turbot/oci_compliance

Query: identity_iam_administrators_no_update_tenancy_administrators_group_permission

Usage

powerpipe query oci_compliance.query.identity_iam_administrators_no_update_tenancy_administrators_group_permission

SQL

-- Every policy statement in the tenancy that lets a group use users or groups
-- in the tenancy. The policy's `statements` JSON array is unnested to one row
-- per statement; the text is lower-cased so the pattern matches below are
-- case-insensitive.
with tenancy_user_group_statements as (
  select
    lower(stmt) as statement
  from
    oci_identity_policy
    cross join jsonb_array_elements_text(statements) as stmt
  where
    lower(stmt) like '%to use users in tenancy%'
    or lower(stmt) like '%to use groups in tenancy%'
),
-- Number of those statements that do NOT end with the condition excluding the
-- administrators group. Any such statement would let an IAM administrator
-- modify the tenancy administrators group, so a count above zero is an alarm.
-- NOTE(review): the match is on the exact lower-cased suffix
-- `where target.group.name != 'administrators'`; a statement with different
-- spacing or a trailing space is counted as unconditioned (alarm side) —
-- confirm whether OCI normalises statement text before relying on this.
unconditioned_statement_count as (
  select
    count(*) as num
  from
    tenancy_user_group_statements
  where
    statement not like '%where target.group.name != ''administrators'''
)
select
  t.id as resource,
  case
    when c.num > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when c.num > 0 then t.title || ' IAM administrators can update tenancy administrators group.'
    else t.title || ' IAM administrators cannot update tenancy administrators group.'
  end as reason,
  t.tenant_name as tenant
from
  oci_identity_tenancy as t
  -- the count CTE yields exactly one row, so this just attaches num to each tenancy
  cross join unconditioned_statement_count as c;

Controls

This query is used by the following controls: