Restrict IAM Policies Modification

CCC.IAM.C02: Restrict IAM Policies Modification

Control ID:CCC.IAM.C02

Title:Restrict IAM Policies Modification

Objective:Ensure that only designated administrative accounts have the ability to create, modify, or attach policies that define permissions for other identities.

Control Family:

Identity and Access Management

Related Threats

ID	Title	Description	External Mappings	Capability Mappings	Control Mappings
CCC.IAM.TH06	IAM Policies Modification	An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistance or elevate their privileges.	1	1	0

Related Capabilities

ID	Title	Description
CCC.IAM.F02	IAM Users	Ability to create, manage, list and delete IAM users. IAM user represents a single person or application.
CCC.IAM.F06	IAM Roles / Service Principals	Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources.
CCC.IAM.F10	Custom Roles	Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed.

Guideline Mappings

Reference ID	Entry ID	Remarks
NIST-CSF	PR.AA-05	-
NIST_800_53	AC-2	-
NIST_800_53	AC-3	-
NIST_800_53	AC-5	-
NIST_800_53	AC-6	-

Assessment Requirements

ID	Description	Applicability
CCC.IAM.C02.TR01	When an identity policy for a non-administrative principal is evaluated, it MUST NOT grant permissions for creating, updating, or attaching policies.	tlp-clear tlp-green tlp-amber tlp-red
CCC.IAM.C02.TR02	When a non-administrative principal attempts to create, update, or attach policies, the service MUST deny the action.	tlp-clear tlp-green tlp-amber tlp-red