CCC.IAM.TH11: Unused Credentials
Threat ID: CCC.IAM.TH11
Title: Unused Credentials
Description:
An unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface.
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application. |
CCC.IAM.F03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
CCC.IAM.F04 | Password Management | Ability to create, change and delete IAM user passwords. |
CCC.IAM.F06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. An IAM role is an identity for applications or services to access resources. |
External Mappings
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.IAM.C08 | Maximum Age for Unused Credentials | Ensure that unused IAM credentials are removed to reduce exposure in the event of potential compromise. | Identity Provisioning and Lifecycle | 2 | 2 | 1 |
CCC.IAM.C11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. | Logging and Monitoring | 3 | 5 | 1 |