Manage Identities and Authorization

Oracle Cloud Infrastructure Identity and Access Management enables you to control who has access to your cloud resources.

You can control what type of access a group of users has and to which specific resources. Credentials for access and authorization include API keys, sign-in passwords, federated sign-in, and authentication tokens. Use the appropriate credentials to protect your cloud account and resources.

Implement Multi-Factor Authentication

Enforce the use of multi-factor authentication (MFA). You can restrict access to resources to users who have authenticated with a time-limited one-time password.

You can enforce MFA for a resource in the access policy that allows access to the resource.

For example, the following policy enforces MFA when users in GroupA manage resources that belong to the instance family in any compartment.
allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'

Harden the Tenancy Administrator Role

Don't sign in as the tenancy administrator for day-to-day operations. Secure the administrator user with a strong password and regular password rotation. Create security policies to prevent administrator account lock-out in case the tenancy administrator leaves your organization.

  • Create service-level administrators in the tenancy to further limit administrative access. Service-level administrators can manage resources of only a specific service.
    For example, the following policy allows users in the VolumeAdmins group to manage only the resources in the block volumes family.
    Allow group VolumeAdmins to manage volume-family in tenancy
  • Restrict the ability to change the membership of the tenancy Administrators group.
    The following policy allows the users in the UserAdmins group to only inspect the groups in the tenancy.
    Allow group UserAdmins to inspect groups in tenancy
  • Prevent accidental or malicious deletion of (and changes to) access policies.
    For example, the following policy allows users in the PolicyAdmins group to only create policies, not to edit or delete them.
    Allow group PolicyAdmins to manage policies in tenancy where request.permission='POLICY_CREATE'
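To make the effect of the MFA policy and the three scoped-administrator policies above concrete, the following added example (not Oracle's policy engine, and not part of this page) models the parts of the policy language they use: the verb hierarchy (inspect, read, use, manage), the resource families, and `where` conditions on request variables. The mapping of resource types to families, the request-context layout and the permission name `POLICY_DELETE` are assumptions of the example; only the four statements themselves come from the page.

```python
"""Simplified evaluator for the allow-only policy statements shown above.

This is an added illustration, not OCI's authorization engine. It models
only: the verb inclusion hierarchy, matching a resource type against an
aggregate family, and a single `variable='value'` condition after `where`.
"""
import re

# OCI verbs form an inclusion hierarchy: manage covers use, read and inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Constructed mapping of individual resource types to the aggregate families
# named on this page (an assumption of the example).
FAMILY_OF = {
    "instances": "instance-family",
    "volumes": "volume-family",
    "groups": "groups",
    "policies": "policies",
}

# The four statements quoted on this page.
PAGE_POLICIES = [
    "allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'",
    "Allow group VolumeAdmins to manage volume-family in tenancy",
    "Allow group UserAdmins to inspect groups in tenancy",
    "Allow group PolicyAdmins to manage policies in tenancy where request.permission='POLICY_CREATE'",
]

STMT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+tenancy(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_policy(statement):
    """Split one statement into group, verb, resource and optional condition."""
    m = STMT.match(statement)
    if not m:
        raise ValueError("unsupported statement: " + statement)
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    return parts


def _condition_holds(cond, request):
    """Evaluate a `variable='value'` condition against the request context."""
    if cond is None:
        return True
    var, _, value = cond.partition("=")
    value = value.strip().strip("'")
    return str(request.get(var.strip(), "")).lower() == value.lower()


def is_allowed(policies, request):
    """Return True if any statement grants the request.

    request is a dict with keys group, verb, resource_type and any request
    variables referenced by conditions (e.g. request.permission).
    """
    needed = VERB_RANK[request["verb"]]
    family = FAMILY_OF.get(request["resource_type"], request["resource_type"])
    for p in map(parse_policy, policies):
        if p["group"] != request["group"]:
            continue
        if p["resource"] not in (request["resource_type"], family):
            continue
        if VERB_RANK[p["verb"]] < needed:
            continue  # an inspect grant never satisfies a manage request
        if _condition_holds(p["cond"], request):
            return True
    return False  # no matching allow statement: OCI has no explicit deny


if __name__ == "__main__":
    mfa_req = {"group": "GroupA", "verb": "manage", "resource_type": "instances",
               "request.user.mfaTotpVerified": "false"}
    print("GroupA without MFA:", is_allowed(PAGE_POLICIES, mfa_req))
    delete_req = {"group": "PolicyAdmins", "verb": "manage", "resource_type": "policies",
                  "request.permission": "POLICY_DELETE"}  # assumed permission name
    print("PolicyAdmins deleting a policy:", is_allowed(PAGE_POLICIES, delete_req))
```

The two runs in the usage block show the page's intent: a GroupA session that has not completed TOTP verification is refused, and a PolicyAdmins request whose permission is anything other than `POLICY_CREATE` finds no matching statement and is refused as well.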

Federate with a Centralized Identity Provider

Where possible and relevant, federate Oracle Cloud Infrastructure Identity and Access Management with your organization's centralized identity provider (IdP).

  • Create a federation administrators group that maps to the federated IdP's administrator group and is governed by the same security policies as the federated IdP's administrator group.
  • Create a local user and assign the user to the default Administrators IAM group. Use this user only for break-glass scenarios (for example, when resources cannot be accessed through federation).
  • Define a policy to prevent the federated administrators IAM group from modifying the membership of the default tenancy Administrators group.
  • Detect unauthorized access and operations by monitoring the audit logs for operations by tenancy administrators and changes to the Administrators group.
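The last item above names two signals worth alerting on. The following added example (not part of this page or of any Oracle tooling) scans a batch of audit records for both: any membership or attribute change to the Administrators group, and any operation performed by a designated tenancy-administrator principal. The records are constructed; their field layout is modelled loosely on OCI audit events but is an assumption of this example, as are the event names and principal names.

```python
"""Flag Administrators-group changes and tenancy-admin operations in audit records.

Added example. The JSON lines below are constructed and their layout
(eventTime, data.eventName, data.identity.principalName,
data.request.parameters) is an assumption, not a guaranteed schema.
"""
import json

# Constructed sample: one audit event per line.
RAW_EVENTS = """
{"eventTime": "2024-03-01T08:15:00Z", "data": {"eventName": "AddUserToGroup", "identity": {"principalName": "alice@example.com"}, "request": {"parameters": {"groupName": "Administrators", "userName": "bob@example.com"}}}}
{"eventTime": "2024-03-01T08:20:00Z", "data": {"eventName": "LaunchInstance", "identity": {"principalName": "break-glass.admin"}, "request": {"parameters": {}}}}
{"eventTime": "2024-03-01T09:00:00Z", "data": {"eventName": "AddUserToGroup", "identity": {"principalName": "alice@example.com"}, "request": {"parameters": {"groupName": "VolumeAdmins", "userName": "carol@example.com"}}}}
{"eventTime": "2024-03-01T09:30:00Z", "data": {"eventName": "UpdatePolicy", "identity": {"principalName": "break-glass.admin"}, "request": {"parameters": {"policyName": "admin-policy"}}}}
{"eventTime": "2024-03-01T10:00:00Z", "data": {"eventName": "RemoveUserFromGroup", "identity": {"principalName": "dave@example.com"}, "request": {"parameters": {"groupName": "Administrators", "userName": "alice@example.com"}}}}
"""

ADMIN_GROUP = "Administrators"
# Event names that alter a group's membership or definition (assumed names).
GROUP_CHANGE_EVENTS = {"AddUserToGroup", "RemoveUserFromGroup", "UpdateGroup", "DeleteGroup"}
# Principals that hold the tenancy-administrator role (assumed; the local
# break-glass user from the federation guidance above).
TENANCY_ADMINS = {"break-glass.admin"}


def parse_events(raw):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def admin_group_changes(events, group=ADMIN_GROUP):
    """Return every event that changes the membership or definition of `group`."""
    hits = []
    for e in events:
        d = e["data"]
        params = d.get("request", {}).get("parameters", {})
        if d["eventName"] in GROUP_CHANGE_EVENTS and params.get("groupName") == group:
            hits.append({
                "time": e["eventTime"],
                "actor": d["identity"]["principalName"],
                "event": d["eventName"],
                "subject": params.get("userName"),
            })
    return hits


def tenancy_admin_operations(events, admins=TENANCY_ADMINS):
    """Return every event performed by a tenancy-administrator principal."""
    return [
        {"time": e["eventTime"], "actor": e["data"]["identity"]["principalName"],
         "event": e["data"]["eventName"]}
        for e in events
        if e["data"]["identity"]["principalName"] in admins
    ]


if __name__ == "__main__":
    events = parse_events(RAW_EVENTS)
    for hit in admin_group_changes(events):
        print("ADMIN GROUP CHANGE:", hit)
    for op in tenancy_admin_operations(events):
        print("TENANCY ADMIN OPERATION:", op)
```

Because the break-glass user is meant for emergencies only, every operation it performs is worth a review, not just the group changes; an alert on any non-empty result of `tenancy_admin_operations` outside a declared incident is a reasonable starting rule.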

Manage Users

Monitor and manage the activities and status of all users.

  • When an employee leaves the organization, disable access to the tenancy by deleting the user immediately.
  • Enforce rotation of the user password and API keys every 90 days or less.
  • Ensure that IAM credentials are not hard-coded in any of your software or operations documentation.
  • Create an IAM user for everyone in the organization who needs access to resources in the tenancy. Don't share an IAM user across multiple human users.
  • Review the users in IAM groups periodically, and remove users that no longer need access.
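The rotation and off-boarding items above are mechanical checks that belong in a scheduled job. The following added example (not part of this page, and not the OCI CLI or SDK) runs them against a constructed user inventory with a fixed reference date so the output is reproducible: it reports passwords and API keys older than the 90-day limit and lists any departed employee whose IAM user still exists. The inventory layout and the `DEPARTED` roster are assumptions of the example.

```python
"""Report stale passwords/API keys and lingering users from an inventory.

Added example. The USERS records are constructed; real deployments would
fill them from the IAM API's user and API-key listings (timestamps there
are ISO 8601 UTC, which is the only property this code relies on).
"""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)

# Constructed inventory (assumed layout).
USERS = [
    {"name": "alice@example.com", "password_set": "2024-01-10T00:00:00Z",
     "api_keys": [{"fingerprint": "aa:11:aa:11", "created": "2023-11-01T00:00:00Z"}]},
    {"name": "bob@example.com", "password_set": "2023-10-15T00:00:00Z",
     "api_keys": [{"fingerprint": "bb:22:bb:22", "created": "2024-02-01T00:00:00Z"}]},
    {"name": "carol@example.com", "password_set": "2024-02-20T00:00:00Z",
     "api_keys": []},
]

# Constructed HR off-boarding roster (assumed).
DEPARTED = {"carol@example.com"}

# Fixed reference instant so the example is deterministic.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse an ISO 8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_credentials(users, now=NOW, max_age=MAX_AGE):
    """Return credentials older than max_age as (user, credential, age_days)."""
    findings = []
    for u in users:
        pw_age = now - _parse(u["password_set"])
        if pw_age > max_age:
            findings.append((u["name"], "password", pw_age.days))
        for key in u["api_keys"]:
            key_age = now - _parse(key["created"])
            if key_age > max_age:
                findings.append((u["name"], "api_key:" + key["fingerprint"], key_age.days))
    return findings


def lingering_users(users, departed=DEPARTED):
    """Return IAM user names that belong to people who have already left."""
    return [u["name"] for u in users if u["name"] in departed]


if __name__ == "__main__":
    for name, cred, days in stale_credentials(USERS):
        print(f"ROTATE  {name:<20} {cred:<24} {days} days old")
    for name in lingering_users(USERS):
        print(f"DELETE  {name:<20} user has left the organization")
```

The two findings lists map directly onto the actions in the bullets: each `ROTATE` line is a password or key past the 90-day window, and each `DELETE` line is a user that should have been removed on the day the person left.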