Learn About Enabling Credential Expiry Notification for OCI

It is challenging for a Security Operations (SecOps) team to track IAM secrets and ensure that they are rotated on time. This automation solution improves security by sending early expiry notifications for Oracle Cloud Infrastructure (OCI) credentials.

OCI Identity and Access Management secrets are credentials like API keys, database and cloud credentials, certificates, SSH keys, or authentication tokens that are stored, accessed, and distributed.

Community best practice recommends rotating secrets regularly. The more data you encrypt with one key, the more data is exposed if that key is compromised, and the longer you use a key, the more likely it is to be leaked by some means. Rotating keys compartmentalizes the data and limits the impact of a leaked key. Early notification of upcoming expiry is therefore key for both the user and the SecOps team.

Rotating OCI Identity and Access Management credentials reduces the window of opportunity for an access key associated with a compromised or terminated account to be used. Oracle Cloud Guard is a cloud native service to monitor the security posture and trigger events on expiry of OCI Identity and Access Management secrets. We recommend rotating IAM credentials every 90 days.

Architecture

With advance notification, users can rotate their secrets and update their application workloads before the credentials expire. This OCI architecture uses OCI Functions, a serverless compute service, to read JSON data from the OCI Identity and Access Management service.

The following diagram illustrates the workflow for sending reports to the SecOps team and early email notification to users.

[Figure: credential-expiry-notif-workflow.png, the credential expiry notification workflow]

The workflow has two sections: The SecOps team and Automation. After the SecOps team completes the configuration, the OCI Functions and OCI Resource Scheduler services handle the Automation.

  1. The SecOps team starts the workflow by configuring the thresholds, exempted users, and other parameters for OCI Functions. After the SecOps team configures the parameters for OCI Functions, the workflow occurs entirely in Automation.
  2. The OCI Scheduler sends data to OCI Functions.
  3. OCI Functions validates expiry by polling each API Key, Auth Code, and Customer secret key and determining whether its age exceeds the configured threshold.
  4. The Exceed Threshold decision determines whether the finding is a warning, critical, or expired and passes it to the next decision, which determines the report required.
  5. The Opt-in weekly/monthly report decision determines the reporting.
    • Yes: If the configuration opts in for a weekly or monthly report, then an email report is automatically sent to the SecOps team, which ends the workflow.
    • No: If the configuration doesn't include a weekly or monthly report, then the automation determines if the user is exempted.
  6. The User Exempted decision determines the automation:
    • Yes: If the user is exempted, then automation sends an email report to the user. The workflow is ended.
    • No: If the user is not exempted, then automation deletes the expired secrets and sends an email report to the user. The workflow is ended.
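The decision logic in steps 3 to 6 can be expressed as a small, testable evaluation engine. The following Python is an added example and not code from the Oracle solution: it runs offline on a constructed credential inventory, uses assumed threshold values (the real function reads thresholds, the exempted-user list and the report opt-in from its configuration parameters), and goes slightly beyond the diagram by producing both the consolidated SecOps report and the per-user notifications in one pass, so the effect of the exempted list on deletion is visible side by side.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed thresholds in days since the credential was created; the real
# function takes these from its configuration. 90 days matches the rotation
# interval recommended above.
DEFAULT_THRESHOLDS = {"warning": 60, "critical": 80, "expired": 90}


@dataclass(frozen=True)
class Credential:
    user: str           # user name
    domain: str         # identity domain the user belongs to
    kind: str           # "api_key", "auth_token" or "customer_secret_key"
    credential_id: str  # constructed identifier, not a real OCID
    created: datetime   # UTC creation time as reported by IAM


@dataclass(frozen=True)
class Finding:
    credential: Credential
    age_days: int
    severity: str       # "warning", "critical" or "expired"
    action: str         # "notify" or "delete"


def classify(age_days: int, thresholds: Dict[str, int]) -> Optional[str]:
    """Exceed Threshold decision: map credential age to a severity, or None if under warning."""
    for severity in ("expired", "critical", "warning"):
        if age_days >= thresholds[severity]:
            return severity
    return None


def evaluate(credentials, exempted_users: Set[str], thresholds: Dict[str, int],
             now: datetime) -> List[Finding]:
    """Validate every credential and decide the action.

    Expired secrets are deleted unless the owner is on the exempted list;
    warning and critical findings only trigger a notification.
    """
    findings = []
    for cred in credentials:
        age = (now - cred.created).days
        severity = classify(age, thresholds)
        if severity is None:
            continue
        exempted = cred.user in exempted_users
        action = "delete" if severity == "expired" and not exempted else "notify"
        findings.append(Finding(cred, age, severity, action))
    return findings


def user_messages(findings: List[Finding]) -> Dict[str, List[str]]:
    """Build one message per user that covers all identity domains in the tenancy."""
    messages: Dict[str, List[str]] = {}
    for f in sorted(findings, key=lambda x: (x.credential.user, x.credential.domain)):
        c = f.credential
        line = (f"[{f.severity.upper()}] {c.kind} {c.credential_id} in domain "
                f"{c.domain} is {f.age_days} days old")
        if f.action == "delete":
            line += " and has been deleted"
        messages.setdefault(c.user, []).append(line)
    return messages


def secops_report(findings: List[Finding], report_cadence: str) -> Optional[Dict[str, int]]:
    """Opt-in weekly/monthly report decision: consolidated counts, or None if not opted in."""
    if report_cadence not in ("weekly", "monthly"):
        return None
    counts = {"warning": 0, "critical": 0, "expired": 0, "deleted": 0}
    for f in findings:
        counts[f.severity] += 1
        if f.action == "delete":
            counts["deleted"] += 1
    return counts


# Constructed sample inventory evaluated at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
UTC = timezone.utc
SAMPLE_CREDENTIALS = [
    Credential("alice", "Default", "api_key", "apikey-01", datetime(2024, 4, 1, tzinfo=UTC)),             # 61 days: warning
    Credential("alice", "Dev", "auth_token", "token-02", datetime(2024, 2, 1, tzinfo=UTC)),               # 121 days: expired, deleted
    Credential("bob", "Default", "customer_secret_key", "csk-03", datetime(2024, 3, 10, tzinfo=UTC)),     # 83 days: critical
    Credential("svc-backup", "Default", "api_key", "apikey-04", datetime(2024, 1, 1, tzinfo=UTC)),        # 152 days: expired, exempted
    Credential("carol", "Default", "api_key", "apikey-05", datetime(2024, 5, 20, tzinfo=UTC)),            # 12 days: no finding
]
EXEMPTED_USERS = {"svc-backup"}   # constructed exempted list

if __name__ == "__main__":
    found = evaluate(SAMPLE_CREDENTIALS, EXEMPTED_USERS, DEFAULT_THRESHOLDS, NOW)
    for user, lines in user_messages(found).items():
        print(f"To {user}:\n  " + "\n  ".join(lines))
    print("SecOps report:", secops_report(found, "weekly"))
```

In a real deployment the inventory comes from the IAM API and `user_messages` feeds the Email Delivery service; the decision functions above stay the same, which is what makes them worth unit testing against an inventory like the constructed one.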

This architecture supports the following components:

  • Identity and Access Management (IAM)

    Oracle Cloud Infrastructure Identity and Access Management (IAM) is the access control plane for Oracle Cloud Infrastructure (OCI) and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within the identity domain. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.

  • OCI Resource Scheduler

    Oracle Cloud Infrastructure Resource Scheduler service is integrated with OCI Identity and Access Management service, providing easy authentication with native OCI identity functionality. OCI Resource Scheduler acts on resources in a tenancy or group of managed tenancies on a scheduled basis at the root compartment level.

    The service enables you to create and manage schedules that perform actions on a collection of database and compute OCI resources in your tenancy so that their lifecycle and operating times are managed.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for certain risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Monitoring

    Oracle Cloud Infrastructure Monitoring service actively and passively monitors your cloud resources, using metrics to track resource health and alarms to notify you when those metrics meet alarm-specified triggers.

  • Functions

    Oracle Cloud Infrastructure Functions is a fully managed, multitenant, highly scalable, on-demand, Functions-as-a-Service (FaaS) platform. It is powered by the Fn Project open source engine. OCI Functions enables you to deploy your code, and either call it directly or trigger it in response to events. OCI Functions uses Docker containers hosted in Oracle Cloud Infrastructure Registry.

  • Email Delivery

    Oracle Cloud Infrastructure Email Delivery is a highly scalable, cost effective, and reliable email delivery service for sending high-volume, application-generated emails for mission-critical marketing, notification, and transactional communications such as receipts, fraud detection alerts, multifactor identity verification, and password resets.

About Required Services and Roles

This solution requires the following Oracle Cloud Infrastructure (OCI) services and roles:

  • OCI Vault
  • OCI Functions
  • OCI Resource Scheduler
  • OCI Identity and Access Management
  • OCI Monitoring
  • Oracle Cloud Guard

These are the roles needed for each service.

Service Name | Role | Required to ...
OCI Vault | Secret | Manage permission.
OCI Functions | Functions developer with an OCI user account that belongs to groups to which appropriate policies grant access to function-related resources | Create and deploy OCI Functions.
OCI Resource Scheduler | Schedule | Create and manage schedules.
OCI Identity and Access Management | Policies | Create required policies.

See Oracle Products, Solutions, and Services to get what you need.

Considerations for Security

When designing this solution, consider the following security requirements:

Recommended

  1. Send the user a single email for all identity domains in the tenancy after exceeding the threshold for each severity (warning, critical, or expiry).
  2. Send a consolidated report to SecOps, per the configured parameter. For example, weekly or monthly.

Required

  1. Automation must delete the secret after expiry unless the user added it to the exempted list.
  2. Send a consolidated report to SecOps for each configured parameter. For example, weekly or monthly.
  3. Store the SMTP (Simple Mail Transfer Protocol) password in Oracle Cloud Infrastructure Vault.
  4. Accept configuration parameters so that changes do not require redeployment of the automation solution.