Control: 1.17 Ensure there is only one active API Key for any single OCI IAM user
Description
API Keys are long-term credentials for an OCI IAM user. They can be used to make programmatic requests to the OCI APIs directly, or via the OCI SDKs or the OCI CLI.
Having a single API Key per OCI IAM user reduces the attack surface and makes the credentials easier to manage: each user has exactly one long-lived key to track, rotate, or revoke.
Remediation
From Console:
- Log in to the OCI Console.
- Select Identity & Security from the Services menu.
- Select Domains from the Identity menu.
- For each domain listed, click on the name and select Users.
- Click on an individual user under the Name heading.
- Click on API Keys in the lower left-hand corner of the page.
- Delete one of the API Keys.
From CLI:
- Follow the audit procedure above.
- For each API Key ID to be removed, execute the following command:
```sh
oci identity-domains api-key delete --api-key-id <id> --endpoint <domainendpoint>
```
Default Value:
No API Keys
Usage
Run the control in your terminal:
```sh
powerpipe control run oci_compliance.control.cis_v300_1_17
```
Snapshot and share results via Turbot Pipes:
```sh
powerpipe login
powerpipe control run oci_compliance.control.cis_v300_1_17 --share
```
SQL
This control uses a named query. Federated (non-IAM) users are skipped, an IAM user with more than one active API key raises an alarm, and anything else is ok; only active users are evaluated, and only keys in the `ACTIVE` lifecycle state are counted:
```sql
with active_keys as (
  select
    user_id,
    count(*) as active_api_key_count
  from
    oci_identity_api_key
  where
    lifecycle_state = 'ACTIVE'
  group by
    user_id
)
select
  u.id as resource,
  case
    when u.user_type <> 'IAM' then 'skip'
    when coalesce(k.active_api_key_count, 0) > 1 then 'alarm'
    else 'ok'
  end as status,
  case
    when u.user_type <> 'IAM' then u.name || ' is a federated user.'
    when coalesce(k.active_api_key_count, 0) = 0 then u.name || ' has no active API keys.'
    when coalesce(k.active_api_key_count, 0) = 1 then u.name || ' has one active API key.'
    else format('%s has %s active API keys.', u.name, coalesce(k.active_api_key_count, 0))
  end as reason,
  u.tenant_name as tenant
from
  oci_identity_user u
  left join active_keys k on k.user_id = u.id
where
  u.lifecycle_state = 'ACTIVE';
```
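To see how the control's query classifies users before running it against a live tenancy, the following added example (not part of the Powerpipe mod or the page) loads the same query into an in-memory SQLite database with a constructed `oci_identity_user` and `oci_identity_api_key` table. The user OCIDs, names, key IDs and tenancy name are made-up sample data; the only change to the query is that Postgres's `format()` is replaced by SQLite's `printf()`, which has the same effect here. The sample covers each branch: an IAM user with two active keys (alarm), one with a single active key plus a deleted key (ok), one with no keys (ok), a deleted user (not evaluated), and a federated user with two active keys (skip).

```python
import sqlite3

# Constructed sample rows (hypothetical OCIDs and names, not real OCI data).
USERS = [
    # (id, name, user_type, lifecycle_state, tenant_name)
    ("ocid1.user.oc1..alice", "alice", "IAM", "ACTIVE", "example-tenancy"),
    ("ocid1.user.oc1..bob", "bob", "IAM", "ACTIVE", "example-tenancy"),
    ("ocid1.user.oc1..carol", "carol", "IAM", "ACTIVE", "example-tenancy"),
    ("ocid1.user.oc1..dave", "dave", "IAM", "DELETED", "example-tenancy"),
    ("ocid1.user.oc1..erin", "erin", "FEDERATED", "ACTIVE", "example-tenancy"),
]
API_KEYS = [
    # (key_id, user_id, lifecycle_state)
    ("key-a1", "ocid1.user.oc1..alice", "ACTIVE"),
    ("key-a2", "ocid1.user.oc1..alice", "ACTIVE"),   # second active key -> alarm
    ("key-b1", "ocid1.user.oc1..bob", "ACTIVE"),
    ("key-b2", "ocid1.user.oc1..bob", "DELETED"),    # deleted keys are not counted
    ("key-e1", "ocid1.user.oc1..erin", "ACTIVE"),
    ("key-e2", "ocid1.user.oc1..erin", "ACTIVE"),    # federated user -> skipped regardless
]

# The control's query, with format() swapped for SQLite's printf(); ordered for stable output.
CONTROL_QUERY = """
with active_keys as (
  select user_id, count(*) as active_api_key_count
  from oci_identity_api_key
  where lifecycle_state = 'ACTIVE'
  group by user_id
)
select
  u.id as resource,
  case
    when u.user_type <> 'IAM' then 'skip'
    when coalesce(k.active_api_key_count, 0) > 1 then 'alarm'
    else 'ok'
  end as status,
  case
    when u.user_type <> 'IAM' then u.name || ' is a federated user.'
    when coalesce(k.active_api_key_count, 0) = 0 then u.name || ' has no active API keys.'
    when coalesce(k.active_api_key_count, 0) = 1 then u.name || ' has one active API key.'
    else printf('%s has %d active API keys.', u.name, coalesce(k.active_api_key_count, 0))
  end as reason,
  u.tenant_name as tenant
from oci_identity_user u
left join active_keys k on k.user_id = u.id
where u.lifecycle_state = 'ACTIVE'
order by u.name;
"""


def build_db():
    """Create an in-memory database shaped like the two Steampipe tables the query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table oci_identity_user "
        "(id text primary key, name text, user_type text, lifecycle_state text, tenant_name text)"
    )
    conn.execute(
        "create table oci_identity_api_key (key_id text primary key, user_id text, lifecycle_state text)"
    )
    conn.executemany("insert into oci_identity_user values (?, ?, ?, ?, ?)", USERS)
    conn.executemany("insert into oci_identity_api_key values (?, ?, ?)", API_KEYS)
    return conn


def run_control(conn=None):
    """Run the control query and return one dict per evaluated user."""
    conn = conn or build_db()
    rows = conn.execute(CONTROL_QUERY).fetchall()
    return [{"resource": r[0], "status": r[1], "reason": r[2], "tenant": r[3]} for r in rows]


def summarize(results):
    """Count results per status, the way a control summary would report them."""
    counts = {"ok": 0, "alarm": 0, "skip": 0}
    for row in results:
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    findings = run_control()
    for f in findings:
        print(f"{f['status']:<5} {f['reason']}")
    print(summarize(findings))
```

Running it prints one line per active user (alice is the only alarm; dave is absent because deleted users fall outside the `where` clause) followed by the status counts. The same layout is useful when you extend the query, for example to flag a user whose single key is older than a rotation threshold, because the expected classification of each constructed row is known in advance.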