CCC.IAM.C11: Enable Continuous IAM Access and Usage Analysis
Control ID: CCC.IAM.C11
Title: Enable Continuous IAM Access and Usage Analysis
Objective: Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access.
Control Family: Logging and Monitoring
Related Threats
ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
---|---|---|---|---|---|
CCC.IAM.TH02 | Overly-Permissive IAM Policy | An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously. | 1 | 1 | 0 |
CCC.IAM.TH10 | Orphaned Federated Identity Retains Access | A federated identity is de-provisioned from the external Identity Provider (IdP), but its corresponding cloud identity remains active within the cloud environment. This orphaned identity creates a latent access path that could be exploited if the original username is reactivated or reassigned in the IdP, granting unintended access to a new principal. | 1 | 1 | 0 |
CCC.IAM.TH11 | Unused Credentials | An unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface. | 1 | 1 | 0 |
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application. |
CCC.IAM.F05 | IAM Groups | Ability to create, manage, list and delete IAM groups. An IAM group is a collection of users, roles or other groups. |
CCC.IAM.F06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. An IAM role is an identity that applications or services assume to access resources. |
CCC.IAM.F07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) and managed by the cloud vendor. |
CCC.IAM.F10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that define which actions are allowed. |
CCC.IAM.F12 | Policy Conditions | Ability to use conditions to add further restrictions to the permission being granted. Conditions allow an access control rule to apply only when specified criteria are met. |