Manage Identities and Authorization Policies

Oracle Cloud Infrastructure Identity and Access Management enables you to control who has access to your cloud resources. Credentials for access and authorization include API keys, sign-in passwords, federated sign-in, and authentication tokens. Use appropriate credentials to protect your cloud account and resources. Oracle encourages you to adopt the following recommendations when implementing identity management in the cloud.

Enforce the Use of Multi-Factor Authentication (MFA)

Enterprise Architect, Security Architect, Application Architect

Restrict access to resources to only those users who have been authenticated through a time-limited one-time password.
Require this at the user level and enforce it at the resource level through IAM. You can enforce MFA for a resource in the access policy that grants access to that resource. For example, the following policy enforces MFA when users in GroupA manage resources that belong to the instance family in any compartment.
allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'

Don't Use the Tenancy Administrator Account for Day-to-Day Operations

Enterprise Architect, Security Architect, Application Architect

Create service-level administrators in the tenancy to further limit administrative access. A service-level administrator should manage only the resources of a specific service or domain.
For example, the following policy allows users in the VolumeAdmins group to manage only the resources in the block volumes family.
Allow group VolumeAdmins to manage volume-family in tenancy

Create Security Policies to Prevent Administrator Account Lock-out

Enterprise Architect, Security Architect

Such policies cover the case in which the tenancy administrator leaves your organization.

Restrict the Admin Abilities of a Tenancy Administrators Group

Enterprise Architect, Security Architect

Administrator permissions should follow the rule of least privilege, so membership in an Admin group or attachment to an Admin policy should be limited to an as-needed basis.

The following policy allows the users in the UserAdmins group to only inspect the groups in the tenancy.

Allow group UserAdmins to inspect groups in tenancy

Prevent Accidental or Malicious Deletion of (and Changes to) Access Policies

Enterprise Architect, Security Architect, Application Architect

For example, the following policy only allows users in the PolicyAdmins group to create policies, but not to edit or delete them.
Allow group PolicyAdmins to manage policies in tenancy where request.permission='POLICY_CREATE'
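The MFA, least-privilege and policy-protection recommendations above all come down to what a policy statement grants and which "where" condition limits it. The following linter is an added example, not Oracle's code or tooling: it parses single-subject statements of the shape shown on this page and flags "manage" grants without the request.user.mfaTotpVerified condition, unrestricted "manage" over IAM objects (policies, groups, users, group memberships) that lacks a request.permission condition, and tenancy-wide all-resources grants. The parser, the list of IAM resource types and the sample policy are assumptions and constructed data; dynamic-group or any-user subjects and compound "all {...}" conditions are not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the single-subject statements shown on this page:
#   Allow group <name> to <verb> <resource-type> in <tenancy|compartment X> [where <condition>]
# Assumption: this toy parser covers only that form.
_STMT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>[\w.\-]+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+[\w.\-:]+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# IAM object types whose "manage" grant should be narrowed with a
# request.permission condition (assumed list; extend to your needs).
_IAM_RESOURCES = {"policies", "groups", "users", "group-memberships"}
_MFA_COND = re.compile(r"request\.user\.mfaTotpVerified\s*=\s*'true'", re.IGNORECASE)
_PERMISSION_COND = re.compile(r"request\.permission\s*=", re.IGNORECASE)


@dataclass
class Statement:
    group: str
    verb: str
    resource: str
    scope: str
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raises ValueError on an unrecognised shape."""
    m = _STMT.match(text)
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return Statement(
        group=m["group"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        scope=re.sub(r"\s+", " ", m["scope"].lower()),
        condition=m["condition"].strip() if m["condition"] else None,
    )


def lint_statement(text: str) -> List[str]:
    """Return the findings for one statement (an empty list means no concern)."""
    s = parse_statement(text)
    findings = []
    has_mfa = bool(s.condition and _MFA_COND.search(s.condition))
    has_permission_limit = bool(s.condition and _PERMISSION_COND.search(s.condition))
    if s.verb == "manage" and not has_mfa:
        findings.append(f"'{s.group}' may manage {s.resource} without an MFA condition")
    if s.verb == "manage" and s.resource in _IAM_RESOURCES and not has_permission_limit:
        findings.append(
            f"'{s.group}' has unrestricted manage on {s.resource}; "
            "consider limiting it with a request.permission condition"
        )
    if s.resource == "all-resources" and s.scope == "tenancy":
        findings.append(f"'{s.group}' is granted {s.verb} on all-resources in the tenancy")
    return findings


def lint_policy(statements: List[str]) -> List[str]:
    """Lint every statement and prefix each finding with the statement's index."""
    return [f"[{i}] {f}" for i, stmt in enumerate(statements) for f in lint_statement(stmt)]


# Constructed sample policy: the page's own statements plus two weaker ones.
SAMPLE_POLICY = [
    "allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'",
    "Allow group VolumeAdmins to manage volume-family in tenancy",
    "Allow group UserAdmins to inspect groups in tenancy",
    "Allow group PolicyAdmins to manage policies in tenancy where request.permission='POLICY_CREATE'",
    "Allow group PolicyAdmins to manage policies in tenancy",
    "Allow group Everyone to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against SAMPLE_POLICY, the linter reports nothing for the MFA-guarded GroupA statement and the inspect-only UserAdmins statement, one MFA finding each for the VolumeAdmins and the POLICY_CREATE-restricted PolicyAdmins statements, and two findings each for the unrestricted PolicyAdmins statement and the all-resources grant. Treat the MFA finding as a prompt to review, since a "manage" grant without the condition is exactly what the page recommends against.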

Federate Oracle Cloud Infrastructure Identity and Access Management

Enterprise Architect, Security Architect, Application Architect

Where possible and relevant, federate Oracle Cloud Infrastructure Identity and Access Management with your organization's centralized identity provider (IdP).
  • Create a federation administrators group that maps to the federated IdP's administrator group and is governed by the same security policies as the federated IdP's administrator group.
  • Create a local user and assign the user to the default Administrators IAM group. Use this user for break-glass type scenarios (for example, inability to access resources through federation).
  • Define a policy to prevent the federated administrators IAM group from modifying the membership of the default tenancy Administrators group.
  • Detect unauthorized access and operations by monitoring the audit logs for operations by tenancy administrators and changes to the Administrators group.
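The last bullet asks you to watch the audit log for changes to the Administrators group. The detection below is an added example, not Oracle's code: it reads audit records as JSON lines, keeps only group-changing operations whose target is the watched group, and marks whether the acting principal is one of the accounts you expect to touch that group (the break-glass local user or the federation administrators). The event shape and the operation names (AddUserToGroup, RemoveUserFromGroup, UpdateGroup, DeleteGroup) are assumptions modelled on OCI Audit events; compare them against the records your tenancy actually emits, and the sample lines are constructed.

```python
import json
from typing import Dict, Iterable, List

# The page names the default tenancy Administrators group as the one to watch.
WATCHED_GROUP = "Administrators"
# Assumed operation names for group and membership changes; adjust to the
# eventName values present in your own audit records.
GROUP_CHANGE_OPS = {"AddUserToGroup", "RemoveUserFromGroup", "UpdateGroup", "DeleteGroup"}


def parse_audit_lines(lines: Iterable[str]) -> List[Dict]:
    """Decode JSON-lines audit records, skipping lines that are not valid JSON objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line should not stop the whole sweep
        if isinstance(ev, dict):
            events.append(ev)
    return events


def flag_admin_group_changes(events: Iterable[Dict], watched_group: str = WATCHED_GROUP,
                             expected_principals: Iterable[str] = ()) -> List[Dict]:
    """Return one alert per event that changes the watched group.

    An alert records the operation, the acting principal, its source address and
    whether that principal is on the expected (break-glass / federation-admin) list.
    """
    expected = set(expected_principals)
    alerts = []
    for ev in events:
        data = ev.get("data", {})
        op = data.get("eventName", "")
        if op not in GROUP_CHANGE_OPS or data.get("resourceName") != watched_group:
            continue
        identity = data.get("identity", {})
        principal = identity.get("principalName", "<unknown>")
        alerts.append({
            "time": ev.get("eventTime"),
            "operation": op,
            "principal": principal,
            "source_ip": identity.get("ipAddress"),
            "expected_principal": principal in expected,
        })
    return alerts


def _event(time: str, name: str, resource: str, principal: str, ip: str) -> str:
    """Build one constructed audit record in the assumed OCI Audit event layout."""
    return json.dumps({
        "eventType": f"com.oraclecloud.identityControlPlane.{name}",
        "eventTime": time,
        "data": {
            "eventName": name,
            "compartmentName": "example-tenancy",   # placeholder
            "resourceName": resource,
            "identity": {"principalName": principal, "ipAddress": ip},
        },
    })


# Constructed sample log: four well-formed events and one corrupt line.
SAMPLE_AUDIT_LINES = [
    _event("2024-06-01T08:00:00Z", "AddUserToGroup", "Administrators", "breakglass-admin", "203.0.113.10"),
    _event("2024-06-01T08:05:00Z", "AddUserToGroup", "Administrators", "fed-user-42", "203.0.113.11"),
    _event("2024-06-01T08:10:00Z", "AddUserToGroup", "VolumeAdmins", "fed-user-42", "203.0.113.11"),
    "{this line is not valid json",
    _event("2024-06-01T08:15:00Z", "UpdateGroup", "Administrators", "svc-automation", "198.51.100.7"),
]

EXPECTED_PRINCIPALS = ["breakglass-admin", "federation-admin"]  # constructed allow-list

if __name__ == "__main__":
    for alert in flag_admin_group_changes(parse_audit_lines(SAMPLE_AUDIT_LINES),
                                          expected_principals=EXPECTED_PRINCIPALS):
        marker = "ok" if alert["expected_principal"] else "REVIEW"
        print(f"{alert['time']} {alert['operation']:18} {alert['principal']:18} {marker}")
```

On the sample log the sweep yields three alerts for the Administrators group (the VolumeAdmins change is ignored), two of which come from principals outside the expected list and therefore warrant review; the corrupt line is skipped rather than aborting the run.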

Monitor and Manage the Activities and Status of All Users

Enterprise Architect, Security Architect, Application Architect

Monitor and manage the activities and status of all users.
  • When an employee leaves the organization, disable access to the tenancy by deleting the user immediately.
  • Enforce rotation of the user password and API keys every 90 days or less.
  • Ensure that Identity and Access Management (IAM) credentials are not hard-coded in any of your software or operations documentation.
  • Create an IAM user for everyone in the organization who needs access to resources in the tenancy. Don't share an IAM user across multiple human users.
  • Review the users in IAM groups periodically, and remove users that no longer need access.
  • Change IAM API keys at least every 90 days to reduce the risk of their compromise.