lacework-global-675

1.8 Ensure user API keys rotate every 90 days (Automated)

Description

Administrators, developers, services and scripts use API keys for accessing OCI APIs directly or via SDKs/OCI CLI to search, create, update or delete OCI resources. The API key is an RSA key pair, with a public key associated with a local or synchronized user's profile, and a private key that signs the API requests.

Remediation

From Console:

  1. Log in to the OCI Console.

  2. Select Identity & Security from the Services menu.

  3. Select Domains from the Identity menu.

  4. For each domain listed, click the name and select Users.

  5. Click an individual user under the Username heading.

  6. Click API Keys in the lower left-hand corner of the page.

  7. Delete any API Keys that are older than 90 days under the Created column of the API Key table.

From CLI:

oci iam user api-key delete --user-id <user_ocid> --fingerprint <fingerprint_of_the_key_to_be_deleted>
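
The 90-day check from the steps above can be run against the JSON that `oci iam user api-key list --user-id <user_ocid>` returns. The following is an added example, not part of the original policy page or of any Oracle or Lacework tooling; the function names are hypothetical and the sample data (OCID, fingerprints, dates) is constructed. It prints the delete commands for review instead of running them.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # rotation window from the control title

# Constructed sample shaped like `oci iam user api-key list` JSON output.
# The OCID and fingerprints are placeholders, not real values.
_USER = "ocid1.user.oc1..exampleuser"
SAMPLE_LIST_OUTPUT = json.dumps({"data": [
    {"fingerprint": "aa:aa:aa:aa", "lifecycle-state": "ACTIVE",
     "time-created": "2024-01-10T00:00:00.000000+00:00", "user-id": _USER},
    {"fingerprint": "bb:bb:bb:bb", "lifecycle-state": "ACTIVE",
     "time-created": "2024-04-01T00:00:00.000000+00:00", "user-id": _USER},
    {"fingerprint": "cc:cc:cc:cc", "lifecycle-state": "ACTIVE",
     "time-created": "2024-06-01T00:00:00.000000+00:00", "user-id": _USER},
    {"fingerprint": "dd:dd:dd:dd", "lifecycle-state": "DELETED",
     "time-created": "2023-11-01T00:00:00.000000+00:00", "user-id": _USER},
]})
SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed clock for the sample


def stale_keys(list_output, now, max_age=MAX_AGE):
    """Return (user_id, fingerprint, age_in_days) for keys older than max_age."""
    stale = []
    for key in json.loads(list_output).get("data", []):
        # Keys already deleted or being deleted need no further action.
        if key.get("lifecycle-state") in ("DELETING", "DELETED"):
            continue
        created = datetime.fromisoformat(key["time-created"].replace("Z", "+00:00"))
        age = now - created
        # "Older than 90 days": a key exactly 90 days old is not yet flagged.
        if age > max_age:
            stale.append((key["user-id"], key["fingerprint"], age.days))
    return stale


def delete_commands(stale):
    """Build the CLI delete command from this page for each stale key."""
    return [
        f"oci iam user api-key delete --user-id {user_id} --fingerprint {fingerprint}"
        for user_id, fingerprint, _age in stale
    ]


if __name__ == "__main__":
    for command in delete_commands(stale_keys(SAMPLE_LIST_OUTPUT, SAMPLE_NOW)):
        print(command)
```

For a live check, pass the real list output and `datetime.now(timezone.utc)` in place of the constructed sample and fixed clock.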

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__API_KEY_TOO_OLD