turbot/oci_compliance

Control: 1.9 Ensure user customer secret keys rotate every 90 days

Description

Object Storage provides an API to enable interoperability with Amazon S3. To use this Amazon S3 Compatibility API, you need to generate the signing key required to authenticate with Amazon S3.

This special signing key is an Access Key/Secret Key pair. Oracle generates the Customer Secret key to pair with the Access Key.

It is important to rotate customer secret keys at least every 90 days, as they provide the same level of object storage access that the user they are associated with has.

Remediation

OCI IAM without Identity Domains

From Console

  1. Login to OCI Console.
  2. Select Identity from the Services menu.
  3. Select Users from the Identity menu.
  4. Click on an individual user under the Name heading.
  5. Click on Customer Secret Keys in the lower left-hand corner of the page.
  6. Delete any Access Keys with a date of 90 days or older under the Created column of the Customer Secret Keys.

From CLI:

  1. Execute the following (the OCI CLI flag for the key is --customer-secret-key-id):
oci iam customer-secret-key delete --user-id <user_OCID> --customer-secret-key-id <id from above>
  2. You will then be prompted with the below:
Are you sure you want to delete this resource? [y/N]
  3. Type 'y' and press 'Enter'.
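The console and CLI steps above leave the age check to the operator. The following added example (not part of the oci_compliance mod or the CIS benchmark) shows how that check can be automated: it parses the JSON that `oci iam customer-secret-key list --user-id <user_OCID>` returns, flags ACTIVE keys whose age is 90 days or more, and prints the matching delete command for each. The sample output embedded below is constructed, and every OCID in it is a placeholder; the JSON field names (`id`, `user-id`, `display-name`, `lifecycle-state`, `time-created`) are assumed to match the CLI's output shape.

```python
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 90

# Constructed sample of `oci iam customer-secret-key list --user-id <user_OCID>` output.
# OCIDs are placeholders, not real identifiers.
SAMPLE_LIST_OUTPUT = json.dumps({
    "data": [
        {"id": "ocid1.credential.oc1..examplekeyold",
         "user-id": "ocid1.user.oc1..exampleuser",
         "display-name": "s3-backup-key", "lifecycle-state": "ACTIVE",
         "time-created": "2023-01-15T10:22:31.000+00:00"},
        {"id": "ocid1.credential.oc1..examplekeynew",
         "user-id": "ocid1.user.oc1..exampleuser",
         "display-name": "s3-etl-key", "lifecycle-state": "ACTIVE",
         "time-created": "2024-03-01T08:00:00.000+00:00"},
        {"id": "ocid1.credential.oc1..examplekeyboundary",
         "user-id": "ocid1.user.oc1..exampleuser",
         "display-name": "s3-archive-key", "lifecycle-state": "ACTIVE",
         "time-created": "2024-01-02T00:00:00.000Z"},
        {"id": "ocid1.credential.oc1..examplekeydeleted",
         "user-id": "ocid1.user.oc1..exampleuser",
         "display-name": "s3-old-key", "lifecycle-state": "DELETED",
         "time-created": "2022-06-01T12:00:00.000+00:00"},
    ]
})


def parse_oci_time(value):
    """Parse an OCI CLI timestamp into an aware datetime; tolerate a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def stale_keys(list_output_json, now=None, max_age_days=MAX_AGE_DAYS):
    """Return ACTIVE keys whose age in whole days is >= max_age_days.

    `now` may be None (use the current UTC time), an aware datetime, or an
    ISO-8601 string; a fixed value makes the check reproducible.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_oci_time(now)
    findings = []
    for key in json.loads(list_output_json)["data"]:
        if key.get("lifecycle-state") != "ACTIVE":
            continue  # deleted or inactive keys cannot sign requests; nothing to rotate
        age_days = (now - parse_oci_time(key["time-created"])).days
        if age_days >= max_age_days:
            findings.append({
                "id": key["id"],
                "user_id": key["user-id"],
                "display_name": key.get("display-name", ""),
                "age_days": age_days,
            })
    return findings


def remediation_commands(findings):
    """Build the `oci iam customer-secret-key delete` command for each stale key."""
    return [
        f"oci iam customer-secret-key delete --user-id {f['user_id']} "
        f"--customer-secret-key-id {f['id']}"
        for f in findings
    ]


if __name__ == "__main__":
    findings = stale_keys(SAMPLE_LIST_OUTPUT, now="2024-04-01T00:00:00+00:00")
    for f in findings:
        print(f"{f['display_name']} ({f['id']}) is {f['age_days']} days old")
    for cmd in remediation_commands(findings):
        print(cmd)
```

A key created exactly 90 days before the reference time is flagged, matching the "90 days or older" wording of the console step; pass a different `max_age_days` to tighten or relax the threshold. Keys in any state other than ACTIVE are skipped so that already-deleted keys do not produce noise.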

OCI IAM with Identity Domains

From Console:

  1. Login to OCI Console.
  2. Select Identity & Security from the Services menu.
  3. Select Domains from the Identity menu.
  4. For each domain listed, click on the name and select Users.
  5. Click on an individual user under the Username heading.
  6. Click on Customer Secret Keys in the lower left-hand corner of the page.
  7. Delete any Access Keys with a date older than 90 days under the Created column of the Customer Secret Keys.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_1_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_9 --share

SQL

This control uses a named query:

identity_user_customer_secret_key_age_90

Tags