
Rotate User API Keys

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your IAM user API keys are rotated every 90 days or less in order to decrease the likelihood of accidental exposures and protect your Oracle Cloud Infrastructure (OCI) resources against unauthorized access. API keys are RSA key pairs which can be utilized by administrators, developers, and services for the direct access of OCI APIs, as well as through SDKs or the OCI Command Line Interface (CLI), to perform operations such as listing, creating, updating, or deleting OCI resources.

Security

Rotating IAM user credentials periodically will significantly reduce the chances that a compromised set of API keys can be used without your knowledge to access certain components and resources within your Oracle Cloud Infrastructure (OCI) tenancy.


Audit

To determine if your IAM user API keys are regularly rotated (i.e., every 90 days), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 In the Identity domain navigation panel, choose Users to list the IAM users created for the selected domain.

06 In the Users section, click on the name (link) of the IAM user that you want to examine, listed in the Username column.

07 In the Resources navigation panel, choose API keys, and check the creation date of each API key deployed for the selected user, listed in the Created column. If more than 90 days have passed since an API key was created, the key is not being rotated on a regular basis: it is outdated and needs to be regenerated in order to secure access to the OCI resources.

08 Repeat steps no. 6 and 7 for each IAM user created for the selected OCI domain.

09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.

Using OCI CLI

01 Run the iam user list command (OSX/Linux/UNIX) to list the name and ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) tenancy (the trailing backslashes continue the command across lines):

oci iam user list \
    --all \
    --query 'data[].["name","id"]' \
    --output 'table'

02 The command output should return a table with requested user IDs:

+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+

03 Run the iam user api-key list command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to list the fingerprint and the creation date/time of each API signing key generated for the specified user:

oci iam user api-key list \
    --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    --query 'data[].["fingerprint","time-created"]' \
    --output 'table'

04 The command output should return the requested API key information:

+-------------------------------------------------+----------------------------------+
| Column1                                         | Column2                          |
+-------------------------------------------------+----------------------------------+
| 12:83:35:4b:5b:c2:20:76:65:67:30:18:8e:a6:e9:00 | 2024-09-08T16:20:10.103000+00:00 |
| 00:01:02:ab:cd:01:02:03:ab:cd:01:02:03:ab:cd:03 | 2024-11-10T16:44:11.106000+00:00 |
+-------------------------------------------------+----------------------------------+

Check the timestamp listed in the Column2 column for each API signing key to determine when the key was created. If more than 90 days have passed since an API key was created, the key is not being rotated on a regular basis: the credentials are outdated and need to be regenerated in order to secure API access to the OCI resources.
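The 90-day check in step no. 4 is easy to get wrong by hand (time zones, fractional seconds, dozens of users), so the following script automates it over the JSON form of the same CLI output. This is an added example, not code from the Trend Vision One page or from Oracle; it assumes the JSON output of oci iam user api-key list has a top-level "data" array whose elements carry the "fingerprint" and "time-created" fields that the page's own --query expression selects. The first two sample keys reuse the fingerprints and timestamps from the table above; the third key (and its "Z"-suffixed timestamp) is constructed to show a key that is still within the rotation window.

```python
"""Audit check: flag OCI IAM user API signing keys older than 90 days.

Added example (not from the Trend Vision One page or Oracle). It evaluates the
"time-created" timestamps returned by
`oci iam user api-key list --user-id <ocid> --output json`
against the 90-day rotation threshold the page describes.
"""
import json
import sys
from datetime import datetime, timezone
from typing import Dict, List

ROTATION_DAYS = 90  # threshold from the page: rotate every 90 days or less

# Constructed sample input. Its shape mirrors the JSON output of the CLI
# (a top-level "data" array). The first two keys are the values shown in the
# page's example table; the third key is made up for a "still fresh" case.
SAMPLE_API_KEY_LIST = """
{
  "data": [
    {"fingerprint": "12:83:35:4b:5b:c2:20:76:65:67:30:18:8e:a6:e9:00",
     "time-created": "2024-09-08T16:20:10.103000+00:00"},
    {"fingerprint": "00:01:02:ab:cd:01:02:03:ab:cd:01:02:03:ab:cd:03",
     "time-created": "2024-11-10T16:44:11.106000+00:00"},
    {"fingerprint": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99",
     "time-created": "2025-02-01T09:00:00Z"}
  ]
}
"""


def parse_oci_timestamp(value: str) -> datetime:
    """Parse an OCI RFC 3339 timestamp into an aware UTC datetime.

    OCI returns strings with microseconds and a "+00:00" offset, as in the
    table above. A trailing "Z" is rewritten to "+00:00" because older
    Pythons' fromisoformat rejects it; a naive string is treated as UTC.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def key_age_days(time_created: str, now: datetime) -> int:
    """Whole days elapsed between the key's creation and `now` (aware UTC)."""
    return (now - parse_oci_timestamp(time_created)).days


def find_stale_keys(api_key_list_json: str, now: datetime,
                    max_age_days: int = ROTATION_DAYS) -> List[Dict[str, object]]:
    """Return the keys whose age exceeds max_age_days, oldest first.

    api_key_list_json is the raw JSON printed by
    `oci iam user api-key list --user-id <ocid> --output json`.
    """
    keys = json.loads(api_key_list_json).get("data", [])
    stale = []
    for key in keys:
        age = key_age_days(key["time-created"], now)
        if age > max_age_days:
            stale.append({"fingerprint": key["fingerprint"], "age_days": age})
    stale.sort(key=lambda k: k["age_days"], reverse=True)
    return stale


def main() -> int:
    """Read the CLI's JSON from stdin when invoked with "-", else use the sample."""
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_API_KEY_LIST
    stale = find_stale_keys(raw, datetime.now(timezone.utc))
    for key in stale:
        print(f"ROTATE {key['fingerprint']} (age {key['age_days']} days > {ROTATION_DAYS})")
    return 1 if stale else 0  # non-zero exit makes the check usable in CI


if __name__ == "__main__":
    sys.exit(main())
```

To run it against a real user, pipe the CLI output in: oci iam user api-key list --user-id '<user OCID>' --output json | python3 check_api_key_age.py - (the script file name is an assumption). Wrapping that in a loop over the user IDs from step no. 2 gives a tenancy-wide audit; the non-zero exit status on stale keys lets a scheduled job fail loudly instead of relying on someone reading a table.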

Remediation / Resolution

To rotate (regenerate) outdated API signing keys for your IAM user, perform the following operations:

Rotating API signing keys for IAM users using Oracle Cloud Infrastructure (OCI) CLI is not currently supported.

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 In the Identity domain navigation panel, choose Users to list the IAM users created for the selected domain.

06 In the Users section, click on the name (link) of the IAM user that you want to configure, listed in the Username column.

07 In the Resources navigation panel, select API keys.

08 Choose Add API key, select Generate API Key Pair, download the private key, and choose Add to create a new set of API signing keys required for key rotation. Copy the configuration file to a secure location, and choose Close to return to the IAM console. If the selected IAM user has three API keys, follow the instructions outlined in step no. 11 to remove the outdated key first.

09 Update all your applications and systems to replace the outdated API key with the new one created in the previous steps.

10 Test all your applications and systems to make sure that the new key pair is working as expected.

11 Once you are sure that your applications and systems are no longer using the original API key, return to your IAM user page, select the outdated API key, and choose Delete to remove the API key from your IAM user. Choose Delete again to confirm.

12 Repeat steps no. 6 - 11 for each IAM user created for the selected OCI domain.

13 Repeat steps no. 4 - 12 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

14 Repeat steps no. 3 – 13 for each compartment available within your OCI account.

Publication date Mar 11, 2025