Auditing IAM Policies Across Oracle Cloud Infrastructure Compartments
Oracle Cloud Infrastructure (OCI) uses a hierarchical compartment structure for resource organization and access control. Understanding and auditing your IAM policies across these compartments is crucial for maintaining proper security posture. In this guide, we'll explore a powerful shell script that helps you audit IAM policies across your entire OCI tenancy.
The Challenge
Managing IAM policies across multiple compartments can become complex as your cloud infrastructure grows. Common challenges include:
Tracking policy distributions across compartments
Identifying redundant or conflicting policies
Ensuring proper access controls at each level
Maintaining security compliance requirements
Console Limitations in Policy Visibility
One significant challenge when using the OCI Console is the limited visibility of group permissions across compartments. Here's why this is problematic:
Scattered Policies: Permissions for a single group can be defined in multiple policies across different compartments. The console doesn't provide a unified view of all permissions assigned to a group.
Inheritance Complexity: When compartments are nested, policies inherit from parent compartments. The console shows policies at each level separately, making it difficult to understand the cumulative permissions a group has.
Dynamic Groups: When dynamic groups are involved, it becomes even more challenging to track permissions as they're based on instance principals and other dynamic attributes.
Time-Consuming Manual Review: To understand a group's complete access level, administrators often need to:
Navigate through multiple compartments
Open each policy individually
Mentally compile the permissions
Account for policy inheritance
Consider any conflicting or overlapping statements
This is where our script becomes particularly valuable, as it provides a comprehensive view of all policies across your tenancy in one output.
The Solution
We'll use a Bash script that leverages the OCI CLI to recursively traverse all compartments and list their associated IAM policies. This script can be run directly in OCI Cloud Shell, making it immediately accessible to all OCI users.
Prerequisites
OCI CLI installed and configured
Proper permissions to read compartments and IAM policies
jq
command-line JSON processor (pre-installed in Cloud Shell)
The Script Breakdown
Let's analyze the key components of our script:
# Core function to list IAM policies for a single compartment
list_compartment_iam_policies() {
local compartment_id=$1
oci iam policy list --compartment-id "$compartment_id"
}
This function uses the OCI CLI to fetch all IAM policies for a given compartment ID.
# Get the root compartment (tenancy) ID
local root_compartment=$(oci iam compartment list --all \
--compartment-id-in-subtree true \
--access-level ACCESSIBLE \
--include-root \
--raw-output \
--query "data[?contains(\"id\",'tenancy')].id | [0]")
This command retrieves the tenancy OCID, which serves as our starting point for the recursive traversal.
function _list_compartments() {
local compartment_id=$1
compartment_name=$(oci iam compartment get \
--compartment-id "$compartment_id" \
--query "data.name" \
--raw-output)
echo "Compartment: $compartment_name ($compartment_id)"
list_compartment_iam_policies "$compartment_id"
# Recursive call for sub-compartments
for sub_compartment_id in $(oci iam compartment list \
--compartment-id "$compartment_id" \
--all \
--query "data[].id" | jq -r '.[]'); do
_list_compartments "$sub_compartment_id"
done
}
This recursive function:
Gets the compartment name for better readability
Lists IAM policies for the current compartment
Finds all sub-compartments
Recursively calls itself for each sub-compartment
Using the Script
Save the script to a file (e.g.,
audit_iam_policies.sh
)Make it executable:
chmod +x audit_iam_policies.sh
Run it:
./audit_iam_policies.sh
Output Format
The script produces output in the following format:
Compartment: root_compartment_name (ocid1.tenancy.oc1...)
[IAM policies for root compartment]
Compartment: sub_compartment_name (ocid1.compartment.oc1...)
[IAM policies for sub-compartment]
...
Best Practices for Policy Auditing
When reviewing the output:
Policy Consolidation: Look for similar policies that could be combined at a higher level
Least Privilege: Ensure policies grant only necessary permissions
Documentation: Save the output for compliance and documentation purposes
Regular Audits: Run this script periodically as part of your security routine
Enhancement Opportunities
The script can be enhanced to:
Output in different formats (JSON, CSV, HTML)
Include policy statements analysis
Flag potentially risky permissions
Compare against a baseline configuration
Generate detailed reports with policy recommendations
Group-Centric View: Add functionality to filter and display all policies affecting a specific group across compartments
Permission Matrix: Generate a matrix showing which groups have what permissions across different compartments
Policy Overlap Detection: Identify where multiple policies might be granting similar permissions to the same group
Pro Tips for Policy Analysis
Group-Based Review:
- After running the script, use grep to filter policies for a specific group:
./audit_iam_policies.sh | grep -A 5 "group_name"
Effective Permissions Check:
- Combine the script output with the OCI CLI's policy parser to validate effective permissions:
oci iam policy get --policy-id <policy_id> --query "data.statements[]"
Conclusion
This script provides a foundation for maintaining good security hygiene in your OCI environment. Regular auditing of IAM policies helps ensure proper access controls and compliance with security requirements. While the OCI Console offers many powerful features, using CLI tools like this script can significantly improve visibility into your IAM policy structure and help maintain a secure cloud environment.
Remember to run this script in a controlled manner and during off-peak hours if you have a large number of compartments, as it makes multiple API calls to the OCI service.