Table: oci_identity_policy - Query OCI Identity Policies using SQL
An OCI Identity Policy is a document that specifies who can access which Oracle Cloud Infrastructure resources in your tenancy, and what kind of access they have. Policies are the authorization layer of Oracle Cloud Infrastructure's Identity and Access Management (IAM) service: every statement in a policy grants a group, dynamic group, service or any-user a set of verbs (inspect, read, use, manage) over a resource type in a compartment or the whole tenancy, so the contents of these statements determine the effective privilege of every principal.
Table Usage Guide
The oci_identity_policy table provides insights into Identity Policies within Oracle Cloud Infrastructure's Identity and Access Management (IAM). As a Security Analyst, you can explore policy-specific details through this table, including policy statements and associated metadata. Use it to find policies that grant specific permissions and to verify that policy statements match what you expect.
Examples
Basic info
List every policy in the tenancy with its OCID, lifecycle state and description. This is the starting point for an inventory of what policies exist and whether each one is still active.
select name, id, lifecycle_state, description
from oci_identity_policy;
Get a specific policy
This query retrieves a single policy by its OCID. It is useful when you need to review the configuration or lifecycle state of one policy without scanning every policy in the tenancy.
select name, id, lifecycle_state, description
from oci_identity_policy
where id = 'ocid1.policy.oc1..aaaaaaaa6nsa2ia2bkr7bx7olpkjuj42yk3rpalwuwvm7fjc7kz7o5wz5pmq';
List inactive policies
List policies whose lifecycle state is anything other than ACTIVE (for example CREATING, INACTIVE, DELETING or DELETED). An inactive policy grants no access, so this identifies policies that can be cleaned up; the inactive_status column carries the detailed reason for an INACTIVE state.
select name, lifecycle_state
from oci_identity_policy
where lifecycle_state <> 'ACTIVE';
List of policy statements
Expand the statements array so that each policy statement becomes its own row. The statements are where access is actually granted, so this flattened view is the one to review for over-broad grants such as manage all-resources in tenancy given to groups other than the tenancy administrators.
PostgreSQL:

select name, jsonb_array_elements_text(statements) as statement
from oci_identity_policy;

SQLite:

select name, json_each.value as statement
from oci_identity_policy, json_each(statements);
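The usage guide and the statements example above both describe reviewing statements for specific permissions. The following PostgreSQL query is an added example, not one of the queries on the Steampipe hub page: it flags every statement that grants manage all-resources in tenancy to any subject other than the Administrators group, which is the condition the CIS OCI Benchmark control 1.2 listed below checks. The regular expressions and the assumption that the tenancy administrator group keeps its default name Administrators (optionally qualified with an identity-domain prefix such as 'Default'/'Administrators') are mine; matching on statement text is a heuristic, not a policy-language parser.

```sql
-- Added example (not from the Steampipe docs): list every statement that grants
-- "manage all-resources in tenancy" to a subject other than the Administrators group.
-- PostgreSQL dialect: jsonb_array_elements_text and the ~* / !~* case-insensitive regex operators.
with policy_statements as (
  select
    p.name as policy_name,
    p.compartment_id,
    p.lifecycle_state,
    s.statement
  from
    oci_identity_policy as p,
    jsonb_array_elements_text(p.statements) as s(statement)
)
select
  policy_name,
  compartment_id,
  lifecycle_state,
  statement,
  case
    when statement ~* '^\s*allow\s+any-user\s'      then 'any-user has tenancy-wide manage'
    when statement ~* '^\s*allow\s+dynamic-group\s' then 'dynamic group has tenancy-wide manage'
    when statement ~* '^\s*allow\s+service\s'       then 'service principal has tenancy-wide manage'
    else                                                 'non-Administrators group has tenancy-wide manage'
  end as finding
from
  policy_statements
where
  -- tenancy-wide manage over every resource type
  statement ~* '\sto\s+manage\s+all-resources\s+in\s+tenancy(\s|$)'
  -- exclude the built-in Administrators group; an optional identity-domain prefix
  -- (e.g. group 'Default'/'Administrators') is allowed. Assumption: the admin group
  -- has not been renamed.
  and statement !~* '^\s*allow\s+group\s+(''[^'']*''/)?''?administrators''?\s+to\s'
order by
  policy_name,
  statement;
```

Statements that end in a where clause (for example a request.region or target.compartment condition) still match and are worth reading individually, because a condition may legitimately narrow the grant. For SQLite replace jsonb_array_elements_text with json_each as in the example above; SQLite has no ~* operator, so the filters would need to be rewritten with lower() and LIKE or the REGEXP function your build provides.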
Control examples
- CIS v1.1.0 > 1 Identity and Access Management > 1.2 Ensure permissions on all resources are given only to the tenancy administrator group
- CIS v1.1.0 > 1 Identity and Access Management > 1.3 Ensure IAM administrators cannot update tenancy Administrators group
- CIS v1.2.0 > 1 Identity and Access Management > 1.2 Ensure permissions on all resources are given only to the tenancy administrator group
- CIS v1.2.0 > 1 Identity and Access Management > 1.3 Ensure IAM administrators cannot update tenancy Administrators group
- CIS v2.0.0 > 1 Identity and Access Management > 1.2 Ensure permissions on all resources are given only to the tenancy administrator group
- CIS v2.0.0 > 1 Identity and Access Management > 1.3 Ensure IAM administrators cannot update tenancy Administrators group
Schema for oci_identity_policy
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| compartment_id | text | = | The OCID of the compartment in the tenant in which the resource is located. |
| defined_tags | jsonb | | Defined tags for the resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources. |
| description | text | | The description you assign to the policy. Does not have to be unique, and it is changeable. |
| freeform_tags | jsonb | | Free-form tags for the resource. These tags can be applied by any user with permissions on the resource. |
| id | text | = | The OCID of the policy. |
| inactive_status | bigint | | The detailed status of the INACTIVE lifecycle state. |
| lifecycle_state | text | = | The policy's current state. |
| name | text | = | The name you assign to the policy during creation. The name must be unique across all policies in the tenancy and cannot be changed. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| statements | jsonb | | An array of one or more policy statements written in the policy language. |
| tags | jsonb | | A map of tags for the resource. |
| tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the tenant in which the resource is located. |
| tenant_name | text | | The name of the tenant in which the resource is located. |
| time_created | timestamp with time zone | | Date and time the policy was created. |
| title | text | | Title of the resource. |
| version_date | timestamp with time zone | | The version of the policy. If null or set to an empty string, when a request comes in for authorization, the policy is evaluated according to the current behavior of the services at that moment. If set to a particular date (YYYY-MM-DD), the policy is evaluated according to the behavior of the services on that date. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci
You can pass the configuration to the command with the --config argument:
steampipe_export_oci --config '<your_config>' oci_identity_policy