Auditing IAM Policies Across Oracle Cloud Infrastructure Compartments

·

4 min read

Oracle Cloud Infrastructure (OCI) uses a hierarchical compartment structure for resource organization and access control. Understanding and auditing your IAM policies across these compartments is crucial for maintaining proper security posture. In this guide, we'll explore a powerful shell script that helps you audit IAM policies across your entire OCI tenancy.

The Challenge

Managing IAM policies across multiple compartments can become complex as your cloud infrastructure grows. Common challenges include:

  • Tracking policy distributions across compartments

  • Identifying redundant or conflicting policies

  • Ensuring proper access controls at each level

  • Maintaining security compliance requirements

Console Limitations in Policy Visibility

One significant challenge when using the OCI Console is the limited visibility of group permissions across compartments. Here's why this is problematic:

  1. Scattered Policies: Permissions for a single group can be defined in multiple policies across different compartments. The console doesn't provide a unified view of all permissions assigned to a group.

  2. Inheritance Complexity: When compartments are nested, policies inherit from parent compartments. The console shows policies at each level separately, making it difficult to understand the cumulative permissions a group has.

  3. Dynamic Groups: When dynamic groups are involved, it becomes even more challenging to track permissions as they're based on instance principals and other dynamic attributes.

  4. Time-Consuming Manual Review: To understand a group's complete access level, administrators often need to:

    • Navigate through multiple compartments

    • Open each policy individually

    • Mentally compile the permissions

    • Account for policy inheritance

    • Consider any conflicting or overlapping statements

This is where our script becomes particularly valuable, as it provides a comprehensive view of all policies across your tenancy in one output.

The Solution

We'll use a Bash script that leverages the OCI CLI to recursively traverse all compartments and list their associated IAM policies. This script can be run directly in OCI Cloud Shell, making it immediately accessible to all OCI users.

Prerequisites

  1. OCI CLI installed and configured

  2. Proper permissions to read compartments and IAM policies

  3. jq command-line JSON processor (pre-installed in Cloud Shell)

The Script Breakdown

Full script

Let's analyze the key components of our script:

# Core function to list IAM policies for a single compartment
list_compartment_iam_policies() {
    local compartment_id=$1
    oci iam policy list --compartment-id "$compartment_id"
}

This function uses the OCI CLI to fetch all IAM policies for a given compartment ID.

# Get the root compartment (tenancy) ID
local root_compartment=$(oci iam compartment list --all \
    --compartment-id-in-subtree true \
    --access-level ACCESSIBLE \
    --include-root \
    --raw-output \
    --query "data[?contains(\"id\",'tenancy')].id | [0]")

This command retrieves the tenancy OCID, which serves as our starting point for the recursive traversal.

function _list_compartments() {
    local compartment_id=$1
    compartment_name=$(oci iam compartment get \
        --compartment-id "$compartment_id" \
        --query "data.name" \
        --raw-output)

    echo "Compartment: $compartment_name ($compartment_id)"
    list_compartment_iam_policies "$compartment_id"

    # Recursive call for sub-compartments
    for sub_compartment_id in $(oci iam compartment list \
        --compartment-id "$compartment_id" \
        --all \
        --query "data[].id" | jq -r '.[]'); do
        _list_compartments "$sub_compartment_id"
    done
}

This recursive function:

  1. Gets the compartment name for better readability

  2. Lists IAM policies for the current compartment

  3. Finds all sub-compartments

  4. Recursively calls itself for each sub-compartment

Using the Script

  1. Save the script to a file (e.g., audit_iam_policies.sh)

  2. Make it executable:

     chmod +x audit_iam_policies.sh
    
  3. Run it:

     ./audit_iam_policies.sh
    

Output Format

The script produces output in the following format:

Compartment: root_compartment_name (ocid1.tenancy.oc1...)
[IAM policies for root compartment]

Compartment: sub_compartment_name (ocid1.compartment.oc1...)
[IAM policies for sub-compartment]
...

Best Practices for Policy Auditing

When reviewing the output:

  1. Policy Consolidation: Look for similar policies that could be combined at a higher level

  2. Least Privilege: Ensure policies grant only necessary permissions

  3. Documentation: Save the output for compliance and documentation purposes

  4. Regular Audits: Run this script periodically as part of your security routine

Enhancement Opportunities

The script can be enhanced to:

  1. Output in different formats (JSON, CSV, HTML)

  2. Include policy statements analysis

  3. Flag potentially risky permissions

  4. Compare against a baseline configuration

  5. Generate detailed reports with policy recommendations

  6. Group-Centric View: Add functionality to filter and display all policies affecting a specific group across compartments

  7. Permission Matrix: Generate a matrix showing which groups have what permissions across different compartments

  8. Policy Overlap Detection: Identify where multiple policies might be granting similar permissions to the same group

Pro Tips for Policy Analysis

  1. Group-Based Review:

    • After running the script, use grep to filter policies for a specific group:
    ./audit_iam_policies.sh | grep -A 5 "group_name"
  1. Effective Permissions Check:

    • Combine the script output with the OCI CLI's policy parser to validate effective permissions:
    oci iam policy get --policy-id <policy_id> --query "data.statements[]"

Conclusion

This script provides a foundation for maintaining good security hygiene in your OCI environment. Regular auditing of IAM policies helps ensure proper access controls and compliance with security requirements. While the OCI Console offers many powerful features, using CLI tools like this script can significantly improve visibility into your IAM policy structure and help maintain a secure cloud environment.

Remember to run this script in a controlled manner and during off-peak hours if you have a large number of compartments, as it makes multiple API calls to the OCI service.