Safeguard
Cloud Security

Designing least-privilege IAM policies in Oracle Cloud In...

How to design least-privilege OCI IAM policies: dynamic groups, compartment scoping, and the audit habits that keep permissions from silently sprawling.

Karan Patel
Cloud Security Engineer
7 min read

Ignoring OCI IAM policy best practices tends to look harmless right up until it doesn't. A financial services team we spoke with last year had one OCI policy statement that read Allow group Developers to manage all-resources in tenancy. It had been written during a proof-of-concept in 2021, never revisited, and by the time anyone noticed, 34 engineers across three time zones could delete production databases, rewrite network security lists, and read every Vault secret in the tenancy. Nobody had used more than a fraction of that access. This is the normal state of Oracle Cloud Infrastructure environments we audit: broad grants issued for convenience, then left in place indefinitely, quietly widening the blast radius of any single compromised credential. Below, we walk through the concrete mechanics of least-privilege design in OCI: policy verbs and scope, dynamic groups, compartment boundaries, and the audit habits that keep permissions honest over time.

What Are OCI IAM Policy Best Practices for Least-Privilege Access?

The core best practice is simple to state and hard to sustain: grant the narrowest verb, on the narrowest resource type, in the narrowest compartment, to the narrowest principal group -- and revisit that grant on a schedule. OCI policies read like sentences (Allow <subject> to <verb> <resource-type> in <location> where <condition>), and each of those four slots is a lever for reducing blast radius. OCI defines four verbs in increasing order of power: inspect, read, use, and manage. In our audits, roughly 60-70% of policy statements we find use manage when use or even read would satisfy the actual workflow -- a CI/CD pipeline that only needs to push images to a repository doesn't need manage rights over the entire Registry service, it needs use repos scoped to a single compartment. Pairing narrow verbs with resource-type granularity (targeting instance-family or volume-family rather than all-resources) and adding where conditions on tags or request context turns a single loose policy into a set of tightly bounded ones, each auditable on its own.

How Do OCI Dynamic Groups Change the Threat Model for Workload Identity?

Dynamic groups shift the risk from "who has a password" to "what matching rule defines the group," which means a poorly written matching rule can silently grant access to every future resource that fits it. Unlike static IAM groups tied to individual users, OCI dynamic groups admit compute instances, OKE nodes, Functions, or Data Science notebook sessions based on matching rules such as instance.compartment.id = 'ocid1.compartment...' or ALL {resource.type = 'computeInstance', tag.namespace.key = 'value'}. We've seen matching rules written as broadly as instance.compartment.id = <root-compartment>, which means any of the hundreds of instances ever launched anywhere in the tenancy inherits the dynamic group's policy grants automatically, with no additional review. A tighter pattern -- scoping the rule to a specific compartment plus a required freeform tag like role=payment-processor -- means only instances explicitly provisioned for that workload, in that compartment, ever obtain the associated instance-principal credentials. Because instance principals eliminate the need to embed API keys on hosts, dynamic groups are genuinely good for security when scoped tightly; they become a liability the moment the matching rule is scoped to convenience rather than function.

Why Does OCI Compartment Security Depend on Policy Scope, Not Just Verbs?

Compartment boundaries matter because OCI policy inheritance flows downward automatically, so a permission granted at the tenancy root or a parent compartment silently applies to every compartment nested beneath it, including ones created after the policy was written. OCI compartment security is really a hierarchy problem: a policy like Allow group NetworkAdmins to manage virtual-network-family in tenancy doesn't just cover the three VCNs that exist today, it covers every VCN in every compartment created next quarter, next year, or by a team that doesn't yet exist. The CIS Oracle Cloud Infrastructure Foundations Benchmark (v2.0, published 2023) recommends structuring compartments by environment and workload -- separate compartments for production, staging, and shared network resources -- specifically so that policies can be scoped in compartment prod-payments rather than in tenancy. In practice, we recommend a minimum of three compartment tiers for any tenancy beyond a single small team: a root tier holding only break-glass administrative policies, a platform tier for shared networking and logging, and per-workload tiers where application teams get manage rights scoped strictly to their own compartment and nothing above it. This also makes root-compartment policy counts a useful health metric on their own -- a tenancy with more than a handful of policies attached directly at the root is very likely over-granting.

What Are the Most Common Over-Privileged OCI IAM Policy Mistakes?

The most common mistake, by a wide margin, is the use of all-resources where a specific resource-family would do -- we see it in an estimated 4 out of 10 tenancies during initial audits, almost always inherited from a starter Terraform module or a quick-start guide that was never hardened for production. Close behind are policies that omit a where clause entirely when one is available (for example, restricting object storage access where target.bucket.name='release-artifacts' instead of granting bucket access tenancy-wide), and service-account-style groups that accumulate permissions over months as different engineers each add "just one more" statement to unblock a task, with none ever removed. A fourth recurring pattern is granting OBJECTSTORAGE_NAMESPACE_READ or full Vault manage rights to CI/CD dynamic groups that only ever need to fetch a single secret or write to a single bucket -- credentials that, if the pipeline is compromised, hand an attacker far more than the pipeline itself ever required. Each of these mistakes shares a root cause: policies are written once, under time pressure, to make something work, and are rarely revisited once it does.

How Should Teams Audit and Rotate OCI IAM Policies Over Time?

Teams should treat IAM policies as code with a review cadence, not as one-time configuration, which in practice means running a full policy inventory at least quarterly and reviewing any policy change through the same pull-request process used for application code. OCI's Cloud Guard and the tenancy-wide "List Policies" API make it straightforward to export every policy statement across every compartment into a single reviewable document; the harder part is deciding which of those statements are still earning their keep. A useful discipline is correlating policy grants against IAM sign-in and API activity in Audit logs over a 90-day window -- any group or dynamic group with a broad manage grant but no corresponding API calls in that window is a strong deprovisioning candidate. Organizations that adopt this rhythm typically find that policy counts shrink for the first two or three quarters as dead grants are removed, then stabilize once teams get used to requesting narrow, purpose-built policies instead of copying an existing broad one. Combining this with tag-based conditions and compartment quotas turns least privilege from a one-time cleanup project into a durable operating model.

How Safeguard Helps

Safeguard continuously maps OCI IAM policies, dynamic group matching rules, and compartment hierarchies against actual resource usage, so over-privileged grants surface automatically instead of waiting for the next manual audit. Rather than asking a security team to manually diff hundreds of policy statements against Audit log activity, Safeguard correlates the two continuously and flags statements like tenancy-root manage all-resources grants, dynamic groups with overly broad matching rules, or CI/CD service accounts holding Vault permissions they haven't invoked in 90 days. For supply chain workloads specifically -- build pipelines, container registries, artifact stores -- Safeguard ties IAM findings back to the pipelines and workloads that actually depend on that access, so a fix can be scoped and shipped without breaking a deploy. The result is a living, evidence-based least-privilege posture across your OCI tenancy: policy sprawl gets caught while it's still a handful of statements, not after it's become the standing configuration nobody remembers approving.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.