Control: 1.10 Ensure user auth tokens rotate within 90 days or less
Description
Auth tokens are authentication tokens generated by Oracle. You use auth tokens to authenticate with APIs that do not support the Oracle Cloud Infrastructure signature-based authentication. If the service requires an auth token, the service-specific documentation instructs you to generate one and how to use it.
It is important to secure and rotate an auth token every 90 days or less, because it grants the same level of access to APIs that do not support OCI signature-based authentication as the user it is associated with.
Remediation
OCI IAM without Identity Domains
From Console
- Log in to the OCI Console.
- Select Identity from the Services menu.
- Select Users from the Identity menu.
- Click on an individual user under the Name heading.
- Click on Auth Tokens in the lower left-hand corner of the page.
- Delete any auth token with a date of 90 days or older under the Created column of the Auth Tokens.
From CLI
- Execute the following:
oci iam auth-token delete --user-id <user_OCID> --auth-token-id <id from above>
- You will then be prompted with the below:
Are you sure you want to delete this resource? [y/N]
- Type 'y' and press 'Enter'.
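The 90-day age check behind this control, as an added example (not part of the original page, the OCI CLI or the Powerpipe mod): it parses the JSON that `oci iam auth-token list --user-id <user_OCID>` prints, flags tokens at or past 90 days, and builds the delete command from the remediation above for each one. The JSON key names (`data`, `id`, `user-id`, `time-created`) and the sample OCIDs are assumptions; check the key names against your own CLI output before relying on it.

```python
# Added example: flag OCI auth tokens at or past 90 days from the JSON that
# `oci iam auth-token list --user-id <user_OCID>` prints. Key names are
# assumed from the CLI's hyphenated JSON style; verify against real output.
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 90

# Constructed sample output (OCIDs are placeholders, not real identifiers).
SAMPLE_LIST_OUTPUT = json.dumps({"data": [
    {"id": "ocid1.credential.oc1..example-old",
     "user-id": "ocid1.user.oc1..example-user",
     "time-created": "2023-01-15T10:00:00.000000+00:00"},
    {"id": "ocid1.credential.oc1..example-new",
     "user-id": "ocid1.user.oc1..example-user",
     "time-created": "2023-06-01T10:00:00.000000+00:00"},
]})


def stale_tokens(list_output, now_iso, max_age_days=MAX_AGE_DAYS):
    """Return [{id, age_days, remediation}] for tokens aged >= max_age_days.

    `now_iso` is the evaluation time as an ISO-8601 string so that runs are
    reproducible; naive timestamps on either side are treated as UTC.
    """
    now = _as_utc(datetime.fromisoformat(now_iso))
    findings = []
    for tok in json.loads(list_output)["data"]:
        age_days = (now - _as_utc(datetime.fromisoformat(tok["time-created"]))).days
        if age_days >= max_age_days:
            findings.append({
                "id": tok["id"],
                "age_days": age_days,
                # Same command as the CLI remediation step, filled in.
                "remediation": (f"oci iam auth-token delete --user-id {tok['user-id']} "
                                f"--auth-token-id {tok['id']}"),
            })
    return findings


def _as_utc(ts):
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    for f in stale_tokens(SAMPLE_LIST_OUTPUT, datetime.now(timezone.utc).isoformat()):
        print(f"{f['id']} is {f['age_days']} days old -> {f['remediation']}")
```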
OCI IAM with Identity Domains
From Console
- Log in to the OCI Console.
- Select Identity & Security from the Services menu.
- Select Domains from the Identity menu.
- For each domain listed, click on the name and select Users.
- Click on an individual user under the Username heading.
- Click on Auth Tokens in the lower left-hand corner of the page.
- Delete any auth token with a date older than 90 days under the Created column of the Customer Secret Keys.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_10
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_10 --share
SQL
This control uses a named query:
identity_auth_token_age_90