Long-lived static credentials, such as access keys for an identity, are used without being rotated periodically according to security best practices, which extends the exposure window if the credentials are compromised.
Long-Lived Static Credentials
CCC.IAM.TH09
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application. |
| CCC.IAM.CP03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CN06 | Maximum Age for Long-Term Static Credentials | Ensure that long-lived static credentials like access keys are programmatically rotated within a defined time period to limit the window of opportunity if compromised. |
| CCC.IAM.CN09 | Enforce Federated Single Sign-On (SSO) for Human Users | Ensure that all human users must authenticate through a central, federated Identity Provider (IdP) to access the cloud environment. This eliminates cloud-native user accounts with long-lived passwords, centralizes authentication controls, and simplifies lifecycle management. |