turbot/steampipe-mod-oci-compliance

Control: 1.11 Ensure user IAM Database Passwords rotate within 90 days

Description

Users can create and manage their database password in their IAM user profile and use that password to authenticate to databases in their tenancy. An IAM database password is a different password than an OCI Console password. Setting an IAM database password allows an authorized IAM user to sign in to one or more Autonomous Databases in their tenancy.


It is important to secure an IAM Database password and rotate it every 90 days or less, as it provides the same access the user would have using a local database user.

Remediation

OCI IAM with Identity Domains

From Console

  1. Log in to the OCI Console.
  2. Select Identity & Security from the Services menu.
  3. Select Domains from the Identity menu.
  4. For each domain listed, click on the name and select Users.
  5. Click on an individual user under the Username heading.
  6. Click on IAM Database Passwords in the lower left-hand corner of the page.
  7. Delete any Database Passwords with a date older than 90 days under the Created column of the Database Passwords.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v300_1_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v300_1_11 --share

SQL

This control uses a named query:

select
  id as resource,
  case
    -- a credential created on or before midnight 90 days ago is overdue for rotation
    when time_created <= (current_date - interval '90' day) then 'alarm'
    else 'ok'
  end as status,
  title || ' database password created ' || to_char(time_created, 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - time_created) || ' days).' as reason,
  tenant_name as tenant
from
  oci_identity_db_credential;
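To show what the query's age check actually does at the boundary, here is an added Python mirror of the control logic run over constructed credential rows (example code written for this page, not part of the steampipe-mod-oci-compliance project). The `SAMPLE_CREDENTIALS` rows, their `id` values and the fixed `now` timestamp are assumptions; the column names follow the `oci_identity_db_credential` table the query selects from. The comparison reproduces the SQL exactly: `current_date - interval '90' day` is a timestamp at midnight, so a credential created 90 days ago at 09:00 still evaluates to `ok`, while one created at or before that midnight is `alarm`.

```python
from datetime import datetime, time, timedelta, timezone

# Rotation limit named in the control (CIS 1.11): 90 days.
ROTATION_MAX_DAYS = 90

# Constructed sample rows shaped like oci_identity_db_credential (assumed values).
SAMPLE_CREDENTIALS = [
    {"id": "ocid1.credential.oc1..fresh", "title": "alice-db",
     "time_created": datetime(2024, 6, 20, 8, 0, tzinfo=timezone.utc),
     "tenant_name": "example-tenancy"},
    {"id": "ocid1.credential.oc1..boundary-midnight", "title": "bob-db",
     "time_created": datetime(2024, 4, 1, 0, 0, tzinfo=timezone.utc),
     "tenant_name": "example-tenancy"},
    {"id": "ocid1.credential.oc1..boundary-morning", "title": "carol-db",
     "time_created": datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc),
     "tenant_name": "example-tenancy"},
    {"id": "ocid1.credential.oc1..stale", "title": "dave-db",
     "time_created": datetime(2024, 3, 31, 8, 0, tzinfo=timezone.utc),
     "tenant_name": "example-tenancy"},
]


def rotation_cutoff(now: datetime) -> datetime:
    """Mirror of `current_date - interval '90' day`: midnight of today, minus 90 days."""
    midnight = datetime.combine(now.date(), time.min, tzinfo=now.tzinfo)
    return midnight - timedelta(days=ROTATION_MAX_DAYS)


def evaluate(cred: dict, now: datetime) -> dict:
    """Return one control result row (resource, status, reason, tenant) for a credential."""
    created = cred["time_created"]
    # `<=` matches the SQL: created exactly at the cutoff midnight is already 'alarm'.
    status = "alarm" if created <= rotation_cutoff(now) else "ok"
    # extract(day from current_timestamp - time_created) truncates to whole days, as timedelta.days does.
    age_days = (now - created).days
    reason = (f"{cred['title']} database password created "
              f"{created.strftime('%d-%b-%Y')} ({age_days} days).")
    return {"resource": cred["id"], "status": status,
            "reason": reason, "tenant": cred["tenant_name"]}


def run_control(credentials, now: datetime):
    """Evaluate every credential; returns the rows the SQL control would produce."""
    return [evaluate(c, now) for c in credentials]


if __name__ == "__main__":
    # Fixed evaluation time so the sample output is reproducible (assumed).
    NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
    for row in run_control(SAMPLE_CREDENTIALS, NOW):
        print(f"{row['status']:5}  {row['reason']}")
```

Running it against the constructed rows flags the credential created at the cutoff midnight and the 91-day-old one, and leaves the 90-days-ago-at-09:00 credential as `ok`; if that "same calendar day still passes" behaviour is not what your policy intends, the fix is in the SQL comparison, not in the remediation steps above.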

Tags