🛡️ Oracle IAM User API keys are not rotated every 90 days🟢

Contextual name: 🛡️ IAM User API keys are not rotated every 90 days🟢
ID: /ce/ca/oracle/iam/user-api-keys-are-not-rotated-every-90-days
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Oracle IAM User API Key
- 🔌 Oracle IAM User API Key - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies active Oracle IAM User API keys that are older than 90 days. Oracle API keys are long-term credentials used to sign programmatic requests to Oracle Cloud Infrastructure APIs.

Rationale

Long-lived API keys increase the exposure window for credential theft, accidental disclosure, and misuse. Rotating API keys at least every 90 days limits the time a compromised key can be used and supports a predictable credential lifecycle for users, scripts, and integrations.

Impact

Rotating an API key can disrupt applications, scripts, integrations, or users that still depend on the old key. Before deleting the stale key, create a replacement key, update all dependent workloads, and confirm that Oracle API access works with the new key.

Audit

This policy flags an Oracle IAM User API Key as INCOMPLIANT if the Lifecycle State field is set to ACTIVE and the Time Created field is older than 90 days.

API keys whose Lifecycle State field is not set to ACTIVE are marked as INAPPLICABLE. Active API keys with a Time Created value within the last 90 days are marked as COMPLIANT.

Remediation

Open File

Remediation

Rotate Stale API Keys

Create a replacement API key, update every dependent workload to use the new key, and delete the stale key after confirming that the old key is no longer required.

From OCI CLI

List the user's API keys:
oci iam api-key list --user-id {{user-ocid}} --all
Upload a replacement public key for the user:
oci iam api-key upload \
    --user-id {{user-ocid}} \
    --key-file {{public-key-file}}
Update dependent workloads to use the replacement key. After confirming that the stale key is no longer used, delete it by fingerprint:
oci iam api-key delete \
    --user-id {{user-ocid}} \
    --fingerprint {{stale-key-fingerprint}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Oracle v3.1.0 → 💼 1.8 Ensure user API keys rotate within 90 days - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			32		no data

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

Rotate Stale API Keys​

From OCI CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

Rotate Stale API Keys

From OCI CLI

policy.yaml

Linked Framework Sections