Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-oci-compliance
Overview
3Dashboards
133Benchmarks
43Queries
2Variables
GitHub

Control: 1.8 Ensure user API keys rotate within 90 days or less

Description

API keys are used by administrators, developers, services and scripts for accessing OCI APIs directly or via SDKs/OCI CLI to search, create update or delete OCI resources. The API key is an RSA key pair. The private key is used for signing the API requests and the public key is associated with a local or synchronized user's profile.

Remediation

OCI Native IAM

From Console

  1. Login to OCI Console.
  2. Select Identity from the Services menu.
  3. Select Users from the Identity menu.
  4. Click on an individual user under the Name heading.
  5. Click on API Keys in the lower left-hand corner of the page.
  6. Delete any API Keys with a date of 90 days or older under the Created column of the API Key table.

From Command Line

Execute the following:

oci iam user api-key delete --user-id _<user_OCID>_ --fingerprint <fingerprint_of_the_key_to_be_deleted>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_1_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_1_8 --share

SQL

This control uses a named query:

select
  user_id as resource,
  case
    when time_created <= (current_date - interval '90' day) then 'alarm'
    else 'ok'
  end as status,
  user_name || ' API key' || ' created ' || to_char(time_created , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - time_created) || ' days).'
  as reason
  , tenant_name as tenant
from
  oci_identity_api_key

Tags

category = Compliance
cis = true
cis_item_id = 1.8
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v1.1.0
plugin = oci
service = OCI/Identity