v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 1.11 Ensure API keys are not created for tenancy administrator users

Description

Tenancy administrator users have full access to the organization's OCI tenancy. API keys associated with user accounts are used for invoking the OCI APIs via custom programs or clients like CLI/SDKs. The clients are typically used for performing day-to-day operations and should never require full tenancy access. Service-level administrative users with API keys should be used instead.

Remediation

OCI Native IAM

From Console

  1. Login to OCI Console.
  2. Select Identity from Services menu.
  3. Select Users from Identity menu.
  4. For each tenancy administrator user who has an API key, select API Keys from the menu in the lower left-hand corner.
  5. Delete any associated keys from the API Keys table

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_1_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_1_11 --share

SQL

This control uses a named query:

identity_administrator_user_with_no_api_key

Tags

category = Compliance
cis = true
cis_item_id = 1.11
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v1.1.0
plugin = oci
service = OCI/Identity