CCC.IAM.C10: Alert On Anomalous Behaviour
Control ID:CCC.IAM.C10
Title:Alert On Anomalous Behaviour
Objective:Ensure that logs and associated alerts are generated when anomalous
API requests are made by a single identity, such as API requests
commonly associated with privilege escalation tactics, originating
from an external or malicious IP address or performed by a previously
dormant identity, which may indicate that credentals may be compromised,
as well as for password brute-force attempts and account lockouts.
Control Family:
Logging and Monitoring
Related Threats
ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
---|---|---|---|---|---|
CCC.IAM.TH01 | Valid Cloud Credentials Abuse | Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, unprotected metadata service of a compromised compute instance or brute-force attacks. The use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources. | 1 | 1 | 0 |
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. |
CCC.IAM.F03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
CCC.IAM.F04 | Password Management | Ability to create, change and delete IAM user passwords. |
CCC.IAM.F07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. |
CCC.IAM.F08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. |
CCC.IAM.F09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. |