OCI-Database-Database-Policy-Protection

Severity : High

Description: This control ensures that OCI database instances are protected against unintended and malicious deletion by unauthorized groups and users. database users/groups should be able to create database table-spaces but not delete them. Security policies for database users and groups should remove statements for permission for DB_SYSTEM_DELETE, DATABASE_DELETE, DB_HOME_DELETE with where statement request.permission !={DB_SYSTEM_DELETE, DATABASE_DELETE, DB_HOME_DELETE} . It is recommended that minimum possible set of IAM users and groups have database delete permissions . Only give DELETE permissions to tenancy and compartment administrators

Remediation Steps:

Perform following to update bucket access policies :

1. Login to the OCI console at https://www.oracle.com/cloud/sign-in.html .

2. In the navigation, Click Identity & Security.

3. Under Identity, click Policies.

4. Select the compartment and then reported policy .  The policy's details and statements are displayed.

5. Click Edit Policy Statements.

6. In Policy Builder Select Basic or Advance editor to update the policy statements with request.permission != INSTANCE_DELETE.

7. Click Save Changes.

Important:

Reference:

• https://docs.oracle.com/en-us/iaas/Content/Security/Reference/dbaas_security.htm

• https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingpolicies.htm

• https://docs.oracle.com/en-us/iaas/Content/Database/Concepts/security_zones_topic-database_service_integration_overview.htm