turbot/oci_compliance

Control: 1.9 Ensure user customer secret keys rotate within 90 days or less

Description

Object Storage provides an API to enable interoperability with Amazon S3. To use this Amazon S3 Compatibility API, you need to generate the signing key required to authenticate with Amazon S3. This special signing key is an Access Key/Secret Key pair. Oracle generates the Customer Secret key to pair with the Access Key.

Remediation

OCI Native IAM

From Console

  1. Login to OCI Console.
  2. Select Identity from the Services menu.
  3. Select Users from the Identity menu.
  4. Click on an individual user under the Name heading.
  5. Click on Customer Secret Keys in the lower left-hand corner of the page.
  6. Delete any Access Keys with a date of 90 days or older under the Created column of the Customer Secret Keys.

From Command Line

  1. Execute the following:
oci iam customer-secret-key delete --user-id <user_OCID> --customer-secretkey-id <id from above>
  1. You will then be prompted with the below:
Are you sure you want to delete this resource? [y/N]
  1. Type 'y' and press 'Enter'.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_1_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_1_9 --share

SQL

This control uses a named query:

identity_user_customer_secret_key_age_90

Tags