OCI tenancy administrator users are associated with API keys
Description
This policy checks that administrator users are not associated with API keys. This matters because a compromised administrator API key hands an attacker the administrator's full privileges, which can have critical consequences for the tenancy. API key access should be granted to services and applications rather than to users, so that access control stays explicit and the blast radius of a leaked key is kept small.
Code Example
The following Terraform configuration fails the policy: `user1` is a member of the administrator group and also has an API key. The lines prefixed with `-` mark the API key resource that must be removed.
```hcl
resource "oci_identity_user" "user1" {
  # Required
  compartment_id = var.tenancy_ocid
  description    = var.user_description
  name           = "user1"
  # Optional
  defined_tags  = { "Operations.CostCenter" = "42" }
  email         = var.user_email
  freeform_tags = { "Department" = "Finance" }
}
- resource "oci_identity_api_key" "user1_api_key" {
-   # Required
-   key_value = var.api_key_key_value  # PEM-encoded public key of the API signing key pair
-   user_id   = oci_identity_user.user1.id
- }
resource "oci_identity_user_group_membership" "user1_in_admin_group" {
  # Required
  group_id = oci_identity_group.admin_group.id
  user_id  = oci_identity_user.user1.id
}
```
Remediation
Terraform
- Resource: oci_identity_group, oci_identity_user
To fix this issue, do not associate API keys with administrator users. Instead, grant programmatic access to services and applications through instance principals or dynamic groups. Also rotate API keys on a regular schedule and deprecate old ones so that a leaked key has a short useful lifetime.
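The check described above correlates three resource types: users, their group memberships, and their API keys. The following Python is an added example, not Checkov's or Prisma Cloud's own implementation of CKV2_OCI_1. It runs over a simplified, hand-constructed representation of the Terraform configuration graph (resource type, address, and attribute values expressed as references to other resource addresses), not the exact Terraform plan JSON schema, and it assumes that the administrator group can be recognised by its name (`Administrators` is OCI's default tenancy administrator group; adjust `ADMIN_GROUP_NAMES` to your tenancy's naming). The sample mirrors the page's snippet, plus a non-administrator user whose API key is legitimately allowed.

```python
"""Flag OCI users that are both in an administrator group and own an API key,
and produce the remediated resource set with those keys removed.

Added example; the resource shape below is a simplified graph model (assumption),
not the Terraform plan JSON schema.
"""
from collections import defaultdict
from typing import Any

# Assumption: administrator groups are identified by name. "Administrators" is the
# default tenancy administrator group in OCI.
ADMIN_GROUP_NAMES = {"administrators"}

# Constructed sample mirroring the page's Terraform snippet: user1 is placed in
# admin_group and also receives an API key; user2 is a developer with an API key,
# which the policy does not object to. Reference-typed attributes hold the
# address of the resource they point to.
SAMPLE_RESOURCES: list[dict[str, Any]] = [
    {"type": "oci_identity_group", "address": "oci_identity_group.admin_group",
     "values": {"name": "Administrators"}},
    {"type": "oci_identity_group", "address": "oci_identity_group.dev_group",
     "values": {"name": "Developers"}},
    {"type": "oci_identity_user", "address": "oci_identity_user.user1",
     "values": {"name": "user1"}},
    {"type": "oci_identity_user", "address": "oci_identity_user.user2",
     "values": {"name": "user2"}},
    {"type": "oci_identity_user_group_membership",
     "address": "oci_identity_user_group_membership.user1_in_admin_group",
     "values": {"user_id": "oci_identity_user.user1",
                "group_id": "oci_identity_group.admin_group"}},
    {"type": "oci_identity_user_group_membership",
     "address": "oci_identity_user_group_membership.user2_in_dev_group",
     "values": {"user_id": "oci_identity_user.user2",
                "group_id": "oci_identity_group.dev_group"}},
    {"type": "oci_identity_api_key", "address": "oci_identity_api_key.user1_api_key",
     "values": {"user_id": "oci_identity_user.user1", "key_value": "<PUBLIC_KEY_PEM_PLACEHOLDER>"}},
    {"type": "oci_identity_api_key", "address": "oci_identity_api_key.user2_api_key",
     "values": {"user_id": "oci_identity_user.user2", "key_value": "<PUBLIC_KEY_PEM_PLACEHOLDER>"}},
]


def _index_by_type(resources: list[dict[str, Any]]) -> dict[str, list[dict[str, Any]]]:
    by_type: dict[str, list[dict[str, Any]]] = defaultdict(list)
    for res in resources:
        by_type[res["type"]].append(res)
    return by_type


def is_admin_group(group: dict[str, Any]) -> bool:
    """True when the group's name matches one of the configured admin group names."""
    return group.get("values", {}).get("name", "").lower() in ADMIN_GROUP_NAMES


def admin_user_addresses(resources: list[dict[str, Any]]) -> set[str]:
    """Addresses of users that are members of an administrator group."""
    by_type = _index_by_type(resources)
    admin_groups = {g["address"] for g in by_type["oci_identity_group"] if is_admin_group(g)}
    return {
        m["values"]["user_id"]
        for m in by_type["oci_identity_user_group_membership"]
        if m["values"]["group_id"] in admin_groups
    }


def find_admin_users_with_api_keys(resources: list[dict[str, Any]]) -> list[dict[str, str]]:
    """One finding per API key that is attached to an administrator user."""
    admins = admin_user_addresses(resources)
    by_type = _index_by_type(resources)
    return [
        {"check_id": "CKV2_OCI_1", "user": key["values"]["user_id"], "api_key": key["address"]}
        for key in by_type["oci_identity_api_key"]
        if key["values"]["user_id"] in admins
    ]


def drop_admin_api_keys(resources: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Remediated resource set: API keys of administrator users are removed,
    everything else (including non-admin users' keys) is kept as-is."""
    flagged = {f["api_key"] for f in find_admin_users_with_api_keys(resources)}
    return [r for r in resources if r["address"] not in flagged]


if __name__ == "__main__":
    for finding in find_admin_users_with_api_keys(SAMPLE_RESOURCES):
        print(f"[{finding['check_id']}] {finding['user']} has API key {finding['api_key']}")
    print("after remediation:", find_admin_users_with_api_keys(drop_admin_api_keys(SAMPLE_RESOURCES)))
```

The detection is a join, not a per-resource attribute check: nothing about `oci_identity_api_key.user1_api_key` on its own is wrong, so it has to be correlated with the membership resource and the group's name. Keeping `drop_admin_api_keys` separate from the finder lets the same finder run unchanged against the remediated set to confirm the fix.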
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1251 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_OCI_1 |