Manage Identities and Authorization Policies
Enforce the Use of Multi-Factor Authentication (MFA)
Enterprise Architect, Security Architect, Application Architect
The following policy allows the users in the GroupA group to manage resources that belong to the instance family in any compartment, but only when the request comes from a user whose session has been verified with TOTP-based MFA:
allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'
Don't Use the Tenancy Administrator Account for Day-to-Day Operations
Enterprise Architect, Security Architect, Application Architect
The following policy allows the users in the VolumeAdmins group to manage only the resources in the block volumes family:
Allow group VolumeAdmins to manage volume-family in tenancy
Create Security Policies to Prevent Administrator Account Lock-out
Enterprise Architect, Security Architect
Restrict the Admin Abilities of a Tenancy Administrators Group
Enterprise Architect, Security Architect
The following policy allows the users in the UserAdmins group to only inspect the groups in the tenancy:
Allow group UserAdmins to inspect groups in tenancy
Prevent Accidental or Malicious Deletion of (and Changes to) Access Policies
Enterprise Architect, Security Architect, Application Architect
The following policy allows the users in the PolicyAdmins group to create policies, but not to edit or delete them:
Allow group PolicyAdmins to manage policies in tenancy where request.permission='POLICY_CREATE'
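As an added example (not Oracle's code or any OCI tool), a small Python lint that parses group-subject statements of the form shown in these sections and flags the two weaknesses they address: write access to policies that is not limited to request.permission='POLICY_CREATE', and tenancy-wide manage rights that are not gated on request.user.mfaTotpVerified='true'. The grammar it accepts is a simplified assumption covering only statements like the ones on this page; the rule names and messages are my own.

```python
import re

# Simplified grammar of the statements quoted on this page (assumption: one
# "group" subject per statement; dynamic-group and any-user subjects are not handled):
#   allow group <group> to <verb> <resource-type> in <tenancy|compartment X> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
# Condition fragments the page's policies rely on, normalised (no spaces, lower case)
MFA_COND = "request.user.mfatotpverified='true'"
CREATE_ONLY_COND = "request.permission='policy_create'"

def parse_statement(stmt):
    """Split one policy statement into its parts; raise on anything unrecognised."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    parts["tenancy_wide"] = parts["scope"].lower() == "tenancy"
    # Substring matching is deliberately simple: an `any {...}` condition would
    # need a real condition parser, which this example does not attempt.
    parts["cond"] = (parts["cond"] or "").replace(" ", "").lower()
    return parts

def lint_statement(stmt):
    """Return the hardening findings for one statement (empty list = clean)."""
    p = parse_statement(stmt)
    findings = []
    # Rule 1: write access to policies must be limited to creating them, so the
    # group cannot edit or delete existing access policies (PolicyAdmins example).
    if p["verb"] == "manage" and p["resource"] == "policies" and CREATE_ONLY_COND not in p["cond"]:
        findings.append("manage policies is not limited by request.permission='POLICY_CREATE'")
    # Rule 2: tenancy-wide manage rights should only work from an MFA-verified
    # session (GroupA example).
    if p["verb"] == "manage" and p["tenancy_wide"] and MFA_COND not in p["cond"]:
        findings.append("tenancy-wide manage is not gated on request.user.mfaTotpVerified='true'")
    return findings

def lint_policy(statements):
    """Map every statement to its findings so a reviewer sees the whole policy at once."""
    return {s: lint_statement(s) for s in statements}
```

Run `lint_policy([...])` over the statements of a policy before creating it; the VolumeAdmins statement above, for instance, is reported for lacking the MFA condition, while a combined `where all {request.user.mfaTotpVerified='true', request.permission='POLICY_CREATE'}` clause passes both rules.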
Federate Oracle Cloud Infrastructure Identity and Access Management
Enterprise Architect, Security Architect, Application Architect
- Create a federation administrators group that maps to the federated IdP's administrator group and is governed by the same security policies as the federated IdP's administrator group.
- Create a local user and assign the user to the default Administrators IAM group. Use this user for break-glass type scenarios (for example, inability to access resources through federation).
- Define a policy to prevent the federated administrators IAM group from modifying the membership of the default tenancy Administrators group.
- Detect unauthorized access and operations by monitoring the audit logs for operations by tenancy administrators and changes to the Administrators group.
Monitor and Manage the Activities and Status of All Users
Enterprise Architect, Security Architect, Application Architect
- When an employee leaves the organization, disable access to the tenancy by deleting the user immediately.
- Enforce rotation of the user password and API keys every 90 days or less.
- Ensure that Identity and Access Management (IAM) credentials are not hard-coded in any of your software or operations documentation.
- Create an IAM user for everyone in the organization who needs access to resources in the tenancy. Don't share an IAM user across multiple human users.
- Review the users in IAM groups periodically, and remove users that no longer need access.
- Change IAM API keys at least every 90 days to reduce the risk of their being compromised.