IAM misconfigurations

IAM policy allows an IAM group to update Tenancy Administrators group

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

Tenancy administrators can create more users, groups, and policies to give other service administrators access to OCI resources. Membership in the tenancy 'Administrators' group confers full control of the tenancy, so a policy that gives IAM-Administrators (or any other group) `manage` or `use` rights on 'groups' or 'users' resources should not extend to the 'Administrators' group. It was detected that IAM policy {OciIamPolicy} contains a policy statement that allows an IAM group to update the tenancy Administrators group. Any member of that group can add themselves to 'Administrators' (gaining tenancy administrator access) or remove existing administrators from it (locking them out). It is advised to write the IAM policy so that no group other than 'Administrators' can manage tenancy administrator users or the membership of the 'Administrators' group.
  • Recommended Mitigation

    It is recommended to either edit the policy statement so that no other group can manage tenancy administrator users or the 'Administrators' group, or delete the policy statement. The usual way to keep IAM administration working while excluding the tenancy administrators is to replace a blanket `manage groups` / `manage users` grant with `inspect` plus a conditional `use` grant carrying the condition `where target.group.name != 'Administrators'`.
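The check below is an added example, not code from the original rule page or from the scanner that produced it. It parses OCI IAM policy statements and flags those that let a group other than 'Administrators' update the tenancy Administrators group, using the policy verbs (`inspect`, `read`, `use`, `manage`) and the `target.group.name` condition variable that OCI documents. The `check_statement()` / `check_policy()` functions, the sample weak policy and the corrected policy are constructed here for illustration; the corrected form follows the inspect-plus-conditional-use pattern described in the mitigation above.

```python
"""Flag OCI IAM policy statements that let a non-Administrators group
update the tenancy 'Administrators' group (the group itself or its members).

Added example for this rule page; not the scanner's own implementation.
Policy verbs and target.group.name follow the OCI policy reference; the
checker and the sample policies below are constructed for illustration."""
import re
from typing import Optional

ADMIN_GROUP = "administrators"
# Verbs that permit modifying a group or its membership (inspect/read do not).
MUTATING_VERBS = {"use", "manage"}
# Resource types through which Administrators membership can be changed;
# all-resources implicitly includes groups and users.
SENSITIVE_RESOURCES = {"groups", "users", "all-resources"}

STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>group\s+\S+|any-user|dynamic-group\s+\S+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)
# The condition that excludes the tenancy Administrators group from a grant.
EXCLUDES_ADMIN_RE = re.compile(
    r"target\.group\.name\s*!=\s*'administrators'", re.IGNORECASE
)


def check_statement(statement: str) -> Optional[str]:
    """Return a reason string if the statement can update the Administrators
    group, or None if it is safe or not an Allow statement we recognise."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return None
    verb = m["verb"].lower()
    resource = m["resource"].lower()
    if verb not in MUTATING_VERBS or resource not in SENSITIVE_RESOURCES:
        return None
    subject = m["subject"]
    # The tenancy Administrators group is expected to hold these rights itself.
    if subject.lower() == f"group {ADMIN_GROUP}":
        return None
    cond = m["cond"] or ""
    # Inside 'any { ... }' the exclusion is OR-ed with other conditions and
    # does not reliably exclude the Administrators group, so treat it as absent.
    if EXCLUDES_ADMIN_RE.search(cond) and not re.search(r"\bany\s*\{", cond, re.IGNORECASE):
        return None
    return (f"{subject} can {verb} {resource} without excluding "
            f"target.group.name 'Administrators'")


def check_policy(statements):
    """Return the (statement, reason) pairs that are flagged."""
    findings = []
    for stmt in statements:
        reason = check_statement(stmt)
        if reason:
            findings.append((stmt, reason))
    return findings


# Constructed sample: the kind of policy this rule detects ...
WEAK_POLICY = [
    "Allow group IAM-Administrators to manage groups in tenancy",
    "Allow group IAM-Administrators to manage users in tenancy",
]
# ... and the corrected form: inspect, plus use restricted away from Administrators.
FIXED_POLICY = [
    "Allow group IAM-Administrators to inspect groups in tenancy",
    "Allow group IAM-Administrators to use groups in tenancy where target.group.name != 'Administrators'",
    "Allow group IAM-Administrators to inspect users in tenancy",
    "Allow group IAM-Administrators to use users in tenancy where target.group.name != 'Administrators'",
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        findings = check_policy(policy)
        print(f"{name} policy: {len(findings)} finding(s)")
        for stmt, why in findings:
            print(f"  {stmt}\n    -> {why}")
```

To run it against a live tenancy, feed it the `statements` array from each policy returned by `oci iam policy list --compartment-id <tenancy-ocid>`; statements that grant `manage all-resources` to a group other than Administrators are flagged as well, since that grant includes full control of groups and users.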