mirror of https://github.com/prowler-cloud/prowler.git (synced 2025-12-19 05:17:47 +00:00)

Compare commits: 489454b5c6 ... review_met (2 commits)

| Author | SHA1 | Date |
|---|---|---|
| | 512cea97f8 | |
| | c2fb367058 | |
@@ -83,6 +83,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS ECS service metadata to new format [(#8888)](https://github.com/prowler-cloud/prowler/pull/8888)
|
||||
- Update AWS Kinesis service metadata to new format [(#9262)](https://github.com/prowler-cloud/prowler/pull/9262)
|
||||
- Update AWS DocumentDB service metadata to new format [(#8862)](https://github.com/prowler-cloud/prowler/pull/8862)
|
||||
- Update oraclecloud identity service metadata to new format [(#9375)](https://github.com/prowler-cloud/prowler/pull/9375)
|
||||
|
||||
|
||||
### Fixed
|
||||
- Check `check_name` has no `resource_name` error for GCP provider [(#9169)](https://github.com/prowler-cloud/prowler/pull/9169)
|
||||
|
||||
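Review bot: the new Changed entry `Update oraclecloud identity service metadata to new format [(#9375)]` uses the lowercase provider key where the neighbouring entries spell the provider out (`AWS ECS`, `AWS Kinesis`, `AWS DocumentDB`); suggest `Update Oracle Cloud (OCI) identity service metadata to new format` so the changelog reads consistently.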
@@ -1,30 +1,30 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_iam_admins_cannot_update_tenancy_admins",
|
||||
"CheckTitle": "Ensure IAM administrators cannot update tenancy Administrators group",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "All IAM policies granting manage/use on groups or users in the tenancy restrict access to the Administrators group",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"Severity": "high",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "IAM administrators should not be able to update the tenancy Administrators group.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Policy",
|
||||
"Description": "**OCI IAM policies** granting **manage/use** on **groups or users** in the tenancy are evaluated for a condition that excludes the **Administrators** group, such as `target.group.name != 'Administrators'`.\n\nPolicies missing this restriction are identified.",
|
||||
"Risk": "Ability to modify the **Administrators** group enables **privilege escalation** to full tenancy control. This threatens confidentiality (broad data access), integrity (policy/user changes), and availability (resource deletion). Attackers could add persistence accounts, disable safeguards, and evade oversight.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/protect-administrators-group-with-access-policies.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam policy update --policy-id <example_resource_id> --statements \"[\\\"Allow group <example_resource_name> to manage groups, users in tenancy where target.group.name != 'Administrators'\\\"]\"",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/protect-administrators-group-with-access-policies.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In OCI Console, go to Identity & Security > Policies\n2. Open any policy that allows a group to manage or use groups/users in the tenancy\n3. Click Edit policy and update each affected statement to append exactly:\n where target.group.name != 'Administrators'\n4. Save changes\n5. Repeat for all such policies",
|
||||
"Terraform": "```hcl\nresource \"oci_identity_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n compartment_id = \"<example_resource_id>\"\n description = \"<example_resource_name>\"\n statements = [\n # Critical: Protect the Administrators group from modification by this policy\n # Adds a where clause so the policy can't target the Administrators group\n \"Allow group <example_resource_name> to manage groups, users in tenancy where target.group.name != 'Administrators'\"\n ]\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure IAM administrators cannot update tenancy Administrators group",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_iam_admins_cannot_update_tenancy_admins"
|
||||
"Text": "Apply **least privilege**: avoid tenancy-wide manage/use on groups or users. When delegation is required, include a condition excluding the **Administrators** group (e.g., `target.group.name != 'Administrators'`). Enforce **segregation of duties**, require approvals for group changes, and monitor/audit identity policy activity.",
|
||||
"Url": "https://hub.prowler.com/check/identity_iam_admins_cannot_update_tenancy_admins"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
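Review bot: `Recommendation.Url` drops the provider segment, going from `https://hub.prowler.com/check/oci/identity_iam_admins_cannot_update_tenancy_admins` to `https://hub.prowler.com/check/identity_iam_admins_cannot_update_tenancy_admins`; confirm the hub resolves the unprefixed route, because the same change is repeated in every metadata file of this commit. Two smaller points: emptying `CheckType` removes the `CIS OCI Foundations Benchmark` classification the old metadata carried, and `ResourceIdTemplate` becomes `""` while `ResourceType` changes to `Policy`, so a policy-shaped template (or a note on why it is blank) would keep the two fields consistent.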
@@ -1,30 +1,29 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_instance_principal_used",
|
||||
"CheckTitle": "Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "Instance principal authentication is configured for OCI instances, OCI Cloud Databases, and OCI Functions",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Instance Principal authentication should be used instead of user credentials.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "DynamicResourceGroup",
|
||||
"Description": "OCI dynamic groups configured for **instance principal** access to workloads like **Compute instances**, **Functions**, and **Autonomous Databases**. The evaluation looks for matching rules that target these resources (e.g., `instance`, `fnfunc`, `autonomousdatabase`) to confirm workload identity usage.",
|
||||
"Risk": "Using user credentials or long-lived keys instead of **instance principals** exposes secrets and weakens **least privilege** and **accountability**. Stolen keys from code or pipelines enable unauthorized API calls, data exfiltration, and privilege abuse, impacting **confidentiality** and **integrity** of OCI resources.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam dynamic-group create --compartment-id <example_resource_id> --name <example_resource_name> --matching-rule \"ALL {resource.type = 'instance'}\"",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the OCI Console, go to Identity & Security > Dynamic Groups\n2. Click Create Dynamic Group\n3. Enter Name: <example_resource_name>\n4. Set Matching Rule to: ALL {resource.type = 'instance'}\n5. Click Create",
|
||||
"Terraform": "```hcl\nresource \"oci_identity_dynamic_group\" \"dg\" {\n compartment_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n description = \"Enable instance principals\"\n matching_rule = \"ALL {resource.type = 'instance'}\" # Critical: creates a Dynamic Group for instances to enable instance principal auth\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_instance_principal_used"
|
||||
"Text": "Adopt **workload identities** with **instance principals** and granular dynamic groups. Apply **least privilege** policies to those groups, avoid long-lived user keys, and remove embedded credentials from code and CI/CD. Monitor access patterns and favor short-lived, auditable tokens as part of a **zero trust** approach.",
|
||||
"Url": "https://hub.prowler.com/check/identity_instance_principal_used"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
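Review bot: the remediation creates a dynamic group with `ALL {resource.type = 'instance'}`, which matches every Compute instance in the tenancy, while the `Recommendation.Text` in the same hunk asks for "granular dynamic groups"; suggest scoping the CLI, Console and Terraform examples with a compartment condition such as `ALL {resource.type = 'instance', instance.compartment.id = '<example_compartment_id>'}`. The `Description` also lists Functions and Autonomous Databases (`fnfunc`, `autonomousdatabase`) as evaluated targets, but the remediation only shows the instance case.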
@@ -1,29 +1,34 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_no_resources_in_root_compartment",
|
||||
"CheckTitle": "Ensure no resources are created in the root compartment",
|
||||
"CheckTitle": "No resources exist in the root compartment",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:tenancy",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "OciTenancy",
|
||||
"Description": "The root compartment is the top-level compartment in your tenancy and should be used only for management purposes. All other cloud resources should be created in child compartments to maintain proper organization, access control, and resource isolation.",
|
||||
"Risk": "Creating resources in the root compartment bypasses the benefits of compartmentalization, makes access control management difficult, violates the principle of least privilege, and increases the risk of unauthorized access to resources. It also makes it harder to implement effective IAM policies and resource governance.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm",
|
||||
"ResourceType": "Compartment",
|
||||
"Description": "**OCI root compartment** is evaluated for the presence of **user resources**. The finding highlights any assets created at the tenancy root and provides a count per `resource_type`.",
|
||||
"Risk": "**Resources in the root compartment** inherit broad tenancy-level policies, weakening **least privilege**. Compromise or error can enable wide **unauthorized access**, **lateral movement**, and destructive changes, degrading **confidentiality** and **integrity**, while complicating audits and quota governance.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/check-for-root-compartment-resources.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/check-for-root-compartment-resources.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the OCI Console, go to Governance & Administration > Tenancy Explorer\n2. Set Compartment to the root compartment and enable \"Show resources in subcompartments\" off\n3. Note each resource listed in the root compartment\n4. For each resource: navigate to its service page (e.g., Compute > Instances), select the resource, click Actions (three dots) > Move resource\n5. Choose a non-root compartment and confirm\n6. If a resource type cannot be moved, delete it and recreate it in a non-root compartment\n7. Repeat until Tenancy Explorer shows 0 resources in the root compartment",
|
||||
"Terraform": "```hcl\n# Place resources in a non-root compartment to avoid creating them in the root\nresource \"oci_core_vcn\" \"<example_resource_name>\" {\n compartment_id = \"<example_compartment_id>\" # CRITICAL: ensure this is a non-root compartment OCID to pass the check\n cidr_block = \"10.0.0.0/16\"\n display_name = \"<example_resource_name>\"\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Move all resources from the root compartment to appropriate child compartments. From OCI Console: 1. Identify resources in the root compartment. 2. Create or select appropriate child compartments. 3. Move resources to child compartments using the 'Move Resource' option available for most resource types. 4. Update any policies or automation that reference root compartment resources.",
|
||||
"Url": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm"
|
||||
"Text": "Reserve the **root compartment** for governance only.\n- Create workload-specific child compartments\n- Scope IAM to them per **least privilege** and **separation of duties**\n- Enforce boundaries with quotas and tags\n- Update automation to avoid root placement\n- Regularly audit and relocate stray resources",
|
||||
"Url": "https://hub.prowler.com/check/identity_no_resources_in_root_compartment"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trust-boundaries",
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
|
||||
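Review bot: step 2 of `Remediation.Code.Other` reads `enable "Show resources in subcompartments" off`, which is contradictory; suggest `disable "Show resources in subcompartments"` so Tenancy Explorer lists only root-level resources. The Terraform snippet also introduces a `<example_compartment_id>` placeholder where the sibling files use `<example_resource_id>`; either name works, but it should be the same across the metadata set.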
@@ -1,30 +1,39 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_non_root_compartment_exists",
|
||||
"CheckTitle": "Create at least one non-root compartment in your tenancy to store cloud resources",
|
||||
"CheckTitle": "Tenancy has at least one active non-root compartment",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:tenancy",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "OciTenancy",
|
||||
"Description": "Compartments are used to organize and isolate your cloud resources. Creating at least one compartment is a fundamental best practice for organizing resources in your tenancy. The root compartment should not be used directly for resource creation.",
|
||||
"Risk": "Without proper compartmentalization, resource management becomes difficult, access control is harder to implement, and it violates the principle of least privilege. Using only the root compartment makes it impossible to implement proper resource isolation and access controls.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm",
|
||||
"ResourceType": "Compartment",
|
||||
"Description": "**OCI tenancy** includes at least one **active non-root compartment**. Only compartments below the `root` level are considered, indicating that resources are organized outside the root scope.",
|
||||
"Risk": "Using only the `root` compartment removes segmentation and forces broad tenancy-wide access. This endangers **confidentiality** and **integrity** through cross-project visibility, mis-scoped policies, and accidental changes with global impact, and can affect **availability** via bulk deletions or misconfigurations.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/create-non-root-compartment.html",
|
||||
"https://oci-ansible-modules.readthedocs.io/en/latest/modules/oci_compartment_module.html",
|
||||
"https://dasini.net/blog/2021/08/10/discovering-mysql-database-service-episode-2-create-a-compartment/",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm",
|
||||
"https://climbtheladder.com/10-oci-compartment-best-practices/",
|
||||
"https://www.ateam-oracle.com/post/oracle-cloud-infrastructure-compartments"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "oci iam compartment create --compartment-id <tenancy_ocid> --name <compartment_name> --description '<description>'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/create-non-root-compartment.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the OCI Console, go to Identity & Security > Compartments\n2. Click Create Compartment\n3. Enter Name: <example_resource_name> and a Description\n4. Ensure the Parent Compartment is the tenancy (root) or desired non-root parent\n5. Click Create",
|
||||
"Terraform": "```hcl\n# Creates a non-root compartment under the tenancy to pass the check\nresource \"oci_identity_compartment\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\" # Critical: parent OCID (tenancy) for non-root compartment\n name = \"<example_resource_name>\" # Critical: compartment name\n description = \"compartment\" # Critical: required to create\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Create at least one compartment to organize your cloud resources. From OCI Console: 1. Navigate to Identity & Security -> Compartments. 2. Click 'Create Compartment'. 3. Enter a name and description. 4. Select the parent compartment (typically the root). 5. Click 'Create Compartment'.",
|
||||
"Url": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm"
|
||||
"Text": "Create dedicated **non-root compartments** per workload, environment, or team; avoid placing resources in the `root` compartment.\n\nApply granular policies at the compartment level to enforce **least privilege** and **separation of duties**. Use a clear hierarchy and tags, and review the design regularly as the tenancy evolves.",
|
||||
"Url": "https://hub.prowler.com/check/identity_non_root_compartment_exists"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
"identity-access",
|
||||
"trust-boundaries"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,31 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_password_policy_expires_within_365_days",
|
||||
"CheckTitle": "Ensure IAM password policy expires passwords within 365 days",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "Identity Domain password policy expires passwords within 365 days",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Password policy should expire passwords within 365 days.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "Policy",
|
||||
"Description": "**OCI Identity Domain password policies** are evaluated to confirm **password expiration** is configured and set to `<= 365` days (`password_expires_after`).\n\n*Legacy IAM lacks password expiration; tenancies without Identity Domains require manual assessment.*",
|
||||
"Risk": "Missing or >`365`-day **password expiration** extends the window for **credential stuffing**, **brute force**, and use of leaked passwords. This enables unauthorized access, data exposure, and configuration changes, harming **confidentiality** and **integrity**, and allowing attacker persistence after staff turnover.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/tools/terraform-provider-oci/7.16.0/docs/r/identity_domains_password_policy.html",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"https://www.pulumi.com/registry/packages/oci/api-docs/identity/domainspasswordpolicy/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. Sign in to the OCI Console\n2. Go to Identity & Security > Domains and select your identity domain\n3. In the domain, open Security (or Domain settings) > Password policies\n4. Edit the relevant password policy\n5. Set \"Password expires after (days)\" to 365 or less\n6. Click Save",
|
||||
"Terraform": "```hcl\nresource \"oci_identity_domains_password_policy\" \"<example_resource_name>\" {\n idcs_endpoint = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n schemas = [\"urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy\"]\n\n password_expires_after = 365 # Critical: ensures passwords expire within 365 days to pass the check\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure IAM password policy expires passwords within 365 days",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_password_policy_expires_within_365_days"
|
||||
"Text": "Enforce **password rotation** at `<= 365` days in Identity Domains. Combine with **MFA**, strong composition rules, history, and minimum password age to prevent reuse. Apply **least privilege**, disable dormant accounts, and regularly review credential policies. *If on legacy IAM, adopt Identity Domains to gain expiration controls.*",
|
||||
"Url": "https://hub.prowler.com/check/identity_password_policy_expires_within_365_days"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,30 +1,30 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_password_policy_minimum_length_14",
|
||||
"CheckTitle": "Ensure IAM password policy requires minimum length of 14 or greater",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "IAM password policy requires passwords to be at least 14 characters long",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:tenancy",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamPasswordPolicy",
|
||||
"Description": "Ensure IAM password policy requires minimum length of 14 or greater. Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length. It is recommended that the password policy require a minimum password length 14.",
|
||||
"Risk": "Setting a password complexity policy increases account resiliency against brute force login attempts.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Policy",
|
||||
"Description": "**OCI IAM password policies** are evaluated to confirm a **minimum password length** of `>= 14` characters is enforced. The assessment considers policies defined in **Identity Domains** and the legacy tenancy policy, and also detects when no password policy exists.",
|
||||
"Risk": "Short or missing password requirements weaken authentication, enabling **brute-force**, **password spraying**, and faster **offline cracking**. Compromised accounts can enable unauthorized console/API use, leading to **data exfiltration** (C), **unauthorized changes** (I), and service disruption via destructive actions (A).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/require-14-characters-password-policy.html",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "oci iam authentication-policy update --compartment-id <tenancy-ocid> --password-policy '{\"minimumPasswordLength\": 14}'",
|
||||
"CLI": "oci iam authentication-policy update --compartment-id <tenancy-ocid> --password-policy '{\"minimumPasswordLength\":14}'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/require-14-characters-password-policy.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the OCI Console, go to Identity & Security > Domains\n2. Select <identity_domain_name> > Security > Password policy\n3. Set Minimum length to 14 and click Save\n4. If you do not use Identity Domains: go to Identity & Security > Authentication settings, edit Password policy, set Minimum password length to 14, and Save",
|
||||
"Terraform": "```hcl\nresource \"oci_identity_authentication_policy\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n\n password_policy {\n minimum_password_length = 14 # Critical: enforces minimum password length of 14\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Make sure IAM password policy requires a minimum password length of 14 or more characters.",
|
||||
"Url": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm"
|
||||
"Text": "Enforce a **minimum password length** of `>= 14`, preferably using passphrases. Combine with **MFA**, complexity and reuse limits, lockout/throttling, and routine policy reviews. Apply **least privilege** to limit blast radius and monitor authentication events. *If using external IdPs, require equivalent policies there.*",
|
||||
"Url": "https://hub.prowler.com/check/identity_password_policy_minimum_length_14"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,30 +1,30 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_password_policy_prevents_reuse",
|
||||
"CheckTitle": "Ensure IAM password policy prevents password reuse",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "Identity Domain password policy prevents password reuse by remembering at least 24 previous passwords",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Password policy should prevent password reuse.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "**OCI Identity Domains** password policies are evaluated for **password reuse prevention** via the **password history** setting. The finding expects a configured policy with `num_passwords_in_history` set to at least `24`. *Legacy IAM password policies lack password history; only Identity Domains support this setting.*",
|
||||
"Risk": "Without **password history**, users can reuse old passwords. Compromised credentials remain valid after resets, enabling account takeover, unauthorized changes, and **lateral movement**, degrading **confidentiality** and **integrity** and weakening recovery from password-related incidents.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"https://www.pulumi.com/registry/packages/oci/api-docs/identity/getdomainspasswordpolicies/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. Sign in to the OCI Console\n2. Go to Identity & Security > Domains and select <identity_domain_name>\n3. Open Security > Password policies\n4. Edit the affected policy (e.g., Default Password Policy)\n5. Set \"Number of passwords in history\" (Remember previous passwords) to 24\n6. Click Save\n7. Repeat for any other password policies in the domain",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure IAM password policy prevents password reuse",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_password_policy_prevents_reuse"
|
||||
"Text": "Enforce **password history** in Identity Domains with `num_passwords_in_history >= 24`. Pair with `min_password_age` to prevent rapid cycling, and maintain strong complexity and expiration rules. *If using legacy IAM, migrate to Identity Domains.* Complement with **MFA** for defense in depth.",
|
||||
"Url": "https://hub.prowler.com/check/identity_password_policy_prevents_reuse"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,26 +1,36 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_service_level_admins_exist",
|
||||
"CheckTitle": "Ensure service level admins are created to manage resources of particular service",
|
||||
"CheckTitle": "Identity policy does not grant broad 'manage all-resources' permissions",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIdentityPolicy",
|
||||
"Description": "To apply least-privilege security principle, create service-level administrators in corresponding groups and assign specific users to each service-level administrative group in a tenancy. This limits administrative access to specific services.",
|
||||
"Risk": "Without service-level administrators, there is a risk of excessive permissions being granted, violating the principle of least privilege.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Policy",
|
||||
"Description": "**OCI IAM policies** are reviewed for **overly broad entitlements**, specifically statements granting `manage all-resources` without scoping to particular services or compartments. Only **active policies** are considered; the default tenant admin policy is excluded.",
|
||||
"Risk": "Broad `manage all-resources` grants erode **least privilege**, enabling access across the tenancy. A compromised user or misused token could cause **privilege escalation**, **data exfiltration**, destructive changes, and service disruption, impacting confidentiality, integrity, and availability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.linkedin.com/pulse/identity-access-management-oracle-cloud-control-authentication-mklqc",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/getstarted/identity-domains.htm",
|
||||
"https://docs.prowler.com/checks/oci/oci-iam-policies/identity_service_level_admins_exist",
|
||||
"https://dbarepository.wordpress.com/2025/03/14/identity-and-access-management-policies-in-oci/",
|
||||
"https://monowar-mukul.medium.com/cloud-identity-and-access-management-iam-for-the-beginner-392ba6de238",
|
||||
"https://diversedaily.com/iam-policy-optimization-fine-tuned-iam-policies-prevent-costly-accidental-resource-usage/",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm",
|
||||
"https://www.ateam-oracle.com/post/oracle-cloud-infrastructure-compartments"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "oci iam policy create --compartment-id <compartment-ocid> --name <policy-name> --description '<policy-description>' --statements '[\"Allow group <GroupName> to manage <service>-family in compartment <CompartmentName>\"]'",
|
||||
"CLI": "oci iam policy update --policy-id <policy-ocid> --statements '[\"Allow group <GroupName> to manage instance-family in compartment <CompartmentName>\"]'",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. Navigate to Identity → Policies\n2. Click 'Create Policy'\n3. Create policies granting service-level admin permissions to specific groups in specific compartments\n4. Example: 'Allow group VolumeAdmins to manage volume-family in compartment Production'",
|
||||
"Terraform": "resource \"oci_identity_policy\" \"service_admin_policy\" {\n compartment_id = var.compartment_id\n name = \"ServiceLevelAdminPolicy\"\n description = \"Service-level admin policy\"\n statements = [\n \"Allow group VolumeAdmins to manage volume-family in compartment Production\"\n ]\n}"
|
||||
"Other": "1. In OCI Console, go to Identity & Security > Policies\n2. Open the policy that contains a statement with \"manage all-resources\"\n3. Click Edit policy statements\n4. Remove the statement(s) containing \"manage all-resources\"\n5. Add a service-specific statement, e.g.: Allow group <GroupName> to manage instance-family in compartment <CompartmentName>\n6. Click Save changes",
|
||||
"Terraform": "```hcl\nresource \"oci_identity_policy\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n description = \"<policy-description>\"\n\n # Critical: restrict to a specific service family to avoid broad 'manage all-resources'\n statements = [\n \"Allow group <GroupName> to manage instance-family in compartment <CompartmentName>\"\n ]\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Create service-level administrators with limited permissions to specific services within compartments.",
|
||||
"Url": "https://docs.prowler.com/checks/oci/oci-iam-policies/identity_service_level_admins_exist"
|
||||
"Text": "Apply **least privilege** and **separation of duties**:\n- Replace `manage all-resources` with service-scoped permissions and compartment limits\n- Create service-level admin groups for specific families\n- Use tags/regions for conditions, *when applicable*\n- Employ time-bound elevation and periodic reviews",
|
||||
"Url": "https://hub.prowler.com/check/identity_service_level_admins_exist"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
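Review bot: the new `CLI` remediation, `oci iam policy update --policy-id <policy-ocid> --statements '[...]'`, replaces the policy's entire statement list with the single `instance-family` statement shown, so any other legitimate statements in that policy are silently dropped; either say so in the `Other` steps (step 4 only removes the `manage all-resources` statement, it does not rewrite the rest) or show the command with the full set of remaining statements. The rewritten `Other` steps also now describe removing a broad `manage all-resources` statement, which is the failure condition of `identity_tenancy_admin_permissions_limited`, whereas this check (`identity_service_level_admins_exist`) fails when no service-scoped admin policy exists; the old wording, "Create policies granting service-level admin permissions to specific groups in specific compartments", matched the check and is worth keeping as the primary step, with the removal of `manage all-resources` as a follow-on.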
@@ -1,30 +1,34 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_tenancy_admin_permissions_limited",
|
||||
"CheckTitle": "Ensure permissions on all resources are given only to the tenancy administrator group",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "OCI IAM policy does not grant 'manage all-resources in tenancy' unless it is the Tenant Admin Policy",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"Severity": "high",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Only the tenancy administrator group should have permissions to manage all resources in the tenancy.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Policy",
|
||||
"Description": "**OCI IAM policies** are analyzed for statements granting `manage all-resources in tenancy` to groups. Only the `Tenant Admin Policy` for the Administrators group should include this broad verb. Any other active policy containing this tenancy-wide permission is identified.",
|
||||
"Risk": "Tenancy-wide `manage` rights for non-admins allow complete control of identities and resources. A compromised account can escalate privileges, exfiltrate data across compartments, alter or delete workloads and backups, and disable monitoring-impacting **confidentiality**, **integrity**, and **availability** of the entire tenancy.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://speakerdeck.com/ocise/ociji-shu-zi-liao-idoyobiakusesuguan-li-iam-gai-yao",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"https://blog.rishoradev.com/2025/05/12/enabling-oracle-generative-ai-rag-agent-for-oci-regions/",
|
||||
"https://speakerdeck.com/ocise/oci-design-guide-for-csps",
|
||||
"https://www.thatfinnishguy.blog/2018/04/27/deep-dive-into-oci-with-compartments-users-groups-and-policies/",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/tenancy-administrator-group-access.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam policy delete --policy-id <POLICY_OCID> --force",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/tenancy-administrator-group-access.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In OCI Console, go to Identity & Security > Policies\n2. Open each ACTIVE policy that is NOT named \"Tenant Admin Policy\"\n3. Click Edit policy\n4. Remove any statement containing: to manage all-resources in tenancy; or change it to: in compartment <compartment_name>\n5. Click Save",
|
||||
"Terraform": "```hcl\nresource \"oci_identity_policy\" \"<example_resource_name>\" {\n name = \"<POLICY_NAME>\"\n compartment_id = \"<example_compartment_id>\"\n description = \"Replace tenancy-wide admin with scoped permissions\"\n\n statements = [\n # FIX: Replace \"in tenancy\" with compartment scope to remove overly broad permission\n \"allow group <group_name> to manage all-resources in compartment <compartment_name>\"\n ]\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure permissions on all resources are given only to the tenancy administrator group",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_tenancy_admin_permissions_limited"
|
||||
"Text": "Restrict `manage all-resources in tenancy` to the **Administrators** group only. Apply **least privilege** by scoping access to compartments and specific resource families, using conditions to narrow rights. Enforce **separation of duties**, maintain a *break-glass* admin model, and review policies regularly to prevent privilege drift.",
|
||||
"Url": "https://hub.prowler.com/check/identity_tenancy_admin_permissions_limited"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
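Review bot: the new `CLI` remediation `oci iam policy delete --policy-id <POLICY_OCID> --force` deletes the whole policy, while the `Other` steps (step 4, "Remove any statement containing: to manage all-resources in tenancy; or change it to: in compartment <compartment_name>") and the `Terraform` block both keep the policy and narrow the statement's scope; a policy that mixes one tenancy-wide statement with several legitimately scoped ones would lose all of them under the delete. Suggest `oci iam policy update --policy-id <POLICY_OCID> --statements '["allow group <group_name> to manage all-resources in compartment <compartment_name>"]'`, matching the Terraform statement, and reserve delete for policies that contain nothing else. Two smaller points: the `Risk` text reads "disable monitoring-impacting **confidentiality**", which needs a comma or a colon after "monitoring" (the same hyphenated run appears in several files of this PR), and `CheckType` drops the "CIS OCI Foundations Benchmark" entry while `ResourceIdTemplate` becomes empty; confirm the new metadata format intends both, since every file in this change does the same.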
@@ -1,34 +1,34 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_tenancy_admin_users_no_api_keys",
|
||||
"CheckTitle": "Ensure API keys are not created for tenancy administrator users",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "Tenancy administrator user has no API keys",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Tenancy administrator users should not have API keys.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "OCI tenancy administrator accounts (members of the `Administrators` group) are inspected for configured user **API keys** tied to those identities.",
|
||||
"Risk": "**Admin API keys** are long-lived secrets that can be stolen from endpoints or repos, enabling non-interactive, MFA-less access. Attackers could run privileged API calls, exfiltrate data, modify policies, or delete resources, impacting **confidentiality**, **integrity**, and **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. Sign in to the Oracle Cloud Console\n2. Open the navigation menu and go to Identity & Security > Domains\n3. Select your domain (<example_resource_name>), then click Users\n4. Click the tenancy administrator user (<example_resource_name>)\n5. Open the API Keys tab\n6. For each API key, click Actions > Delete and confirm\n7. Repeat until the API Keys list is empty",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure API keys are not created for tenancy administrator users",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_tenancy_admin_users_no_api_keys"
|
||||
"Text": "Do not issue **API keys** to tenancy administrators. Apply **least privilege** and **separation of duties**: use non-admin service accounts or principals with narrowly scoped rights and short-lived credentials. Require **SSO/MFA** for admin access, and enforce rapid key revocation and rotation for any programmatic identities.",
|
||||
"Url": "https://hub.prowler.com/check/identity_tenancy_admin_users_no_api_keys"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
"identity-access",
|
||||
"secrets"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
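Review bot: `CLI` is left as `""` even though the remediation is a single well-defined command and the equivalent one is already used in the `identity_user_api_keys_rotated_90_days` file of this PR (`oci iam api-key delete --user-id <user-ocid> --fingerprint <old-key-fingerprint> --force`); fill it in here so the check has a scriptable fix, with the user OCID and fingerprint placeholders kept distinct. In `Other`, step 3 and step 4 use the same placeholder `<example_resource_name>` for the identity domain and for the administrator user; two different placeholders (for example `<domain_name>` and `<admin_user_name>`) would avoid the reader substituting the same value twice. The `Description` says admin accounts "are inspected for configured user API keys"; stating the pass/fail condition explicitly (FAIL when at least one API key exists for a member of `Administrators`) would match the precision of the other rewritten descriptions.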
@@ -1,30 +1,30 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_user_api_keys_rotated_90_days",
|
||||
"CheckTitle": "Ensure user API keys rotate within 90 days or less",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "User active API key is rotated within 90 days or less",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamApiKey",
|
||||
"Description": "Ensure user API keys rotate within 90 days or less. API keys are used to authenticate API calls. For security purposes, it is recommended that API keys be rotated regularly.",
|
||||
"Risk": "Having API keys that have not been rotated in over 90 days increases the risk of unauthorized access if the key is compromised.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "OCI IAM users with **active API signing keys** older than `90` days are identified. Key age is derived from each key's creation time; only active keys are considered. Users without API keys are recorded.",
|
||||
"Risk": "Long-lived API keys widen exposure. If a key leaks, an attacker can sign OCI API calls without MFA, enabling unauthorized changes (**integrity**), data access (**confidentiality**), and service outages (**availability**). Delayed rotation prolongs dwell time and complicates incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/rotate-user-api-keys.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "oci iam api-key upload --user-id <user-ocid> --key-file <path-to-new-public-key> && oci iam api-key delete --user-id <user-ocid> --fingerprint <old-key-fingerprint>",
|
||||
"CLI": "oci iam api-key delete --user-id <user-ocid> --fingerprint <old-key-fingerprint> --force",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/rotate-user-api-keys.html",
|
||||
"Other": "1. Sign in to the OCI Console\n2. Go to Identity & Security > Users, then select the target user\n3. Open API Keys and click Add API Key\n4. Generate API Key Pair (or Upload/Paste Public Key), then click Add and download/copy the private key\n5. For each API key older than 90 days, click the Actions (three dots) next to its fingerprint and select Delete\n6. Confirm deletion",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Rotate API keys that are older than 90 days by creating a new key and deleting the old one.",
|
||||
"Url": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm"
|
||||
"Text": "Enforce **API key rotation** every `90` days.\n- Issue a new key, confirm workloads use it, then revoke the old key\n- Apply **least privilege** and avoid shared keys\n- Limit active keys per user and remove unused ones\n- Monitor usage and automate rotation for **defense in depth**",
|
||||
"Url": "https://hub.prowler.com/check/identity_user_api_keys_rotated_90_days"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
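Review bot: the new `CLI` remediation `oci iam api-key delete --user-id <user-ocid> --fingerprint <old-key-fingerprint> --force` drops the upload half of the old two-step command, so running it as written revokes the stale key before any replacement exists and breaks whatever workload signs with it; this contradicts the new `Recommendation` text, "Issue a new key, confirm workloads use it, then revoke the old key". Restore the upload step first (`oci iam api-key upload --user-id <user-ocid> --key-file <path-to-new-public-key>`), then the delete, as the original line had. Also, the `Description` ends with "Users without API keys are recorded", which does not say what the result is for such users; spell out whether they PASS or are skipped. The `Other` steps are consistent with the recommendation (add first in steps 3-4, delete old in steps 5-6), so only the CLI line is out of line.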
@@ -1,34 +1,35 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_user_auth_tokens_rotated_90_days",
|
||||
"CheckTitle": "Ensure user auth tokens rotate within 90 days or less",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "User auth token age is 90 days or less",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Auth tokens should be rotated within 90 days.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "**Oracle Cloud Infrastructure (OCI) IAM user auth tokens** are evaluated for **rotation age** against a `90-day` threshold using each token's creation time. Tokens older than this window indicate the token has not been recently rotated.",
|
||||
"Risk": "Stale **auth tokens** increase exposure of **confidential data** and enable **persistent unauthorized API access** if compromised. Long-lived tokens can outlast password resets and role changes, weakening **least privilege** and enabling **lateral movement** and data exfiltration.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/rotate-user-auth-tokens.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam user delete-auth-token --user-id <example_resource_id> --auth-token-id <example_resource_id> --force",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/rotate-user-auth-tokens.html",
|
||||
"Other": "1. In the OCI Console, go to Identity & Security > Users\n2. Open the user with the failing auth token\n3. In the Auth Tokens tab, find tokens older than 90 days (check Created date)\n4. Select the old token and click Delete\n5. Confirm deletion\n6. Repeat for any other tokens older than 90 days",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure user auth tokens rotate within 90 days or less",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_user_auth_tokens_rotated_90_days"
|
||||
"Text": "Enforce routine **token rotation** at `<= 90 days` and prefer **short-lived, scoped credentials**. Apply **least privilege**, revoke unused tokens, set **automatic expirations**, and monitor usage. *When possible*, replace static tokens with federated or session-based access to reduce exposure.",
|
||||
"Url": "https://hub.prowler.com/check/identity_user_auth_tokens_rotated_90_days"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
"identity-access",
|
||||
"secrets"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
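Review bot: the new `CLI` line, `oci iam user delete-auth-token --user-id <example_resource_id> --auth-token-id <example_resource_id> --force`, uses the same placeholder for the user OCID and the auth token OCID; they are different values, so use `<user_ocid>` and `<auth_token_ocid>`. Please also verify the command path: the other files in this PR address the credential sub-resource directly (`oci iam api-key delete`, `oci iam customer-secret-key delete`), and the matching form for auth tokens is `oci iam auth-token delete --user-id <user_ocid> --auth-token-id <auth_token_ocid>`; the `oci iam user delete-auth-token` form should be checked against the CLI reference before merge. As in the API-key file, both the CLI and the `Other` steps only delete the old token and never create its replacement, while the `Recommendation` calls for rotation; add a create step (new token first, switch consumers, then delete) so the remediation does not read as "revoke and leave the workload without a credential".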
@@ -1,34 +1,37 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_user_customer_secret_keys_rotated_90_days",
|
||||
"CheckTitle": "Ensure user customer secret keys rotate within 90 days or less",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "User customer secret key is rotated within 90 days or less",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Customer secret keys should be rotated within 90 days.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "OCI IAM **customer secret keys** are assessed by creation timestamp to determine whether their age exceeds `90` days.",
|
||||
"Risk": "Long-lived **customer secret keys** keep compromised or brute-forced credentials valid.\nAttackers can use them to list, read, write, or delete Object Storage data, enabling exfiltration, tampering, and disruption-impacting confidentiality, integrity, and availability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/cloud-guard/using/detect-recipes.htm",
|
||||
"https://blogs.oracle.com/cloud-infrastructure/post/auto-rotation-of-oci-iam-credentials",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/rotate-customer-secret-keys.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam customer-secret-key delete --user-id <example_resource_id> --customer-secret-key-id <example_resource_id> --force",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/rotate-customer-secret-keys.html",
|
||||
"Other": "1. Sign in to the Oracle Cloud Console\n2. Go to Identity & Security > Domains > <example_resource_name> > Users > select <example_resource_name>\n3. Open the Customer secret keys tab and click Generate secret key; save the Access Key and Secret\n4. Delete any key older than 90 days: select the old key and click Delete",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure user customer secret keys rotate within 90 days or less",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_user_customer_secret_keys_rotated_90_days"
|
||||
"Text": "Rotate **customer secret keys** every `<= 90` days. Apply **least privilege**, remove unused keys, and prefer short-lived identities (instance/resource principals) over static secrets. Automate rotation and alerts, avoid embedding keys in code, and continuously monitor key usage.",
|
||||
"Url": "https://hub.prowler.com/check/identity_user_customer_secret_keys_rotated_90_days"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
"identity-access",
|
||||
"secrets"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
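Review bot: the `CLI` line `oci iam customer-secret-key delete --user-id <example_resource_id> --customer-secret-key-id <example_resource_id> --force` repeats one placeholder for two different OCIDs (user and key); use distinct names, and consider pairing it with the create step that the `Other` text has in step 3 (`Generate secret key` before deleting the old one), since the CLI alone only revokes. The `Other` step 2 likewise uses `<example_resource_name>` for both the domain and the user. In `Risk`, the string contains a bare `\n` mid-sentence ("...credentials valid.\nAttackers can use them...") that will render as a hard break inside one paragraph, and "disruption-impacting confidentiality, integrity, and availability" needs a comma after "disruption"; the remaining files format the same CIA sentence with bold terms, so align this one with them.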
@@ -1,34 +1,34 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_user_db_passwords_rotated_90_days",
|
||||
"CheckTitle": "Ensure user IAM Database Passwords rotate within 90 days",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "User IAM database password was created within the last 90 days",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Database passwords should be rotated within 90 days.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "**OCI IAM user database passwords** are evaluated for **age**. Passwords are compared to a rotation window of `90 days`, flagging credentials that have not been refreshed within that period for the associated user accounts and regions.\n\n*Covers each user's active database passwords tracked by IAM.*",
|
||||
"Risk": "Stale **database credentials** increase exposure to **brute-force**, **credential stuffing**, and reuse of leaked passwords. If compromised, attackers can gain direct DB access, enabling **data exfiltration** (C), unauthorized changes to schemas or data (I), and service disruption via destructive queries (A). Long-lived secrets can bypass offboarding.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam db-credential create --user-id <example_resource_id>",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. Sign in to the OCI Console\n2. Go to Identity & Security > Domains and select your domain\n3. Click Users and open the target user\n4. In the user's page, open DB passwords (Database passwords)\n5. Click Create DB password (or Reset) and confirm\n6. Copy the generated password and update any services using it",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure user IAM Database Passwords rotate within 90 days",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_user_db_passwords_rotated_90_days"
|
||||
"Text": "Enforce rotation of **IAM database passwords** at or below `90 days` and expire old credentials. Automate issuance and revocation, and remove unused DB passwords.\n\nPrefer **short-lived auth** (tokens or certificates) where supported, apply **least privilege** to DB roles, and monitor credential age to prevent drift.",
|
||||
"Url": "https://hub.prowler.com/check/identity_user_db_passwords_rotated_90_days"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
"identity-access",
|
||||
"secrets"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
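Review bot: the `CLI` remediation `oci iam db-credential create --user-id <example_resource_id>` creates a new DB password but never removes the stale one, so the credential the check flagged remains valid after the command runs; pair it with `oci iam db-credential delete --user-id <user_ocid> --db-credential-id <db_credential_ocid>` and use distinct placeholders. The create call also needs the password and description arguments that the API requires for a new DB credential, so the line as written is not runnable on its own; show the full invocation or point to the console steps. The `Other` steps have the same gap (step 5 creates or resets, nothing deletes the old password). Minor: the `Description` says passwords are evaluated "for the associated user accounts and regions", but IAM DB passwords are a per-user credential, not a per-region one; drop "and regions" unless the check really iterates regions.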
@@ -1,30 +1,34 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_user_mfa_enabled_console_access",
|
||||
"CheckTitle": "Ensure MFA is enabled for all users with a console password",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "User with console password has MFA enabled for console access",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "Ensure MFA is enabled for all users with a console password. Multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user's identity.",
|
||||
"Risk": "Enabling MFA provides increased security by requiring two methods of verification at sign-in. With MFA enabled, a user must possess a device that emits a time-sensitive key and have knowledge of a username and password.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "**OCI IAM users** with **console password access** are expected to have **multifactor authentication** enabled. The evaluation inspects each local user allowed to sign in to the Console and identifies those without an active second factor.",
|
||||
"Risk": "Console-password accounts without **MFA** are exposed to **phishing**, **credential stuffing**, and **brute force**.\n\nA stolen password can grant Console access, enabling privilege escalation, key creation, and data access-compromising **confidentiality**, **integrity**, and **availability** across OCI.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Security/Reference/iam_security_topic-IAM_MFA.htm",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Security/Reference/iam_security_topic-iam_mfa_identity_domains_signon_policy.htm",
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/enable-mfa-for-user-accounts.html",
|
||||
"https://dzone.com/articles/strengthening-iam-security-for-cloud-iaas-accounts",
|
||||
"https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.63.3/oci_cli_docs/cmdref/iam/mfa-totp-device.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam user update-user-capabilities --user-id <USER_OCID> --can-use-console-password false",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-IAM/enable-mfa-for-user-accounts.html",
|
||||
"Other": "1. Enable MFA (user action):\n - Sign in to the OCI Console as the affected user\n - Click your profile icon > User settings\n - Click \"Enable Multi-Factor Authentication\"\n - Scan the QR code with an authenticator app and enter the verification code, then click \"Enable\"\n2. Or, remove console access (admin action) if the user doesn't need it:\n - In the Console, go to Identity & Security > Users\n - Open the user's page > Edit user capabilities\n - Uncheck \"Can use Console password\" and Save",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable MFA for all users with console password access.",
|
||||
"Url": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm"
|
||||
"Text": "Require **MFA** for all users with Console passwords; prefer **phishing-resistant authenticators** (e.g., FIDO). Enforce via sign-on policies, prioritizing admins. Apply **least privilege**, disable Console passwords for service or federated users, and monitor auth logs to confirm ongoing MFA coverage.",
|
||||
"Url": "https://hub.prowler.com/check/identity_user_mfa_enabled_console_access"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
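Review bot: the new `CLI` remediation `oci iam user update-user-capabilities --user-id <USER_OCID> --can-use-console-password false` does not enable MFA; it removes the user's console password, which the `Other` text correctly presents only as the fallback ("2. Or, remove console access (admin action) if the user doesn't need it"). Since TOTP enrolment is a self-service action (step 1 is performed by the signed-in user), either label the CLI line as the "remove console access" alternative or leave it empty and let `Other` carry both paths; as it stands, an operator scripting from the `CLI` field will lock users out instead of enforcing MFA. The `AdditionalURLs` entry for `mfa-totp-device` suggests the CLI can also complete enrolment for a user's own account, which would be the better command to show if it is used. Also, in `Risk`, "data access-compromising **confidentiality**" needs a comma after "access".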
@@ -1,30 +1,29 @@
|
||||
{
|
||||
"Provider": "oraclecloud",
|
||||
"CheckID": "identity_user_valid_email_address",
|
||||
"CheckTitle": "Ensure all OCI IAM user accounts have a valid and current email address",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS OCI Foundations Benchmark"
|
||||
],
|
||||
"CheckTitle": "OCI IAM user has a valid email address",
|
||||
"CheckType": [],
|
||||
"ServiceName": "identity",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "oci:identity:user",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "low",
|
||||
"ResourceType": "OciIamUser",
|
||||
"Description": "All user accounts should have valid email addresses.",
|
||||
"Risk": "Not meeting this IAM requirement increases security risk.",
|
||||
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm",
|
||||
"ResourceType": "User",
|
||||
"Description": "**OCI IAM user accounts** are evaluated for a populated `email` attribute that resembles an address (contains `@`). Accounts missing this attribute or with malformed values are identified.",
|
||||
"Risk": "Missing or invalid emails break **account recovery** and **MFA** flows, silencing security notifications. This degrades **availability** for legitimate users and enables attacker **persistence** on compromised or orphaned accounts, delaying containment and risking unauthorized data access.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "oci iam user update --user-id <example_resource_id> --email <example_email@example.com>",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. Sign in to the OCI Console\n2. Go to Identity & Security > Users\n3. Select the user without a valid email\n4. Click Edit (or Update)\n5. Enter a valid email address (must include '@')\n6. Click Save",
|
||||
"Terraform": "```hcl\n# Ensure the user has a valid email address\nresource \"oci_identity_user\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n name = \"<example_resource_name>\"\n email = \"<example_email@example.com>\" # Critical: sets a valid email (contains '@') to pass the check\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure all OCI IAM user accounts have a valid and current email address",
|
||||
"Url": "https://hub.prowler.com/check/oci/identity_user_valid_email_address"
|
||||
"Text": "Ensure every user has a unique, verified, and monitored `email`. Enforce this at creation and through periodic reviews; disable or remove accounts with invalid addresses. Prefer **federated identities** to minimize local users, and apply **least privilege** with clear ownership to support lifecycle management.",
|
||||
"Url": "https://hub.prowler.com/check/identity_user_valid_email_address"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
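Review bot: the `CheckTitle` "OCI IAM user has a valid email address" overstates what the `Description` says the check does, which is test that the `email` attribute is populated and "contains `@`"; either make the title say "has an email address set" or strengthen the check (for example, require a domain part after the `@`) so the title is accurate. The `Other` step 5, "Enter a valid email address (must include '@')", and the Terraform comment "sets a valid email (contains '@') to pass the check" are consistent with the weaker test, so the title is the only line out of step. The `CLI` line `oci iam user update --user-id <example_resource_id> --email <example_email@example.com>` and the `oci_identity_user` Terraform block are fine; the angle brackets around the example address make clear it is a placeholder.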