prowler-cloud · rchotacode · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026
@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `entra_conditional_access_policy_device_registration_mfa_required` check and `entra_intune_enrollment_sign_in_frequency_every_time` enhancement for M365 provider [(#10222)](https://github.com/prowler-cloud/prowler/pull/10222)
 - `entra_conditional_access_policy_block_elevated_insider_risk` check for M365 provider [(#10234)](https://github.com/prowler-cloud/prowler/pull/10234)
 - `Vercel` provider support with 30 checks [(#10189)](https://github.com/prowler-cloud/prowler/pull/10189)
+- `identity_storage_service_level_admins_scoped` check for OCI Provider CIS v3.1 compliance 1.15 [(#10567)](https://github.com/prowler-cloud/prowler/pull/10568)
 
 ### 🔄 Changed
 

@@ -302,7 +302,9 @@
     {
       "Id": "1.15",
       "Description": "Ensure storage service-level admins cannot delete resources they manage",
-      "Checks": [],
+      "Checks": [
+        "identity_storage_service_level_admins_scoped"
+      ],
       "Attributes": [
         {
           "Section": "1. Identity and Access Management",

@@ -0,0 +1,41 @@
+{
+    "Provider": "oraclecloud",
+    "CheckID": "identity_storage_service_level_admins_scoped",
+    "CheckTitle": "Identity policy does not grant delete to storage service level admins",
+    "CheckType": [],
+    "ServiceName": "identity",
+    "SubServiceName": "",
+    "ResourceIdTemplate": "",
+    "Severity": "high",
+    "ResourceType": "Policy",
+    "ResourceGroup": "IAM",
+    "Description": "To apply the separation of duties security principle, one can restrict service-level administrators from being able to delete resources they are managing. It means service-level administrators can only manage resources of a specific service but not delete resources for that specific service.",
+    "Risk": "Creating service-level administrators without the ability to delete the resource they are managing helps in tightly controlling access to Oracle Cloud Infrastructure (OCI) services by implementing the separation of duties security principle.",
+    "RelatedUrl": "",
+    "AdditionalURLs": [
+        "https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-939A5EA1-3057-48E0-9E02-ADAFCB82BA3E",
+        "https://docs.oracle.com/en-us/iaas/Content/Identity/policyreference/policyreference.htm",
+        "https://docs.oracle.com/en-us/iaas/Content/Block/home.htm",
+        "https://docs.oracle.com/en-us/iaas/Content/File/home.htm",
+        "https://docs.oracle.com/en-us/iaas/Content/Object/home.htm"
+    ],
+    "Remediation": {
+        "Code": {
+            "Console": "1. Login to OCI console.\n2. Go to Identity -> Policies, In the compartment dropdown, choose the compartment.\n3. Open each policy to view the policy statements.\n4. Verify the policies to ensure that the policy statements that grant access to storage service-level administrators have a condition that excludes access to delete the service they are the administrator for.",
+            "NativeIaC": "",
+            "CLI": "",
+            "Terraform": "",
+            "Other": ""
+        },
+        "Recommendation": {
+            "Text": "Add the appropriate where condition to any policy statement that allows the storage service-level admins to manage the storage service.",
+            "Url": ""
+        }
+    },
+    "Categories": [
+        "identity-access"
+    ],
+    "DependsOn": [],
+    "RelatedTo": [],
+    "Notes": ""
+}
@@ -0,0 +1,109 @@
+from prowler.lib.check.models import Check, Check_Report_OCI
+from prowler.providers.oraclecloud.services.identity.identity_client import (
+    identity_client,
+)
+
+
+class identity_storage_service_level_admins_scoped(Check):
+    """Ensure storage service-level admins cannot delete resources they manage (CIS 1.15)"""
+
+    def execute(self):
+        """Ensure service-level administrators can only manage resources of a specific service but not delete resources.
+
+        This check ensures that policies don't grant delete permission on storage like "manage volumes in tenancy"
+        without restricting delete permissions.
+        """
+        findings = []
+
+        storage_policies = {
+            "FILE-FAMILY": ["FILE-SYSTEMS", "MOUNT-TARGETS", "EXPORT-SETS"],
+            "OBJECT-FAMILY": ["BUCKETS", "OBJECTS"],
+            "VOLUME-FAMILY": ["VOLUMES", "VOLUME-ATTACHMENTS", "VOLUME-BACKUPS"],
+        }
+        all_base_policies = [
+            item for sublist in storage_policies.values() for item in sublist
+        ]
+
+        # Check for policies that violate least privilege by granting manage delete service-level storage privileges
+        for policy in identity_client.policies:
+            # Skip non-active policies
+            if policy.lifecycle_state != "ACTIVE":
+                continue
+
+            # Skip default tenant admin policy
+            if policy.name.upper() == "TENANT ADMIN POLICY":
+                continue
+
+            region = policy.region if hasattr(policy, "region") else "global"
+
+            has_violation = False
+            offending_statements = []
+            for statement in policy.statements:
+                statement_upper = statement.upper()
+                # Only check groups
+                if not statement_upper.startswith("ALLOW GROUP"):
+                    continue
+
+                # Check for "allow group ... to manage *file-service* resources" without restriction (not restricted to certain buckets or non delete)
+                if any(
+                    f"MANAGE {global_storage_policy}" in statement_upper
+                    for global_storage_policy in storage_policies
+                ):
+                    if "WHERE" not in statement_upper:
+                        has_violation = True
+                        offending_statements.append(statement)
+                        break
+                if any(
+                    f"MANAGE {base_storage_policy}" in statement_upper
+                    for base_storage_policy in all_base_policies
+                ):
+                    if "WHERE" not in statement_upper:
+                        has_violation = True
+                        offending_statements.append(statement)
+                        break
+                if "MANAGE ALL-RESOURCES" in statement_upper:
+                    if "WHERE" not in statement_upper:
+                        has_violation = True
+                        offending_statements.append(statement)
+                        break
+
+            report = Check_Report_OCI(
+                metadata=self.metadata(),
+                resource=policy,
+                region=region,
+                resource_id=policy.id,
+                resource_name=policy.name,
+                compartment_id=policy.compartment_id,
+            )
+
+            if has_violation:
+                report.status = "FAIL"
+                report.status_extended = f"Policy '{policy.name}' grants 'manage' permissions with delete. Service-level storage administrators should not be created with delete permissions.\n{offending_statements}"
+            else:
+                report.status = "PASS"
+                report.status_extended = f"Policy '{policy.name}' does not grant storage service level admins delete permissions."
+
+            findings.append(report)
+
+        # If no policies found, that's also a finding
+        if not findings:
+            region = (
+                identity_client.audited_regions[0].key
+                if identity_client.audited_regions
+                else "global"
+            )
+            report = Check_Report_OCI(
+                metadata=self.metadata(),
+                resource={},
+                region=region,
+                resource_id=identity_client.audited_tenancy,
+                resource_name="Tenancy",
+                compartment_id=identity_client.audited_tenancy,
+            )
+            report.status = "PASS"
+            report.status_extended = (
+                "No active storage-level admin policies found with delete permissions."
+            )
+            findings.append(report)
+
+        return findings