turbot/steampipe-mod-ibm-compliance

Control: 1.5 Ensure no owner account API key exists

Description

API keys by definition allow access to your account and resources in your account. The API key inherits all assigned access for the user identity for which it is created, therefore an API key created by an account owner has account-owner level access to resources in the account.

Remediation

From Console

To delete an API key, complete the following steps:

  1. Log in as the account owner at cloud.ibm.com
  2. In the console, go to Manage -> Access (IAM)
  3. Click on API keys
  4. Identify the row of the API key that you want to delete and select Delete from the Actions icon menu (found on the right-hand side of the row).
  5. Then, confirm the deletion by clicking Delete.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_1_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_1_5 --share

SQL

This control uses a named query:

-- One row per account: 'alarm' when at least one API key belongs to the
-- account owner. The join matches the second dash-separated field of the
-- key's IAM ID against the owner's unique ID. Note that this is an inner
-- join, so an account with no matching key produces no row at all.
select
  acc.guid as resource,
  case
    when count(key.iam_id) > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when count(key.iam_id) > 0 then 'Account owner API keys exist.'
    else 'No account owner API keys exist.'
  end as reason,
  acc.guid
from
  ibm_account as acc,
  ibm_iam_api_key as key
where
  acc.owner_unique_id = split_part(key.iam_id, '-', 2)
group by
  acc.guid;
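As an added example (not the mod's own query), the same check rewritten with a left join so that an account with no owner API keys still yields a row with status 'ok' instead of being absent from the results, which is what the inner join above does. It uses the same tables and columns as the query above and makes the same assumption about the IAM ID layout via split_part().

```sql
-- Added example; not the steampipe-mod-ibm-compliance query itself.
-- Same tables/columns as the mod's query (ibm_account, ibm_iam_api_key).
-- Assumes, as the original does, key.iam_id has the form '<prefix>-<unique id>'.
select
  acc.guid as resource,
  case
    when count(key.iam_id) > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when count(key.iam_id) > 0
      then count(key.iam_id)::text || ' account owner API key(s) exist.'
    else 'No account owner API keys exist.'
  end as reason,
  acc.guid
from
  ibm_account as acc
  -- left join keeps accounts with zero owner keys; count() ignores the nulls
  left join ibm_iam_api_key as key
    on acc.owner_unique_id = split_part(key.iam_id, '-', 2)
group by
  acc.guid;
```

With this shape, a compliant account shows up as a passing result in the control output rather than contributing no result at all.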

Tags