
Check Tenancy Administrator Users for API Keys

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Oracle Cloud Infrastructure (OCI) tenancy administrator users are not configured with API signing keys, in order to minimize the potential attack surface. Identities performing day-to-day operations should never require full tenancy access. Instead, it is recommended to create service-level administrative users whose permissions are limited to the services and compartments they manage, and to issue API keys to those users only.

Security

Tenancy administrator users have complete access to the organization's OCI tenancy. Using API keys for tenancy administrators poses a significant security risk, as these are long-lived credentials that sign API requests directly, outside the password and multi-factor authentication controls applied to console sign-in; the compromise of a key (for example, from a developer workstation, a CI/CD runner, or a leaked configuration file) would grant an attacker unrestricted control over the entire OCI tenancy.


Audit

To determine if OCI tenancy administrator users are configured with API keys, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 In the Identity domain navigation panel, choose Groups, and select the Administrators group from the Groups list.

06 In the Users section, click on the name (link) of the OCI tenancy administrator that you want to examine, listed in the Username column.

07 In the Resources navigation panel, choose API keys, and check for any API keys created for the selected user, listed in the API keys section. If one or more keys are listed in this section, API keys are created for the selected OCI tenancy administrator.

08 Repeat steps no. 6 and 7 for each tenancy administrator available in the Administrators group.

09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.

Using OCI CLI

01 Run iam group list command (OSX/Linux/UNIX) to retrieve the ID of the Administrators group created for your Oracle Cloud Infrastructure (OCI) tenancy:

oci iam group list \
	--query 'data[?"name"==`Administrators`]."id"'

02 The command output should return the requested group identifier (ID):

[
	"ocid1.group.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam group list-users command (OSX/Linux/UNIX) to list the ID of each OCI tenancy administrator available in the Administrators group:

oci iam group list-users \
	--group-id 'ocid1.group.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data[].["name","id"]' \
	--output 'table'

04 The command output should return a table with requested admin IDs:

+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-admin                     | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-tenancy-sec-admin                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-operational-admin                  | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+

05 Run iam user api-key list command (OSX/Linux/UNIX) with the ID of the OCI tenancy administrator that you want to examine as the identifier parameter, to list the fingerprint of each API key generated for the specified admin user:

oci iam user api-key list \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data[]."fingerprint"'

06 The command output should return the requested API key fingerprints:

[
	"00:01:02:20:cd:01:02:03:ab:cd:01:02:03:ab:cd:00"
]

If the iam user api-key list command output returns one or more API key fingerprints, API signing keys exist for the selected OCI tenancy administrator and the user is not compliant with this check.

07 Repeat steps no. 5 and 6 for each tenancy administrator available in the Administrators group.

Remediation / Resolution

To remove the API signing keys from your Oracle Cloud Infrastructure (OCI) tenancy administrators, perform the following operations. Before deleting a key, confirm that no automation still depends on it, and that it is not the key your own CLI profile signs requests with (deleting that key locks the profile out of subsequent commands); move any legitimate workload to a service-level administrative user first.

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 In the Identity domain navigation panel, choose Groups, and select the Administrators group from the Groups list.

06 In the Users section, click on the name (link) of the OCI tenancy administrator that you want to configure, listed in the Username column.

07 In the Resources navigation panel, choose API keys, select the API signing key that you want to remove, and choose Delete. In the confirmation box, choose Delete to remove the selected API key.

08 Repeat steps no. 6 and 7 for each tenancy administrator that you want to configure, available in the Administrators group.

09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.

Using OCI CLI

01 Run iam user api-key delete command (OSX/Linux/UNIX) to remove the API signing key specified by --fingerprint from your Oracle Cloud Infrastructure (OCI) tenancy administrator user:

oci iam user api-key delete \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--fingerprint '00:01:02:20:cd:01:02:03:ab:cd:01:02:03:ab:cd:00'

02 Type y (yes) and press Enter to confirm the key removal:

Are you sure you want to delete this resource? [y/N]: y

03 Repeat steps no. 1 and 2 for each tenancy administrator available in the Administrators group.
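The CLI audit (steps 1 – 7 above) and the CLI remediation (steps 1 – 3) can be run as one script over every member of the Administrators group instead of one user at a time. The script below is an added example and is not Trend Micro's or Oracle's code. It assumes the OCI CLI is installed and configured with a profile that can read IAM (and, in revoke mode, manage users' API keys), and that the `oci iam` commands address the default identity domain, as the manual steps do. The function names and the report format are this example's own; the --all, --raw-output and --force flags and the JMESPath queries are standard OCI CLI features.

```shell
#!/bin/sh
# Added example: audit members of the default domain's Administrators group
# for API signing keys and, with "revoke", delete them. Function names and
# output format are hypothetical; the oci subcommands and flags are real.
set -eu

OCI=${OCI:-oci}   # e.g. OCI="oci --profile audit" to select another CLI profile

# OCID of the Administrators group, or empty/"null" if it does not exist.
admin_group_id() {
	$OCI iam group list --all \
		--query 'data[?name==`Administrators`].id | [0]' --raw-output
}

# One "user-ocid user-name" line per member of the group whose OCID is $1.
group_members() {
	$OCI iam group list-users --all --group-id "$1" \
		--query 'data[].join(`" "`, [id, name]) | join(`"\n"`, @)' --raw-output
}

# Fingerprints of the API signing keys on user $1, one per line (empty if none).
user_api_key_fingerprints() {
	$OCI iam user api-key list --user-id "$1" \
		--query 'join(`"\n"`, data[].fingerprint)' --raw-output
}

# Delete every API signing key on user $1 (the page's remediation step, run
# per fingerprint). Prints "REVOKED <user-ocid> <fingerprint>" for each key.
revoke_user_api_keys() {
	fps=$(user_api_key_fingerprints "$1")
	for fp in $fps; do
		$OCI iam user api-key delete --user-id "$1" --fingerprint "$fp" --force
		echo "REVOKED $1 $fp"
	done
}

# Walk the Administrators group. Prints "FAIL <name> <key-count>" for each
# admin holding API keys and "PASS <name>" otherwise; with $1 = revoke the
# keys are also deleted. Returns 1 if any admin failed, 2 if the group is
# missing, 0 if every admin is clean.
audit_tenancy_admin_api_keys() {
	mode=${1:-report}
	gid=$(admin_group_id)
	if [ -z "$gid" ] || [ "$gid" = "null" ]; then
		echo "Administrators group not found in the default domain" >&2
		return 2
	fi
	failed=0
	members=$(group_members "$gid")
	# here-document instead of a pipe so $failed survives the loop in POSIX sh
	while read -r uid name; do
		[ -n "$uid" ] || continue
		fps=$(user_api_key_fingerprints "$uid")
		count=$(printf '%s\n' "$fps" | grep -c . || true)   # non-empty lines
		if [ "$count" -gt 0 ]; then
			echo "FAIL $name $count"
			failed=1
			if [ "$mode" = revoke ]; then
				revoke_user_api_keys "$uid"
			fi
		else
			echo "PASS $name"
		fi
	done <<EOF
$members
EOF
	return $failed
}

# Usage: sh audit-admin-api-keys.sh report|revoke  (no argument: define only)
case "${1:-}" in
	report|revoke) audit_tenancy_admin_api_keys "$1" ;;
esac
```

Run it in report mode first and wire the non-zero exit status into whatever scheduler or pipeline runs your posture checks; only switch to revoke once the FAIL list has been reviewed against known automation. If your CLI profile does not default the compartment to the tenancy, add --compartment-id with the tenancy OCID to the two group commands (the tenancy is the root compartment).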


Publication date Mar 11, 2025