CCC.IAM.TH10: Orphaned Federated Identity Retains Access
Threat ID: CCC.IAM.TH10
Title: Orphaned Federated Identity Retains Access
Description:
A federated identity is de-provisioned in the external Identity Provider (IdP), but its corresponding cloud identity, together with any role bindings or policies attached to it, remains active in the cloud environment. The orphaned identity is a latent access path: if the cloud side maps federated users by a mutable attribute such as username or email address rather than by the IdP's immutable subject identifier, reactivating or reassigning that username in the IdP lets a different person inherit the orphaned identity's permissions without any new access being granted on the cloud side.
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.IAM.F08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. |
CCC.IAM.F09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. |
External Mappings
Reference ID | Entry ID | Strength | Remarks |
---|---|---|---|
MITRE-ATT&CK | T1078 | 0 | Valid Accounts |
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.IAM.C07 | Automate Identity De-provisioning | Ensure that when an identity is terminated in the central Identity Provider (IdP), its corresponding access to cloud resources is revoked automatically. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
CCC.IAM.C11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. | Logging and Monitoring | 3 | 5 | 1 |
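The following is an added example, not part of the CCC catalog or any cloud provider's tooling. It illustrates both the threat described above and the reconciliation that control CCC.IAM.C07 calls for: a small offline script with constructed IdP and cloud records that (a) flags cloud identities whose IdP subject is no longer active, (b) shows that resolving a federated login by mutable username hands the orphaned identity's roles to a new hire who was given the same username, while resolving by the immutable subject identifier does not, and (c) revokes the orphans. The field names (`sub`, `idp_sub`, `roles`) and the sample users are assumptions chosen for the illustration; real IdPs and cloud providers expose equivalents under their own names.

```python
"""Reconcile federated cloud identities against the IdP and flag orphans.

Added example (not CCC catalog code). All records below are constructed.
Assumes the IdP exposes an immutable subject identifier ("sub") alongside
the mutable username, and that the cloud side recorded both at the time
the federated identity was provisioned.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdpUser:
    sub: str        # immutable subject identifier assigned by the IdP
    username: str   # mutable; can be reassigned to another person
    active: bool


@dataclass(frozen=True)
class CloudIdentity:
    name: str            # cloud-side principal name
    idp_sub: str         # IdP subject captured at provisioning time
    idp_username: str    # IdP username captured at provisioning time
    roles: List[str]     # roles this identity can assume (per F08/F09)


# Constructed IdP state: the original "alice" (sub idp-1001) has been
# de-provisioned, and the username "alice" has since been reassigned to a
# new hire with a different immutable subject (idp-2044).
IDP_USERS: List[IdpUser] = [
    IdpUser(sub="idp-1001", username="alice", active=False),
    IdpUser(sub="idp-1002", username="bob", active=True),
    IdpUser(sub="idp-2044", username="alice", active=True),
]

# Constructed cloud state: nobody revoked the original alice's identity.
CLOUD_IDENTITIES: List[CloudIdentity] = [
    CloudIdentity("alice", "idp-1001", "alice", ["BillingAdmin"]),
    CloudIdentity("bob", "idp-1002", "bob", ["ReadOnly"]),
]


def find_orphans(idp_users: List[IdpUser],
                 cloud_identities: List[CloudIdentity]) -> List[CloudIdentity]:
    """Return cloud identities whose IdP subject is not an active IdP user.

    Matching is done on the immutable subject, not the username, so a
    reassigned username cannot hide an orphan.
    """
    active_subs = {u.sub for u in idp_users if u.active}
    return [c for c in cloud_identities if c.idp_sub not in active_subs]


def resolve_by_username(username: str,
                        cloud_identities: List[CloudIdentity]) -> Optional[CloudIdentity]:
    """Weak mapping: match a federated login to a cloud identity by username.

    This is the path that turns an orphan into unintended access when the
    IdP reuses the username for someone else.
    """
    return next((c for c in cloud_identities if c.idp_username == username), None)


def resolve_by_sub(sub: str,
                   cloud_identities: List[CloudIdentity]) -> Optional[CloudIdentity]:
    """Hardened mapping: match by the IdP's immutable subject identifier.

    A new person with a reused username gets a new sub and therefore does
    not inherit the orphaned identity.
    """
    return next((c for c in cloud_identities if c.idp_sub == sub), None)


def revoke_orphans(idp_users: List[IdpUser],
                   cloud_identities: List[CloudIdentity]) -> List[CloudIdentity]:
    """Return the cloud identities that remain after orphans are removed.

    In a real deployment this would call the provider's IAM API to delete
    the principal or detach its role bindings; here it just filters.
    """
    orphan_subs = {c.idp_sub for c in find_orphans(idp_users, cloud_identities)}
    return [c for c in cloud_identities if c.idp_sub not in orphan_subs]


if __name__ == "__main__":
    for orphan in find_orphans(IDP_USERS, CLOUD_IDENTITIES):
        print(f"orphan: {orphan.name} (sub {orphan.idp_sub}) roles={orphan.roles}")
    hit = resolve_by_username("alice", CLOUD_IDENTITIES)
    print("username mapping gives new 'alice':", hit.roles if hit else None)
    print("subject mapping gives new 'alice':", resolve_by_sub("idp-2044", CLOUD_IDENTITIES))
    print("after revocation:", [c.name for c in revoke_orphans(IDP_USERS, CLOUD_IDENTITIES)])
```

Run as-is, the script reports the original `alice` identity as an orphan, shows that username-based resolution would give the new hire `BillingAdmin`, shows that subject-based resolution gives the new hire nothing until they are provisioned fresh, and leaves only `bob` after revocation. The check in `find_orphans` is the kind of scheduled reconciliation that backs CCC.IAM.C07 when event-driven de-provisioning from the IdP fails or is delayed.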