Control: 1.5 Ensure no owner account API key exists
Description
By definition, API keys allow access to your account and the resources in it. An API key inherits all access assigned to the user identity for which it is created; an API key created by an account owner therefore has account-owner-level access to resources in the account.
Remediation
From Console
To delete an API key, complete the following steps:
- Log in as the account owner at cloud.ibm.com
- In the console, go to Manage -> Access (IAM)
- Click on API keys
- Identify the row of the API key that you want to delete and select Delete from the Actions menu (the List of actions icon on the right-hand side of the row).
- Then, confirm the deletion by clicking Delete.
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_1_5 --share
SQL
This control uses a named query:
iam_account_owner_no_api_key