Best practice rules for OCI IAM
- Check Tenancy Administrator Users for API Keys
Ensure that API keys are not created for tenancy administrator users.
- Check for Admin-Only Resource Access
Ensure that permissions on all OCI resources are given only to the "Administrators" group.
- Check for Cloud Resources in the Root Compartment
Ensure there are no cloud resources within the OCI root compartment.
- Check for Non-Root Compartments
Ensure there is at least one non-root compartment in your OCI tenancy to store cloud resources.
- Check for Service-Level Administrators
Ensure that service-level administrators are used to manage the resources of each particular OCI service.
- Check for Valid IAM User Email Address
Ensure that all Oracle Cloud Infrastructure (OCI) IAM user accounts have a valid and current email address.
- Configure Account Lock Threshold
Ensure that an account lock threshold is configured in your OCI IAM password policy.
- Enable Identity Domain Diagnostics
Set the diagnostics type to capture operational logs within your OCI Identity Domain.
- Enable Multi-Factor Authentication for User Accounts
Ensure that the Multi-Factor Authentication (MFA) feature is enabled for all users with a console password.
- Ensure IAM password policy requires minimum length of 14 or greater
Ensure that the IAM password policy requires a minimum of 14 characters for passwords.
- IAM Password Policy Enforces Password Expiration
Ensure that IAM password policy enforces password expiration within 365 days or less.
- Prevent Critical Storage Resource Deletion
Ensure that storage service-level administrators can't delete the resources they manage.
- Prevent Password Reuse
Ensure that OCI IAM password policy prevents password reuse.
- Protect the Tenancy "Administrators" Group
Ensure that service administrators cannot update the tenancy "Administrators" group.
- Rotate Customer Secret Keys
Ensure that customer secret keys are rotated on a periodic basis to follow security best practices.
- Rotate IAM Database Passwords
Ensure that IAM database passwords are rotated on a periodic basis to follow security best practices.
- Rotate User API Keys
Ensure that IAM user API keys are rotated on a periodic basis to follow security best practices.
- Rotate User Auth Tokens
Ensure that IAM user auth tokens are rotated on a periodic basis to follow security best practices.
- Rotate User SMTP Credentials
Ensure that IAM user SMTP credentials are rotated on a periodic basis to follow security best practices.
- Unnecessary API Keys
Ensure there is a maximum of one active API key pair available for any single OCI IAM user.
- Unused IAM Users
Ensure that unused OCI IAM local users are disabled to follow cloud security best practices.
- Use Default Tags for Cloud Resources
Ensure that your Oracle Cloud Infrastructure (OCI) resources are using default tags.
- Use Network Perimeters
Enable and configure network perimeters for Oracle Cloud Infrastructure (OCI) identity domains.