Control: 1.14 Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources

Description

OCI instances, OCI database and OCI functions can access other OCI resources either via an OCI API key associated to a user or via Instance Principal. Instance Principal authentication can be achieved by inclusion in a Dynamic Group that has an IAM policy granting it the required access or using an OCI IAM policy that has request.principal added to the where clause. Access to OCI Resources refers to making API calls to another OCI resource like Object Storage, OCI Vaults, etc.

Instance Principal reduces the risks related to hard-coded credentials. Hard-coded API keys can be shared and require rotation, which can open them up to being compromised. Compromised credentials could allow access to OCI services outside of the expected radius.

Remediation

OCI IAM without Identity Domains

From Console

1. Go to https://cloud.oracle.com/identity/dynamicgroups.
2. Select Dynamic Groups from Identity menu.
3. Click Create Dynamic Group.
4. Enter a Name.
5. Enter a Description.
6. Enter Matching Rules to that includes the instances accessing your OCI resources.
7. Click Create.

OCI IAM with Identity Domains

From Console (Dynamic Groups):

1. Go to https://cloud.oracle.com/identity/domains/.
2. Select a Compartment.
3. Click on the Domain.
4. Click on Dynamic groups.
5. Click Create Dynamic Group.
6. Enter a Name.
7. Enter a Description.
8. Enter Matching Rules to that includes the instances accessing your OCI resources.
9. Click Create.