Detection Library
critical · production · OCI · Cloud · T1098 · T1078.004

OCI IAM Policy Change by Non-Admin Principal

Detects creation, modification, or deletion of OCI IAM policies by principals that are not designated IAM administrators.

Updated Dec 10, 2024 · Detection Engineering Team

oci · iam · privilege-escalation · policy-change · cloud

Problem Statement

OCI IAM policy changes represent a critical privilege escalation path. An attacker with write access to IAM can grant themselves or others administrator-level permissions across an entire tenancy.

Sample Logs

{"eventTime":"2024-12-10T11:45:22Z","eventName":"CreatePolicy","requestAction":"POST","principalId":"ocid1.user.oc1..aaaaadev9999","principalName":"dev-user@corp.com","compartmentId":"ocid1.compartment.oc1..root","requestParameters":{"name":"escalation-policy","statements":["Allow group Administrators to manage all-resources in tenancy"]},"sourceIPAddress":"10.0.5.88","responseStatus":"200"}
{"eventTime":"2024-12-10T11:47:05Z","eventName":"UpdatePolicy","requestAction":"PUT","principalId":"ocid1.user.oc1..aaaaadev9999","principalName":"dev-user@corp.com","compartmentId":"ocid1.compartment.oc1..aaaa5678","requestParameters":{"statements":["Allow any-user to manage buckets in tenancy"]},"sourceIPAddress":"10.0.5.88","responseStatus":"200"}

Required Fields

eventName
requestAction
principalId
principalName
compartmentId
requestParameters.statements
sourceIPAddress
responseStatus

False Positives

  • Authorized IAM admins performing planned policy updates
  • Terraform or Ansible automation using service principals
  • OCI IAM administrator role assignments

Tuning Guidance

Maintain an allowlist of authorized IAM admin OCIDs and service account names. Alert specifically on human user principals. Cross-reference with change management records for scheduled updates.
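As an added example (not part of this detection library entry), the logic below applies the tuning guidance to the sample logs above: it drops policy events from allowlisted admin OCIDs and named automation accounts, keeps only user-type principals, and raises severity when a statement grants tenancy-wide access. The allowlist OCIDs and service account names are placeholders, and the "ocid1.user." prefix check is an assumed heuristic for human users.

```python
import json
import re

# Constructed events modelled on the page's two sample logs (not real telemetry).
SAMPLE_LOGS = [
    '{"eventTime":"2024-12-10T11:45:22Z","eventName":"CreatePolicy","requestAction":"POST",'
    '"principalId":"ocid1.user.oc1..aaaaadev9999","principalName":"dev-user@corp.com",'
    '"compartmentId":"ocid1.compartment.oc1..root","requestParameters":{"name":"escalation-policy",'
    '"statements":["Allow group Administrators to manage all-resources in tenancy"]},'
    '"sourceIPAddress":"10.0.5.88","responseStatus":"200"}',
    '{"eventTime":"2024-12-10T11:47:05Z","eventName":"UpdatePolicy","requestAction":"PUT",'
    '"principalId":"ocid1.user.oc1..aaaaadev9999","principalName":"dev-user@corp.com",'
    '"compartmentId":"ocid1.compartment.oc1..aaaa5678","requestParameters":{"statements":'
    '["Allow any-user to manage buckets in tenancy"]},"sourceIPAddress":"10.0.5.88","responseStatus":"200"}',
]

POLICY_EVENTS = {"CreatePolicy", "UpdatePolicy", "DeletePolicy"}
# Placeholder allowlists; populate from your IAM admin inventory and IaC service accounts.
ADMIN_ALLOWLIST = {"ocid1.user.oc1..aaaaadmin0001"}
AUTOMATION_PRINCIPALS = {"terraform-svc", "ansible-svc"}
# Statement shapes that widen access tenancy-wide; used to raise severity, not to gate the alert.
HIGH_RISK = re.compile(r"\b(manage all-resources|any-user|in tenancy)\b", re.IGNORECASE)


def evaluate(line, allowlist=ADMIN_ALLOWLIST, automation=AUTOMATION_PRINCIPALS):
    """Return an alert dict for a policy change by a non-admin human principal, else None."""
    ev = json.loads(line)
    if ev.get("eventName") not in POLICY_EVENTS:
        return None
    pid, pname = ev.get("principalId", ""), ev.get("principalName", "")
    if pid in allowlist or pname in automation:
        return None  # planned admin change or IaC automation
    # Heuristic (assumption): human users carry an "ocid1.user." prefix; instance and
    # resource principals do not, so they are dropped to keep the rule on human actors.
    if not pid.startswith("ocid1.user."):
        return None
    statements = ev.get("requestParameters", {}).get("statements", [])
    risky = [s for s in statements if HIGH_RISK.search(s)]
    return {
        "time": ev["eventTime"], "event": ev["eventName"], "principal": pname,
        "compartment": ev.get("compartmentId"), "source_ip": ev.get("sourceIPAddress"),
        "succeeded": ev.get("responseStatus") == "200",  # failed attempts still surface
        "severity": "critical" if risky else "high", "risky_statements": risky,
    }


def run(lines, **kw):
    """Evaluate a batch of JSON log lines and return the alerts raised."""
    return [a for a in (evaluate(ln, **kw) for ln in lines) if a]
```

Both sample events fire as critical because their statements match the tenancy-wide patterns; moving the dev-user OCID into the allowlist silences them, which is how change-management exceptions would be encoded.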