
Ensure IAM password policy requires minimum length of 14 or greater

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Identity and Access Management (IAM) password policy requires a minimum of 14 characters for passwords, so that users are forced to create strong passwords.

Security

Enforcing IAM user password strength, pattern, and rotation is vital when it comes to maintaining the security of your Oracle Cloud Infrastructure (OCI) account. Having a strong password policy in use will significantly reduce the risk of password-guessing and brute-force attacks. The default IAM password policy does not enforce any element in a user password.


Audit

To determine if your password policy enforces a minimum length of 14 characters for IAM user passwords, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 In the Identity domain navigation panel, choose Settings, and select Password policy.

06 Click on the name (link) of the password policy that you want to examine.

07 In the Password rules section, check the Password length (minimum) attribute value to determine if the selected password policy requires a minimum of 14 characters for user passwords. If the Password length (minimum) value is less than 14, the selected IAM password policy is not compliant.

08 Repeat steps no. 6 and 7 for each password policy created in the selected OCI domain.

09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.

Using OCI CLI

01 Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--query 'data[]."compartment-id"'

02 The command output should return the requested OCI compartment identifiers (IDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

03 Run the iam authentication-policy get command (OSX/Linux/UNIX) to determine if the IAM password policy configured for the selected Oracle Cloud Infrastructure (OCI) compartment requires a minimum of 14 characters for user passwords:

oci iam authentication-policy get \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data."password-policy"."minimum-password-length"'

04 The command output should return the number of characters required for IAM user passwords:

8

If the iam authentication-policy get command output is not 14 or greater, the IAM password policy configured for the selected Oracle Cloud Infrastructure (OCI) compartment is not compliant.

05 Repeat steps no. 3 and 4 for each compartment available within your OCI account.

Remediation / Resolution

To enforce a minimum length of 14 characters for your OCI IAM user passwords, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to access, listed in the Name column.

05 In the Identity domain navigation panel, choose Settings, and select Password policy.

06 Click on the name (link) of the password policy that you want to configure.

07 In the Password rules section, choose Edit password rules, set Password length (minimum) to 14 or greater, then choose Save changes to apply the changes. In the confirmation box, choose whether to force all users to set a new password at next sign in, and choose Save changes.

08 Repeat steps no. 6 and 7 for each password policy created in the selected OCI domain.

09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.

10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.

Using OCI CLI

01 Run the iam authentication-policy update command (OSX/Linux/UNIX) to update the IAM password policy configured for your Oracle Cloud Infrastructure (OCI) compartment in order to require a minimum of 14 characters for all IAM user passwords:

oci iam authentication-policy update \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--password-policy '{"minimumPasswordLength":14}'

02 Type y and press Enter to confirm the password policy changes:

WARNING: Updates to password-policy and network-policy will replace any existing values. Are you sure you want to continue? [y/N]: y

03 The command output should return the information available for the modified IAM password policy:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"network-policy": {
			"network-source-ids": null
		},
		"password-policy": {
			"is-lowercase-characters-required": false,
			"is-numeric-characters-required": false,
			"is-special-characters-required": false,
			"is-uppercase-characters-required": false,
			"is-username-containment-allowed": false,
			"minimum-password-length": 14
		}
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd1234"
}

04 Repeat steps no. 1 - 3 for each compartment available within your OCI account.
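
The audit check and the update command above, combined as an added Python example (not part of the original page or of Oracle's tooling): because the CLI warns that an update replaces the existing password-policy values, it reads the current policy and carries every existing rule into the new payload while raising the minimum length to 14. The sample JSON and its OCID are constructed placeholders shaped like the command output shown on this page.

```python
import json
import shlex

REQUIRED_MIN_LENGTH = 14

# Constructed sample of `oci iam authentication-policy get` output
# (placeholder OCID; rule values chosen for illustration).
SAMPLE_GET_OUTPUT = """{"data": {
  "compartment-id": "ocid1.tenancy.oc1..exampleplaceholder",
  "password-policy": {
    "is-lowercase-characters-required": true,
    "is-numeric-characters-required": true,
    "is-special-characters-required": false,
    "is-uppercase-characters-required": true,
    "is-username-containment-allowed": false,
    "minimum-password-length": 8}}}"""

def kebab_to_camel(key):
    """minimum-password-length -> minimumPasswordLength (JSON input form)."""
    head, *rest = key.split("-")
    return head + "".join(part.capitalize() for part in rest)

def is_compliant(get_output, required=REQUIRED_MIN_LENGTH):
    """True only when a minimum length is set and is at least `required`."""
    policy = json.loads(get_output)["data"].get("password-policy") or {}
    length = policy.get("minimum-password-length")
    return isinstance(length, int) and length >= required

def build_update_command(get_output, required=REQUIRED_MIN_LENGTH):
    """Build the update command, carrying over every existing password rule."""
    data = json.loads(get_output)["data"]
    existing = data.get("password-policy") or {}
    merged = {kebab_to_camel(k): v for k, v in existing.items() if v is not None}
    # Never lower a policy that is already stricter than the baseline.
    current = existing.get("minimum-password-length") or 0
    merged["minimumPasswordLength"] = max(required, current)
    payload = json.dumps(merged, sort_keys=True, separators=(",", ":"))
    return " ".join([
        "oci iam authentication-policy update",
        "--compartment-id", shlex.quote(data["compartment-id"]),
        "--password-policy", shlex.quote(payload),
    ])

if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_GET_OUTPUT))
    print(build_update_command(SAMPLE_GET_OUTPUT))
```

Review the printed command before running it; the complexity rules it carries over are whatever the get command returned for that compartment.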

References

Publication date Mar 11, 2025