Skip to main content

lacework-global-670

1.3 Ensure Identity and Access Management (IAM) administrators cannot update tenancy Administrators group (Automated)

Description

Tenancy administrators can create more users, groups, and policies to provide other service administrators access to OCI resources.

For example, an IAM administrator needs to have access to manage resources like compartments, users, groups, dynamic-groups, policies, identity-providers, tenancy tag-namespaces, tag-definitions in the tenancy.

The policy that gives IAM-Administrators or any other group full access to 'groups' resources should not allow access to the tenancy 'Administrators' group.

The policy statements would look like -

Allow group IAMAdmins to inspect users in tenancy
Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'
Allow group IAMAdmins to inspect groups in tenancy
Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'
note

You must include separate statements for 'inspect' access, because the target.group.name variable is not used by the ListUsers and ListGroups operations

Remediation

From Console:

  1. Login to OCI Console.

  2. Select Identity from Services Menu.

  3. Select Policies from Identity Menu.

  4. Click an individual policy under the Name heading.

  5. Ensure Policy statements look like this:

    Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'
    Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__POLICY_TENANCY_ADMIN_GROUP_PRIVILEGES

Last updated on