Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access.
Identity / IAM / Controls / DEV
Enable Continuous IAM Access and Usage Analysis
CCC.IAM.CN11 · Observability
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. |
| CCC.IAM.CP05 | IAM Groups | Ability to create, manage, list and delete IAM groups. IAM group is a collection of users, roles or other groups. |
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. |
| CCC.IAM.CP07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. |
| CCC.IAM.CP10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed. |
| CCC.IAM.CP12 | Policy Conditions | Ability to use conditions to add additional restrictions to the permission being granted. Allow access control rules to apply only when certain conditions are met. |
| CCC.IAM.CP08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. |
| CCC.IAM.CP09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. |
| CCC.IAM.CP03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
| CCC.IAM.CP04 | Password Management | Ability to create, change and delete IAM user passwords. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.IAM.TH02 | Overly-Permissive IAM Policy | An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously. |
| CCC.IAM.TH10 | Orphaned Federated Identity Retains Access | A federated identity is de-provisioned from the external Identity Provider (IdP), but its corresponding cloud identity remains active within the cloud environment. This orphaned identity creates a latent access path that could be exploited if the original username is reactivated or reassigned in the IdP, granting unintended access to a new principal. |
| CCC.IAM.TH11 | Unused Credentials | Unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.IAM.CN11.AR01 | When a cloud account or organization is provisioned, the native automated access and usage analysis services MUST be enabled to continuously monitor for external or public access to resources, and unused access. | tlp-clear, tlp-green, tlp-amber, tlp-red |