci iam policy delete --policy-id <policy-ocid>
Update a policy via the CLI (the --statements value replaces the policy's entire statement list, so pass every statement that should remain, not only the changed one):
oci iam policy update --policy-id <policy-ocid> --statements <json-array-of-statements>
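To review the root-compartment policies for this control without opening each one by hand, the following script is an added example (not Lacework's or Oracle's own code). It parses the Allow-statement grammar and reports every grant of manage all-resources in tenancy whose subject is anything other than the Administrators group or an OCI service. The input shape, a JSON object with a "data" array of policies carrying "name" and "statements", is what "oci iam policy list --compartment-id <tenancy-ocid> --all" prints; the script name audit_tenancy_policies.py is arbitrary, and SAMPLE_POLICY_LIST is constructed for the demonstration.

```python
"""Report tenancy-wide 'manage all-resources' grants to anyone but Administrators.

Added example, not Lacework's or Oracle's code. Assumes the JSON shape of
`oci iam policy list --compartment-id <tenancy-ocid> --all`; SAMPLE_POLICY_LIST
is constructed for illustration.
"""
import json
import re
import sys

# Subset of the OCI policy grammar:
#   Allow <subject> to <verb> <resource-type> in <scope> [where <conditions>]
# <subject>: any-user | group NAME | group id OCID | dynamic-group NAME | service NAME
# NAME may be plain, quoted, or identity-domain qualified ('Domain'/'Name').
STATEMENT_RE = re.compile(
    r"""^\s*allow\s+
        (?P<subject>any-user
                   |(?:group|dynamic-group)\s+(?:id\s+)?(?P<name>'[^']*'(?:/'[^']*')?|\S+)
                   |service\s+\S+)
        \s+to\s+(?P<verb>inspect|read|use|manage)
        \s+(?P<resource>\S+)
        \s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)
        (?P<where>\s+where\s+.+)?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)
TENANCY_ADMIN_GROUP = "administrators"


def parse_statement(statement):
    """Split an Allow statement into its parts; None if it is not an Allow grant."""
    m = STATEMENT_RE.match(statement)
    if m is None:
        return None
    subject_words = m.group("subject").split()
    kind = subject_words[0].lower()  # any-user | group | dynamic-group | service
    if m.group("name") is not None:
        # 'Default'/'Administrators' -> administrators; an OCID is left as-is
        name = m.group("name").split("/")[-1].strip("'").lower()
    elif kind == "service":
        name = subject_words[1].lower()
    else:
        name = None  # any-user carries no name
    where = m.group("where")
    return {
        "kind": kind, "name": name,
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "scope": re.sub(r"\s+", " ", m.group("scope")).lower(),
        "where": where.strip() if where else None,
    }


def is_overbroad_tenancy_grant(parsed):
    """True for 'manage all-resources in tenancy' given to anything except the
    Administrators group. Services are exempt, as in the control text. A where
    clause does not clear the finding: it is still the broadest verb on the
    broadest resource type, so a human should review it. Groups referenced by
    OCID cannot be resolved offline and are therefore reported as well."""
    if parsed is None:
        return False
    if (parsed["verb"], parsed["resource"], parsed["scope"]) != ("manage", "all-resources", "tenancy"):
        return False
    if parsed["kind"] == "service":
        return False
    return not (parsed["kind"] == "group" and parsed["name"] == TENANCY_ADMIN_GROUP)


def audit_policies(policy_list):
    """Return (findings, unparsed). Statements outside the Allow grammar
    (Define/Endorse/Admit, typos) go to `unparsed` for manual review rather
    than silently passing."""
    findings, unparsed = [], []
    for policy in policy_list.get("data", []):
        for stmt in policy.get("statements", []):
            parsed = parse_statement(stmt)
            if parsed is None:
                unparsed.append((policy["name"], stmt))
            elif is_overbroad_tenancy_grant(parsed):
                subject = parsed["kind"] if parsed["name"] is None else f"{parsed['kind']} {parsed['name']}"
                findings.append({"policy": policy["name"], "statement": stmt, "subject": subject})
    return findings, unparsed


# Constructed sample in the shape of `oci iam policy list --all` output.
SAMPLE_POLICY_LIST = {"data": [
    {"name": "Tenant Admin Policy", "statements": [
        "Allow group Administrators to manage all-resources in tenancy"]},
    {"name": "platform-team", "statements": [
        "Allow group platform-engineers to manage all-resources in tenancy",
        "Allow group platform-engineers to read audit-events in tenancy"]},
    {"name": "ci-runners", "statements": [
        "Allow dynamic-group ci-instances to manage all-resources in tenancy where request.region = 'us-ashburn-1'"]},
    {"name": "domain-admins", "statements": [
        "Allow group 'Default'/'Administrators' to manage all-resources in tenancy"]},
    {"name": "object-storage-service", "statements": [
        "Allow service objectstorage-us-ashburn-1 to manage object-family in tenancy"]},
    {"name": "dev-compartment", "statements": [
        "Allow group developers to manage all-resources in compartment dev",
        "Endorse group ops to manage all-resources in tenancy"]},
]}

if __name__ == "__main__":
    # usage: oci iam policy list --compartment-id <tenancy-ocid> --all > policies.json
    #        python3 audit_tenancy_policies.py policies.json   (no argument: sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policies = json.load(fh)
    else:
        policies = SAMPLE_POLICY_LIST
    findings, unparsed = audit_policies(policies)
    for f in findings:
        print(f"FINDING {f['policy']}: {f['statement']} (subject: {f['subject']})")
    for name, stmt in unparsed:
        print(f"REVIEW  {name}: not an Allow grant, check by hand: {stmt}")
    print(f"{len(findings)} over-broad grant(s), {len(unparsed)} unparsed statement(s)")
```

Against the sample data the script reports platform-team and ci-runners, passes the two Administrators statements (plain and identity-domain qualified), the service grant and the compartment-scoped grant, and sends the Endorse statement to manual review. Each reported policy can then be fixed with the console steps above or with oci iam policy update, passing the full list of statements that should remain.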

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__POLICY_GIVES_MANY_PRIVILEGES