IAM policies should not allow IAM administrators to update tenancy administrators group
Description
This rule verifies that IAM administrators cannot manage users or groups in the tenancy Administrators group. Tenancy administrators can create users, groups, and policies to provide service administrators access to OCI resources. IAM administrators need access to manage resources like compartments, users, groups, and policies, but should not have permissions to modify the tenancy Administrators group. Policy statements that grant access to use or manage users or groups in the tenancy must include a condition to exclude the Administrators group.
Note: Only policy statements whose where clause uses the syntax where target.group.name != 'Administrators' or where target.group.name = 'OtherGroup' are supported. Statements that use pattern matching (e.g. wildcards with /pattern/) or multiple conditions in any{} or all{} blocks are not evaluated by this control and may cause false positives.
Review and update IAM policies so that every statement granting the use users in tenancy or use groups in tenancy permission ends with the condition where target.group.name != 'Administrators'. The inspect users in tenancy and inspect groups in tenancy statements do not require this condition because they only grant read access. For guidance on managing IAM policies, refer to the Managing Policies section of the Oracle Cloud Infrastructure documentation.
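The following is an added example, not part of this rule page or of any Oracle or Datadog tooling: a small Python checker that applies the evaluation logic described above to a constructed set of OCI policy statements, flagging use/manage grants on users or groups in the tenancy that lack the Administrators exclusion, and marking the where-clause forms the control does not evaluate as unsupported. The group names and the treatment of the read verb as read-only (the page names only inspect) are assumptions.

```python
import re

# Constructed sample policy (not from any real tenancy). The two supported
# where-clause forms and the 'Administrators' group name come from the rule text.
SAMPLE_POLICY = [
    "Allow group IAMAdmins to manage users in tenancy",
    "Allow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'",
    "Allow group IAMAdmins to manage groups in tenancy where target.group.name = 'HelpDesk'",
    "Allow group Auditors to inspect users in tenancy",
    "Allow group IAMAdmins to use users in tenancy where target.group.name != /Admin*/",
    "Allow group IAMAdmins to manage users in tenancy where any {target.group.name != 'Administrators', request.user.name = 'bob'}",
]

# Matches "Allow group <g> to <verb> users|groups in tenancy [where <cond>]".
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<subject>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>users|groups)\s+in\s+tenancy(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
# The only two condition syntaxes the control evaluates.
EXCLUDE_ADMINS_RE = re.compile(r"^target\.group\.name\s*!=\s*'Administrators'$", re.IGNORECASE)
SINGLE_GROUP_RE = re.compile(r"^target\.group\.name\s*=\s*'(?P<name>[^']+)'$", re.IGNORECASE)

def evaluate(statement: str) -> str:
    """Classify one statement: compliant, non-compliant, not-in-scope or unsupported."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        return "not-in-scope"      # not a users/groups-in-tenancy grant at all
    # inspect is read-only per the rule; read is assumed read-only as well.
    if m["verb"].lower() in ("inspect", "read"):
        return "not-in-scope"
    cond = (m["cond"] or "").strip()
    if not cond:
        return "non-compliant"     # write access reaches the Administrators group
    if EXCLUDE_ADMINS_RE.match(cond):
        return "compliant"
    single = SINGLE_GROUP_RE.match(cond)
    if single:
        # Scoping to exactly the Administrators group is the opposite of the fix.
        return "non-compliant" if single["name"] == "Administrators" else "compliant"
    return "unsupported"           # /pattern/, any{}, all{}: the control cannot evaluate

def audit(statements):
    """Return (statement, verdict) pairs for a whole policy."""
    return [(s, evaluate(s)) for s in statements]

if __name__ == "__main__":
    for stmt, verdict in audit(SAMPLE_POLICY):
        print(f"{verdict:14} {stmt}")
```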