Control: 1.8 Ensure user API keys rotate within 90 days or less
Description
API keys are used by administrators, developers, services and scripts for accessing OCI APIs directly or via SDKs/OCI CLI to search, create, update or delete OCI resources. The API key is an RSA key pair. The private key is used for signing the API requests and the public key is associated with a local or synchronized user's profile.
Remediation
OCI Native IAM
From Console
- Log in to the OCI Console.
- Select Identity from the Services menu.
- Select Users from the Identity menu.
- Click on an individual user under the Name heading.
- Click on API Keys in the lower left-hand corner of the page.
- Delete any API Keys with a date of 90 days or older under the Created column of the API Key table.
From Command Line
Execute the following:
oci iam user api-key delete --user-id <user_OCID> --fingerprint <fingerprint_of_the_key_to_be_deleted>
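To find which keys the command applies to, the following Python example (added here, not part of the benchmark or of Oracle's tooling) reads the JSON printed by `oci iam user api-key list --user-id <user_OCID>`, selects keys created 90 or more days ago, and renders the delete command for each so it can be reviewed before running. The sample JSON, OCID and fingerprints are constructed placeholders, and the field names `user-id`, `fingerprint` and `time-created` are assumed to match the CLI's JSON output.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # threshold stated by the control

# Constructed sample in the shape of `oci iam user api-key list` output;
# the OCID and fingerprints are placeholders, not real values.
SAMPLE_CLI_JSON = """
{"data": [
  {"user-id": "ocid1.user.oc1..exampleuser", "fingerprint": "11:11:11:11",
   "time-created": "2023-01-15T08:30:00.000000+00:00"},
  {"user-id": "ocid1.user.oc1..exampleuser", "fingerprint": "22:22:22:22",
   "time-created": "2024-03-03T00:00:00.000000+00:00"},
  {"user-id": "ocid1.user.oc1..exampleuser", "fingerprint": "33:33:33:33",
   "time-created": "2024-03-04T00:00:00.000000+00:00"}
]}
"""


def parse_created(value):
    """Parse an ISO 8601 timestamp; treat a missing offset as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def stale_keys(cli_json, now, max_age=MAX_AGE):
    """Return (user_id, fingerprint, age_in_days) for keys aged max_age or more."""
    if not cli_json.strip():  # treat empty input as "no keys"
        return []
    stale = []
    for key in json.loads(cli_json).get("data", []):
        age = now - parse_created(key["time-created"])
        if age >= max_age:  # "90 days or older" includes the boundary
            stale.append((key["user-id"], key["fingerprint"], age.days))
    return stale


def delete_commands(stale):
    """Render the delete command for each stale key, for review before running."""
    return [
        f"oci iam user api-key delete --user-id {user} --fingerprint {fp}"
        for user, fp, _ in stale
    ]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for cmd in delete_commands(stale_keys(SAMPLE_CLI_JSON, now)):
        print(cmd)
```

Pass `datetime.now(timezone.utc)` as `now` when running it against real CLI output.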
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v110_1_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v110_1_8 --share
SQL
This control uses a named query:
identity_user_api_key_age_90