CCC.IAM.TH09: Long-Lived Static Credentials
Threat ID: CCC.IAM.TH09
Title: Long-Lived Static Credentials
Description:
Long-lived static credentials, such as access keys issued to an identity, remain in use without being rotated periodically as security best practice requires, which extends the window of exposure if the credentials are compromised.
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application. |
| CCC.IAM.F03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
External Mappings
Controls
| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.IAM.C06 | Maximum Age for Long-Term Static Credentials | Ensure that long-lived static credentials such as access keys are programmatically rotated within a defined time period, limiting the window of opportunity if they are compromised. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
| CCC.IAM.C09 | Enforce Federated Single Sign-On (SSO) for Human Users | Ensure that all human users authenticate through a central, federated Identity Provider (IdP) to access the cloud environment. This eliminates cloud-native user accounts with long-lived passwords, centralizes authentication controls, and simplifies lifecycle management. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
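The following is an added example of the maximum-age check that CCC.IAM.C06 calls for; it is not part of the CCC catalogue or any provider's tooling. The key inventory is constructed sample data in a cloud-agnostic shape (a real check would populate it from the provider's key-listing API), the key identifiers are placeholders, and the 90-day maximum age is an assumed policy value, since the control only requires a "defined time period". Beyond plain age, the check also separates keys that should be rotated from keys that should simply be deleted: a key that has not authenticated within a whole rotation period is stale, and rotating it would only keep an unused credential alive.

```python
"""Max-age check for long-lived static credentials (illustrates CCC.IAM.C06).

Added example, not part of the CCC catalogue. The inventory below is
constructed sample data; key ids are placeholders, never real secrets.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Verdicts the check can return for a single credential.
ROTATE = "ROTATE"                    # active, in use, older than the max age
WARN = "WARN"                        # active, in use, approaching the max age
DELETE_UNUSED = "DELETE_UNUSED"      # active but unused for a full rotation period
DELETE_INACTIVE = "DELETE_INACTIVE"  # disabled key left behind past the max age


@dataclass(frozen=True)
class StaticCredential:
    principal: str                 # identity the key is bound to (user or service account)
    key_id: str                    # key identifier only; the secret never enters the inventory
    created: datetime              # issue time, i.e. the time of the last rotation
    active: bool                   # provider-side status flag
    last_used: Optional[datetime]  # None when the key has never authenticated


@dataclass(frozen=True)
class Finding:
    principal: str
    key_id: str
    age_days: int
    reason: str


def age_days(cred: StaticCredential, now: datetime) -> int:
    """Whole days since the key was issued (or last rotated)."""
    return (now - cred.created).days


def check_max_age(creds: List[StaticCredential], max_age_days: int,
                  now: datetime, warn_before_days: int = 7) -> List[Finding]:
    """Return one finding per credential that violates or nears the max-age policy."""
    findings: List[Finding] = []
    for c in creds:
        age = age_days(c, now)
        if not c.active:
            # A disabled key cannot authenticate, but one left behind past the
            # max age can still be re-enabled; flag it for deletion.
            if age > max_age_days:
                findings.append(Finding(c.principal, c.key_id, age, DELETE_INACTIVE))
            continue
        # Days since last use; a never-used key has been idle its whole life.
        idle = (now - c.last_used).days if c.last_used else age
        if idle > max_age_days:
            findings.append(Finding(c.principal, c.key_id, age, DELETE_UNUSED))
        elif age > max_age_days:
            findings.append(Finding(c.principal, c.key_id, age, ROTATE))
        elif age > max_age_days - warn_before_days:
            findings.append(Finding(c.principal, c.key_id, age, WARN))
    return findings


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Fixed evaluation time so the example is reproducible (constructed).
NOW = _utc(2024, 6, 30)
MAX_AGE_DAYS = 90  # assumed policy value; CCC.IAM.C06 leaves the period to the adopter

# Constructed inventory covering the cases the check distinguishes.
SAMPLE_INVENTORY = [
    StaticCredential("alice", "KEY-0001", _utc(2024, 1, 1), True, _utc(2024, 6, 29)),   # 181 days, in use
    StaticCredential("bob", "KEY-0002", _utc(2024, 5, 1), True, _utc(2024, 6, 28)),     # 60 days, compliant
    StaticCredential("ci-bot", "KEY-0003", _utc(2023, 1, 1), True, None),               # never used
    StaticCredential("carol", "KEY-0004", _utc(2024, 4, 5), True, _utc(2024, 6, 30)),   # 86 days, nearing
    StaticCredential("dave", "KEY-0005", _utc(2023, 12, 1), False, _utc(2024, 2, 1)),   # disabled, stale
]


def main() -> None:
    for f in check_max_age(SAMPLE_INVENTORY, MAX_AGE_DAYS, NOW):
        print(f"{f.reason:16} {f.principal:8} {f.key_id}  age={f.age_days}d")


if __name__ == "__main__":
    main()
```

Running it against the constructed inventory reports KEY-0001 for rotation, KEY-0004 as nearing the limit, KEY-0003 and KEY-0005 for deletion, and nothing for KEY-0002. Wiring the same function to a real inventory is a matter of mapping the provider's key-listing output onto `StaticCredential`; the verdicts, not the listing, are where the policy lives.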