CCC.IAM.F10: Custom Roles
Capability ID: CCC.IAM.F10
Title: Custom Roles
Description: Ability to create, manage, list and delete custom roles.
Custom roles are user-defined roles that define what
actions are allowed.
Mapped Threats
ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
---|---|---|---|---|---|
CCC.IAM.TH02 | Overly-Permissive IAM Policy | An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously. | 1 | 1 | 0 |
CCC.IAM.TH05 | Additional IAM Roles Creation | An adversary with access to a sufficiently privileged cloud account may create additional IAM roles to establish persistence or elevate their privileges. | 1 | 1 | 0 |
CCC.IAM.TH06 | IAM Policies Modification | An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistence or elevate their privileges. | 1 | 1 | 0 |
CCC.IAM.TH12 | IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy) | An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor. | 1 | 1 | 0 |