Recommendations 1.5 (Ensure IAM password policy expires passwords within 365 days) and 1.6 (Ensure IAM password policy prevents password reuse) return N/A even though both are fulfilled.
We get the same result no matter what is written in Password policy.
It's added to non-compliant recommendations, giving a false negative.
Also, item 1.7 (Ensure MFA is enabled for all users with a console password) returns a false negative for users who never logged in. We forced MFA at the tenancy level, but newly created users (or users who never logged in) are marked as non-compliant although they do not have any console passwords created.
Is there a way to improve these 3 items, or some workaround?
For 1.7: This is correct. If a user has never logged in, chances are that the user credentials can be stolen and the attacker set up a factor that the real user is not aware of. If that happened, the real user cannot log in and the attacker can act on the user's behalf.
Dormant users, i.e., users that have never logged in or have not logged in for some time, are a security risk and should be deactivated.