This check identifies OCI IAM users that hold active API signing keys older than 90 days. Key age is derived from each key's creation time, and only keys in the ACTIVE lifecycle state are considered; inactive keys do not count against the user. Users without API keys are also recorded.
Risk
Long-lived API keys widen the exposure window. OCI API requests are authenticated by signing them with the key's private half, so a leaked key lets an attacker sign API calls with the user's permissions and without any MFA prompt, enabling unauthorized changes (integrity), data access (confidentiality), and service outages (availability). Delayed rotation prolongs the attacker's dwell time and complicates incident response, because an old key may have been copied to many places that are no longer tracked.
Run this check with Prowler CLI
prowler oraclecloud --checks identity_user_api_keys_rotated_90_days
Recommendation
Enforce API key rotation every 90 days.
- Issue a new key, confirm workloads use it, then revoke the old key
- Apply least privilege and avoid shared keys
- Limit active keys per user and remove unused ones
- Monitor usage and automate rotation for defense in depth
Remediation
CLI
oci iam api-key delete --user-id <user-ocid> --fingerprint <old-key-fingerprint> --force
Other
- Sign in to the OCI Console
- Go to Identity & Security > Users, then select the target user
- Open API Keys and click Add API Key
- Generate API Key Pair (or Upload/Paste Public Key), then click Add and download/copy the private key
- For each API key older than 90 days, click the Actions (three dots) next to its fingerprint and select Delete
- Confirm deletion
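The following is an added example, not Prowler's or Oracle's own code. It re-implements the logic described at the top of this page over the JSON document that `oci iam api-key list --user-id <user-ocid>` prints (kebab-case keys, RFC 3339 timestamps, a lifecycle state per key) and, for each stale key, derives the `oci iam api-key delete` command shown under Remediation. Every OCID, fingerprint and timestamp in it is constructed, and the boundary choice (a key is stale only when its age is strictly greater than 90 days) is an assumption, not a statement about how Prowler rounds.

```python
"""Added example, not Prowler's or Oracle's own code: re-implements the
identity_user_api_keys_rotated_90_days logic over the JSON document that
`oci iam api-key list --user-id <user-ocid>` prints, and derives the
rotation commands from the Remediation section for each stale key.
All OCIDs, fingerprints and timestamps below are constructed."""
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 90

# Fixed "now" so the evaluation is reproducible (constructed value).
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_USER_OCID = "ocid1.user.oc1..exampleuniqueID"

# Constructed document in the shape the OCI CLI returns: kebab-case keys,
# RFC 3339 timestamps with an explicit UTC offset, lifecycle-state per key.
SAMPLE_API_KEY_LIST = json.dumps({"data": [
    {"fingerprint": "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11",
     "lifecycle-state": "ACTIVE",
     "time-created": "2024-11-01T00:00:00.000000+00:00"},   # 212 days old: stale
    {"fingerprint": "22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22",
     "lifecycle-state": "ACTIVE",
     "time-created": "2025-05-01T00:00:00.000000+00:00"},   # 31 days old: fine
    {"fingerprint": "33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33",
     "lifecycle-state": "INACTIVE",
     "time-created": "2024-01-01T00:00:00.000000+00:00"},   # old but INACTIVE: ignored
    {"fingerprint": "44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44",
     "lifecycle-state": "ACTIVE",
     "time-created": "2025-03-03T00:00:00.000000+00:00"},   # exactly 90 days: not yet stale
]})


def key_age_days(time_created: str, now: datetime) -> int:
    """Whole days between the key's creation time and `now`.
    The CLI emits an explicit UTC offset; a trailing 'Z' is normalised so
    SDK-style output also parses on Python versions that reject 'Z'."""
    created = datetime.fromisoformat(time_created.replace("Z", "+00:00"))
    if created.tzinfo is None:          # defensive: treat a naive stamp as UTC
        created = created.replace(tzinfo=timezone.utc)
    return (now - created).days


def evaluate_user(user_ocid: str, api_key_list_json: str, now: datetime,
                  max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Apply the check to one user. Only ACTIVE keys count. A key is stale
    when its age exceeds max_age_days (assumption: strictly greater, so a
    key created exactly 90 days ago still passes). A user with no active
    keys has nothing stale and therefore passes."""
    keys = json.loads(api_key_list_json).get("data", [])
    stale = []
    active = 0
    for key in keys:
        if key.get("lifecycle-state") != "ACTIVE":
            continue
        active += 1
        age = key_age_days(key["time-created"], now)
        if age > max_age_days:
            stale.append({"fingerprint": key["fingerprint"], "age_days": age})
    return {
        "user_id": user_ocid,
        "active_keys": active,
        "stale_keys": stale,
        "status": "FAIL" if stale else "PASS",
    }


def rotation_commands(user_ocid: str, stale_keys: list) -> list:
    """Emit the Remediation CLI command for each stale key. Run these only
    after a replacement key has been issued and workloads are confirmed to
    use it, in the order the Recommendation section gives."""
    return [
        f"oci iam api-key delete --user-id {user_ocid} "
        f"--fingerprint {key['fingerprint']} --force"
        for key in stale_keys
    ]


if __name__ == "__main__":
    result = evaluate_user(SAMPLE_USER_OCID, SAMPLE_API_KEY_LIST, SAMPLE_NOW)
    print(result["status"], result["stale_keys"])
    for cmd in rotation_commands(SAMPLE_USER_OCID, result["stale_keys"]):
        print(cmd)
```

To run it against a real tenancy, replace `SAMPLE_API_KEY_LIST` with the output of `oci iam api-key list --user-id <user-ocid>` and `SAMPLE_NOW` with `datetime.now(timezone.utc)`. The `--force` flag on the generated delete command suppresses the confirmation prompt, so review the list before executing it: the old key must not be deleted until the new one is confirmed in use.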
Source Code
Resource Type
User