ShadowMap supports a secure, read-only integration with Oracle Cloud Infrastructure (OCI) to automatically discover and monitor cloud-based internet-exposed assets. This integration allows ShadowMap to ingest authoritative asset and networking data from OCI, ensuring complete and continuously updated visibility of your external attack surface.
This guide walks you through creating an OCI user and API signing key with least-privileged permissions and configuring ShadowMap to use it.
Prerequisites
To integrate OCI with ShadowMap, you will provide:
Tenancy OCID
User OCID
API Signing Key (private key)
Fingerprint
Region
These are standard OCI API authentication components.
Step 1: Create a Dedicated OCI User
Sign in to the Oracle Cloud Console.
Open the navigation menu and go to Identity & Security → Users.
Click Create User.
Provide:
Name: shadowmap-integration (example)
Description: Read-only asset discovery for ShadowMap
Click Create.
Open the newly created user and note the User OCID.
Step 2: Create an API Signing Key
Open the User Details page.
Navigate to API Keys.
Click Add API Key.
Choose Generate API Key Pair (recommended).
Download:
Private key (keep secure)
Public key
Note the generated Fingerprint.
Step 3: Grant Read-Only Permissions via IAM Policy
ShadowMap requires read-only access to enumerate OCI resources such as compute instances, networking components, and public IPs.
Create a Read-Only Policy
Go to Identity & Security → Policies.
Select the appropriate Compartment (root compartment recommended for full coverage).
Click Create Policy.
Provide:
Name: ShadowMap-ReadOnly-Policy
Description: Read-only access for ShadowMap asset discovery
Add the following policy statements:
Allow group ShadowMap-Readers to read instances in tenancy
Allow group ShadowMap-Readers to read virtual-network-family in tenancy
Allow group ShadowMap-Readers to read public-ips in tenancy
Allow group ShadowMap-Readers to read load-balancers in tenancy
Allow group ShadowMap-Readers to read dns in tenancy
Create a Group named ShadowMap-Readers if it does not already exist.
Add the shadowmap-integration user to this group.
Save the policy.
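Before saving the policy, it is worth confirming that every statement really is read-only and that all five resource types ShadowMap needs are covered. The following Python lint is an added example (not ShadowMap's or Oracle's own tooling): it parses each statement, flags any verb other than inspect or read, flags statements that grant a group other than ShadowMap-Readers, and reports required resource types with no statement; the optional "where" clause handling is an assumption about the statement syntax.

```python
import re

# The five policy statements listed in Step 3 of this guide.
POLICY_STATEMENTS = [
    "Allow group ShadowMap-Readers to read instances in tenancy",
    "Allow group ShadowMap-Readers to read virtual-network-family in tenancy",
    "Allow group ShadowMap-Readers to read public-ips in tenancy",
    "Allow group ShadowMap-Readers to read load-balancers in tenancy",
    "Allow group ShadowMap-Readers to read dns in tenancy",
]
# Resource types ShadowMap needs (Step 3) and the OCI verbs that are read-only.
REQUIRED_RESOURCES = {"instances", "virtual-network-family", "public-ips", "load-balancers", "dns"}
READ_ONLY_VERBS = {"inspect", "read"}  # "use" and "manage" grant write access

# Shape: Allow group <group> to <verb> <resource> in tenancy|compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+.+?)(?:\s+where\s+.+)?$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Split one OCI policy statement into group, verb, resource and scope."""
    m = STATEMENT_RE.match(stmt.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    parts = m.groupdict()
    parts["verb"], parts["resource"] = parts["verb"].lower(), parts["resource"].lower()
    return parts


def audit_policy(statements, expected_group="ShadowMap-Readers"):
    """Return a list of findings; an empty list means the policy is read-only and complete."""
    findings, covered = [], set()
    for stmt in statements:
        p = parse_statement(stmt)
        if p["group"] != expected_group:
            findings.append(f"grants a group other than {expected_group}: {stmt}")
        if p["verb"] not in READ_ONLY_VERBS:
            findings.append(f"verb '{p['verb']}' is not read-only: {stmt}")
        covered.add(p["resource"])
    # all-resources is OCI's wildcard resource type, so it covers every required type.
    if "all-resources" not in covered:
        for resource in sorted(REQUIRED_RESOURCES - covered):
            findings.append(f"no statement covers required resource type '{resource}'")
    return findings
```

Running audit_policy(POLICY_STATEMENTS) returns an empty list for the statements above; a statement such as "Allow group ShadowMap-Readers to manage all-resources in tenancy" is reported as not read-only.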
Step 4: Collect Required OCI Identifiers
Before configuring ShadowMap, ensure you have the following:
Tenancy OCID (Identity & Security → Tenancy Details)
User OCID
API Key Fingerprint
Private API Key
OCI Region (for example: eu-frankfurt-1)
Step 5: Configure Oracle Cloud in ShadowMap
Log in to your ShadowMap dashboard.
Navigate to Settings → Cloud Sources.
Select Oracle Cloud Infrastructure.
Click Create New Configuration.
Enter:
Configuration Name
Tenancy OCID
User OCID
API Key Fingerprint
Private API Key
Region
Click Create Source to enable the integration.
Once enabled, ShadowMap will begin ingesting OCI data automatically.
How OCI Data Is Used in ShadowMap
After the integration is active, ShadowMap retrieves and correlates OCI asset data to enhance your external attack surface inventory.
Compute & Public Infrastructure
Compute Instances
Associated public IP addresses
Instance metadata relevant to exposure analysis
Networking & Exposure Mapping
Virtual Cloud Networks (VCNs)
Subnets and route tables
Public IP allocations
Load Balancers and internet-facing endpoints
DNS & Sub-Domain Discovery
OCI DNS zones
DNS record sets (A, AAAA, CNAME, etc.)
Sub-domains associated with OCI-hosted workloads
These assets are:
Continuously monitored for changes and drift
Automatically included in ShadowMap’s scanning and intelligence workflows
Evaluated for vulnerabilities, misconfigurations, exposed services, and threat indicators
Key Benefits of OCI Integration
Automatic discovery of OCI compute instances and public IPs
Accurate mapping of network exposure and load balancers
DNS-driven sub-domain visibility
Continuous synchronization of OCI-based attack surface changes