
Check for Admin-Only Resource Access

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

To adhere to the Principle of Least Privilege (POLP), ensure that management access to all Oracle Cloud Infrastructure (OCI) resources in the tenancy is granted exclusively to the tenancy "Administrators" group. Do not grant this level of access to other groups or to individual users; instead, assign them only the minimum permissions required for their specific tasks.

Security

To ensure least privilege access, tenancy-wide resource management should be exclusive to the "Administrators" group. This access is intended for critical, time-sensitive interventions and the initial setup of users, groups, and access control policies. Allowing other groups full tenancy access introduces unnecessary security risks and violates established security best practices.


Audit

To determine whether permissions for all OCI resources are assigned to any groups other than the "Administrators" group, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Policies, and select an OCI compartment from the Compartment dropdown menu, to list the access policies created for that compartment.

04 Click on the name (link) of the access policy that you want to examine, listed in the Name column.

05 In the Statements section, look for a statement of the form ALLOW GROUP <group-name> to manage all-resources IN TENANCY, where <group-name> is the group granted management access to every OCI resource in the tenancy. Policy syntax is case-insensitive, and in tenancies that use identity domains the group may appear domain-qualified, for example 'Default'/'Administrators'. If such a statement exists, verify that <group-name> is Administrators. If it is any other group, tenancy-wide resource management is not exclusive to the "Administrators" group and the selected access policy violates the least privilege principle.

06 Repeat steps no. 4 and 5 for each access policy created in the selected Oracle Cloud Infrastructure (OCI) compartment.

07 Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam policy list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the access policies that contain the following policy statement: ALLOW GROUP <group-name> to manage all-resources IN TENANCY, where <group-name> is the name of the group that has access control over all OCI resources in your tenancy. The --all flag is required so that policies beyond the first page of results are not silently skipped:

oci iam policy list
	--all
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' | grep -i -e "to manage all-resources in tenancy" -e "ocid1.policy.oc1"

04 The command output should return the IDs of the access policies that contain the requested policy statement:

"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"ALLOW GROUP <group-name> to manage all-resources IN TENANCY"

Check the iam policy list command output to determine the name of the group that has access control over all OCI resources in the tenancy. If the <group-name> is not Administrators (or its domain-qualified form, such as 'Default'/'Administrators'), tenancy-wide resource management is not exclusively given to the "Administrators" group. As a result, one or more access policies in the selected compartment violate the enforcement of the least privilege principle.

05 Repeat steps no. 3 and 4 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To ensure that permissions on all OCI resources are given only to the "Administrators" group, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Policies, and select an OCI compartment from the Compartment dropdown menu, to list the access policies created for that compartment.

04 Click on the name (link) of the non-compliant access policy that grants tenancy-wide resource access to non-admin groups.

05 In the Statements section, choose Edit Policy Statements, find the policy statement that allows any group other than "Administrators" to manage all resources in the tenancy, and replace the group name with Administrators. (Optional) If there is another policy that allows tenancy-wide resource access to the "Administrators" group, it is safe to remove the non-compliant statement from the selected policy. Choose Save Changes to apply the changes.

06 Repeat steps no. 4 and 5 for each access policy that you want to configure, available within the selected Oracle Cloud Infrastructure (OCI) compartment.

07 Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

01 Run iam policy get command (Windows/macOS/Linux) to describe the policy statements defined for the access policy that grants tenancy-wide resource access to non-admin groups:

oci iam policy get
	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--query 'data."statements"'

02 The command output should return the requested policy statements. Find the policy statement that allows any group other than "Administrators" to manage all resources in the tenancy, as shown in the output example below, and replace the group name with Administrators:

[
	"ALLOW GROUP <group-name> to manage all-resources IN TENANCY"
]

03 Run iam policy update command (Windows/macOS/Linux) to update the specified access policy with the statement modified in the previous step. IMPORTANT: The value passed to the --statements parameter replaces all existing statements for the selected policy, so include every statement you want to keep, not only the corrected one; a statement left out of the list is removed. As an example, the following command replaces the policy's statement list with a single statement:

oci iam policy update
	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--statements '["ALLOW GROUP Administrators to manage all-resources IN TENANCY"]'
	--version-date '2025-03-08'

04 Type y and press Enter to confirm the policy changes:

WARNING: The value passed to statements will overwrite all existing statements for this policy. The existing statements are:

[
	"ALLOW GROUP <group-name> to manage all-resources IN TENANCY"
]

Are you sure you want to continue? [y/N]: y

05 The command output should return the resource information available for the modified access policy:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"description": "Project5 Access Policy",
		"freeform-tags": {},
		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "cc-project5-admin-policy",
		"statements": [
			"ALLOW GROUP Administrators to manage all-resources IN TENANCY"
		],
		"time-created": "2025-03-08T08:26:35.413000+00:00",
		"version-date": "2025-03-08T00:00:00+00:00"
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
}

06 Repeat steps no. 1 - 5 for each access policy that you want to configure, available within the selected Oracle Cloud Infrastructure (OCI) compartment.

07 Repeat steps no. 1 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
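The audit and remediation procedures above can be driven from one script. The following is an added example written for this page; it is not part of the OCI CLI, the OCI SDK, or Trend Vision One. The offline functions operate on the JSON that oci iam policy list and oci iam policy get return, and they handle the variants a bare grep misses: case differences, domain-qualified group names such as 'Default'/'Administrators', and a trailing where clause. The remediation helper builds the complete statement list for --statements so that the overwrite caveat in step 03 is respected. The two subprocess wrappers assume a configured OCI CLI profile and are never exercised offline; the sample policies and OCIDs are constructed for illustration.

```python
"""Audit and remediate tenancy-wide 'manage all-resources' grants in OCI policies.

Added example for this page (not OCI CLI/SDK code). Offline helpers work on the
"data" list returned by `oci iam policy list`; the live wrappers assume a
configured OCI CLI profile with permission to inspect compartments and policies.
"""
import json
import re
import subprocess
from typing import List, Tuple

# OCI policy syntax is case-insensitive. The group token may be a bare name,
# a domain-qualified name such as 'Default'/'Administrators', or "id <ocid>".
# A trailing "where ..." condition is still a tenancy-wide grant, so \b allows it.
TENANCY_ADMIN_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>.+?)\s+to\s+manage\s+all-resources\s+in\s+tenancy\b",
    re.IGNORECASE,
)


def group_name(token: str) -> str:
    """Reduce a statement's group token to a bare group name.
    'Default'/'Administrators' -> Administrators. An "id <ocid>" reference is
    returned unchanged: it cannot be resolved offline, so it gets reported."""
    token = token.strip()
    if "/" in token:
        token = token.rsplit("/", 1)[1]
    return token.strip("'\"")


def is_admin_grant(statement: str) -> bool:
    """True if the statement grants manage all-resources in tenancy to Administrators."""
    m = TENANCY_ADMIN_RE.match(statement)
    return bool(m) and group_name(m.group("group")).lower() == "administrators"


def noncompliant_statements(policies: List[dict]) -> List[Tuple[str, str, str]]:
    """(policy id, policy name, statement) for each tenancy-wide manage grant to
    a group other than Administrators. `policies` is the "data" list of
    `oci iam policy list`."""
    findings = []
    for pol in policies:
        for stmt in pol.get("statements", []):
            if TENANCY_ADMIN_RE.match(stmt) and not is_admin_grant(stmt):
                findings.append((pol["id"], pol["name"], stmt))
    return findings


def _dedupe_key(statement: str) -> str:
    """Normalise case, whitespace and domain-qualified names for duplicate detection."""
    m = TENANCY_ADMIN_RE.match(statement)
    if m:
        statement = statement[:m.start("group")] + group_name(m.group("group")) + statement[m.end("group"):]
    return " ".join(statement.lower().split())


def remediate_statements(statements: List[str]) -> List[str]:
    """Full list to pass to `--statements`: offending grants are rewritten to
    Administrators, a rewrite that duplicates an existing Administrators grant is
    dropped, and every other statement is kept because --statements replaces all."""
    out, seen = [], set()
    for stmt in statements:
        m = TENANCY_ADMIN_RE.match(stmt)
        if m and not is_admin_grant(stmt):
            stmt = stmt[:m.start("group")] + "Administrators" + stmt[m.end("group"):]
        key = _dedupe_key(stmt)
        if key not in seen:
            seen.add(key)
            out.append(stmt)
    return out


def update_command(policy_id: str, statements: List[str], version_date: str) -> List[str]:
    """argv for the `oci iam policy update` call; --statements takes a JSON array."""
    return ["oci", "iam", "policy", "update", "--policy-id", policy_id,
            "--statements", json.dumps(statements), "--version-date", version_date]


def _oci(*args: str) -> str:
    """Run the OCI CLI (assumed installed and configured) and return its JSON output."""
    return subprocess.run(["oci", *args, "--output", "json"],
                          check=True, capture_output=True, text=True).stdout


def audit_tenancy() -> List[Tuple[str, str, str]]:
    """Live audit: walk every compartment, root included, and collect findings."""
    findings = []
    for cid in json.loads(_oci("iam", "compartment", "list", "--all", "--include-root",
                               "--query", "data[].id")):
        policies = json.loads(_oci("iam", "policy", "list", "--all", "--compartment-id", cid))["data"]
        findings.extend(noncompliant_statements(policies))
    return findings


# Constructed sample in the shape of `oci iam policy list` "data"; OCIDs are not real.
SAMPLE_POLICIES = [
    {"id": "ocid1.policy.oc1..example1", "name": "tenancy-admin-policy",
     "statements": ["ALLOW GROUP Administrators to manage all-resources IN TENANCY"]},
    {"id": "ocid1.policy.oc1..example2", "name": "cc-project5-admin-policy",
     "statements": [
         "Allow group 'Default'/'Administrators' to manage all-resources in tenancy",
         "ALLOW GROUP ProjectAdmins to manage all-resources IN TENANCY",
         "Allow group DevOps to manage all-resources in compartment Project5",
         "Allow group Auditors to read all-resources in tenancy",
     ]},
]

if __name__ == "__main__":
    for pid, name, stmt in noncompliant_statements(SAMPLE_POLICIES):
        print(f"NON-COMPLIANT {name} ({pid}): {stmt}")
        fixed = remediate_statements(next(p for p in SAMPLE_POLICIES if p["id"] == pid)["statements"])
        print("  fix:", " ".join(update_command(pid, fixed, "2025-03-08")))
```

Running the script offline reports the ProjectAdmins grant in the sample policy and prints the update command whose --statements value keeps the compartment-scoped and read-only statements while dropping the rewritten grant, since the policy already contains an equivalent Administrators grant. Against a real tenancy, call audit_tenancy() instead of the sample; the printed command still prompts for confirmation, as shown in step 04, unless you add the CLI's own non-interactive option.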

Publication date Mar 11, 2025