
Configure Account Lock Threshold


Risk Level: Medium (should be achieved)
Rule ID: OCI-IAM-014

Ensure that an account lock threshold is configured in your OCI IAM password policy to deter online brute-force attacks. The threshold is the number of consecutive, unsuccessful login attempts after which a user account in the OCI Identity Domain is locked. A reasonable limit (e.g., 5 failures) protects accounts while keeping lockouts caused by ordinary typing mistakes rare. You can also specify a lockout duration (5 minutes to 24 hours) after which locked accounts unlock automatically.

Security

The account lock threshold dictates the maximum number of consecutive, unsuccessful login attempts permitted before a user's account is locked within the Identity Domain. Setting this threshold to 0 (zero) disables the lock mechanism: any number of failed login attempts can be made against an account without the system ever locking it, so an attacker can keep guessing passwords online for as long as they like. Pair the threshold with a lockout duration so that locked accounts unlock automatically; without an automatic unlock period, an attacker who deliberately trips the threshold can keep legitimate users locked out until an administrator intervenes.


Audit

To determine if account lock threshold is configured in your OCI IAM password policy, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the Domain policies tab to list the policies defined for your domain.

06 In the Password policy section, click on the name (link) of the IAM password policy that you want to examine.

07 Choose Actions from the top-right menu, select Edit password rules, choose Custom, and check the configuration value available in the Account lock threshold box to determine the number of consecutive, unsuccessful login attempts into the identity domain after which the user account is locked. If the value in the Account lock threshold box is 0 (zero), IAM user accounts are never locked; therefore, the IAM password policy configured for the selected Oracle Cloud Infrastructure (OCI) domain is not compliant.

08 Repeat steps no. 6 and 7 for each IAM password policy configured for the selected OCI domain.

Using OCI CLI

01 Run iam compartment list command (OSX/Linux/UNIX) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account, including the root compartment (the tenancy):

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam domain list command (OSX/Linux/UNIX) to list the OCI domains created for your Oracle Cloud Infrastructure (OCI) compartment:

oci iam domain list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data[].["display-name","url"]'

04 The command output should return the name and the endpoint of each OCI domain available in the selected compartment:

[
	[
		"Project5",
		"https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443"
	],
	[
		"Default",
		"https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443"
	]
]

05 Run identity-domains password-policies list command (OSX/Linux/UNIX) to list the ID of each IAM password policy created for the specified OCI domain:

oci identity-domains password-policies list
	--endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com'
	--query 'data."resources"[]."id"'

06 The command output should return the requested IAM password policy ID(s):

[
	"PasswordPolicy"
]

07 Run identity-domains password-policy get command (OSX/Linux/UNIX) with the ID of the IAM password policy that you want to examine as the --password-policy-id parameter value, to describe the max-incorrect-attempts property. This property holds the number of consecutive, unsuccessful login attempts into the identity domain after which the user account is locked:

oci identity-domains password-policy get
	--password-policy-id 'PasswordPolicy'
	--endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com'
	--query 'data.{"max-incorrect-attempts":"max-incorrect-attempts"}'

08 The command output should return the requested parameter value:

{
	"max-incorrect-attempts": null
}

If the identity-domains password-policy get command output returns 0 (zero) or null for the "max-incorrect-attempts" property, as shown in the example above, IAM user accounts are never locked after repeated login failures. As a result, the IAM password policy configured for your Oracle Cloud Infrastructure (OCI) domain is not compliant.
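The eight CLI steps above can be scripted so that every password policy in every identity domain of the tenancy is evaluated in one pass. The following is an added example, not code from the original page or from Trend Micro: it shells out to the same oci commands shown above (so the live walk needs an installed, authenticated OCI CLI), while evaluate_policy itself works offline on the "data" object of a password-policy get response. The sample policy documents at the bottom are constructed, and the lockout-duration observation is an extra check beyond what the rule itself requires.

```python
"""Audit OCI IAM password policies for a disabled account-lock threshold.

Added example (not code from the original page or from Trend Micro). It drives
the same ``oci`` CLI commands as the Audit steps above; the live walk needs an
installed, authenticated OCI CLI, while ``evaluate_policy`` runs offline.
"""
import json
import subprocess
from typing import Any, Dict, List

# OCI-IAM-014: a threshold of 0 or null means the account lock never triggers.
MIN_ACCEPTABLE_THRESHOLD = 1


def run_oci(*args: str) -> Any:
    """Run one OCI CLI command and return its parsed JSON output (None if empty)."""
    proc = subprocess.run(["oci", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def evaluate_policy(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Classify the ``data`` object of a ``password-policy get`` response."""
    threshold = policy.get("max-incorrect-attempts")
    lockout = policy.get("lockout-duration")
    finding = {
        "id": policy.get("id"),
        "max-incorrect-attempts": threshold,
        "lockout-duration": lockout,
        "compliant": False,
        "reason": "",
    }
    if (not isinstance(threshold, int) or isinstance(threshold, bool)
            or threshold < MIN_ACCEPTABLE_THRESHOLD):
        finding["reason"] = (f"max-incorrect-attempts is {threshold!r}: "
                             "accounts are never locked after failed logins")
        return finding
    finding["compliant"] = True
    finding["reason"] = f"account locks after {threshold} consecutive failures"
    if not lockout:
        # Not a violation of this rule, but worth surfacing: without an auto-unlock
        # window an attacker who trips the threshold on purpose keeps the user
        # locked out until an administrator unlocks the account.
        finding["reason"] += "; no lockout-duration set, locked accounts do not auto-unlock"
    return finding


def audit_tenancy() -> List[Dict[str, Any]]:
    """Walk compartment -> identity domain -> password policy, as in steps 01-08."""
    findings: List[Dict[str, Any]] = []
    compartments = run_oci("iam", "compartment", "list", "--all", "--include-root",
                           "--query", "data[].id") or []
    for compartment_id in compartments:
        domains = run_oci("iam", "domain", "list", "--compartment-id", compartment_id,
                          "--query", 'data[].["display-name","url"]') or []
        for domain_name, endpoint in domains:
            policy_ids = run_oci("identity-domains", "password-policies", "list",
                                 "--endpoint", endpoint,
                                 "--query", "data.resources[].id") or []
            for policy_id in policy_ids:
                response = run_oci("identity-domains", "password-policy", "get",
                                   "--password-policy-id", policy_id,
                                   "--endpoint", endpoint)
                finding = evaluate_policy(response["data"])
                finding.update({"compartment": compartment_id, "domain": domain_name})
                findings.append(finding)
    return findings


# Constructed samples mirroring the `get` output shape above (not real tenancy data).
SAMPLE_NONCOMPLIANT = {"id": "PasswordPolicy", "max-incorrect-attempts": None,
                       "lockout-duration": None}
SAMPLE_COMPLIANT = {"id": "PasswordPolicy", "max-incorrect-attempts": 5,
                    "lockout-duration": 30}

if __name__ == "__main__":
    for sample in (SAMPLE_NONCOMPLIANT, SAMPLE_COMPLIANT):
        print(json.dumps(evaluate_policy(sample)))
    # Uncomment for a live audit (requires OCI CLI credentials):
    # for f in audit_tenancy(): print(json.dumps(f))
```

Run it as-is to see the two constructed samples classified; uncomment the last line for a live audit. Each finding carries the compartment, domain and policy ID so a non-compliant result maps directly onto the remediation steps below.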

Remediation / Resolution

To ensure that account lock threshold is configured within your OCI IAM password policy, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 Select the Domain policies tab to list the policies defined for your domain.

06 In the Password policy section, click on the name (link) of the IAM password policy that you want to configure.

07 Choose Actions from the top-right menu and select Edit password rules.

08 On the Edit password rules configuration panel, choose Custom, and ensure that the value inside the Account lock threshold is a positive number (e.g., 5). Setting a reasonable threshold, such as 5 failed attempts, balances security and user convenience, protecting accounts without causing frequent lockouts. Choose Save changes to apply the configuration changes.

09 (Optional) To force all IAM users to set a new password at the next sign in, select the Force all users to set a new password at next sign in checkbox, and choose Save changes.

10 Repeat steps no. 6 - 9 for each IAM password policy configured for the selected OCI domain.

Using OCI CLI

01 Run identity-domains password-policy put command (OSX/Linux/UNIX) to configure the account lock threshold for your OCI IAM user passwords by setting the --max-incorrect-attempts parameter to a positive value (e.g., 5). The --max-incorrect-attempts parameter value represents the maximum number of consecutive failed logins before an account is locked. Note that put replaces the whole password policy resource rather than patching it (the CLI warns about this in the next step), so attributes you do not pass again are not preserved: record the current policy with the password-policy get command from the Audit section first and pass every attribute you want to keep. The other values in the example below (priority, password length bounds, expiry) are placeholders rather than recommendations; substitute your policy's current values. To have locked accounts unlock automatically after a period, also set the --lockout-duration parameter:

oci identity-domains password-policy put
	--name 'project5-domain-password-policy'
	--password-policy-id 'PasswordPolicy'
	--endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com'
	--schemas '["urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"]'
	--priority 3
	--min-length 6
	--max-length 12
	--password-expires-after 365
	--max-incorrect-attempts 5

02 Type Y and press Enter for confirmation:

WARNING: Updates to schemas and meta and idcs-created-by and idcs-last-modified-by and idcs-prevented-operations and tags and disallowed-user-attribute-values and disallowed-substrings and groups and configured-password-policy-rules will replace any existing values. Are you sure you want to continue? [y/N]: Y

03 The command output should return the configuration information available for the modified IAM user password policy:

{
	"data": {
		"allowed-chars": null,
		"compartment-ocid": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"configured-password-policy-rules": null,
		"delete-in-progress": null,
		"description": null,
		"dictionary-delimiter": null,
		"dictionary-location": null,
		"dictionary-word-disallowed": null,
		"disallowed-chars": null,
		"disallowed-substrings": null,
		"disallowed-user-attribute-values": null,
		"distinct-characters": null,
		"domain-ocid": "ocid1.domain.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"groups": null,
		"id": "PasswordPolicy",

		...

		"last-name-disallowed": null,
		"lockout-duration": null,
		"max-length": 12,
		"password-expires-after": 365,
		"max-incorrect-attempts": 5,
		"priority": 3,
		"required-chars": null,
		"schemas": [
			"urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"
		],
		"tenancy-ocid": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"user-name-disallowed": null
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234",
	"opc-total-items": "-1"
}
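Because put is a full replacement, a safe remediation reads the current policy, re-emits the attributes it already has and adds the new threshold. The helper below is an added example, not code from the original page or from Trend Micro. It builds the argv for the put command from the "data" object of a password-policy get response, refuses a threshold that would disable the lock, and adds an auto-unlock window. The mapping from get output keys to put options, the unit of --lockout-duration (assumed to be minutes) and the use of --force to suppress the confirmation prompt shown in step 02 are assumptions to check against oci identity-domains password-policy put --help; the sample policy is constructed.

```python
"""Raise the account-lock threshold with ``password-policy put`` without losing
the rest of the policy.

Added example (not code from the original page or from Trend Micro). ``put``
replaces the whole PasswordPolicy resource, so attributes you do not pass again
are not kept. This helper reads the current policy (the ``data`` object of
``password-policy get``), re-emits the common scalar attributes and adds the
new threshold plus an auto-unlock window. The attribute-to-option mapping, the
lockout unit and ``--force`` are assumptions; verify against the CLI help.
"""
import json
import shlex
import subprocess
from typing import Any, Dict, List, Optional

SCIM_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"

# `get` output key -> `put` option (assumed; verify with `password-policy put --help`).
PRESERVED = {
    "name": "--name",
    "description": "--description",
    "priority": "--priority",
    "min-length": "--min-length",
    "max-length": "--max-length",
    "min-alphas": "--min-alphas",
    "min-numerals": "--min-numerals",
    "min-special-chars": "--min-special-chars",
    "num-passwords-in-history": "--num-passwords-in-history",
    "password-expires-after": "--password-expires-after",
}


def build_put_command(current: Dict[str, Any], endpoint: str, threshold: int = 5,
                      lockout_minutes: Optional[int] = 30) -> List[str]:
    """Return the argv for a ``put`` that keeps existing values and sets the lock threshold."""
    if threshold < 1:
        raise ValueError("threshold must be >= 1; 0 disables the account lock (OCI-IAM-014)")
    argv = ["oci", "identity-domains", "password-policy", "put",
            "--password-policy-id", str(current["id"]),
            "--endpoint", endpoint,
            "--schemas", json.dumps([SCIM_SCHEMA])]
    for key, option in PRESERVED.items():
        value = current.get(key)
        if value is not None:          # null attributes stay unset
            argv += [option, str(value)]
    argv += ["--max-incorrect-attempts", str(threshold)]
    if lockout_minutes is not None:    # auto-unlock window (minutes, assumed)
        argv += ["--lockout-duration", str(lockout_minutes)]
    argv.append("--force")             # assumed: skips the "replace existing values?" prompt
    return argv


def remediate(endpoint: str, policy_id: str, threshold: int = 5,
              lockout_minutes: Optional[int] = 30) -> Dict[str, Any]:
    """Fetch the live policy, rebuild it with the new threshold and apply it."""
    current = json.loads(subprocess.run(
        ["oci", "identity-domains", "password-policy", "get",
         "--password-policy-id", policy_id, "--endpoint", endpoint],
        check=True, capture_output=True, text=True).stdout)["data"]
    argv = build_put_command(current, endpoint, threshold, lockout_minutes)
    return json.loads(subprocess.run(argv, check=True, capture_output=True, text=True).stdout)


# Constructed sample in the shape of the `get` output above (not real tenancy data).
SAMPLE_CURRENT = {
    "id": "PasswordPolicy",
    "name": "project5-domain-password-policy",
    "description": None,
    "priority": 3,
    "min-length": 12,
    "max-length": 64,
    "password-expires-after": 365,
    "max-incorrect-attempts": None,
    "lockout-duration": None,
}

if __name__ == "__main__":
    # Print the command instead of running it, so the script is safe to try offline.
    print(shlex.join(build_put_command(
        SAMPLE_CURRENT, "https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com")))
```

Running the script prints the fully assembled put command for the constructed sample; review it, then call remediate() with a real endpoint and policy ID to apply it. Re-run the get command from the Audit section afterwards to confirm that "max-incorrect-attempts" now shows the new value.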

Publication date Dec 8, 2025