IAM misconfigurations

IAM policy allows an IAM group to update Tenancy Administrators group


Tenancy administrators can create more users, groups, and policies to give other service administrators access to OCI resources. A policy that gives IAM-Administrators or any other group full access to 'groups' resources should not allow access to the tenancy 'Administrators' group. It was detected that IAM policy {OciIamPolicy} has a policy statement that allows an IAM group to update the tenancy Administrators group. It is advised to create an IAM policy that ensures that no group can manage tenancy administrator users or the membership of the 'Administrators' group and thereby gain or remove tenancy administrator access.
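One way to check a policy's statements for this condition, as an added example that is not part of the original finding or of any OCI tooling. It assumes tenancy-level statements of the form `Allow group <name> to <verb> <resource-type> in tenancy [where <conditions>]`, treats `use` and `manage` on `groups` or `users` as the grants that can change a group, and looks for the exclusion `target.group.name != 'Administrators'`; the function name and the sample statements are constructed for illustration.

```python
import re

# Simplified matcher (assumption): tenancy-scoped "Allow group ..." statements only.
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>.+?)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+tenancy(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)
# Condition that keeps the grant away from the tenancy Administrators group.
EXCLUSION = re.compile(r"target\.group\.name\s*!=\s*'Administrators'", re.IGNORECASE)
# Inside "any { ... }" the exclusion is only one alternative, so it does not protect.
ANY_BLOCK = re.compile(r"\bany\s*\{", re.IGNORECASE)

WRITE_VERBS = {"use", "manage"}   # assumption: verbs able to update groups or membership
RESOURCES = {"groups", "users"}   # resource types named in the finding


def risky_statements(statements):
    """Return the statements that let a group other than Administrators
    update the Administrators group or its membership."""
    findings = []
    for text in statements:
        m = STATEMENT.match(text)
        if not m:
            continue  # other statement shapes are outside this simplified check
        if m["group"].strip("'\"").lower() == "administrators":
            continue  # the Administrators group managing itself is expected
        if m["verb"].lower() not in WRITE_VERBS:
            continue  # inspect/read cannot change the group
        if m["resource"].lower() not in RESOURCES:
            continue
        cond = m["cond"] or ""
        protected = EXCLUSION.search(cond) and not ANY_BLOCK.search(cond)
        if not protected:
            findings.append(text)
    return findings


# Constructed sample: the first statement is the weak form, the next two the corrected form.
SAMPLE_POLICY = [
    "Allow group IAM-Administrators to manage groups in tenancy",
    "Allow group IAM-Administrators to use users in tenancy where target.group.name != 'Administrators'",
    "Allow group IAM-Administrators to use groups in tenancy where target.group.name != 'Administrators'",
    "Allow group IAM-Administrators to inspect groups in tenancy",
    "Allow group Administrators to manage groups in tenancy",
]

if __name__ == "__main__":
    for statement in risky_statements(SAMPLE_POLICY):
        print("FLAGGED:", statement)
```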