
Check for Valid IAM User Email Address


Risk Level: Medium (should be achieved)
Rule ID: OCI-IAM-016

Ensure that all Oracle Cloud Infrastructure (OCI) IAM user accounts have a valid and current email address. Having a valid and active email address associated with an OCI IAM user account allows you to tie the account to an identity in your organization. It also allows that user to reset their password if it is forgotten or lost.

Security

Having a valid and current email address is crucial for OCI IAM user accounts primarily for security and operational continuity. This ensures the user can receive critical security notifications, such as password reset links or multi-factor authentication setup prompts, and remains accessible for essential administrative communications regarding the account's status or service changes.


Audit

To determine if OCI IAM user accounts have a valid and current email address, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the User management tab to list the IAM users created for your domain.

06 In the Users section, click on the name (link) of the IAM user that you want to examine.

07 Select the Details tab to access the IAM user account information and preferences.

08 To ensure the selected IAM user account uses a valid and current primary contact, examine the Email attribute value in the User information section. An IAM user account is considered non-compliant if the associated email address is no longer active.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--include-root \
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam user list command (OSX/Linux/UNIX) to list the ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) compartment:

oci iam user list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--all \
	--query 'data[].["name","id"]' \
	--output 'table'

04 The command output should return a table with requested IAM user identifiers:

+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+

05 Run iam user get command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to describe the email address configured for the selected IAM user account:

oci iam user get \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data."email"'

06 The command output should return the associated email address:

"invalid_email@domain.com"

To ensure the selected IAM user account uses a valid and current primary contact, examine the email address returned by the iam user get command output. An IAM user account is considered non-compliant if the associated email address is no longer active.
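The per-user check above can be applied to a whole compartment at once. The following is an added example, not code from this page or from Oracle: it assumes the unfiltered JSON of `oci iam user list --all` has been saved, and that the organization's own mail domains (here the placeholder `example.com`) are known. The sample users and addresses are constructed.

```python
import json
import re

# Constructed sample shaped like `oci iam user list --all` output; the field
# names are the ones shown in this page's `iam user update` response.
SAMPLE = json.loads("""
{"data": [
  {"name": "cc-project5-developer", "id": "ocid1.user.oc1..example1",
   "email": "dev@example.com", "email-verified": true},
  {"name": "cc-domain-secops-dev", "id": "ocid1.user.oc1..example2",
   "email": null, "email-verified": false},
  {"name": "cc-iam-access-manager", "id": "ocid1.user.oc1..example3",
   "email": "old.admin@former-vendor.test", "email-verified": true},
  {"name": "cc-new-hire", "id": "ocid1.user.oc1..example4",
   "email": "new.hire@example.com", "email-verified": false}
]}
""")

# Deliberately loose syntax check: one "@", no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s.]+)$")

def audit_users(listing, org_domains):
    """Return {user name: [reasons]} for accounts whose email needs review."""
    allowed = {d.lower() for d in org_domains}  # assumption: supplied by the auditor
    findings = {}
    for user in listing.get("data", []):
        reasons = []
        email = (user.get("email") or "").strip()
        match = EMAIL_RE.match(email)
        if not email:
            reasons.append("no email set")
        elif not match:
            reasons.append("malformed email")
        else:
            if match.group(1).lower() not in allowed:
                reasons.append("email domain outside organization")
            if not user.get("email-verified"):
                reasons.append("email not verified")
        if reasons:
            findings[user["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_users(SAMPLE, {"example.com"}).items():
        print(f"{name}: {', '.join(reasons)}")
```

An address that passes these checks can still belong to a mailbox that is no longer active, so the flagged list narrows the manual review rather than replacing it.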

Remediation / Resolution

To ensure that all OCI IAM user accounts have a valid and current email address, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 Select the User management tab to list the IAM users created for your domain.

06 In the Users section, click on the name (link) of the IAM user that you want to configure.

07 Choose Edit user from the top-right menu to access the IAM user account configuration information and preferences.

08 Enter a valid, current (active) email address in the Email text box, then choose Save changes to apply the changes.

09 Open your email address inbox, access the Verify primary email address of your profile in <account-name> account email, and choose Verify Primary Email to verify the valid email address of the selected IAM user account.

10 Repeat steps no. 6 - 9 for each IAM user account that you want to configure, created for your OCI compartment.

11 Repeat steps no. 3 – 10 for each compartment available within your OCI account.

Using OCI CLI

01 Run iam user update command (OSX/Linux/UNIX) to replace the invalid email address for the specified OCI IAM user account with a valid, current (active) email address:

oci iam user update \
	--user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--email 'valid_email@domain.com'

02 The command output should return the information available for the updated IAM user account:

{
	"data": {
		"capabilities": {
			"can-use-api-keys": true,
			"can-use-auth-tokens": true,
			"can-use-console-password": true,
			"can-use-customer-secret-keys": true,
			"can-use-db-credentials": true,
			"can-use-o-auth2-client-credentials": true,
			"can-use-smtp-credentials": true
		},
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"db-user-name": null,
		"defined-tags": {},
		"description": null,
		"email": "valid_email@domain.com",
		"email-verified": false,
		"freeform-tags": {},
		"id": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"identity-provider-id": null,
		"inactive-status": null,
		"is-mfa-activated": false,
		"last-successful-login-time": null,
		"lifecycle-state": "ACTIVE",
		"name": "valid_email@domain.com",
		"previous-successful-login-time": null,
		"time-created": "2025-12-03T17:58:04.604000+00:00"
	},
	"etag": "1234abcd1234abcd1234abcd1234"
}

03 Open your email address inbox, access the Verify primary email address of your profile in <account-name> account email, and choose Verify Primary Email to verify the valid email address of the selected IAM user account.

04 Repeat steps no. 1 - 3 for each IAM user account that you want to configure, created for your OCI compartment.

05 Repeat steps no. 1 – 4 for each compartment available within your OCI account.


Publication date Dec 8, 2025