OCI IAM Policy Drift Auditor

Description

As OCI environments grow across multiple compartments, teams often accumulate IAM policies over time. While these policies enable teams to move quickly, they can also introduce configuration drift, privilege creep or inconsistencies between intended and actual access controls.

The OCI IAM Policy Drift Auditor is a lightweight Python automation tool built on top of the OCI SDK to systematically audit IAM policies across compartments and detect drift. It captures a structured snapshot of IAM policies, compares them against a defined baseline or expected configuration and produces human-readable and machine-readable outputs for review and automation.

The project is intentionally designed to be safe and read-only, focusing purely on inspection and reporting. It does not modify or enforce changes. Instead, it helps security teams and cloud administrators gain visibility into policy state and identify potential deviations early.

I thought it would be useful to share this codebase with anyone managing IAM governance in OCI environments.

Codebase

GitHub Code: Click Here

Why This Is Useful

In many Oracle Cloud Infrastructure environments, IAM policies are created by multiple teams over time. As projects scale, new compartments are added, and services evolve, policy sprawl can become difficult to manage.

Common challenges include:

  • Policies that differ from a security baseline

  • Overly broad permissions that were meant to be temporary

  • Policies added in emergency scenarios and never reviewed

  • Inconsistencies across compartments

  • Difficulty understanding what changed and when

Without automation, reviewing IAM policies manually is time-consuming and error-prone.

The OCI IAM Policy Drift Auditor addresses this by providing:

  • A repeatable method to snapshot IAM policies

  • A structured way to detect deviations from expected configurations

  • Clear, auditable reporting artifacts

  • A foundation for governance and compliance workflows

This is especially helpful for security reviews, internal audits, regulated environments and DevSecOps workflows where least-privilege access matters.


What The Tool Does

The tool connects to OCI using the OCI Python SDK and retrieves IAM policy definitions across one or more compartments.

At a high level, it performs the following steps:

  1. Authenticates using standard OCI configuration

  2. Enumerates IAM policies within the target tenancy or compartments

  3. Captures policy metadata and statements

  4. Compares policies against a baseline (if configured)

  5. Flags potential drift or unexpected changes

  6. Generates structured reports

The output includes both:

  • A human-readable summary for quick review

  • A structured JSON artifact suitable for automation, diffing or CI/CD pipelines

Because the output is structured, you can:

  • Track policy evolution over time

  • Integrate with Git-based workflows

  • Feed the results into dashboards or compliance systems

  • Trigger alerts if drift is detected


High Level Architecture

The OCI IAM Policy Drift Auditor is intentionally simple and portable. It can be executed from:

  • A local developer machine

  • OCI Cloud Shell

  • A CI/CD pipeline runner

  • A scheduled automation job

The workflow looks like this:

  1. Authentication Layer
    Uses the OCI SDK with standard configuration (~/.oci/config) or compatible authentication methods.

  2. Policy Collection Layer
    Calls OCI IAM APIs to retrieve policy definitions and statements across target compartments.

  3. Drift Analysis Layer
    Normalizes and compares collected policies against a known baseline or expected state.

  4. Reporting Layer
    Generates JSON and optionally Markdown summaries for review and archival.


Prerequisites

To run this project, you will need:

  • Python 3.x

  • An OCI account with IAM read permissions

  • Access to the compartments you wish to audit

  • OCI authentication configured (e.g., ~/.oci/config)

Depending on your workflow, you may optionally integrate this tool with:

  • Git repositories for policy baselines

  • CI/CD systems for scheduled audits

  • Object Storage buckets for snapshot archiving


Expected Output

Each execution produces structured artifacts that reflect the IAM policy state at the time of the run.

Typical outputs include:

  • A JSON snapshot containing full policy definitions

  • A drift report highlighting differences from baseline

  • A human-readable summary for quick inspection

The JSON artifact enables:

  • Git-based diffing across runs

  • Change tracking over time

  • Automated validation checks

  • Compliance reporting

This makes it easy to answer questions like:

  • What policies exist right now?

  • What changed since last week?

  • Which statements differ from our security baseline?

  • Are any new permissions broader than expected?
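As an added illustration (not code from the project's GitHub repository), the following sketch implements the collection, drift-analysis and reporting layers described above and produces the kind of JSON drift report listed under Expected Output. The policy snapshots are constructed sample data, the `manage all-resources` check is an assumed heuristic for "broader than expected" grants, and `collect_policies` is the only part that calls the OCI SDK, so the sample run works without tenancy access.

```python
import json

# Constructed sample snapshots (policy name -> statements); not data from any real tenancy.
BASELINE = {
    "NetworkAdmins": ["Allow group NetworkAdmins to manage virtual-network-family in compartment Prod"],
    "Auditors": ["Allow group Auditors to read all-resources in tenancy"],
}
CURRENT = {
    "NetworkAdmins": [
        "allow group NetworkAdmins to manage   virtual-network-family in compartment Prod",  # cosmetic only
        "Allow group NetworkAdmins to manage all-resources in compartment Prod",           # privilege creep
    ],
    "Auditors": ["Allow group Auditors to read all-resources in tenancy"],
    "TempHotfix": ["Allow group Developers to manage all-resources in tenancy"],          # never removed
}

def normalize(statements):
    """Collapse whitespace, lower-case and sort so ordering/spacing changes are not reported as drift."""
    return sorted(" ".join(s.split()).lower() for s in statements)

def collect_policies(compartment_ids):
    """Policy Collection Layer: snapshot policies with the OCI Python SDK (network call, not run here)."""
    import oci  # imported lazily so the drift logic below runs without the SDK installed
    identity = oci.identity.IdentityClient(oci.config.from_file())  # reads ~/.oci/config
    snapshot = {}
    for cid in compartment_ids:
        for p in oci.pagination.list_call_get_all_results(identity.list_policies, cid).data:
            snapshot[p.name] = list(p.statements)
    return snapshot

def detect_drift(baseline, current):
    """Drift Analysis Layer: per-policy statement diff plus a flag for broad 'manage all-resources' grants."""
    report = {"added_policies": sorted(set(current) - set(baseline)),
              "removed_policies": sorted(set(baseline) - set(current)),
              "changed": {}, "broad_grants": []}
    for name in sorted(set(baseline) & set(current)):
        b, c = set(normalize(baseline[name])), set(normalize(current[name]))
        if b != c:
            report["changed"][name] = {"added": sorted(c - b), "removed": sorted(b - c)}
    for name, stmts in sorted(current.items()):
        for s in normalize(stmts):
            if "manage all-resources" in s:  # assumed heuristic for overly broad permissions
                report["broad_grants"].append({"policy": name, "statement": s})
    return report

if __name__ == "__main__":  # Reporting Layer: machine-readable JSON artifact for diffing or CI
    print(json.dumps(detect_drift(BASELINE, CURRENT), indent=2))
```

Replacing the constructed `CURRENT` dictionary with `collect_policies([...compartment OCIDs...])` and the constructed `BASELINE` with a snapshot committed to Git turns this into the snapshot-and-compare loop the post describes.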
