Here are some key recommendations for Identity and Access Management on Oracle Cloud Infrastructure –
- Ensure service-level admins are created to manage the resources of a particular service – Creating service-level administrators (for example, a group that can manage only the networking resources) tightly scopes access to Oracle Cloud Infrastructure (OCI) services and implements the least-privilege security principle.
- Ensure permissions on all resources are given only to the tenancy administrator group – Permission to manage all resources in a tenancy should be limited to a small number of users in the Administrators group, for break-glass situations and for setting up users, groups and policies when a tenancy is created. No group other than Administrators should need access to all resources in a tenancy; granting it to any other group violates the least privilege principle.
- Ensure IAM administrators cannot update the tenancy Administrators group – A delegated IAM administrators group should be allowed to manage users and groups only under a condition that excludes the Administrators group (for example, where target.group.name != 'Administrators'). This ensures that no group other than Administrators can manage tenancy administrator users or the membership of the Administrators group, and thereby gain or remove tenancy administrator access.
- Ensure the IAM password policy requires a minimum length of 14 or greater and at least one uppercase letter, one lowercase letter, one symbol and one number – A password complexity policy increases account resilience against brute-force and password-guessing login attempts.
- Ensure the IAM password policy expires passwords within 90 days or less – Reducing the lifetime of a password adds account resilience. Passwords can be stolen by attackers in various ways, and requiring users to change their password periodically shortens the window in which a stolen password remains usable. Note that this is the benchmark position; NIST SP 800-63B advises against forced periodic changes where MFA and compromise monitoring are in place, so treat the 90-day limit as a baseline rather than a substitute for MFA.
- Ensure the IAM password policy prevents password reuse – Enforcing password history ensures that a password cannot be reused within a certain period of time; the longer the history (for example, the last 24 passwords), the longer that period. Without it, users can cycle back to a previously exposed password and undo the benefit of the expiry policy.
- Ensure MFA is enabled for all users with a console password – Multi-factor authentication adds an extra layer of verification during the login process and makes it harder for an attacker who has obtained a user's password to gain access to OCI resources. The check applies to users who can sign in to the console; API-only users authenticate with keys and are covered by the API key recommendations below.
- Ensure user API keys are rotated within 90 days or less – An API key grants the same level of access as the user it is associated with, so it must be protected and rotated every 90 days or less. Besides being a security engineering best practice, this is also a common compliance requirement.
- Ensure API keys are not created for tenancy administrator users – Day-to-day operations do not require tenancy administrator access. Service-level administrative users with API keys should be used instead, in line with the least privilege principle.
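As an added example that is not part of the original article, the Python script below applies several of the checks above (all-resources grants outside Administrators, IAM admins able to alter the Administrators group, console users without MFA, API keys older than 90 days, and API keys on tenancy administrators) to an offline export of IAM data. The sample records are constructed inline and only mimic the shape of OCI CLI JSON output (`oci iam user list`, `oci iam api-key list`, `oci iam group list-users`, `oci iam policy list`); the kebab-case field names are assumed from the CLI's conventions and should be verified against real output before use.

```python
"""Offline audit of OCI IAM data against several of the recommendations above.

Added example, not from the original article. The sample records below are
constructed and only mimic the shape of OCI CLI JSON output (`oci iam user list`,
`oci iam api-key list --user-id ...`, `oci iam group list-users`,
`oci iam policy list`); field names are assumed from the CLI's kebab-case
convention and should be checked against real output.
"""
import re
from datetime import datetime, timezone

ADMIN_GROUP = "Administrators"
MAX_KEY_AGE_DAYS = 90
# Fixed "now" so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# --- constructed sample data (not a real tenancy) --------------------------------
USERS = [
    {"id": "ocid1.user.oc1..alice", "name": "alice", "is-mfa-activated": True,
     "capabilities": {"can-use-console-password": True}},
    {"id": "ocid1.user.oc1..bob", "name": "bob", "is-mfa-activated": False,
     "capabilities": {"can-use-console-password": True}},
    # API-only service user: no console password, so MFA is not expected here.
    {"id": "ocid1.user.oc1..svc-deploy", "name": "svc-deploy", "is-mfa-activated": False,
     "capabilities": {"can-use-console-password": False}},
]
GROUP_MEMBERS = {  # user id -> group names, as built from `oci iam group list-users`
    "ocid1.user.oc1..alice": ["Administrators"],
    "ocid1.user.oc1..bob": ["NetworkAdmins"],
    "ocid1.user.oc1..svc-deploy": ["Deployers"],
}
API_KEYS = {  # user id -> that user's API keys
    "ocid1.user.oc1..alice": [{"fingerprint": "aa:aa", "lifecycle-state": "ACTIVE",
                               "time-created": "2024-05-02T00:00:00Z"}],
    "ocid1.user.oc1..bob": [{"fingerprint": "bb:bb", "lifecycle-state": "ACTIVE",
                             "time-created": "2024-02-01T00:00:00Z"}],
    "ocid1.user.oc1..svc-deploy": [{"fingerprint": "cc:cc", "lifecycle-state": "ACTIVE",
                                    "time-created": "2024-05-22T00:00:00Z"}],
}
POLICY_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group NetworkAdmins to manage virtual-network-family in tenancy",
    "Allow group PowerUsers to manage all-resources in tenancy",      # all-resources outside Administrators
    "Allow group IAMAdmins to inspect users in tenancy",
    "Allow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'",
    "Allow group IAMAdmins to inspect groups in tenancy",
    "Allow group IAMAdmins to use groups in tenancy",                 # missing the Administrators carve-out
]

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)
ADMIN_CARVEOUT = re.compile(r"target\.group\.name\s*!=\s*'Administrators'", re.IGNORECASE)


def lint_policies(statements):
    """Flag statements that grant all-resources outside Administrators, or that let
    another group change users/groups without excluding the Administrators group."""
    findings = []
    for stmt in statements:
        m = STATEMENT_RE.match(stmt.strip())
        if not m:
            findings.append(("unparsed statement", stmt))
            continue
        group, verb = m["group"], m["verb"].lower()
        resource, cond = m["resource"].lower(), m["cond"]
        if group == ADMIN_GROUP:
            continue
        if resource == "all-resources":
            findings.append(("all-resources granted outside Administrators", stmt))
        elif resource in ("users", "groups") and verb in ("use", "manage") \
                and not (cond and ADMIN_CARVEOUT.search(cond)):
            findings.append(("can alter Administrators membership", stmt))
    return findings


def audit_users(users, group_members, api_keys, now):
    """Flag console users without MFA, stale API keys, and API keys on tenancy admins."""
    findings = []
    for user in users:
        uid, name = user["id"], user["name"]
        has_console_pw = user.get("capabilities", {}).get("can-use-console-password", False)
        if has_console_pw and not user.get("is-mfa-activated", False):
            findings.append(("MFA not enabled for console user", name))
        is_admin = ADMIN_GROUP in group_members.get(uid, [])
        for key in api_keys.get(uid, []):
            if key.get("lifecycle-state") != "ACTIVE":
                continue
            # The CLI emits RFC 3339 with a trailing Z; fromisoformat wants +00:00 before 3.11.
            created = datetime.fromisoformat(key["time-created"].replace("Z", "+00:00"))
            age_days = (now - created).days
            label = f"{name} key {key['fingerprint']}"
            if is_admin:
                findings.append(("API key on tenancy administrator", label))
            if age_days > MAX_KEY_AGE_DAYS:
                findings.append((f"API key older than {MAX_KEY_AGE_DAYS} days",
                                 f"{label} ({age_days} days)"))
    return findings


if __name__ == "__main__":
    for check, detail in lint_policies(POLICY_STATEMENTS) + audit_users(USERS, GROUP_MEMBERS, API_KEYS, NOW):
        print(f"FAIL  {check}: {detail}")
```

Against the constructed data the run reports the PowerUsers all-resources grant, the unconditioned `use groups` statement, bob's missing MFA and 121-day-old key, and alice's key on a tenancy administrator; svc-deploy is silent because it has no console password and its key is fresh. The policy parser covers the common `Allow group ... to <verb> <resource> in <scope> [where ...]` form only; statements using `any-user`, dynamic groups or `endorse` would surface as "unparsed" and need manual review.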
Next article in the series – Best Practices on OCI Part 2: Network