Control: 1.12 Ensure API keys are not created for tenancy administrator users
Description
Tenancy administrator users have full access to the organization's OCI tenancy. API keys associated with user accounts are used for invoking the OCI APIs via custom programs or clients like CLI/SDKs. The clients are typically used for performing day-to-day operations and should never require full tenancy access. Service-level administrative users with API keys should be used instead.
For performing day-to-day operations tenancy administrator access is not needed. Service-level administrative users with API keys should be used to apply privileged security principle.
Remediation
From Console
- Login to OCI Console.
- Select
Identity
from Services menu. - Select
Users
from Identity menu, or selectDomains
, select a domain, and selectUsers
. - Select the username of a tenancy administrator user with an API key.
- Select
API Keys
from the menu in the lower left-hand corner. - Delete any associated keys from the
API Keys
table. - Repeat steps 3-6 for all tenancy administrator users with an API key.
From CLI
- For each tenancy administrator user with an API key, execute the following command to retrieve API key details:
oci iam user api-key list --user-id <user_id>
- For each API key, execute the following command to delete the key:
oci iam user api-key delete --user-id <user_id> --fingerprint <api_key_fingerprint>
- The following message will be displayed:
Are you sure you want to delete this resource? [y/N]:
- Type 'y' and press 'Enter'.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_12
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v200_1_12 --share
SQL
This control uses a named query:
identity_administrator_user_with_no_api_key