OCI-Identity-Policy-Least-Privilege

Severity : High

Description: This control ensures that OCI service-level admin policies with full permission doesn’t allows non-admin IAM users. Its is recommended that only service-level admins allowed with full permission policies and non-admin users must be allowed to least privilege access to prevent unintended access to resources by unauthorized users or groups.

Remediation Steps:

Perform following to update users groups and policies :

1. Login to the OCI console at https://www.oracle.com/cloud/sign-in.html .

2. Select Identity from Services.

3. Remove non privilege users from the group with service level admin groups

   1. Under Identity, Select groups.

   2. In the list of groups, find and select service-level groups. click on the group name for details.

   3. Under Group Members, Select the user which should not have admin level access.

   4. Click on the ellipsis (3-dots on the side) of the user row and click Remove member from group.

   5. Click Remove on the confirmation dialog box.

4. Update Policies for its Resources Statements for non privilege user group access permission removed

   1. Under Identity, Select Policies.

   2. From the list of policies, select the reported policies.

   3. Click Edit Policy Statements and select Advanced under the Policy builder .

   4. Update the policy statements with the full permission to ALLOW only Service-level admin group. Also update the policy statement for unprivileged groups for request to restricted read/write requests.

   5. Click Save Changes.

   6. Repeat the process for all reported policies.

Important:

Reference:

• https://docs.oracle.com/en-us/iaas/Content/Security/Reference/configuration_security.htm

• https://docs.oracle.com/en-us/iaas/Content/Identity/policymgmt/managingpolicies.htm