IAM policy allows full tenancy access to a non-admin group or a service

IAM misconfigurations

IAM policy allows full tenancy access to a non-admin group or a service

Risk Level

Hazardous (3)

Platform(s)

Compliance Frameworks

CCPA
CPRA
Data Security Posture Management (DSPM) Best Practices
ISO/IEC 27001
Mitre ATT&CK
New Zealand Information Security Manual
NIST 800-171
NIST 800-53
OCI CIS
PDPA
UK Cyber Essentials

Description

Permission to manage all resources in a tenancy should be limited to a small number of users in the Administrators group for break-glass situations and to set up users/groups/policies when a tenancy is created. It was detected that IAM policy {OciIamPolicy.Name} allows a non-admin group or service full access to the tenancy. No group other than Administrators in a tenancy and no service should need access to all resources in a tenancy, as this violates the enforcement of the least privilege principle.

Recommended Mitigation

It is recommended to remove any policy statement that allows any group other than Administrators or any service access to manage all resources in the tenancy.

IAM policy allows full tenancy access to a non-admin group or a service

Description

Need help?

CLOUD SECURITY PLATFORM

TECHNOLOGY ECOSYSTEM

By Solution

By Industry

COMPARISONS