CCC.IAM.F15: Role Assumption / Delegation
Capability ID:CCC.IAM.F15
Title:Role Assumption / Delegation
Description:Ability to temporarily assume another role or delegate access.
Commonly used for user impersonation or temporary privilege
elevation.
Mapped Threats
| ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
|---|---|---|---|---|---|
| CCC.IAM.TH03 | Overly-Permissive Identity Trust Policy | An IAM role or service principal's trust policy is configured to allow principals from untrusted or overly broad scopes, such as any identity in any account, to assume or impersonate it. This can allow an external or unauthorized identity to gain access to the cloud environment, completely bypassing internal identity controls. | 1 | 1 | 0 |
| CCC.IAM.TH05 | Additional IAM Roles Creation | An adversary with access to a sufficiently privileged cloud account may create additional IAM roles to establish persistance or elevate their privileges. | 1 | 1 | 0 |
| CCC.IAM.TH08 | Privilege Escalation via Indirect Role Usage | An identity principal possesses specific, highly privileged permissions, such as the ability to pass roles or impersonate service accounts, that allow it to leverage the permissions of a different, more privileged role. Even without being able to directly assume the target role, the principal can attach it to a new resource they control and then use that resource to perform unauthorized actions. | 1 | 1 | 0 |
| CCC.IAM.TH12 | IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy) | An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor. | 1 | 1 | 0 |