| ID | Title | Description |
|---|---|---|
| CCC.IAM.TH01 | Valid Cloud Credentials Abuse | Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, unprotected metadata service of a compromised compute instance or brute-force attacks. The use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources. |
| CCC.IAM.TH02 | Overly-Permissive IAM Policy | An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously. |
| CCC.IAM.TH03 | Overly-Permissive Identity Trust Policy | An IAM role or service principal's trust policy is configured to allow principals from untrusted or overly broad scopes, such as any identity in any account, to assume or impersonate it. This can allow an external or unauthorized identity to gain access to the cloud environment, completely bypassing internal identity controls. |
| CCC.IAM.TH04 | Additional Cloud Credentials Creation | An adversary with access to a sufficiently privileged cloud account may create additional credentials such as access keys, service accounts and temporary credentials to establish persistance or elevate their privileges. |
| CCC.IAM.TH05 | Additional IAM Roles Creation | An adversary with access to a sufficiently privileged cloud account may create additional IAM roles to establish persistance or elevate their privileges. |
| CCC.IAM.TH06 | IAM Policies Modification | An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistance or elevate their privileges. |
| CCC.IAM.TH07 | Identity Inherits Excessive Permissions Through Group Membership | An identity principal becomes a member of one or more IAM groups, and the combined policies of these groups grant permissions beyond what is necessary for the principal's function. This "privilege creep" through group inheritance complicates auditing and can lead to an identity having standing access to sensitive resources. |
| CCC.IAM.TH08 | Privilege Escalation via Indirect Role Usage | An identity principal possesses specific, highly privileged permissions, such as the ability to pass roles or impersonate service accounts, that allow it to leverage the permissions of a different, more privileged role. Even without being able to directly assume the target role, the principal can attach it to a new resource they control and then use that resource to perform unauthorized actions. |
| CCC.IAM.TH09 | Long-Lived Static Credentials | Long-lived static credentials such as access keys for an identity are used and not rotated periodically according to security best practices, extending exposure in the event of credentials compromise. |
| CCC.IAM.TH10 | Orphaned Federated Identity Retains Access | A federated identity is de-provisioned from the external Identity Provider (IdP), but its corresponding cloud identity remains active within the cloud environment. This orphaned identity creates a latent access path that could be exploited if the original username is reactivated or reassigned in the IdP, granting unintended access to a new principal. |
| CCC.IAM.TH11 | Unused Credentials | Unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface. |
| CCC.IAM.TH12 | IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy) | An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor. |
Identity / IAM
Threats
Version: