turbot/oci_compliance
Loading controls...

Control: 1.1 Ensure service level admins are created to manage resources of particular service

Description

To apply least-privilege security principle, one can create service-level administrators in corresponding groups and assigning specific users to each service-level administrative group in a tenancy. This limits administrative access in a tenancy.

It means service-level administrators can only manage resources of a specific service.

Example policies for global/tenant level service-administrators

Allow group VolumeAdmins to manage volume-family in tenancy
Allow group ComputeAdmins to manage instance-family in tenancy
Allow group NetworkAdmins to manage virtual-network-family in tenancy
A tenancy with identity domains : An Identity Domain is a container of users, groups, Apps and other security configurations. A tenancy that has Identity Domains available comes seeded with a 'Default' identity domain.
If a group belongs to a domain different than the default domain, use a domain prefix in the policy statements.
Example - Allow group <identity_domain_name>/<group_name> to <verb> <resource-type> in compartment <compartment_name>
If you do not include the <identity_domain_name> before the <group_name>, then the policy statement is evaluated as though the group belongs to the default identity domain.

Organizations have various ways of defining service-administrators. Some may prefer creating service administrators at a tenant level and some per department or per project or even per application environment ( dev/test/production etc.). Either approach works so long as the policies are written to limit access given to the service-administrators.

Example policies for compartment level service-administrators

Allow group NonProdComputeAdmins to manage instance-family in compartment dev
Allow group ProdComputeAdmins to manage instance-family in compartment
production
Allow group A-Admins to manage instance-family in compartment Project-A
Allow group A-Admins to manage volume-family in compartment Project-A
A tenancy with identity domains : An Identity Domain is a container of users, groups, Apps and other security configurations. A tenancy that has Identity Domains available comes seeded with a 'Default' identity domain.
If a group belongs to a domain different than the default domain, use a domain prefix in the policy statements.
Example -
Allow group <identity_domain_name>/<group_name> to <verb> <resource-type> in compartment <compartment_name>
If you do not include the <identity_domain_name> before the <group_name>, then the policy statement is evaluated as though the group belongs to the default identity domain.

Creating service-level administrators helps in tightly controlling access to Oracle Cloud Infrastructure (OCI) services to implement the least-privileged security principle.

Remediation

Refer to the policy syntax document and create new policies if the audit results indicate that the required policies are missing. This can be done via OCI console or OCI CLI/SDK or API.

From Command Line

oci iam policy create [OPTIONS]

Creates a new policy in the specified compartment (either the tenancy or another of your compartments). If you're new to policies, see Getting Started with Policies. You must specify a name for the policy, which must be unique across all policies in your tenancy and cannot be changed. You must also specify a description for the policy (although it can be an empty string). It does not have to be unique, and you can change it anytime with UpdatePolicy. You must specify one or more policy statements in the statements array. For information about writing policies, see How Policies Work and Common Policies.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_1 --share

SQL

This control uses a named query:

manual_control

Tags