- Unused IAM Users
Ensure that OCI IAM local users that have not signed in for 45 days or more are identified and deactivated, to reduce the likelihood of accidental credential exposure and protect your Oracle Cloud Infrastructure (OCI) environment against unauthorized access. This rule evaluates the user's last successful login, not the age of the password itself.
Deactivating unused OCI IAM local users reduces the window of opportunity in which the credentials of a compromised or abandoned account can be used.
This rule should exclude break-glass OCI administrator accounts and service accounts: these are held in reserve or used only through API signing keys, so they can legitimately show no sign-in for 45 days or longer. The last successful login time reported by the console and by the iam user get command reflects interactive (console) sign-in, so a user that authenticates only with API signing keys can appear unused while its credentials are in daily use. Check for such credentials before deactivating a user.
Audit
To determine if your OCI IAM local users have unused IAM credentials (unused for 45 days or more), perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, select an OCI compartment from the Compartment dropdown menu, and choose Domains to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to examine, listed in the Name column.
05 Select the User management tab to list the IAM users created for the selected domain.
06 In the Users section, click inside the Search and Filter box, select Status, choose Active, and select Apply filter to list only the active IAM local users available for the specified domain.
07 Select the IAM user that you want to examine and check the date in the Last access column to determine the last successful login date for the selected user. If the last successful login was more than 45 days ago or the Last access column is empty, the selected Oracle Cloud Infrastructure (OCI) IAM user is considered unused and can be safely decommissioned.
08 Repeat step no. 7 for each IAM local user created for the selected OCI domain.
09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.
10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.
Using OCI CLI
01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
02 The command output should return the requested OCI compartment identifiers (OCIDs):
[
  "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
  "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]
03 Run iam user list command (OSX/Linux/UNIX) to list the name and ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) compartment. For --compartment-id, use the OCID returned in the previous step (the tenancy OCID is the root compartment):
oci iam user list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[].["name","id"]' --output 'table'
04 The command output should return a table with requested IAM user identifiers:
+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+
05 Run iam user get command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to describe the last successful login date for the selected IAM user:
oci iam user get --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data."last-successful-login-time"'
06 The command output should return the requested login date:
"2024-12-03T02:00:42.962000+00:00"
Check the date (timestamp) returned by the iam user get command output to determine the last successful login date for the selected user. If the last successful login was more than 45 days ago, the selected Oracle Cloud Infrastructure (OCI) IAM user is considered unused and can be safely decommissioned. If the iam user get command returns the message Query returned empty result, no output to show, the last-successful-login-time attribute is null: the selected IAM user has never logged in using a password, therefore the user is considered unused and can be deactivated, unless it is an excluded service account that authenticates with API signing keys only.
07 Repeat steps no. 5 and 6 for each IAM local user created for your OCI compartment.
08 Repeat steps no. 3 – 7 for each compartment available within your OCI account.
Remediation / Resolution
To deactivate OCI IAM local users with unused IAM credentials (unused for 45 days or more), perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, select an OCI compartment from the Compartment dropdown menu, and choose Domains to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to access, listed in the Name column.
05 Select the User management tab to list the IAM users created for the selected domain.
06 In the Users section, click inside the Search and Filter box, select Status, choose Active, and select Apply filter to list only the active IAM local users available for the specified domain.
07 Select the unused IAM local user that you want to decommission, choose Actions, and select Deactivate. In the confirmation box, choose again Deactivate to confirm your action.
08 Repeat step no. 7 for each unused IAM local user created for the selected OCI domain.
09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.
10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.
Using OCI CLI
01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
02 The command output should return the requested OCI compartment identifiers (OCIDs):
[
  "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
  "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]
03 Run iam domain list command (OSX/Linux/UNIX) to list the OCI domains created for your Oracle Cloud Infrastructure (OCI) compartment:
oci iam domain list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data[].["display-name","url"]'
04 The command output should return the name and the endpoint of each OCI domain available in the selected compartment:
[
  [
    "Default",
    "https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443"
  ]
]
05 Run iam user list command (OSX/Linux/UNIX) to list the name and ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) compartment. For --compartment-id, use the OCID returned in step no. 2 (the tenancy OCID is the root compartment):
oci iam user list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --all --query 'data[].["name","id"]' --output 'table'
06 The command output should return a table with requested IAM user identifiers:
+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+
07 Define the configuration file that will deactivate the unused IAM local user (e.g., cc-user-config.json). For "userId", specify the OCID of the IAM user that you want to decommission, returned in step no. 6:
{
  "operations": [
    {
      "op": "replace",
      "path": "active",
      "value": false
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "userId": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}
08 Run identity-domains user patch command (OSX/Linux/UNIX) to deactivate the unused OCI IAM local user specified in the configuration file defined in the previous step. For --endpoint, specify the URL of the OCI identity domain that the unused IAM user belongs to, returned in step no. 4:
oci identity-domains user patch --endpoint 'https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443' --from-json file://cc-user-config.json --query 'data.active'
09 The command output should return the IAM user lifecycle state (true for active, false for inactive):
false
10 Repeat steps no. 7 - 9 for each unused IAM local user created for the selected OCI domain.
11 Repeat steps no. 3 – 10 for each compartment available within your OCI account.
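The audit loop above (one iam user get per user) and the per-user patch file in the remediation can be folded into a single script. The following Python is an added example written for this page, not Oracle's code or output of the OCI CLI: it reads the JSON that oci iam user list --compartment-id '<tenancy-ocid>' --all prints (the user objects already carry last-successful-login-time, so no per-user get is needed), applies the 45-day cutoff, treats a null last login as "never logged in", skips names given in an exclusion list (the break-glass administrators and API-key-only service accounts the rule exempts), and emits the SCIM PatchOp body for each flagged user, ready for oci identity-domains user patch --from-json. The sample user list embedded in the script is constructed and its OCIDs are fake; the field names match the CLI output, while the user and exclusion names are assumptions.

```python
"""Flag OCI IAM local users that have not signed in for MAX_IDLE_DAYS days (or
never), and build the SCIM PatchOp body that deactivates each of them.

Reads the JSON printed by:
    oci iam user list --compartment-id '<tenancy-ocid>' --all
Added example for this page; the sample below is constructed, not real output.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 45

# Reference "now" used by the self-test; a live run uses the current UTC time.
SAMPLE_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)

# Constructed sample shaped like `oci iam user list` output; OCIDs are fake and
# only the fields this script reads are included.
SAMPLE_OUTPUT = json.dumps({"data": [
    {"name": "cc-project5-developer", "id": "ocid1.user.oc1..aaaa0001",
     "lifecycle-state": "ACTIVE",
     "last-successful-login-time": "2024-12-03T02:00:42.962000+00:00"},
    {"name": "cc-domain-secops-dev", "id": "ocid1.user.oc1..aaaa0002",
     "lifecycle-state": "ACTIVE",
     "last-successful-login-time": "2025-01-20T09:15:00.000000+00:00"},
    {"name": "cc-iam-access-manager", "id": "ocid1.user.oc1..aaaa0003",
     "lifecycle-state": "ACTIVE",
     "last-successful-login-time": None},   # never signed in to the console
    {"name": "cc-terraform-svc", "id": "ocid1.user.oc1..aaaa0004",
     "lifecycle-state": "ACTIVE",
     "last-successful-login-time": None},   # API-key-only service account (assumed name)
    {"name": "old-contractor", "id": "ocid1.user.oc1..aaaa0005",
     "lifecycle-state": "INACTIVE",
     "last-successful-login-time": "2024-06-01T00:00:00.000000+00:00"},
]})


def parse_oci_time(value):
    """Parse an OCI timestamp such as 2024-12-03T02:00:42.962000+00:00.
    A null attribute (never logged in) is passed through as None."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:            # be defensive: compare in UTC either way
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def find_unused_users(users, now, max_idle_days=MAX_IDLE_DAYS, exclude=()):
    """Return (user, reason) pairs for ACTIVE users idle longer than the cutoff.

    `exclude` lists user names the rule must skip: break-glass administrators
    and service accounts that only use API signing keys, whose last console
    login is null even though their credentials are in use."""
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for user in users:
        if user.get("lifecycle-state") != "ACTIVE" or user["name"] in exclude:
            continue                 # already deactivated, or exempt by policy
        last = parse_oci_time(user.get("last-successful-login-time"))
        if last is None:
            flagged.append((user, "never logged in"))
        elif last < cutoff:
            flagged.append((user, f"last login {(now - last).days} days ago"))
    return flagged


def deactivate_patch(user_id):
    """Body for `oci identity-domains user patch --from-json`, as on this page."""
    return {
        "operations": [{"op": "replace", "path": "active", "value": False}],
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "userId": user_id,
    }


def audit(raw_json, now=None, exclude=()):
    """Parse `oci iam user list` output and return one record per unused user,
    each carrying the patch body that deactivates it."""
    users = json.loads(raw_json)["data"]
    now = now or datetime.now(timezone.utc)
    return [
        {"name": u["name"], "id": u["id"], "reason": reason,
         "patch": deactivate_patch(u["id"])}
        for u, reason in find_unused_users(users, now, exclude=exclude)
    ]


if __name__ == "__main__":
    # Live use: pipe the CLI output in; with no stdin the constructed sample runs.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for rec in audit(raw, exclude=("cc-terraform-svc",)):
        print(f"# {rec['name']}: {rec['reason']}", file=sys.stderr)
        print(json.dumps(rec["patch"]))
```

Pipe the CLI output into the script, for example oci iam user list --compartment-id '<tenancy-ocid>' --all | python3 unused_users.py; it writes the reason for each flagged user to stderr and one patch document per line to stdout. Save each document to its own file and pass it to oci identity-domains user patch --endpoint '<domain-url>' --from-json file://<file>, exactly as in step no. 8. Keep the exclusion list under version control and review it whenever an administrator or service account is added, since every name on it is a user this check will never flag.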
References
- Oracle Cloud Infrastructure Documentation
- Overview of Identity and Access Management
- Managing Users
- Deactivate and reactivate user profiles
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- domain list
- user list
- user get
- user patch