CCC.IAM.C04: Restrict Wildcard Usage in IAM Policies
Control ID:CCC.IAM.C04
Title:Restrict Wildcard Usage in IAM Policies
Objective:Limit the use of wildcard permissions in IAM policies to prevent
overly broad access from being granted by default.
Control Family:
Identity and Access Management
Related Threats
| ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
|---|---|---|---|---|---|
| CCC.IAM.TH01 | Valid Cloud Credentials Abuse | Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, unprotected metadata service of a compromised compute instance or brute-force attacks. The use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources. | 1 | 1 | 0 |
| CCC.IAM.TH02 | Overly-Permissive IAM Policy | An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously. | 1 | 1 | 0 |
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. |
| CCC.IAM.F03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
| CCC.IAM.F04 | Password Management | Ability to create, change and delete IAM user passwords. |
| CCC.IAM.F07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. |
| CCC.IAM.F08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. |
| CCC.IAM.F09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. |