IAM misconfigurations

IAM policy allows full tenancy access to a non-admin group or a service

Risk Level

Hazardous (3)

Platform(s)
  • N/A

Description

Permission to manage all resources in a tenancy should be limited to a small number of users in the Administrators group, for break-glass situations and for setting up users, groups and policies when a tenancy is created. It was detected that IAM policy {OciIamPolicy.Name} grants a non-admin group or a service full access to the tenancy. No group other than Administrators and no service should need access to all resources in a tenancy; such a grant violates the least privilege principle.
Recommended Mitigation

It is recommended to remove any policy statement that allows a group other than Administrators, or any service, to manage all resources in the tenancy.
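The check this rule describes, as an added example that is not part of the original rule text or any vendor tool: it scans OCI IAM policy statements for `manage all-resources in tenancy` grants to any subject other than the Administrators group, and produces the remediated statement list. The sample statements are constructed, the parser assumes unquoted subject names, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample statements (not from a real tenancy), in OCI IAM policy
# syntax: "Allow <subject> to <verb> <resource-type> in <scope> [where ...]".
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group DevOps to manage all-resources in tenancy",
    "Allow service objectstorage-us-phoenix-1 to manage all-resources in tenancy",
    "Allow dynamic-group BuildRunners to manage all-resources in tenancy where request.region = 'PHX'",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Network",
    "Allow group DevOps to read all-resources in tenancy",
]

# Only the broadest grant counts: verb "manage", type "all-resources", scope
# "tenancy". A trailing "where" condition still matches, because the statement
# still targets every resource in the tenancy. Subject names are assumed unquoted.
_FULL_TENANCY = re.compile(
    r"^\s*allow\s+(?P<kind>group|dynamic-group|service|any-user)"
    r"(?:\s+(?P<name>\S+))?\s+to\s+manage\s+all-resources\s+in\s+tenancy\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    statement: str
    subject_kind: str   # group, dynamic-group, service or any-user
    subject_name: str   # empty for any-user


def find_full_tenancy_grants(statements, admin_group="Administrators"):
    """Return statements granting manage all-resources in tenancy to any subject other than admin_group."""
    findings = []
    for stmt in statements:
        m = _FULL_TENANCY.match(stmt)
        if not m:
            continue
        kind = m.group("kind").lower()
        name = m.group("name") or ""
        if kind == "group" and name == admin_group:
            continue  # the one permitted break-glass grant
        findings.append(Finding(stmt, kind, name))
    return findings


def remediate(statements, admin_group="Administrators"):
    """Apply the recommended mitigation: drop every offending statement, keep the rest unchanged."""
    bad = {f.statement for f in find_full_tenancy_grants(statements, admin_group)}
    return [s for s in statements if s not in bad]
```

Scoped grants such as `manage virtual-network-family in compartment Network` are left untouched, since narrowing to a compartment or resource family is the least-privilege form this rule asks for.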