Control: 1.11 Ensure user IAM Database Passwords rotate within 90 days
Description
Users can create and manage their database password in their IAM user profile and use that password to authenticate to databases in their tenancy. An IAM database password is a different password than an OCI Console password. Setting an IAM database password allows an authorized IAM user to sign in to one or more Autonomous Databases in their tenancy.
It is important to secure an IAM Database password and rotate it every 90 days or less, as it provides the same access the user would have using a local database user.
Remediation
OCI IAM without Identity Domains
From Console
- Login to OCI Console.
- Select Identity & Security from the Services menu.
- Select Users from the Identity menu.
- Click on an individual user under the Name heading.
- Click on Database Passwords in the lower left-hand corner of the page.
- Ensure the date of the Database Passwords under the Created column of the Database Passwords is no more than 90 days old.
From CLI
- Execute the following:
oci iam user list-db-credentials --user-id <user-ocid> --output table --query "data[*].{description:description, Created:\"time-created\", id:id}"
- You will then be prompted with the below:
Are you sure you want to delete this resource? [y/N]
- Type 'y' and press 'Enter'
OCI IAM with Identity Domains
From Console
- Login to OCI Console.
- Select Identity & Security from the Services menu.
- Select Domains from the Identity menu.
- For each domain listed, click on the name and select Users.
- Click on an individual user under the Username heading.
- Click on IAM Database Passwords in the lower left-hand corner of the page.
- Delete any Database Passwords with a date older than 90 days under the Created column of the Database Passwords.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_11
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_11 --share
SQL
This control uses a named query:
identity_user_db_credential_age_90