IAM policies should not allow IAM administrators to update tenancy administrators group


Description

This rule verifies that IAM administrators cannot manage users or groups in the tenancy Administrators group. Tenancy administrators can create users, groups, and policies to provide service administrators access to OCI resources. IAM administrators need access to manage resources like compartments, users, groups, and policies, but should not have permissions to modify the tenancy Administrators group. Policy statements that grant access to use or manage users or groups in the tenancy must include a condition to exclude the Administrators group.

Note: Only policy statements whose where clause has the form where target.group.name != 'Administrators' or where target.group.name = 'OtherGroup' are supported. Statements that use pattern matching (e.g. wildcards with /pattern/) or combine multiple conditions in any{} or all{} blocks are not evaluated by this control and may cause false positives.

Remediation

Review and update IAM policies so that every statement granting the use users in tenancy or use groups in tenancy permission ends with the condition where target.group.name != 'Administrators'. Statements granting inspect users in tenancy or inspect groups in tenancy do not require this condition, because they only provide read access. For guidance on managing IAM policies, refer to the Managing Policies section of the Oracle Cloud Infrastructure documentation.
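The following added example (not part of the rule page or of any vendor tooling) shows how the check described above can be applied to OCI policy statements: a small evaluator that classifies each statement as passing, failing, not applicable (read-only verbs), or unsupported (any{}/all{} blocks or /pattern/ matching, which this control does not evaluate). The policy text and group names are constructed sample input.

```python
import re

# Constructed sample OCI IAM policy statements (not taken from the rule page).
POLICIES = {
    "weak":     "Allow group IAMAdmins to use users in tenancy",
    "fixed":    "Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'",
    "readonly": "Allow group IAMAdmins to inspect groups in tenancy",
    "manage":   "Allow group IAMAdmins to manage groups in tenancy",
    "scoped":   "Allow group IAMAdmins to use groups in tenancy where target.group.name = 'Developers'",
    "complex":  "Allow group IAMAdmins to use groups in tenancy where all {target.group.name != 'Administrators', request.region = 'us-phoenix-1'}",
}

# Statements that touch users or groups tenancy-wide, with an optional where clause.
STMT_RE = re.compile(
    r"^allow\s+group\s+(?P<grantee>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>users|groups)\s+in\s+tenancy(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
# The only condition shapes the control understands.
SIMPLE_COND_RE = re.compile(r"^target\.group\.name\s*(!=|=)\s*'(?P<name>[^']+)'$", re.IGNORECASE)


def evaluate(statement):
    """Classify one statement: 'pass', 'fail', 'not_applicable' or 'unsupported'."""
    m = STMT_RE.match(statement.strip())
    if not m:
        return "not_applicable"          # not a users/groups-in-tenancy grant
    if m["verb"].lower() in ("inspect", "read"):
        return "not_applicable"          # read-only verbs need no exclusion
    cond = m["cond"]
    if cond is None:
        return "fail"                    # use/manage with no where clause at all
    # any{}/all{} blocks and /pattern/ matching are outside the control's scope.
    if re.search(r"\b(any|all)\s*\{|/[^/]+/", cond):
        return "unsupported"
    c = SIMPLE_COND_RE.match(cond.strip())
    if not c:
        return "unsupported"
    op, name = c.group(1), c["name"]
    if op == "!=" and name == "Administrators":
        return "pass"                    # Administrators explicitly excluded
    if op == "=" and name != "Administrators":
        return "pass"                    # scoped to a single other group
    return "fail"                        # e.g. != 'OtherGroup' still reaches Administrators


def audit(policies):
    """Evaluate a name -> statement mapping and return name -> verdict."""
    return {name: evaluate(stmt) for name, stmt in policies.items()}
```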