Protect the Tenancy “Administrators” Group

Risk Level: High (not acceptable risk)

Rule ID: OCI-IAM-013

Ensure that service administrators cannot update the "Administrators" group available in your OCI tenancy. In Oracle Cloud Infrastructure (OCI), the "Administrators" group is a predefined group with full administrative privileges over all resources in the tenancy. Members of this group can perform any action on any resource, including managing policies, compartments, and other IAM entities. The access policy that grants service administrators, such as IAM administrators, full access to "GROUPS" resources should not allow access to the tenancy "Administrators" group.

Security

Generally, service administrators have broad permissions. For example, IAM administrators require access to manage OCI resources such as compartments, users, groups, policies, identity providers, and so on. However, these administrators must be restricted from altering the core administrative group (i.e., the tenancy "Administrators" group) in order to prevent privilege escalation and maintain secure tenancy-level control.

Audit

To determine whether permissions for all OCI resources are assigned to any groups other than the "Administrators" group, perform the following operations:

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Identity console available at https://cloud.oracle.com/identity/.
In the left navigation panel, choose Policies, and select an OCI compartment from the Compartment dropdown menu, to list the access policies created for that compartment.
Click on the name (link) of the access policy that you want to examine, listed in the Name column.
In the Statements section, search for the following policy statements: Allow group \<group-name\> to use users in tenancy and/or Allow group \<group-name\> to use groups in tenancy, where \<group-name\> is the name of the service administrators group (e.g., IAMAdmins group). If the access policy has such statements, service administrators can modify the tenancy "Administrators" group and this can lead to privilege escalation.
Repeat steps no. 4 and 5 for each access policy created in the selected Oracle Cloud Infrastructure (OCI) compartment.
Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
```
oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'
```

The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run iam policy list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list access policies with the following policy statements: Allow group \<group-name\> to use users in tenancy and/or Allow group \<group-name\> to use groups in tenancy, where \<group-name\> is the name of the service administrators group:
```
oci iam policy list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' | grep -i -e "to use users in tenancy" -e 'to use groups in tenancy' -e "ocid1.policy.oc1"
```
The command output should return the IDs of the access policies that contain the requested policy statements:
```
"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"Allow group <group-name> to use users in tenancy",
	"Allow group <group-name> to use groups in tenancy"
```
Check the iam policy list command output for the following policy statements: Allow group \<group-name\> to use users in tenancy and/or Allow group \<group-name\> to use groups in tenancy, where \<group-name\> is the name of the service administrators group (e.g., IAMAdmins group). If your access policies have such statements, service administrators can modify the tenancy "Administrators" group and this can lead to privilege escalation.
Repeat steps no. 3 and 4 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To ensure that service administrators cannot update the tenancy "Administrators" group, perform the following operations:

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Identity console available at https://cloud.oracle.com/identity/.
In the left navigation panel, choose Policies, and select an OCI compartment from the Compartment dropdown menu, to list the access policies created for that compartment.
Click on the name (link) of the non-compliant access policy that allows service administrators to update the tenancy "Administrators" group.
In the Statements section, choose Edit Policy Statements, find the policy statements that allow updates to the "Administrators" group, i.e., Allow group \<group-name\> to use users in tenancy and/or Allow group \<group-name\> to use groups in tenancy, and replace them with the following statements: Allow group \<group-name\> to use users in tenancy where target.group.name !='Administrators' and Allow group \<group-name\> to use groups in tenancy where target.group.name !='Administrators'. Choose Save Changes to apply the changes.
Repeat steps no. 4 and 5 for each access policy that you want to configure, available within the selected Oracle Cloud Infrastructure (OCI) compartment.
Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

Run iam policy get command (Windows/macOS/Linux) to describe the policy statements defined for the access policy that grants tenancy-wide resource access to non-admin groups:
```
oci iam policy get
	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--query 'data."statements"'
```

The command output should return the requested policy statements:

[
	"Allow group <group-name> to inspect users in tenancy",
	"Allow group <group-name> to use users in tenancy",
	"Allow group <group-name> to inspect groups in tenancy",
	"Allow group <group-name> to use groups in tenancy"
]

Identify the policy statements that allows service administrators to update the tenancy "Administrators" group, i.e., Allow group \<group-name\> to use users in tenancy and/or Allow group \<group-name\> to use groups in tenancy, and replace them with the following statements: Allow group \<group-name\> to use users in tenancy where target.group.name !='Administrators' and Allow group \<group-name\> to use groups in tenancy where target.group.name !='Administrators', as shown in the example below:
```
[
	"Allow group <group-name> to inspect users in tenancy"
	"Allow group <group-name> to use users in tenancy where target.group.name !='Administrators'"
	"Allow group <group-name> to inspect groups in tenancy"
	"Allow group <group-name> to use groups in tenancy where target.group.name !='Administrators'"
]
```

Run iam policy update command (Windows/macOS/Linux) to update the specified access policy with the statements modified in the previous step. IMPORTANT: The value passed to --statements parameter will overwrite all existing statements for the selected policy, therefore, ensure that you add all the existing policy statements to the --statements parameter value. Replace \<group-name\> with the name of your service administrator group:

oci iam policy update
	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--statements '["Allow group <group-name> to inspect users in tenancy","Allow group <group-name> to use users in tenancy where target.group.name !='Administrators'","Allow group <group-name> to inspect groups in tenancy","Allow group <group-name> to use groups in tenancy where target.group.name !='Administrators'"]'
	--version-date '2025-03-08'

Type y and press Enter to confirm the policy changes:

WARNING: The value passed to statements will overwrite all existing statements for this policy. The existing statements are:

[
	"Allow group <group-name> to inspect users in tenancy",
	"Allow group <group-name> to use users in tenancy",
	"Allow group <group-name> to inspect groups in tenancy",
	"Allow group <group-name> to use groups in tenancy"
]

Are you sure you want to continue? [y/N]: y

The command output should return the resource information available for the modified access policy:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"description": "Access Policy For IAM Admins",
		"freeform-tags": {},
		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "cc-project5-iam-admin-policy",
		"statements": [
			"Allow group <group-name> to inspect users in tenancy",
			"Allow group <group-name> to use users in tenancy where target.group.name !=Administrators",
			"Allow group <group-name> to inspect groups in tenancy",
			"Allow group <group-name> to use groups in tenancy where target.group.name !=Administrators"
		],
		"time-created": "2025-03-08T11:05:42.290000+00:00",
		"version-date": "2025-03-08T00:00:00+00:00"
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
}

Repeat steps no. 1 - 6 for each access policy that you want to configure, available within the selected Oracle Cloud Infrastructure (OCI) compartment.
Repeat steps no. 1 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

References

Oracle Cloud Infrastructure Documentation
Identity and Access Management FAQ
Managing Policies
Updating a Policy's Statements

Oracle Cloud Infrastructure CLI Documentation
compartment list
policy list
policy get
policy update

Publication date Mar 11, 2025

Audit

Using OCI Console

Using OCI CLI

Remediation / Resolution

Using OCI Console

Using OCI CLI

References

Related OCI-IAM rules