Control: 1.11 Ensure API keys are not created for tenancy administrator users
Description
Tenancy administrator users have full access to the organization's OCI tenancy. API keys associated with user accounts are used for invoking the OCI APIs via custom programs or clients like CLI/SDKs. The clients are typically used for performing day-to-day operations and should never require full tenancy access. Service-level administrative users with API keys should be used instead.
Remediation
OCI Native IAM
From Console
- Login to OCI Console
- Select Identity from Services menu.
- Select Users from Identity menu.
- For each tenancy administrator user who has an API key, select API Keys from the menu in the lower left-hand corner.
- Delete any associated keys from the API Keys table.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v120_1_11
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v120_1_11 --share
SQL
This control uses a named query:
with administrators_users as (
  -- Users considered tenancy administrators: members of the Administrators group,
  -- plus (as this query is written) every federated user (identity_provider_id set).
  -- distinct avoids one row per group membership for federated users.
  select distinct
    a.name as admin_user_name
  from
    oci_identity_user a,
    jsonb_array_elements(a.user_groups) as user_group
    inner join oci_identity_group b on (b.id = user_group ->> 'groupId')
  where
    b.name = 'Administrators'
    or a.identity_provider_id is not null
)
select
  a.id as resource,
  case
    -- Alarm only when the user is an administrator (matched through the CTE join)
    -- and holds an API key; a non-administrator with a key is out of scope here.
    when b.admin_user_name is not null and c.user_name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when b.admin_user_name is not null and c.user_name is not null then a.name || ' is a tenancy administrator with an API key.'
    when c.user_name is not null then a.name || ' has an API key but is not a tenancy administrator.'
    else a.name || ' has no API key.'
  end as reason,
  a.tenant_name as tenant
from
  oci_identity_user a
  left join administrators_users b on a.name = b.admin_user_name
  left join oci_identity_api_key c on a.name = c.user_name;
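The following is an added example, not code from the Powerpipe mod or from Oracle. It re-implements the control's rule (an alarm only for a user who is both a tenancy administrator and an API key holder) over a constructed inventory so the logic of the named query and the remediation above can be checked offline, then emits the OCI CLI commands that would delete the offending keys. The users, groups, OCIDs and fingerprints are made up; the `oci iam user api-key delete --user-id ... --fingerprint ... --force` command shape is the real CLI's, but the script only prints the commands, it does not run them.

```python
"""Offline model of CIS OCI 1.11: tenancy administrators must not hold API keys.

Added example, not part of the Powerpipe mod. It mirrors the named query's
logic over constructed inventory and prints the remediation commands.
"""
from dataclasses import dataclass, field
from typing import Optional

ADMIN_GROUP = "Administrators"  # the group name the query matches on


@dataclass
class User:
    id: str
    name: str
    tenant_name: str
    group_ids: list = field(default_factory=list)   # user_groups[].groupId
    identity_provider_id: Optional[str] = None      # set for federated users


@dataclass
class ApiKey:
    user_name: str
    fingerprint: str


def administrator_user_names(users, groups):
    """Mirror of the administrators_users CTE.

    groups maps group id -> group name. A user counts as an administrator when
    they belong to the Administrators group or, as the query is written, when
    they are federated (identity_provider_id is not null).
    """
    return {
        u.name
        for u in users
        if any(groups.get(gid) == ADMIN_GROUP for gid in u.group_ids)
        or u.identity_provider_id is not None
    }


def evaluate(users, groups, api_keys):
    """One row per user with the same columns the control reports.

    Only a user who is both an administrator and an API key holder is alarmed;
    a non-administrator with a key is out of scope for this control.
    """
    admins = administrator_user_names(users, groups)
    keyed = {k.user_name for k in api_keys}
    rows = []
    for u in users:
        if u.name in admins and u.name in keyed:
            status, reason = "alarm", f"{u.name} is a tenancy administrator with an API key."
        elif u.name in admins:
            status, reason = "ok", f"{u.name} is a tenancy administrator with no API key."
        else:
            status, reason = "ok", f"{u.name} is not a tenancy administrator."
        rows.append({"resource": u.id, "status": status, "reason": reason, "tenant": u.tenant_name})
    return rows


def remediation_commands(users, groups, api_keys):
    """OCI CLI commands deleting every API key held by an alarmed user.

    --force skips the interactive confirmation; review the list before running.
    """
    alarmed = {r["resource"] for r in evaluate(users, groups, api_keys) if r["status"] == "alarm"}
    name_to_id = {u.name: u.id for u in users}
    return [
        f"oci iam user api-key delete --user-id {name_to_id[k.user_name]} "
        f"--fingerprint {k.fingerprint} --force"
        for k in api_keys
        if name_to_id.get(k.user_name) in alarmed
    ]


# Constructed sample inventory (not real OCIDs or fingerprints).
GROUPS = {"ocid1.group.oc1..admins": "Administrators", "ocid1.group.oc1..devs": "Developers"}
USERS = [
    User("ocid1.user.oc1..alice", "alice", "acme", ["ocid1.group.oc1..admins"]),
    User("ocid1.user.oc1..bob", "bob", "acme", ["ocid1.group.oc1..admins"]),
    User("ocid1.user.oc1..carol", "carol", "acme", ["ocid1.group.oc1..devs"]),
    User("ocid1.user.oc1..dave", "dave", "acme", [], identity_provider_id="ocid1.saml2idp.oc1..corp"),
]
API_KEYS = [
    ApiKey("alice", "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99"),
    ApiKey("carol", "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00"),
    ApiKey("dave", "99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa"),
]

if __name__ == "__main__":
    for row in evaluate(USERS, GROUPS, API_KEYS):
        print(row["status"], row["reason"])
    for cmd in remediation_commands(USERS, GROUPS, API_KEYS):
        print(cmd)
```

With the sample data, alice (Administrators member with a key) and dave (federated user with a key, which the query's CTE also treats as an administrator) are alarmed; carol's key is ignored because she is not an administrator, and bob is an administrator with no key. Note the federated-user clause: if your tenancy federates ordinary users, every one of them with an API key will alarm under this query, so review that clause against your own identity design before acting on the output.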