- IAM Password Policy Enforces Password Expiration
Ensure that your Identity and Access Management (IAM) users are utilizing a strong password policy that enforces password expiration with a defined threshold of 365 days or less.
Enforcing IAM user password strength, pattern, and rotation is vital to maintaining the security of your Oracle Cloud Infrastructure (OCI) account. Having a strong password policy in use will significantly reduce the risk of password-guessing methods and brute-force attacks.
Audit
To determine if your OCI IAM user password policy enforces compliant password expiration, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to examine, listed in the Name column.
05 Select the Domain policies tab to list the policies defined for your domain.
06 In the Password policy section, click on the name (link) of the IAM password policy that you want to examine.
07 Select the Password rules tab and check the Expires after (days) attribute value to determine the password expiration date (in days) configured for your password policy. If the number of days set for the Expires after (days) configuration attribute is greater than 365, the IAM user password policy configured for your Oracle Cloud Infrastructure (OCI) domain is not compliant.
08 Repeat steps no. 6 and 7 for each IAM password policy configured for the selected OCI domain.
Using OCI CLI
01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
02 The command output should return the requested OCI compartment identifiers (OCIDs):
[ "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd", "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd" ]
03 Run iam domain list command (OSX/Linux/UNIX) to list the OCI domains created for your Oracle Cloud Infrastructure (OCI) compartment:
oci iam domain list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data[].["display-name","url"]'
04 The command output should return the name and the endpoint of each OCI domain available in the selected compartment:
[ [ "Project5", "https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443" ], [ "Default", "https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443" ] ]
05 Run identity-domains password-policies list command (OSX/Linux/UNIX) with the endpoint of the domain that you want to examine, to list the ID of each IAM password policy configured for that Oracle Cloud Infrastructure (OCI) domain:
oci identity-domains password-policies list --endpoint https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com --query 'data."resources"[]."id"'
06 The command output should return the requested IAM password policy identifiers:
[ "abcd1234abcd1234abcd1234abcd1234", "1234abcd1234abcd1234abcd1234abcd" ]
07 Run identity-domains password-policy get command (OSX/Linux/UNIX) with the ID of the IAM password policy that you want to examine as the identifier parameter, to describe the password expiration (in days) configured for the selected policy:
oci identity-domains password-policy get --password-policy-id 'abcd1234abcd1234abcd1234abcd1234' --endpoint https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com --query 'data."password-expires-after"'
08 The command output should return the requested password expiration value:
500
If the number returned by the identity-domains password-policy get command output is greater than 365, as shown in the example above, the IAM user password policy configured for the selected Oracle Cloud Infrastructure (OCI) domain is not compliant.
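The CLI audit steps above, automated as one script. This is an added example, not code from the original page; it assumes an installed and configured OCI CLI, uses the JMESPath join() function so each listing comes back as space-separated raw text the loops can walk without a JSON parser, and additionally treats a null (never-expiring) value as non-compliant, a case the manual steps do not cover.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): audit every identity domain in a
# tenancy for IAM password policies whose "Expires after (days)" exceeds 365.
# Assumes a configured OCI CLI; commands and fields are those used on the page.
set -u

MAX_EXPIRY_DAYS=365

# Classify a single password-expires-after value. Prints a verdict and returns
# 0 for compliant, 1 otherwise. A null/empty value means passwords never
# expire, which fails the check as well.
check_expiry() {
  value="$1"
  case "$value" in
    ''|null) echo "NON-COMPLIANT (passwords never expire)"; return 1 ;;
    *[!0-9]*) echo "NON-COMPLIANT (unexpected value: $value)"; return 1 ;;
  esac
  if [ "$value" -gt "$MAX_EXPIRY_DAYS" ]; then
    echo "NON-COMPLIANT ($value days > $MAX_EXPIRY_DAYS)"; return 1
  fi
  echo "COMPLIANT ($value days)"
}

# Walk compartments -> domains -> password policies, as the manual steps do,
# and count the policies that fail. Returns 0 only when every policy passes.
audit_tenancy() {
  failures=0
  for cid in $(oci iam compartment list --all --include-root \
                 --query "join(' ', data[].id)" --raw-output); do
    for url in $(oci iam domain list --compartment-id "$cid" \
                   --query "join(' ', data[].url)" --raw-output); do
      endpoint="${url%:443}"   # the page's commands use the endpoint without the port
      for pid in $(oci identity-domains password-policies list --endpoint "$endpoint" \
                     --query "join(' ', data.resources[].id)" --raw-output); do
        days=$(oci identity-domains password-policy get --password-policy-id "$pid" \
                 --endpoint "$endpoint" --query 'data."password-expires-after"' --raw-output)
        verdict=$(check_expiry "$days") || failures=$((failures + 1))
        echo "$endpoint policy $pid: $verdict"
      done
    done
  done
  echo "$failures non-compliant password policies found"
  [ "$failures" -eq 0 ]
}

# Only run the live audit when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_tenancy
fi
```

Run it as `./audit-password-expiry.sh --run` against a configured CLI profile; the exit status is non-zero when any policy fails, which makes it usable from CI.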
Remediation / Resolution
To enforce password expiration with a threshold of 365 days or less for your OCI IAM user passwords, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to access, listed in the Name column.
05 Select the Domain policies tab to list the policies defined for your domain.
06 In the Password policy section, click on the name (link) of the IAM password policy that you want to configure.
07 Choose Actions from the top-right menu, and select Edit password rules.
08 On the Edit password rules configuration panel, choose Custom, and ensure that the value inside the Expires after (days) box is 365 or less. Choose Save changes to apply the configuration changes.
09 (Optional) To force all IAM users to set a new password at the next sign in, select the Force all users to set a new password at next sign in checkbox, and choose Save changes.
10 Repeat steps no. 6 - 9 for each IAM password policy configured for the selected OCI domain.
Using OCI CLI
01 Run identity-domains password-policy put command (OSX/Linux/UNIX) to set the password expiration for your OCI IAM user passwords to 365 days (note that put replaces the existing policy attributes, so pass every rule you want to keep):
oci identity-domains password-policy put --name 'project5-domain-password-policy' --password-policy-id 'abcd1234abcd1234abcd1234abcd1234' --endpoint https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com --schemas '["urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"]' --priority 3 --min-length 6 --max-length 12 --password-expires-after 365
02 Type Y and press Enter for confirmation:
WARNING: Updates to schemas and meta and idcs-created-by and idcs-last-modified-by and idcs-prevented-operations and tags and disallowed-user-attribute-values and disallowed-substrings and groups and configured-password-policy-rules will replace any existing values. Are you sure you want to continue? [y/N]: Y
03 The command output should return the configuration information available for the modified IAM user password policy:
{
  "data": {
    "allowed-chars": null,
    "compartment-ocid": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    "configured-password-policy-rules": null,
    "delete-in-progress": null,
    "description": null,
    "dictionary-delimiter": null,
    "dictionary-location": null,
    "dictionary-word-disallowed": null,
    "disallowed-chars": null,
    "disallowed-substrings": null,
    "disallowed-user-attribute-values": null,
    "distinct-characters": null,
    "domain-ocid": "ocid1.domain.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    "groups": null,
    "id": "abcd1234abcd1234abcd1234abcd1234",
    ...
    "last-name-disallowed": null,
    "lockout-duration": null,
    "max-incorrect-attempts": null,
    "max-length": 12,
    "password-expires-after": 365,
    "priority": 3,
    "required-chars": null,
    "schemas": [
      "urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"
    ],
    "starts-with-alphabet": null,
    "tags": null,
    "tenancy-ocid": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    "user-name-disallowed": null
  },
  "etag": "abcd1234abcd1234abcd1234abcd1234",
  "opc-total-items": "-1"
}
References
- Oracle Cloud Infrastructure Documentation
- Managing Password Policies
- Modifying the Custom Password Policy
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- domain list
- password-policies list
- password-policy get
- password-policy put