A federated identity is de-provisioned from the external Identity Provider (IdP), but its corresponding cloud identity remains active within the cloud environment. This orphaned identity creates a latent access path that could be exploited if the original username is reactivated or reassigned in the IdP, granting unintended access to a new principal.
Identity / IAM / Threats / DEV
Orphaned Federated Identity Retains Access
CCC.IAM.TH10
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. |
| CCC.IAM.CP09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CN07 | Automate Identity De-provisioning | Ensure that when an identity is terminated in the central Identity Provider (IdP), ts corresponding access to cloud resources is revoked automatically. |
| CCC.IAM.CN11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. |
External Mappings
| Framework | ID | Remarks |
|---|---|---|
| MITRE-ATT&CK | T1078 | Valid Accounts |