Oracle IAM Administrator User has an active API key
- Contextual name: IAM Administrator User has an active API key
- ID: /ce/ca/oracle/iam/administrator-user-has-active-api-key
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Description
This policy identifies active Oracle IAM users that are members of the tenancy Administrators group and have at least one active API key. OCI API keys are long-term credentials (an RSA key pair whose public half is registered on the user and identified by its fingerprint) used to sign programmatic requests to Oracle Cloud Infrastructure APIs.
Rationale
Tenancy administrator users have broad control over OCI resources and identity configuration. Keeping active API keys on these users creates durable programmatic access that can bypass interactive session controls and remain usable until the key is deleted. Removing API keys from administrator users reduces the impact of credential disclosure and encourages privileged operations to use tightly scoped identities.
Impact
Deleting an API key immediately invalidates every request signed with it, so it can disrupt applications, scripts, integrations, or users that still depend on that key for OCI API access. Before deleting the key, identify its owner and consumers, move required automation to a least-privileged IAM user or to an instance principal or resource principal authorized through a dynamic group, and confirm that access remains functional.
Remediation
Remove API Keys From Tenancy Administrator Users
Delete active API keys from users in the tenancy Administrators group. If programmatic access is required, move the workload to a dedicated least-privileged identity, such as a scoped IAM user or an instance principal or resource principal authorized through a dynamic group.
From Oracle Cloud Console
- Open Identity & Security.
- Open Domains, select the relevant identity domain if applicable, and open Users.
- Select the reported administrator user.
- Open API Keys.
- Delete each active API key that is no longer required.
- Confirm that required automation has been moved to a least-privileged identity.
From OCI CLI
List the user's API keys:
oci iam api-key list --user-id {{user-ocid}} --all
Delete each active key by fingerprint after confirming that it is no longer required:
oci iam api-key delete \
  --user-id {{user-ocid}} \
  --fingerprint {{fingerprint}}
Run the list command again and confirm that no API keys remain in the ACTIVE lifecycle state for the tenancy administrator user.
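The check this policy performs, applied across the whole Administrators group rather than one user at a time, as an added example (this is not the page's, Cloudaware's, or Oracle's code). It consumes the JSON that `oci iam group list-users --group-id ... --all --output json` and `oci iam api-key list --user-id ... --all --output json` return (kebab-case keys under "data") and renders the delete command from the remediation above for each finding so the list can be reviewed before anything is run. Every OCID, user name, fingerprint and timestamp below is constructed for illustration.

```python
"""Flag tenancy Administrators group members that hold ACTIVE API keys.

Added example for this policy page; not Cloudaware's or Oracle's own code.
Input documents mirror the JSON shape of the OCI CLI (`oci iam group list-users`
and `oci iam api-key list`), but all OCIDs, names and fingerprints are constructed.
"""
import json
from typing import Dict, List

# Constructed sample, same shape as:
#   oci iam group list-users --group-id <administrators-group-ocid> --all --output json
ADMIN_GROUP_USERS = json.loads("""
{
  "data": [
    {"id": "ocid1.user.oc1..exampleadmin1", "name": "alice@example.com", "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..exampleadmin2", "name": "break-glass",       "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..exampleadmin3", "name": "former-admin",      "lifecycle-state": "INACTIVE"}
  ]
}
""")

# Constructed sample, same shape as (one document per user, keyed by user OCID):
#   oci iam api-key list --user-id <user-ocid> --all --output json
API_KEYS_BY_USER: Dict[str, dict] = {
    "ocid1.user.oc1..exampleadmin1": json.loads("""
    {"data": [
      {"fingerprint": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00",
       "lifecycle-state": "ACTIVE",  "time-created": "2023-01-10T09:00:00.000Z"},
      {"fingerprint": "ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89",
       "lifecycle-state": "DELETED", "time-created": "2021-05-01T09:00:00.000Z"}
    ]}"""),
    "ocid1.user.oc1..exampleadmin2": json.loads('{"data": []}'),
    "ocid1.user.oc1..exampleadmin3": json.loads("""
    {"data": [
      {"fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
       "lifecycle-state": "ACTIVE",  "time-created": "2022-03-03T09:00:00.000Z"}
    ]}"""),
}


def find_active_admin_api_keys(group_users: dict, api_keys_by_user: Dict[str, dict]) -> List[dict]:
    """Return one finding per ACTIVE API key held by an ACTIVE member of the group.

    Scope matches the policy description: only active users are evaluated, and
    keys in any other lifecycle state (DELETED, DELETING) are ignored. A user
    missing from api_keys_by_user is treated as having no keys.
    """
    findings: List[dict] = []
    for user in group_users["data"]:
        if user["lifecycle-state"] != "ACTIVE":
            continue
        keys = api_keys_by_user.get(user["id"], {"data": []})["data"]
        for key in keys:
            if key["lifecycle-state"] != "ACTIVE":
                continue
            findings.append({
                "user_id": user["id"],
                "user_name": user["name"],
                "fingerprint": key["fingerprint"],
                "time_created": key["time-created"],
            })
    return findings


def remediation_commands(findings: List[dict]) -> List[str]:
    """Render the page's CLI delete command for each finding.

    Left without --force on purpose: the CLI then asks for confirmation, which is
    the moment to check that the key's consumers have been migrated.
    """
    return [
        f"oci iam api-key delete --user-id {f['user_id']} --fingerprint {f['fingerprint']}"
        for f in findings
    ]


def is_compliant(group_users: dict, api_keys_by_user: Dict[str, dict]) -> bool:
    """True when no active administrator holds an active API key."""
    return not find_active_admin_api_keys(group_users, api_keys_by_user)


if __name__ == "__main__":
    hits = find_active_admin_api_keys(ADMIN_GROUP_USERS, API_KEYS_BY_USER)
    for h in hits:
        print(f"{h['user_name']} ({h['user_id']}): active key {h['fingerprint']} created {h['time_created']}")
    print("compliant" if not hits else "non-compliant; review and run:")
    for cmd in remediation_commands(hits):
        print("  " + cmd)
```

In the constructed data only alice@example.com is reported: break-glass has no keys, and former-admin is inactive and therefore out of the policy's scope even though an ACTIVE key is still attached to it. That last case is worth a manual look in practice, since re-enabling the user would make the key usable again.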
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| CIS Oracle v3.1.0 → 1.12 Ensure API keys are not created for tenancy administrator users - Level 1 (Automated) | 1 | no data | | | |
| Cloudaware Framework → Credential Lifecycle Management | 32 | no data | | | |