Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Rotate User SMTP Credentials

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that SMTP credentials for IAM users are rotated every 90 days or less in order to decrease the likelihood of accidental exposures from code or logs and limit the time window for an attacker to exploit compromised credentials. Each OCI IAM user can have up to two SMTP credentials at a time.

Security

SMTP credentials are an Oracle-generated username and password pair that an OCI IAM user creates to authenticate and send emails through the OCI Email Delivery service. These credentials are used by applications and clients to establish a secure connection using the Simple Mail Transfer Protocol (SMTP). In Oracle Cloud Infrastructure (OCI), SMTP credentials don't have an expiration date, which makes manual rotation essential to mitigate the risk of accidental exposure and limit the window of time an attacker can exploit compromised credentials. Regular rotation is a critical security best practice to enforce least privilege and reduce the potential impact of a leak.

Audit

To determine if your IAM user SMTP credentials are rotated on a periodic basis (i.e., every 90 days or less), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the User management tab to list the IAM users created for your domain.

06 In the Users section, click on the name (link) of the IAM user that you want to examine.

07 Select SMTP credentials tab to access the SMTP credentials created for the selected IAM user.

08 In the SMTP credentials section, check the date available in the Created column to determine when each credential was created. If more than 90 days have passed since the credentials were created, the verified IAM user SMTP credentials are not rotated on a regular basis. If the IAM user SMTP credentials are older than 90 days, the credentials are considered outdated and need to be re-created.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account: 

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs): 

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam user list command (OSX/Linux/UNIX) to list the ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) compartment: 

oci iam user list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[].["name","id"]'
	--output 'table'

04 The command output should return a table with requested IAM user identifiers: 

+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+

05 Run iam smtp-credential list command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to list the IDs and the creation date/time for the SMTP credentials created for the specified user: 

oci iam smtp-credential list
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--output table
	--query 'data[].["id","time-created"]'

06 The command output should return the requested credential information: 

+------------------------------------------------------------------------------------+----------------------------------+
| Column1                                                                            | Column2                          |
+------------------------------------------------------------------------------------+----------------------------------+
| ocid1.credential.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 | 2025-12-12T19:17:27.933000+00:00 |
| ocid1.credential.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd | 2025-12-12T19:17:27.933000+00:00 |
+------------------------------------------------------------------------------------+----------------------------------+

Check the timestamp listed in the Column2 column for each entry to determine when the credential was created. If more than 90 days have passed since the credentials were created, the verified IAM user SMTP credentials are not rotated on a regular basis. If the IAM user SMTP credentials are older than 90 days, the credentials are considered outdated and need to be re-created.

Remediation / Resolution

To rotate (re-create) your outdated OCI IAM user SMTP credentials, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 Select the User management tab to list the IAM users created for your domain.

06 In the Users section, click on the name (link) of the IAM user that you want to configure.

07 Select SMTP credentials tab to access the SMTP credentials created for the selected IAM user.

08 In the SMTP credentials section, select Generate credentials, provide a description, and choose Generate credentials to create a new SMTP credential. Choose Close to close the setup panel. If the selected IAM user has two SMTP credentials, follow the instructions outlined in step no. 11 to remove the outdated credential first.

09 Update all your applications and systems to replace the outdated credentials with the new ones created in the previous step.

10 Test all your applications and systems to make sure that the new SMTP credentials are working as expected.

11 Once you are sure that your applications and systems are no longer using the original SMTP credentials, return to SMTP credentials section, select the outdated credentials, click on the Actions menu (three-dot icon), and choose Delete. In the confirmation box, choose Delete to remove the outdated credentials.

Using OCI CLI

01 Run iam smtp-credential create command (OSX/Linux/UNIX) to create new SMTP credentials for the selected IAM user. An IAM user can have up to two SMTP credentials at a time. If the selected IAM user has two SMTP credentials, follow the instructions outlined in step no. 5 to remove the outdated credentials first: 

oci iam smtp-credential create
	--description 'GB Project5 Email'
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

02 The command output should return the information available for the new credentials: 

{
	"data": {
		"description": "GB Project5 Email",
		"id": "ocid1.credential.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"password": "abcd1234abcd1234abcd",
		"time-created": "2025-12-02T14:09:18.316000+00:00",
		"time-expires": null,
		"user-id": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"username": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd@ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
	},
	"etag": "abcd1234abcd1234abcd1234abcd1abcd"
}

03 Update all your applications and systems to replace the outdated credentials with the new ones created in the previous step.

04 Test all your applications and systems to make sure that the new SMTP credentials are working as expected.

05 Once you are sure that your applications and systems are no longer using the original SMTP credentials, run iam smtp-credential delete command (OSX/Linux/UNIX) to delete the outdated credentials: 

oci iam smtp-credential delete
	--smtp-credential-id 'ocid1.credential.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'

06 Type Y (Yes) and press Enter to confirm the resource removal: 

Are you sure you want to delete this resource? [y/N]: Y

References

Publication date Dec 8, 2025

Related OCI-IAM rules