Ensure OCI IAM password policy has a minimum length of 14 characters

Error: OCI IAM password policy for local (non-federated) users does not have minimum 14 characters
Bridgecrew Policy ID: BC_OCI_IAM_5
Checkov Check ID: CKV_OCI_18
Severity: HIGH

Description

This policy identifies Oracle Cloud Infrastructure (OCI) accounts whose password policy for local (non-federated) users does not require a minimum length of 14 characters. As a security best practice, configure a strong password policy for secure access to the OCI console.

Fix - Runtime

OCI Console

  1. Log in to the OCI Console page: https://console.ap-mumbai-1.oraclecloud.com/
  2. Go to Identity in the Services menu.
  3. Select Authentication Settings from the Identity menu.
  4. Click Edit Authentication Settings in the middle of the page.
  5. Enter a number in the range 14-100 in the box below the text MINIMUM PASSWORD LENGTH (IN CHARACTERS).

Note: The console URL is region-specific; your tenancy might have a different home region and therefore a different console URL.

Fix - Buildtime

Terraform

  • Resource: oci_identity_authentication_policy
  • Arguments: password_policy.minimum_password_length

resource "oci_identity_authentication_policy" "pass" {
  compartment_id = var.tenancy_id

  password_policy {
    # ... other password_policy arguments
    # Minimum length required by this policy (CKV_OCI_18)
    minimum_password_length = 14
  }
}
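
To verify the setting before apply, the same rule can be evaluated against a plan exported with terraform show -json. The script below is an added example, not Checkov's or Bridgecrew's own code. It assumes the plan JSON layout (planned_values, child_modules, nested blocks as lists); the module and resource names in the sample are constructed, and treating an unset value as a failure is this example's choice.

```python
import json

MIN_LENGTH = 14  # threshold required by this policy
RESOURCE_TYPE = "oci_identity_authentication_policy"

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_plan(plan):
    """Return {resource address: (passed, reason)} for each authentication policy."""
    results = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        # Nested blocks appear in plan JSON as a list of objects.
        blocks = (res.get("values") or {}).get("password_policy") or []
        length = blocks[0].get("minimum_password_length") if blocks else None
        if not blocks:
            verdict = (False, "no password_policy block")
        elif not isinstance(length, int) or isinstance(length, bool):
            verdict = (False, "minimum_password_length unset or not known at plan time")
        elif length < MIN_LENGTH:
            verdict = (False, f"minimum_password_length is {length}")
        else:
            verdict = (True, f"minimum_password_length is {length}")
        results[res["address"]] = verdict
    return results

# Constructed sample in the shape of `terraform show -json` output (not real data).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "oci_identity_authentication_policy.pass", "type": "oci_identity_authentication_policy",
     "values": {"password_policy": [{"minimum_password_length": 14}]}}],
  "child_modules": [{"address": "module.legacy", "resources": [
    {"address": "module.legacy.oci_identity_authentication_policy.weak", "type": "oci_identity_authentication_policy",
     "values": {"password_policy": [{"minimum_password_length": 8}]}},
    {"address": "module.legacy.oci_identity_authentication_policy.bare", "type": "oci_identity_authentication_policy",
     "values": {"password_policy": []}}]}]}}}
""")

if __name__ == "__main__":
    for address, (ok, reason) in check_plan(SAMPLE_PLAN).items():
        print("PASS" if ok else "FAIL", address, "-", reason)
```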