turbot/steampipe-mod-oci-compliance

Control: 1.12 Ensure API keys are not created for tenancy administrator users

Description

Tenancy administrator users have full access to the organization's OCI tenancy. API keys associated with user accounts are used for invoking the OCI APIs via custom programs or clients like CLI/SDKs. The clients are typically used for performing day-to-day operations and should never require full tenancy access. Service-level administrative users with API keys should be used instead.

Tenancy administrator access is not needed for day-to-day operations. Service-level administrative users with API keys should be used instead, so that automation runs with the least privilege it requires.

Remediation

From Console

  1. Log in to the OCI Console.
  2. Select Identity from the Services menu.
  3. Select Users from Identity menu, or select Domains, select a domain, and select Users.
  4. Select the username of a tenancy administrator user with an API key.
  5. Select API Keys from the menu in the lower left-hand corner.
  6. Delete any associated keys from the API Keys table.
  7. Repeat steps 3-6 for all tenancy administrator users with an API key.

From CLI

  1. For each tenancy administrator user with an API key, execute the following command to retrieve API key details:
oci iam user api-key list --user-id <user_id>
  2. For each API key, execute the following command to delete the key:
oci iam user api-key delete --user-id <user_id> --fingerprint <api_key_fingerprint>
  3. The following message will be displayed:
Are you sure you want to delete this resource? [y/N]:
  4. Type 'y' and press 'Enter'.
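The CLI steps above are repeated once per administrator and once per key. As an added example (not code from the mod or the CIS benchmark), this Python helper takes the JSON that `oci iam user api-key list --user-id <user_id>` prints and builds the matching delete commands, skipping keys whose lifecycle state is already DELETED; the OCIDs and fingerprints in the sample are constructed placeholders.

```python
"""Turn `oci iam user api-key list` output into the remediation commands."""
import json
import shlex

# Constructed sample of the CLI's JSON output (kebab-case keys as the OCI CLI
# prints them). OCIDs and fingerprints are placeholders, not real values.
SAMPLE_API_KEY_LIST = json.dumps({
    "data": [
        {
            "fingerprint": "12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef",
            "lifecycle-state": "ACTIVE",
            "user-id": "ocid1.user.oc1..EXAMPLE_ADMIN",
        },
        {
            "fingerprint": "ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90",
            "lifecycle-state": "DELETED",  # already removed; must not be deleted again
            "user-id": "ocid1.user.oc1..EXAMPLE_ADMIN",
        },
    ]
})


def active_fingerprints(api_key_list_json: str) -> list[str]:
    """Return fingerprints of keys that are still usable (lifecycle-state ACTIVE).

    `data` may be missing or null when the user has no keys at all.
    """
    keys = json.loads(api_key_list_json).get("data") or []
    return [k["fingerprint"] for k in keys if k.get("lifecycle-state") == "ACTIVE"]


def delete_commands(user_id: str, api_key_list_json: str) -> list[str]:
    """Build one `oci iam user api-key delete` command per active key.

    --force suppresses the 'Are you sure you want to delete this resource? [y/N]:'
    prompt so the commands can run unattended; drop it to keep the confirmation.
    """
    return [
        "oci iam user api-key delete "
        + shlex.join(["--user-id", user_id, "--fingerprint", fp, "--force"])
        for fp in active_fingerprints(api_key_list_json)
    ]


if __name__ == "__main__":
    # Print the plan rather than executing it, so it can be reviewed first.
    for cmd in delete_commands("ocid1.user.oc1..EXAMPLE_ADMIN", SAMPLE_API_KEY_LIST):
        print(cmd)
```

Feed the helper the real output of the list command for each user the SQL control reports in alarm, and review the printed plan before running it.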

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_1_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_12 --share

SQL

This control uses a named query:

-- Users treated as tenancy administrators: members of the Administrators
-- group, plus federated users (identity_provider_id set). distinct avoids
-- one row per group membership for federated users.
with administrators_users as (
  select distinct
    a.name as admin_user_name
  from
    oci_identity_user a,
    jsonb_array_elements(a.user_groups) as user_group
    inner join oci_identity_group b on (b.id = user_group ->> 'groupId')
  where
    b.name = 'Administrators' or a.identity_provider_id is not null
)
select
  a.id as resource,
  case
    when c.user_name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when c.user_name is not null then a.name || ' has API Key.'
    else a.name || ' has no API Key.'
  end as reason,
  a.tenant_name as tenant
from
  oci_identity_user a
  left join administrators_users b on a.name = b.admin_user_name
  left join oci_identity_api_key c on a.name = c.user_name
where
  -- Only evaluate tenancy administrators; non-admin users with API keys
  -- are outside the scope of this control.
  b.admin_user_name is not null;

Tags