turbot/steampipe-mod-oci-compliance

Control: 1.16 Ensure OCI IAM credentials unused for 45 days or more are disabled

Description

OCI IAM Local users can access OCI resources using different credentials, such as passwords or API keys. It is recommended that credentials that have been unused for 45 days or more be deactivated or removed.

Disabling or removing unnecessary OCI IAM local users will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Remediation

From Console:

  1. Log in to the OCI Console.
  2. Select Identity & Security from the Services menu.
  3. Select Domains from the Identity menu.
  4. For each domain listed, click on the name and select Users.
  5. Click on an individual user under the Username heading.
  6. Click More action.
  7. Select Deactivate.

From CLI:

  1. Create an input.json:

     {
       "operations": [
         { "op": "replace", "path": "active", "value": false }
       ],
       "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
       "userId": "<user-ocid>"
     }

  2. Execute the below, pointing --from-json at the file created in step 1:

     oci identity-domains user patch --from-json file://input.json --endpoint <identity-domain-endpoint>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v300_1_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v300_1_16 --share

SQL

This control uses a named query:

select
  u.id as resource,
  case
    when u.user_type <> 'IAM' then 'skip'
    when coalesce(u.can_use_console_password, false)
      or coalesce(u.can_use_api_keys, false)
      or coalesce(u.can_use_auth_tokens, false)
      or coalesce(u.can_use_smtp_credentials, false)
      or coalesce(u.can_use_customer_secret_keys, false)
      or coalesce(u.can_use_o_auth2_client_credentials, false)
    then case
      when u.last_successful_login_time is null
        then 'alarm'
      when u.last_successful_login_time <= (current_timestamp - interval '45 day')
        then 'alarm'
      else 'ok'
    end
    else 'ok'
  end as status,
  case
    when u.user_type <> 'IAM' then name || ' is a federated user.'
    when not (
      coalesce(u.can_use_console_password, false)
      or coalesce(u.can_use_api_keys, false)
      or coalesce(u.can_use_auth_tokens, false)
      or coalesce(u.can_use_smtp_credentials, false)
      or coalesce(u.can_use_customer_secret_keys, false)
      or coalesce(u.can_use_o_auth2_client_credentials, false)
    ) then name || ' user all console/API credentials already disabled.'
    when u.last_successful_login_time is null
      then name || ' credentials enabled but has never logged in.'
    when u.last_successful_login_time <= (current_timestamp - interval '45 day')
      then name || ' credentials enabled and last successful login over 45 days ago.'
    else name || ' credentials enabled and last successful login within 45 days.'
  end as reason,
  tenant_name as tenant
from
  oci_identity_user u
where
  u.lifecycle_state = 'ACTIVE';
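The following Python is an added example, not code from the steampipe-mod-oci-compliance project. It reproduces the status/reason logic of the query above over a handful of constructed user records (placeholder OCIDs, a fixed clock, and a made-up non-IAM user_type value), so the edge cases are visible without a tenancy: a NULL last_successful_login_time alarms, a login exactly 45 days ago alarms because the query uses `<=`, a user whose credential flags are all NULL is `ok` via `coalesce(..., false)`, and non-ACTIVE users never reach the check because of the WHERE clause. It also builds the SCIM PatchOp body from the CLI remediation step for each alarmed user.

```python
"""Added example (not from the steampipe-mod-oci-compliance project): reproduces the
control's status/reason logic and builds the SCIM PatchOp payload used by the CLI
remediation step. All user records below are constructed sample data."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVITY_DAYS = 45  # threshold stated by the control
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass
class OciUser:
    """Subset of the oci_identity_user columns the query reads."""
    name: str
    id: str                      # user OCID (placeholders in the sample data)
    user_type: str               # 'IAM' for local users; anything else is treated as federated
    lifecycle_state: str = "ACTIVE"
    last_successful_login_time: Optional[datetime] = None
    # None models SQL NULL; coalesce(..., false) treats it as "disabled"
    can_use_console_password: Optional[bool] = None
    can_use_api_keys: Optional[bool] = None
    can_use_auth_tokens: Optional[bool] = None
    can_use_smtp_credentials: Optional[bool] = None
    can_use_customer_secret_keys: Optional[bool] = None
    can_use_o_auth2_client_credentials: Optional[bool] = None


def has_enabled_credentials(u: OciUser) -> bool:
    """Mirror of the OR-chain of coalesce(..., false) in the query."""
    return any(bool(flag) for flag in (
        u.can_use_console_password, u.can_use_api_keys, u.can_use_auth_tokens,
        u.can_use_smtp_credentials, u.can_use_customer_secret_keys,
        u.can_use_o_auth2_client_credentials))


def evaluate(u: OciUser, now: datetime) -> Tuple[str, str]:
    """Return (status, reason) in the same order the control's CASE expressions test."""
    if u.user_type != "IAM":
        return "skip", f"{u.name} is a federated user."
    if not has_enabled_credentials(u):
        return "ok", f"{u.name} user all console/API credentials already disabled."
    if u.last_successful_login_time is None:
        return "alarm", f"{u.name} credentials enabled but has never logged in."
    cutoff = now - timedelta(days=INACTIVITY_DAYS)
    if u.last_successful_login_time <= cutoff:  # '<=' means exactly 45 days also alarms
        return "alarm", (f"{u.name} credentials enabled and last successful login "
                         f"over {INACTIVITY_DAYS} days ago.")
    return "ok", (f"{u.name} credentials enabled and last successful login "
                  f"within {INACTIVITY_DAYS} days.")


def find_alarmed_users(users: List[OciUser], now: datetime) -> List[OciUser]:
    """Apply the query's WHERE filter (ACTIVE users only) and keep the alarm rows."""
    return [u for u in users
            if u.lifecycle_state == "ACTIVE" and evaluate(u, now)[0] == "alarm"]


def deactivation_patch(user_id: str) -> dict:
    """The input.json body from the CLI remediation step, for one user OCID."""
    return {
        "operations": [{"op": "replace", "path": "active", "value": False}],
        "schemas": [SCIM_PATCH_SCHEMA],
        "userId": user_id,
    }


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample users; OCIDs and the "FEDERATED" user_type are placeholders.
SAMPLE_USERS = [
    OciUser("alice", "ocid1.user.oc1..placeholder-alice", "IAM",
            last_successful_login_time=NOW - timedelta(days=60), can_use_api_keys=True),
    OciUser("bob", "ocid1.user.oc1..placeholder-bob", "IAM",
            last_successful_login_time=NOW - timedelta(days=10), can_use_console_password=True),
    OciUser("carol", "ocid1.user.oc1..placeholder-carol", "IAM",
            last_successful_login_time=None, can_use_auth_tokens=True),   # never logged in
    OciUser("dave", "ocid1.user.oc1..placeholder-dave", "FEDERATED",
            last_successful_login_time=NOW - timedelta(days=400)),        # skipped
    OciUser("erin", "ocid1.user.oc1..placeholder-erin", "IAM",
            last_successful_login_time=NOW - timedelta(days=100)),        # all flags NULL -> ok
    OciUser("frank", "ocid1.user.oc1..placeholder-frank", "IAM",
            last_successful_login_time=NOW - timedelta(days=45), can_use_smtp_credentials=True),
    OciUser("grace", "ocid1.user.oc1..placeholder-grace", "IAM",
            lifecycle_state="DELETED", can_use_api_keys=True),            # excluded by WHERE
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u.name, *evaluate(u, NOW))
    for u in find_alarmed_users(SAMPLE_USERS, NOW):
        print(json.dumps(deactivation_patch(u.id), indent=2))
```

Running it prints one status/reason line per sample user and then an input.json body for alice, carol and frank; grace is never evaluated because the WHERE clause in the query only considers ACTIVE users, and erin's NULL flags collapse to "already disabled" exactly as coalesce does in SQL.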

Tags