Control: 1.8 Ensure user API keys rotate within 90 days

Description

API keys are used by administrators, developers, services and scripts for accessing OCI APIs directly or via SDKs/OCI CLI to search, create update or delete OCI resources.

The API key is an RSA key pair. The private key is used for signing the API requests and the public key is associated with a local or synchronized user's profile.

It is important to secure and rotate an API key every 90 days or less as it provides the same level of access that a user it is associated with has.

In addition to a security engineering best practice, this is also a compliance requirement. For example, PCI-DSS Section 3.6.4 states, "Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined crypto period(s)."

Remediation

From Console

1. Login to OCI Console.
2. Select Identity & Security from the Services menu.
3. Select Domains from the Identity menu.
4. For each domain listed, click on the name and select Users.
5. Click on an individual user under the Name heading.
6. Click on API Keys in the lower left-hand corner of the page.
7. Delete any API Keys that are older than 90 days under the Created column of the API Key table.

From CLI:

oci iam user api-key delete --user-id _<user_ocid>_ --fingerprint <fingerprint_of_the_key_to_be_deleted>