Benchmark: 1 Identity and Access Management
Overview
This section contains recommendations for configuring identity and access management related options.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-oci-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1 Identity and Access Management.
Run this benchmark in your terminal:
powerpipe benchmark run oci_compliance.benchmark.cis_v120_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run oci_compliance.benchmark.cis_v120_1 --share
Controls
- 1.1 Ensure service level admins are created to manage resources of particular service
- 1.2 Ensure permissions on all resources are given only to the tenancy administrator group
- 1.3 Ensure IAM administrators cannot update tenancy Administrators group
- 1.4 Ensure IAM password policy requires minimum length of 14 or greater
- 1.5 Ensure IAM password policy expires passwords within 365 days
- 1.6 Ensure IAM password policy prevents password reuse
- 1.7 Ensure MFA is enabled for all users with a console password
- 1.8 Ensure user API keys rotate within 90 days or less
- 1.9 Ensure user customer secret keys rotate within 90 days or less
- 1.10 Ensure user auth tokens rotate within 90 days or less
- 1.11 Ensure API keys are not created for tenancy administrator users
- 1.12 Ensure all OCI IAM user accounts have a valid and current email address
- 1.13 Ensure Dynamic Groups are used for OCI instances, OCI Cloud Databases and OCI Function to access OCI resources
- 1.14 Ensure storage service-level admins cannot delete resources they manage