ovhcloud-iam-policy-review

OVHcloud IAM Policy Review

Purpose

Audit OVHcloud IAM policies for over-permissive access, missing conditional controls, and identity-group hygiene gaps. Produce an evidence-backed verdict with least-privilege recommendations.

When to use

Use this skill for:

• Auditing ovh_iam_policy Terraform resources for scope and condition gaps
• Reviewing OAuth2 service account permissions against the principle of least privilege
• Assessing identity groups for membership sprawl or excessive aggregated permissions
• Evaluating conditional access blocks: IP CIDR restrictions, resource tag conditions, expiration dates
• Pre-deployment review of new IAM policies or policy changes

Lean operating rules

• Prefer OVHcloud IAM docs and Terraform provider docs; if MCP tooling is unavailable, fall back to https://help.ovhcloud.com/ and Context7.
• Separate confirmed policy state from inference. If the policy was not shown, say so.
• Challenge policies with wildcarded URNs (urn:v1:eu:resource:*), missing condition blocks, or allow rules that supersede deny rules unexpectedly.
• Recommend least-privilege: scope to narrowest URN prefix, add IP condition, set expiration where supported.
• Keep recommendations reversible and explicit about blast radius.

References

Load these only when needed:

• Workflow and output contract — use when executing the full IAM audit or formatting the final answer.
• Safety checklist — use before privileged, access-granting, or production-impacting recommendations.
• Official sources — use when grounding OVHcloud IAM service behavior or checking the source list.

Response minimum

Return, at minimum:

• the policy verdict and evidence level,
• specific URN scope and condition gaps found,
• the blast radius of the current policy,
• safe remediation recommendations with rollback notes,
• blockers or unknowns that prevent stronger conclusions.