Auto rotation of OCI Identity and Access Management credentials

February 23, 2024 | 3 minute read
Dipesh Rathod
Master Principal Cloud Architect
Bhanu Prakash Lohumi
Senior Cloud Engineer

Oracle Cloud Guard is a cloud native service that monitors the security posture of an Oracle Cloud Infrastructure (OCI) tenancy and triggers events for the remediation of problems. It provides a set of responders with default rules that define specific actions to take. No responders are natively offered to rotate Identity and Access Management (IAM) credentials, such as API keys, customer secret keys, and auth tokens.

In this post, we walk you through how to enable automatic rotation of OCI IAM credentials from Cloud Guard events.

Use cases

We recommend rotating your IAM credentials every 90 days. Rotating IAM credentials reduces the window of opportunity in which an access key associated with a compromised or terminated account can be used.

The following Cloud Guard problems apply to this solution:

  • API key is too old.
  • IAM auth token is too old.
  • IAM customer secret key is too old.
  • Password is too old.

Solution Overview

This solution uses OCI Functions, a serverless compute service, to read JSON data from OCI Events, rotate the IAM credential, and store the new credential in an OCI Vault secret.


Figure 1. Flow diagram for automatic rotation of IAM credentials

Figure 1 illustrates the cloud native, high-level process flow. Security operations (SecOps) teams review the problem and resolve it with comments, which triggers the automation.

When you mark a problem as resolved, you're telling Cloud Guard that it was in fact a problem, but that you've taken an action that handled it. If another instance of this same problem occurs, it's detected again.


Figure 2. Solution architecture

Figure 2 illustrates the deployment of the solution in an OCI region.

  1. The SecOps team reviews the problem in Cloud Guard and follows the change control process to initiate the remediation.
  2. An event is triggered as soon as the SecOps team resolves the problem with comments.
  3. The function is invoked and validates the problem information.
  4. OCI Functions processes the information to rotate the credentials.
  5. New credentials are stored in an OCI Vault secret.
  6. The SecOps team is notified.
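The validate-and-dispatch logic behind steps 3 to 5, as an added example that is not the tutorial's or the authors' code: the OCI IAM and Vault SDK calls are replaced by an in-memory stand-in so the flow runs offline, the Cloud Guard event type (only its prefix is checked) and the keys inside `additionalDetails` are assumptions, the per-user credential cap is a parameter rather than the real OCI limit, and the sample event is constructed. The point it adds to the step list is the ordering that matters for rotation: validate before acting, create the replacement before retiring the old values so there is no window without a valid credential, and write the new value to Vault as base64 content.

```python
import base64
import json
import secrets
from typing import Dict, List, NamedTuple

# Cloud Guard problem names listed in the post, mapped to the credential kind to rotate.
PROBLEM_TO_CREDENTIAL = {
    "API key is too old": "api_key",
    "IAM auth token is too old": "auth_token",
    "IAM customer secret key is too old": "customer_secret_key",
    "Password is too old": "password",
}

# ASSUMPTION: Cloud Guard event types share this prefix. The post does not give the
# exact type emitted for a resolved problem, so only the prefix is checked.
CLOUD_GUARD_EVENT_PREFIX = "com.oraclecloud.cloudguard."


class EventValidationError(ValueError):
    """The event must not trigger a rotation (wrong source, problem, or state)."""


class RotationRequest(NamedTuple):
    credential_kind: str
    user_ocid: str
    problem_id: str


def parse_problem_event(raw_event: str) -> RotationRequest:
    """Step 3: validate the event and pick the credential kind to rotate.
    eventType/data/resourceId/additionalDetails follow the OCI Events envelope;
    the keys inside additionalDetails (problemName, status, targetUserId) are ASSUMED."""
    event = json.loads(raw_event)
    event_type = event.get("eventType", "")
    if not event_type.startswith(CLOUD_GUARD_EVENT_PREFIX):
        raise EventValidationError(f"unexpected eventType {event_type!r}")
    data = event.get("data") or {}
    details = data.get("additionalDetails") or {}
    kind = PROBLEM_TO_CREDENTIAL.get(details.get("problemName"))
    if kind is None:
        raise EventValidationError("not a credential-age problem")
    if details.get("status") != "RESOLVED":
        raise EventValidationError("only resolved problems trigger rotation")
    user_ocid = details.get("targetUserId")
    if not user_ocid:
        raise EventValidationError("event names no target user")
    return RotationRequest(kind, user_ocid, data.get("resourceId", ""))


class InMemoryRotator:
    """Stand-in for the IAM and Vault SDK calls (steps 4 and 5) so the flow runs offline.
    max_per_kind models the cap on credentials of one kind per user (ASSUMED, not OCI's value)."""

    def __init__(self, max_per_kind: int = 2):
        self.users: Dict[str, Dict[str, List[str]]] = {}
        self.vault: Dict[str, str] = {}  # secret name -> base64-encoded secret content
        self.max_per_kind = max_per_kind

    def rotate(self, req: RotationRequest) -> str:
        current = self.users.setdefault(req.user_ocid, {}).setdefault(req.credential_kind, [])
        # At the cap: retire only the oldest value so a replacement can be created.
        while len(current) >= self.max_per_kind:
            current.pop(0)
        # Create the replacement BEFORE deleting the remaining old values, so whoever
        # reads the Vault secret never hits a window with no valid credential.
        new_value = secrets.token_urlsafe(32)
        current.append(new_value)
        secret_name = f"{req.user_ocid}/{req.credential_kind}"
        self.vault[secret_name] = base64.b64encode(new_value.encode()).decode()
        # Now retire every older value; only the newest credential stays active.
        del current[:-1]
        return secret_name

    def stored_value(self, secret_name: str) -> str:
        """What a consumer would read back from the Vault secret."""
        return base64.b64decode(self.vault[secret_name]).decode()


def handle(raw_event: str, rotator: InMemoryRotator) -> dict:
    # Function entry point: ignore non-qualifying events, otherwise rotate and report.
    try:
        req = parse_problem_event(raw_event)
    except EventValidationError as exc:
        return {"action": "ignored", "reason": str(exc)}
    secret_name = rotator.rotate(req)
    return {"action": "rotated", "credential": req.credential_kind, "secret": secret_name}


# Constructed sample event, not captured from a real tenancy; the eventType is ASSUMED.
SAMPLE_EVENT = json.dumps({
    "eventType": "com.oraclecloud.cloudguard.problemresolved",
    "cloudEventsVersion": "0.1",
    "data": {
        "resourceId": "ocid1.cloudguardproblem.oc1..EXAMPLE",
        "additionalDetails": {
            "problemName": "API key is too old",
            "status": "RESOLVED",
            "targetUserId": "ocid1.user.oc1..EXAMPLE",
        },
    },
})

if __name__ == "__main__":
    print(handle(SAMPLE_EVENT, InMemoryRotator()))
```

Events whose problem is not one of the four credential-age problems, whose status is not resolved, or whose type is not from Cloud Guard are reported as ignored rather than raising, so a misconfigured event rule cannot cause a rotation; swapping `InMemoryRotator` for a class that calls the IAM and Vault SDKs keeps the same ordering.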

For detailed steps about automatic rotation of IAM credentials from OCI Cloud Guard events, visit our tutorial on the Learning page.

About the OCI Services in this Solution

OCI Functions is a fully managed, multitenant, highly scalable, on-demand, functions-as-a-service platform. To learn more, see the OCI Functions documentation. The OCI Events service produces structured messages that indicate changes in resources. It follows the CloudEvents industry-standard format hosted by the Cloud Native Computing Foundation (CNCF). To learn more about OCI Events, see the OCI Events documentation.

Cloud Guard examines your OCI resources for security weaknesses related to configuration, and your operators and users for risky activities. To learn more, see the Cloud Guard documentation. OCI Notifications broadcasts messages to distributed components through a publish-subscribe pattern, delivering secure, highly reliable, low-latency, and durable messages for applications hosted on OCI and externally.

Conclusion

In this post, we demonstrated a powerful way to automatically rotate OCI IAM credentials from Cloud Guard problems to minimize the risk of compromised credentials.

For more details on Cloud Guard, see our blog posts, How Oracle is helping you maintain a strong security posture in the cloud and Discovering and fixing weak cloud security posture with Oracle Cloud Guard.

Also see the Automatic Secret Rotation feature in OCI Secret Management, which helps manage secret rotation. With Automatic Secret Rotation, you can enable auto rotation of secrets for connected Autonomous Database and Oracle Cloud Infrastructure Functions.

Dipesh Rathod

Master Principal Cloud Architect

Dipesh Rathod joined Oracle in 2022. He is a Master Principal Cloud Architect, Infrastructure, for the North America Cloud Engineering team at Oracle, where his focus spans OCI cloud infrastructure design and solution architecture.

He has worked extensively in managed cloud services and understands the ground realities of building and supporting a cloud infrastructure from the ground up.

Finally, Dipesh loves nature walks and making social connections.

Bhanu Prakash Lohumi

Senior Cloud Engineer

Bhanu Prakash Lohumi is a member of the North America Cloud Infrastructure DevSecOps team. He works on the DevOps front and provides solutions to customers for various automation requirements.
