🛡️ Oracle IAM User has more than one active API key🟢

Contextual name: 🛡️ IAM User has more than one active API key🟢
ID: /ce/ca/oracle/iam/user-has-more-than-one-active-api-key
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Oracle IAM User
- 🔌 Oracle IAM User API Key - object.extracts.yaml
- 🔌 Oracle IAM User - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies active Oracle IAM Users that have more than one active API key. OCI API keys are long-term credentials used to sign programmatic requests to Oracle Cloud Infrastructure APIs.

Rationale

Maintaining multiple active API keys for a single IAM user increases the number of long-lived credentials that can be exposed, misused, or left unmanaged. A second key should normally exist only during a planned rotation or migration window. Removing redundant active keys reduces credential sprawl and simplifies monitoring, ownership, and incident response.

Impact

Removing an API key can disrupt applications, scripts, integrations, or users that still depend on that key for OCI API access. Before deleting a redundant key, identify the workload that uses it, move the workload to the retained key or a more appropriate authentication method, and confirm that access remains functional.

Audit

This policy flags an Oracle IAM User as INCOMPLIANT if the Lifecycle State field is set to ACTIVE and the user has more than one related Oracle IAM User API Key whose Lifecycle State field is set to ACTIVE.

... see more

Remediation

Open File

Remediation

Remove Redundant Active API Keys

Keep only the active API key that is still required for the user. Delete redundant active keys after confirming that dependent workloads, scripts, or integrations no longer use them.

From OCI CLI

List the user's API keys:
oci iam api-key list --user-id {{user-ocid}} --all
After identifying the redundant key fingerprint, delete the key:
oci iam api-key delete \
    --user-id {{user-ocid}} \
    --fingerprint {{fingerprint}}
Run the list command again and confirm that no more than one API key remains in the ACTIVE lifecycle state for the user.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Oracle v3.1.0 → 💼 1.17 Ensure there is only one active API Key for any single OCI IAM user (Automated)			1		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			32		no data

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

Remove Redundant Active API Keys​

From OCI CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

Remove Redundant Active API Keys

From OCI CLI

policy.yaml

Linked Framework Sections