CCC Identity and Access Management
Service is designed to manage users, groups, roles and policies for controlling access to cloud services and resources in a secure manner. It also provides capabilities such as Multi-Factor Authentication (MFA) and identity protection.
Release Details
Version: DEV
Assurance Level:
Release Manager: Development Build
Contributors: Development Team
Change Log
- Development build - no formal changelog available
Capabilities
ID | Title | Description | Threat Mappings |
---|---|---|---|
CCC.IAM.F01 | Global Identities | IAM identities are global across all regions. They are created and managed from a single global namespace. | 0 |
CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application. | 7 |
CCC.IAM.F03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. | 4 |
CCC.IAM.F04 | Password Management | Ability to create, change and delete IAM user passwords. | 3 |
CCC.IAM.F05 | IAM Groups | Ability to create, manage, list and delete IAM groups. An IAM group is a collection of users, roles or other groups. | 2 |
CCC.IAM.F06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. An IAM role is an identity for applications or services to access resources. | 7 |
CCC.IAM.F07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. | 2 |
CCC.IAM.F08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. | 3 |
CCC.IAM.F09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. | 3 |
CCC.IAM.F10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that define what actions are allowed. | 4 |
CCC.IAM.F11 | Resource-Level Access | Ability to restrict where actions are allowed, rather than the entire service. Defines the scope of the assignment. | 1 |
CCC.IAM.F12 | Policy Conditions | Ability to use conditions to add additional restrictions to the permission being granted. Allow access control rules to apply only when certain conditions are met. | 2 |
CCC.IAM.F13 | Temporary Credentials | Ability to grant short-lived security credentials that provide access to resources for a limited period of time. These credentials are typically issued for a specific session or task and expire after a predefined duration. | 0 |
CCC.IAM.F14 | Multi-Factor Authentication (MFA) | Support for enforcing MFA on user accounts and roles. Essential for securing root/admin users. | 0 |
CCC.IAM.F15 | Role Assumption / Delegation | Ability to temporarily assume another role or delegate access. Commonly used for user impersonation or temporary privilege elevation. | 4 |
CCC.IAM.F16 | Access Boundaries | Ability to define a boundary around the maximum effective permissions allowed for an identity at a higher level. | 0 |
CCC.IAM.F17 | Deny Permissions by Default | By default, no identity (user, group, role, service) has access to any resource, unless explicit permissions are granted. | 0 |
CCC.IAM.F18 | Audit Tooling | Provide tools to simulate or analyze the permissions used by a role, and the ability to export reports of who has access and whether it is being used. These tools increase the visibility, auditability and compliance of identities. | 0 |
CCC.Core.F03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. | 3 |
CCC.Core.F06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. | 1 |
CCC.Core.F07 | Event Publication | The service automatically publishes a structured state-change record upon creation, deletion, or modification of data, configuration, components, or child resources. | 2 |
CCC.Core.F14 | API Access | The service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE. | 1 |
CCC.Core.F17 | Alerting | The service may be configured to emit a notification based on a user-defined condition related to the data published by a child or networked resource. | 2 |
CCC.Core.F20 | Resource Tagging | The service provides users with the ability to tag a child resource with metadata that can be reviewed or queried. | 1 |
Threats
ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
---|---|---|---|---|---|
CCC.IAM.TH01 | Valid Cloud Credentials Abuse | Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, unprotected metadata service of a compromised compute instance or brute-force attacks. The use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources. | 1 | 1 | 7 |
CCC.IAM.TH02 | Overly-Permissive IAM Policy | An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously. | 1 | 1 | 3 |
CCC.IAM.TH03 | Overly-Permissive Identity Trust Policy | An IAM role or service principal's trust policy is configured to allow principals from untrusted or overly broad scopes, such as any identity in any account, to assume or impersonate it. This can allow an external or unauthorized identity to gain access to the cloud environment, completely bypassing internal identity controls. | 1 | 1 | 1 |
CCC.IAM.TH04 | Additional Cloud Credentials Creation | An adversary with access to a sufficiently privileged cloud account may create additional credentials such as access keys, service accounts and temporary credentials to establish persistence or elevate their privileges. | 1 | 1 | 0 |
CCC.IAM.TH05 | Additional IAM Roles Creation | An adversary with access to a sufficiently privileged cloud account may create additional IAM roles to establish persistence or elevate their privileges. | 1 | 1 | 0 |
CCC.IAM.TH06 | IAM Policies Modification | An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistence or elevate their privileges. | 1 | 1 | 1 |
CCC.IAM.TH07 | Identity Inherits Excessive Permissions Through Group Membership | An identity principal becomes a member of one or more IAM groups, and the combined policies of these groups grant permissions beyond what is necessary for the principal's function. This "privilege creep" through group inheritance complicates auditing and can lead to an identity having standing access to sensitive resources. | 1 | 1 | 0 |
CCC.IAM.TH08 | Privilege Escalation via Indirect Role Usage | An identity principal possesses specific, highly privileged permissions, such as the ability to pass roles or impersonate service accounts, that allow it to leverage the permissions of a different, more privileged role. Even without being able to directly assume the target role, the principal can attach it to a new resource they control and then use that resource to perform unauthorized actions. | 1 | 1 | 0 |
CCC.IAM.TH09 | Long-Lived Static Credentials | Long-lived static credentials such as access keys for an identity are used and not rotated periodically according to security best practices, extending exposure in the event of credentials compromise. | 1 | 1 | 2 |
CCC.IAM.TH10 | Orphaned Federated Identity Retains Access | A federated identity is de-provisioned from the external Identity Provider (IdP), but its corresponding cloud identity remains active within the cloud environment. This orphaned identity creates a latent access path that could be exploited if the original username is reactivated or reassigned in the IdP, granting unintended access to a new principal. | 1 | 1 | 2 |
CCC.IAM.TH11 | Unused Credentials | Unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface. | 1 | 1 | 2 |
CCC.IAM.TH12 | IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy) | An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor. | 1 | 1 | 0 |
CCC.Core.TH01 | Access is Granted to Unauthorized Users | Logic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data. | 1 | 1 | 4 |
CCC.Core.TH07 | Logs are Tampered With or Deleted | Tampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails. | 1 | 1 | 1 |
CCC.Core.TH09 | Runtime Logs are Read by Unauthorized Entities | Unauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data. | 1 | 1 | 1 |
CCC.Core.TH10 | State-change Events are Read by Unauthorized Entities | Unauthorized access to state-change events can reveal information about the system's design and usage patterns. This opens the system up to attacks of opportunity and supports the planning of attacks on the service, system, or network. | 1 | 1 | 0 |
CCC.Core.TH11 | Publications are Incorrectly Triggered | Incorrectly triggered publications may disseminate inaccurate or misleading information, creating a data integrity risk. Such misinformation can cause unintended operations to be initiated, conceal legitimate issues, and disrupt the availability or reliability of systems and their data. | 1 | 1 | 0 |
CCC.Core.TH13 | Resource Tags are Manipulated | When resource tags are altered, it can lead to misclassification or mismanagement of resources. This can reduce the efficacy of organizational policies, billing rules, or network access rules. Such changes could cause compromised confidentiality, integrity, or availability of the system and its data. | 1 | 1 | 0 |
CCC.Core.TH15 | Automated Enumeration and Reconnaissance by Non-human Entities | Automated processes may be used to gather details about service and child resource elements such as APIs, file systems, or directories. This information can reveal vulnerabilities, misconfigurations, and the network topology, which can be used to plan an attack against the system, the service, or its child resources. | 1 | 1 | 1 |
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.IAM.C01 | Restrict IAM User Credentials Creation | Prevent non-administrative principals from creating new long-lived credentials like access keys or generating temporary session tokens. This blocks a common privilege escalation and persistence vector. | Identity and Access Management | 1 | 5 | 2 |
CCC.IAM.C02 | Restrict IAM Policies Modification | Ensure that only designated administrative accounts have the ability to create, modify, or attach policies that define permissions for other identities. | Identity and Access Management | 1 | 5 | 2 |
CCC.IAM.C03 | Restrict Role Assumption / Delegation | Limit which principals can assume a role or impersonate a service identity to only those required. This prevents unintended cross-account or public access by securing the "who can act as this identity" boundary. | Identity and Access Management | 1 | 5 | 2 |
CCC.IAM.C04 | Restrict Wildcard Usage in IAM Policies | Limit the use of wildcard permissions in IAM policies to prevent overly broad access from being granted by default. | Identity and Access Management | 2 | 4 | 1 |
CCC.IAM.C05 | Strong Password Policies for IAM Users | Ensure that the password policies for IAM users have strong configurations. | Identity and Access Management | 1 | 4 | 1 |
CCC.Core.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Identity and Access Management | 1 | 6 | 4 |
CCC.Core.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Identity and Access Management | 1 | 8 | 6 |
CCC.IAM.C06 | Maximum Age for Long-Term Static Credentials | Ensure that long-lived static credentials like access keys are programmatically rotated within a defined time period to limit the window of opportunity if compromised. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
CCC.IAM.C07 | Automate Identity De-provisioning | Ensure that when an identity is terminated in the central Identity Provider (IdP), its corresponding access to cloud resources is revoked automatically. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
CCC.IAM.C08 | Maximum Age for Unused Credentials | Ensure that unused IAM credentials are removed to reduce exposure in the event of potential compromise. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
CCC.IAM.C09 | Enforce Federated Single Sign-On (SSO) for Human Users | Ensure that all human users must authenticate through a central, federated Identity Provider (IdP) to access the cloud environment. This eliminates cloud-native user accounts with long-lived passwords, centralizes authentication controls, and simplifies lifecycle management. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
CCC.IAM.C10 | Alert On Anomalous Behaviour | Ensure that logs and associated alerts are generated when anomalous API requests are made by a single identity, such as API requests commonly associated with privilege escalation tactics, requests originating from an external or malicious IP address, or requests performed by a previously dormant identity, any of which may indicate that credentials have been compromised. Alerts should also be generated for password brute-force attempts and account lockouts. | Logging and Monitoring | 1 | 6 | 2 |
CCC.IAM.C11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. | Logging and Monitoring | 3 | 5 | 1 |
CCC.Core.C02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Data | 1 | 7 | 1 |
CCC.Core.C09 | Ensure Integrity of Access Logs | Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. | Data | 3 | 5 | 3 |
CCC.Core.C04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring | 1 | 5 | 3 |
CCC.Core.C07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Logging & Monitoring | 1 | 4 | 2 |