Control: 1.14 Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources
Description
OCI instances, OCI databases and OCI Functions can access other OCI resources either via an OCI API key associated with a user or via Instance Principal. Instance Principal authentication can be achieved by including the resource in a Dynamic Group that has an IAM policy granting it the required access, or by using an OCI IAM policy that has request.principal added to the where clause. Access to OCI resources refers to making API calls to another OCI resource, such as Object Storage or OCI Vault.
Instance Principal reduces the risks related to hard-coded credentials. Hard-coded API keys can be shared and require rotation, which exposes them to compromise. Compromised credentials could allow access to OCI services outside the expected blast radius.
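Both remediation patterns from the description, expressed as Terraform for the OCI provider. This is an added example, not part of the CIS control text or the oci_compliance mod; it assumes an existing provider configuration, and the variable names, group and policy names and compartment OCIDs are placeholders.

```hcl
# Added example (not from the CIS control or the oci_compliance mod).
# Assumes a configured OCI Terraform provider; OCIDs below are placeholders.
variable "tenancy_ocid"         { type = string }
variable "app_compartment_ocid" { type = string } # compartment holding the instances/functions

# Pattern 1: Dynamic Group membership is computed from resource attributes,
# so no API key is ever generated, copied onto the instance or rotated.
resource "oci_identity_dynamic_group" "app_instances" {
  compartment_id = var.tenancy_ocid # dynamic groups are always created in the tenancy root
  name           = "app-instances-dg"
  description    = "Compute instances in the app compartment"
  # Matching rule: any instance launched in the app compartment.
  matching_rule  = "Any {instance.compartment.id = '${var.app_compartment_ocid}'}"
}

# Least-privilege grant for that group: read objects in one compartment,
# not manage all-resources in tenancy.
resource "oci_identity_policy" "app_instances_object_read" {
  compartment_id = var.app_compartment_ocid
  name           = "app-instances-object-read"
  description    = "Allow app instances to read Object Storage via Instance Principal"
  statements = [
    "Allow dynamic-group ${oci_identity_dynamic_group.app_instances.name} to read objects in compartment id ${var.app_compartment_ocid}",
  ]
}

# Pattern 2: no Dynamic Group; the caller is matched with request.principal
# in the where clause. Keep the ALL {...} condition: "any-user" without a
# where clause would grant every principal in the tenancy.
resource "oci_identity_policy" "functions_object_read" {
  compartment_id = var.app_compartment_ocid
  name           = "functions-object-read"
  description    = "Allow OCI Functions in this compartment to read objects"
  statements = [
    "Allow any-user to read objects in compartment id ${var.app_compartment_ocid} where ALL {request.principal.type = 'fnfunc', request.principal.compartment.id = '${var.app_compartment_ocid}'}",
  ]
}
```

After applying, the control can be re-run to confirm the instances, databases and functions in scope no longer rely on user API keys.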
Remediation
OCI IAM without Identity Domains
From Console
- Go to https://cloud.oracle.com/identity/dynamicgroups.
- Select Dynamic Groups from the Identity menu.
- Click Create Dynamic Group.
- Enter a Name.
- Enter a Description.
- Enter Matching Rules that include the instances accessing your OCI resources.
- Click Create.
OCI IAM with Identity Domains
From Console (Dynamic Groups):
- Go to https://cloud.oracle.com/identity/domains/.
- Select a Compartment.
- Click on the Domain.
- Click on Dynamic groups.
- Click Create Dynamic Group.
- Enter a Name.
- Enter a Description.
- Enter Matching Rules that include the instances accessing your OCI resources.
- Click Create.
Usage
Run the control in your terminal:

```sh
powerpipe control run oci_compliance.control.cis_v200_1_14
```

Snapshot and share results via Turbot Pipes:

```sh
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_14 --share
```
SQL
This control uses a named query:
manual_control