CCC.IAM.F06: IAM Roles / Service Principals
Capability ID:CCC.IAM.F06
Title:IAM Roles / Service Principals
Description:Ability to create, manage, list and delete IAM roles.
IAM role is an identity for applications or services to
access resources.
Mapped Threats
| ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
|---|---|---|---|---|---|
| CCC.IAM.TH02 | Overly-Permissive IAM Policy | An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously. | 1 | 1 | 0 |
| CCC.IAM.TH03 | Overly-Permissive Identity Trust Policy | An IAM role or service principal's trust policy is configured to allow principals from untrusted or overly broad scopes, such as any identity in any account, to assume or impersonate it. This can allow an external or unauthorized identity to gain access to the cloud environment, completely bypassing internal identity controls. | 1 | 1 | 0 |
| CCC.IAM.TH05 | Additional IAM Roles Creation | An adversary with access to a sufficiently privileged cloud account may create additional IAM roles to establish persistance or elevate their privileges. | 1 | 1 | 0 |
| CCC.IAM.TH06 | IAM Policies Modification | An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistance or elevate their privileges. | 1 | 1 | 0 |
| CCC.IAM.TH08 | Privilege Escalation via Indirect Role Usage | An identity principal possesses specific, highly privileged permissions, such as the ability to pass roles or impersonate service accounts, that allow it to leverage the permissions of a different, more privileged role. Even without being able to directly assume the target role, the principal can attach it to a new resource they control and then use that resource to perform unauthorized actions. | 1 | 1 | 0 |
| CCC.IAM.TH11 | Unused Credentials | Unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface. | 1 | 1 | 0 |
| CCC.IAM.TH12 | IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy) | An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor. | 1 | 1 | 0 |