42_Least_Access_Policy_In_Oracle_Cloud_Infrastructure - Nirvan-Pandey/OCI_DOC GitHub Wiki

42_1: What is the Least Access Policy?

The Least Access Policy (also known as the Least Privilege Principle) in Oracle Cloud Infrastructure (OCI) is a security best practice that ensures users, groups, and resources are granted only the minimum level of access necessary to perform their tasks.

This approach reduces the risk of unauthorized access, data breaches, and security vulnerabilities by preventing excessive permissions.

42_2: Why is Least Access Policy Important?

✅ Enhances Security – Limits potential damage from compromised credentials or insider threats.

✅ Minimizes Human Errors – Reduces the risk of accidental modifications or deletions.

✅ Supports Compliance – Aligns with industry standards like ISO 27001, NIST, and CIS benchmarks.

✅ Improves Auditability – Easier tracking of permissions and access logs.

42_3: Key Components of Least Access Policy in OCI

  1. Identity and Access Management (IAM) Policies
  • OCI IAM policies define who can perform what actions on which resources in which compartments.
  • Example IAM policy (least privilege):

allow group Developers to read instances in compartment Dev-Compartment

✅ Grants read-only access to instances.
❌ Does not allow modifications or deletions.

  2. Compartments
  • Logical groups for isolating resources (e.g., Dev, Test, Prod).
  • Policies should be applied per compartment to ensure least privilege.

  3. Resource-Level Access
  • Instead of granting broad permissions, limit access to specific resources.
  • Example:

allow group StorageAdmins to manage buckets in compartment Storage-Compartment

  • Grants full control over storage buckets only.

  4. Dynamic Groups & Instance Principals
  • Allow assigning permissions to specific compute instances instead of all instances.
  • Example:

allow dynamic-group WebServers to use object-family in compartment Web-Compartment

  • Grants only the WebServers instances access to storage objects.

  5. Network Security Groups (NSGs) & Security Lists
  • Restrict traffic to the minimum necessary ports/IP ranges.
  • Example:

✅ Allow: SSH access only from a trusted IP.
❌ Avoid: Open SSH (0.0.0.0/0).

42_4: Best Practices for Least Access Policy in OCI

🔹 Start with "Deny All" and Grant Only Required Access

Example: Allow users to view resources but not modify them unless needed.

🔹 Use Groups Instead of Individual User Permissions

Assign policies to IAM groups, not individual users.

🔹 Apply Policies at the Lowest Necessary Scope

Use compartment-specific policies instead of account-wide access.

🔹 Regularly Audit Permissions

Use OCI Audit logs and IAM Reports to check excessive permissions.

🔹 Limit Root Compartment Access

Avoid granting permissions at the root level unless absolutely necessary.

🔹 Use MFA and Strong Authentication

Ensure privileged users have Multi-Factor Authentication (MFA) enabled.

42_5: Example Least Access IAM Policies in OCI


allow group Viewers to read instances in compartment Dev
allow group ComputeAdmins to manage instances in compartment Prod
allow dynamic-group WebServers to read object-family in compartment Storage

Note that OCI IAM policies are allow-only: there is no deny statement, and anything not explicitly granted is denied by default. A line such as "deny group Developers to manage api-keys in tenancy" is not valid OCI policy syntax; to keep Developers from managing API keys, simply do not grant them that access.
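As an added example for the "Regularly Audit Permissions" practice in 42_4 and the statements in 42_5 (this is illustrative code written for this page, not an Oracle tool or part of the wiki): a small Python linter that parses a simplified OCI policy-statement grammar and flags statements that break least privilege. The grammar, the finding rules and the sample policy text are assumptions made here.

```python
import re

# Simplified OCI policy-statement grammar (an assumption for this linter, not Oracle's parser):
#   allow <subject> to <verb> <resource-type> in <location> [where <condition>]
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|group\s+\S+|dynamic-group\s+\S+|service\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)
INVALID = "not a valid OCI allow-statement (OCI has no deny; access is denied by default)"

def lint_statement(stmt: str) -> list[str]:
    """Return least-privilege findings for one statement; an empty list means it looks tight."""
    m = STATEMENT.match(stmt.strip())
    if not m:
        return [INVALID]
    subject, verb, resource, location = (m[g].lower() for g in ("subject", "verb", "resource", "location"))
    findings = []
    if subject == "any-user":
        findings.append("subject any-user: grants access to every principal")
    if location == "tenancy":
        findings.append("tenancy-wide scope: prefer a compartment")
    if resource == "all-resources":
        findings.append("all-resources: name the resource type actually needed")
    if verb == "manage" and not m["condition"] and (resource == "all-resources" or resource.endswith("-family")):
        findings.append("unconditional manage on a whole family: prefer use/read or add a where-clause")
    return findings

def audit(policy_text: str) -> dict[str, list[str]]:
    """Lint every non-empty line of a policy document; returns only the statements with findings."""
    report = {}
    for line in policy_text.splitlines():
        line = line.strip()
        if line and (findings := lint_statement(line)):
            report[line] = findings
    return report

# Constructed sample policy: three tight statements, two over-broad ones and one invalid line.
SAMPLE_POLICY = """
allow group Viewers to read instances in compartment Dev
allow group ComputeAdmins to manage instances in compartment Prod
allow dynamic-group WebServers to read object-family in compartment Storage
allow group Admins to manage all-resources in tenancy
allow any-user to use object-family in compartment Web where request.networkSource.name='corpnet'
deny group Developers to manage api-keys in tenancy
"""
```

Calling audit(SAMPLE_POLICY) returns only the three problem statements with their findings; the three compartment-scoped statements from 42_5 come back clean.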

42_6: Conclusion

The Least Access Policy in Oracle Cloud Infrastructure helps ensure security, compliance, and risk reduction by enforcing minimal permissions for users and resources. By following best practices such as compartment-based policies, IAM groups, and regular audits, organizations can minimize security risks while maintaining efficient operations.