- Knowledge Base
- Oracle Cloud Infrastructure
- OCI Events
- Enable Notification Alerts for IAM User Changes
Ensure there is an Oracle Cloud Infrastructure (OCI) Event Rule created and configured to fire each time an IAM user change is made. This Event Rule must send an alert notification every time a request is performed to create, update, delete, or modify the state and capabilities of an IAM user.
Security Using Oracle Cloud Infrastructure (OCI) Event Rules to detect IAM user changes will effectively prevent both accidental and intentional changes that could result in unauthorized access, maintaining an elevated security posture.
Audit
To determine if IAM user changes are being monitored using Oracle Cloud Infrastructure (OCI) Event Rules, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Events console available at https://cloud.oracle.com/events/.
03 In the left navigation panel, select Rules under Events, choose an OCI compartment from the Compartment dropdown menu and select Active from the State dropdown menu, to list the active Event Rules created in the selected compartment.
04 Click on the name (link) of the Event Rule that you want to examine and select Edit Rule.
05 On the Edit Rule page, perform the following actions:
- In the Rule Conditions section, search for a rule condition with the following configuration: Condition set to Event Type, Service Name set to Identity, and Event Type set to User - Create, User - Delete, User - Update, User Capabilities – Update, and User State – Update.
- In the Actions section, search for an action with the following configuration: Action Type set to Notifications, and Topic set to a valid OCI topic.
06 If the search criteria outlined in step no. 5 are not met, the selected Event Rule is not configured to send notification alerts when IAM user changes are made within your Oracle Cloud Infrastructure (OCI) compartment.
07 Repeat steps no. 4 - 6 for each Event Rule available in the selected Oracle Cloud Infrastructure (OCI) compartment.
08 Repeat steps no. 3 – 7 for each OCI compartment created in your Oracle Cloud Infrastructure (OCI) account.
Using OCI CLI
01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
02 The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
03 Run events rule list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID and state of each Event Rule created in the selected OCI compartment:
oci events rule list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[].["id","lifecycle-state"]'
04 The command output should return the ID and status for each rule created in the selected compartment. An active Event Rule has the lifecycle status set to "ENABLED":
[ [ "ocid1.eventrule.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ACTIVE" ], [ "ocid1.eventrule.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234", "ACTIVE" ] ]
05 Run events rule get command (Windows/macOS/Linux) with the ID of the OCI Event Rule that you want to examine as the identifier parameter and custom output filters to describe the configuration information available for the selected rule:
oci events rule get --rule-id 'ocid1.eventrule.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data'
06 The command output should return the requested configuration information. Examine the output of the events rule get command, listed below, and perform the following actions:
- Search "condition"."eventType" for the following conditions: "com.oraclecloud.identitycontrolplane.createuser", "com.oraclecloud.identitycontrolplane.deleteuser", "com.oraclecloud.identitycontrolplane.updateuser", "com.oraclecloud.identitycontrolplane.updateusercapabilities", and "com.oraclecloud.identitycontrolplane.updateuserstate".
- Search "actions" for an action with the following configuration: "action-type" set to "ONS", "is-enabled" set to true, and "topic-id" set to a valid OCI topic ID.
{ "condition": "{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createauthtoken\",\"com.oraclecloud.identitycontrolplane.deleteauthtoken\",\"com.oraclecloud.identitycontrolplane.updateauthtoken\"],\"data\":{}}", "actions": { "actions": [ { "action-type": "ONS", "description": null, "id": "ocid1.eventaction.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "is-enabled": true, "lifecycle-message": null, "lifecycle-state": "ACTIVE", "topic-id": "ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234" } ] }, "compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "description": null, "display-name": "cc-project5-event-rule", "freeform-tags": {}, "id": "ocid1.eventrule.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "is-enabled": true, "lifecycle-message": null, "lifecycle-state": "ACTIVE", "time-created": "2025-03-04T16:21:58.355000+00:00" }
07 If the search criteria outlined in step no. 6 are not met, the selected Event Rule is not configured to send notification alerts when IAM user changes are made within your Oracle Cloud Infrastructure (OCI) compartment.
08 Repeat steps no. 5 - 7 for each Event Rule available in the selected Oracle Cloud Infrastructure (OCI) compartment.
09 Repeat steps no. 3 – 8 for each OCI compartment created in your Oracle Cloud Infrastructure (OCI) account.
Remediation / Resolution
Step 1: Create and configure an OCI notification topic and a subscription to deliver notification alerts for IAM user changes:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Notifications console available at https://cloud.oracle.com/notification/.
03 In the left navigation panel, choose Topics, and select the appropriate OCI compartment from the Compartment dropdown menu.
04 Choose Create Topic and provide the following information to create a new OCI notification topic:
- For Name, enter a unique name for the new topic.
- (Optional) For Description, provide a short description for the resource.
- (Optional) Choose Show advanced options and use Tag key and Tag value fields to add tags to organize your resource.
- Choose Create to deploy your new OCI notification topic.
05 Click on the name (link) of the newly created topic, choose Create Subscription, and perform the following actions to create a new subscription for the selected topic:
- For Protocol, select the protocol that you want to use. As an example, this guide will use Email for the subscription protocol.
- For Email, provide a valid email address for receiving notification alerts.
- (Optional) Choose Show advanced options and use Tag key and Tag value fields to add tags to your subscription.
- Choose Create to add the new subscription to your OCI notification topic.
- The Notifications service sends a confirmation URL to the email address provided in step no. 2. To activate the new subscription, open the Oracle Cloud Infrastructure Notifications Service Subscription Confirmation email and click on the Confirm subscription link.
06 Repeat steps no. 3 – 5 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
Using OCI CLI
01 Run ons topic create command (Windows/macOS/Linux) to create a new Oracle Cloud Infrastructure (OCI) notification topic in the selected OCI compartment:
oci ons topic create --name 'cc-event-notifications-topic' --description 'OCI Event Notifications Topic' --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."topic-id"'
02 The command output should return the identifier (ID) of the new topic:
"ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
03 Run ons subscription create command (Windows/macOS/Linux) to create a new subscription for the specified OCI topic. As an example, the following command is using the EMAIL subscription protocol:
oci ons subscription create --protocol "EMAIL" --subscription-endpoint 'user@domain.com' --topic-id 'ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234' --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."id"'
04 The command output should return the identifier (ID) of the new subscription:
"ocid1.onssubscription.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
05 The Notifications service sends a confirmation URL to the email address provided for the --subscription-endpoint parameter in step no. 3. To activate the new subscription, open the Oracle Cloud Infrastructure Notifications Service Subscription Confirmation email and click on the Confirm subscription link.
06 Repeat steps no. 1 – 5 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
Step 2: Create and configure an OCI Event Rule to detect IAM user changes made within your Oracle Cloud Infrastructure (OCI) compartment:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Events console available at https://cloud.oracle.com/events/.
03 In the left navigation panel, select Rules under Events, and choose your OCI compartment from the Compartment dropdown menu.
04 Choose Create Rule and perform the following operations to create an OCI Event Rule that detects IAM user changes:
- For Display Name, enter a unique name for the Event Rule.
- For Description, provide a short description to explain what the rule does.
- For Rule Conditions, perform the following actions:
- For Condition choose Event Type.
- For Service Name select Identity.
- For Event Type choose User - Create, User - Delete, User - Update, User Capabilities – Update, and User State – Update.
- For Actions, perform the following actions:
- For Action Type choose Notifications.
- For Notifications Compartment select your OCI compartment.
- For Topic choose the name of the OCI notification topic created in Step 1.
- (Optional) Choose Show advanced options and use the Tag key and Tag value fields to add tags to your Event Rule.
- Choose Create Rule to deploy your new OCI Event Rule.
05 Repeat steps no. 3 and 4 for each OCI compartment created in your Oracle Cloud Infrastructure (OCI) account.
Using OCI CLI
01 Specify the parameters and settings for an OCI Event Rule designed to monitor IAM user changes, and save this configuration to a JSON file named cc-event-rule-definition.json. Replace "topicId" with the ID of your own OCI notification topic created in Step 1 and "compartmentId" with the ID of your OCI compartment:
{
"displayName": "cc-detect-iam-user-changes",
"description": "OCI Event Rule to Detect IAM User Changes",
"condition": "{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createuser\",\"com.oraclecloud.identitycontrolplane.deleteuser\",\"com.oraclecloud.identitycontrolplane.updateuser\",\"com.oraclecloud.identitycontrolplane.updateusercapabilities\",\"com.oraclecloud.identitycontrolplane.updateuserstate\"],\"data\":{}}",
"actions": {
"actions": [
{
"actionType": "ONS",
"isEnabled": true,
"topicId": "ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
}
]
},
"isEnabled": true,
"compartmentId": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}
02 Run events rule create command (Windows/macOS/Linux) to create the required OCI Event Rule, using the JSON configuration file defined in the previous step (i.e., cc-event-rule-definition.json):
oci events rule create --from-json file://cc-event-rule-definition.json
03 The command output should return the configuration information available for the new OCI Vault:
{
"data": {
"actions": {
"actions": [
{
"action-type": "ONS",
"description": null,
"id": "ocid1.eventaction.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
"is-enabled": true,
"lifecycle-message": null,
"lifecycle-state": "ACTIVE",
"topic-id": "ocid1.onstopic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
}
]
},
"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
"condition": "{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createuser\",\"com.oraclecloud.identitycontrolplane.deleteuser\",\"com.oraclecloud.identitycontrolplane.updateuser\",\"com.oraclecloud.identitycontrolplane.updateusercapabilities\",\"com.oraclecloud.identitycontrolplane.updateuserstate\"],\"data\":{}}",
"defined-tags": {
"Oracle-Tags": {
"CreatedBy": "default/user@domain.com",
"CreatedOn": "2025-03-04T19:09:45.392Z"
}
},
"description": "OCI Event Rule to Detect IAM User Changes",
"display-name": "cc-detect-iam-user-changes",
"freeform-tags": {},
"id": "ocid1.eventrule.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
"is-enabled": true,
"lifecycle-message": null,
"lifecycle-state": "ACTIVE",
"time-created": "2025-03-04T19:09:45.606000+00:00"
},
"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
}
04 Repeat steps no. 1 – 3 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
References
- Oracle Cloud Infrastructure Documentation
- Overview of Events
- Managing Rules for Events
- Getting Started with Events
- Creating an Events Rule
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- events rule list
- events rule get
- events rule create
- topic create
- subscription create