
Rotate Customer Secret Keys


Risk Level: High (not acceptable risk)

Ensure that customer secret keys for IAM users are rotated every 90 days or less in order to decrease the likelihood of accidental exposure and protect your Oracle Cloud Infrastructure (OCI) resources against unauthorized access. Customer secret keys are Access Key/Secret Key pairs used to authenticate to OCI Object Storage through its Amazon S3 Compatibility API. Every IAM user can maintain a maximum of two keys simultaneously.

Security

Customer secret keys do not have an expiration date. Rotating customer secret keys for OCI IAM users periodically will significantly reduce the chances that a compromised set of keys can be used without your knowledge to gain unauthorized access to object storage resources.


Audit

To determine if your IAM customer secret keys are regularly rotated (i.e., every 90 days or less), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 In the Identity domain navigation panel, choose Users to list the IAM users created for the selected domain.

06 In the Users section, click on the name (link) of the IAM user that you want to examine, listed in the Username column.

07 In the Resources navigation panel, choose Customer secret keys, and check the creation date of each customer secret key generated for the selected user, listed in the Created column. If more than 90 days have passed since a key was created, that customer secret key is not rotated on a regular basis: the key is outdated and needs to be regenerated in order to secure access to your data.

08 Repeat steps no. 6 and 7 for each IAM user created for the selected OCI domain.

09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 3 - 9 for each compartment available within your OCI account.

Using OCI CLI

01 Run iam user list command (OSX/Linux/UNIX) to list the ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) tenancy:

oci iam user list \
	--all \
	--query 'data[].["name","id"]' \
	--output 'table'

02 The command output should return a table with requested user IDs:

+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+

03 Run iam customer-secret-key list command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the --user-id parameter value, to list the ID and the creation date/time of each customer secret key generated for the specified user:

oci iam customer-secret-key list \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data[].["id","time-created"]' \
	--output table

04 The command output should return the requested key information:

+------------------------------------------+----------------------------------+
| Column1                                  | Column2                          |
+------------------------------------------+----------------------------------+
| abcd1234abcd1234abcd1234abcd1234abcd1234 | 2024-09-08T16:20:10.103000+00:00 |
| 1234abcdabcdabcd1234abcdabcdabcdabcdabcd | 2024-11-10T16:44:11.106000+00:00 |
+------------------------------------------+----------------------------------+

Check the timestamp listed in the Column2 column (the time-created attribute) for each customer secret key to determine when the key was created. If more than 90 days have passed since a key was created, that customer secret key is not rotated on a regular basis: the credentials are outdated and need to be regenerated in order to secure access to your data.
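The age check from steps 3 and 4 above can be scripted against the JSON form of the same list command. The following is an added example, not code from the page, Trend Vision One or the OCI CLI; the sample output is constructed to mirror the placeholder key IDs and timestamps shown above, and fetch_keys() assumes a configured OCI CLI on the PATH.

```python
"""Added example: flag OCI customer secret keys older than 90 days using the
JSON output of `oci iam customer-secret-key list` (not the page's own code)."""
import json
import subprocess
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # rotation threshold stated on the page

# Constructed sample shaped like the CLI's JSON output; the IDs, timestamps and
# user OCID are the placeholder values from the page's table output.
SAMPLE_LIST_OUTPUT = json.dumps({"data": [
    {"id": "abcd1234abcd1234abcd1234abcd1234abcd1234", "display-name": "old-key",
     "lifecycle-state": "ACTIVE", "time-created": "2024-09-08T16:20:10.103000+00:00",
     "user-id": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"},
    {"id": "1234abcdabcdabcd1234abcdabcdabcdabcdabcd", "display-name": "new-key",
     "lifecycle-state": "ACTIVE", "time-created": "2024-11-10T16:44:11.106000+00:00",
     "user-id": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"},
]})


def key_age_days(time_created: str, as_of: str) -> int:
    """Whole days between the key's `time-created` value and the `as_of` instant.
    Both are ISO 8601 strings with a UTC offset, as the CLI prints them."""
    created = datetime.fromisoformat(time_created)
    return (datetime.fromisoformat(as_of) - created).days


def outdated_keys(list_output: str, as_of: str, max_age: int = MAX_AGE_DAYS) -> list:
    """Return (key id, age in days) for each ACTIVE key older than max_age days.
    Only ACTIVE keys are considered usable credentials (assumption)."""
    keys = json.loads(list_output)["data"]
    aged = [(k["id"], key_age_days(k["time-created"], as_of))
            for k in keys if k["lifecycle-state"] == "ACTIVE"]
    return [(key_id, age) for key_id, age in aged if age > max_age]


def fetch_keys(user_id: str) -> str:
    """Run the page's list command for a real user (needs a configured OCI CLI)."""
    cmd = ["oci", "iam", "customer-secret-key", "list",
           "--user-id", user_id, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Evaluate the constructed sample against the current time; swap in
    # fetch_keys(<user OCID>) to audit a live user.
    now = datetime.now(timezone.utc).isoformat()
    for key_id, age in outdated_keys(SAMPLE_LIST_OUTPUT, now):
        print(f"ROTATE {key_id}: created {age} days ago (limit {MAX_AGE_DAYS})")
```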

Remediation / Resolution

To rotate (regenerate) outdated customer secret keys for your IAM users, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 In the Identity domain navigation panel, choose Users to list the IAM users created for the selected domain.

06 In the Users section, click on the name (link) of the IAM user that you want to configure, listed in the Username column.

07 In the Resources navigation panel, select Customer secret keys.

08 Select Generate secret key, provide a unique name for your new key, and choose Generate secret key to create a new customer secret key required for rotation. Copy the key string to a secure location, and choose Close to return to the IAM console. If the selected IAM user has two customer secret keys, follow the instructions outlined in step no. 11 to remove the outdated key first.

09 Update all your applications and systems to replace the outdated key with the new one created in the previous steps.

10 Test all your applications and systems to make sure that the new customer secret key is working as expected.

11 Once you are sure that your applications and systems are no longer using the original key, return to your IAM user page, select the outdated customer secret key, and choose Delete to remove the key from your IAM user. Choose Delete again to confirm.

12 Repeat steps no. 6 - 11 for each IAM user created for the selected OCI domain.

13 Repeat steps no. 4 - 12 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

14 Repeat steps no. 3 - 13 for each compartment available within your OCI account.

Using OCI CLI

01 Run iam customer-secret-key create command (OSX/Linux/UNIX) to create a new customer secret key for the selected IAM user, required for key rotation. An IAM user can have up to two keys at a time. If the IAM user has two customer secret keys, follow the instructions outlined in step no. 5 to remove the outdated key first:

oci iam customer-secret-key create \
	--display-name 'cc-project5-dev-csk' \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

02 The command output should return the resource information for the new customer secret key:

{
	"data": {
		"display-name": "cc-project5-dev-csk",
		"id": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
		"inactive-status": null,
		"key": "abcd ... abcd",
		"lifecycle-state": "ACTIVE",
		"time-created": "2025-03-08T17:51:11.917000+00:00",
		"time-expires": null,
		"user-id": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234"
}

03 Update all your applications and systems to replace the outdated key with the new one created in the previous steps.

04 Test all your applications and systems to make sure that the new customer secret key is working as expected.

05 Once you are sure that your applications and systems are no longer using the original key, run iam customer-secret-key delete command (OSX/Linux/UNIX) to delete the outdated customer secret key:

oci iam customer-secret-key delete \
	--customer-secret-key-id 'abcd1234abcd1234abcd1234abcd1234abcd1234' \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

06 Type y (yes) and press Enter to confirm the key removal:

Are you sure you want to delete this resource? [y/N] y

07 Repeat steps no. 1 - 6 for each IAM user that you want to configure, available in your Oracle Cloud Infrastructure (OCI) tenancy.


Publication date Mar 11, 2025