CCC.IAM.TH01 - Valid Cloud Credentials Abuse

CCC.IAM.TH01: Valid Cloud Credentials Abuse

Threat ID:CCC.IAM.TH01

Title:Valid Cloud Credentials Abuse

Description:

Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, unprotected metadata service of a compromised compute instance or brute-force attacks. The use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources.

Related Capabilities

ID	Title	Description
CCC.IAM.F02	IAM Users	Ability to create, manage, list and delete IAM users. IAM user represents a single person or application.
CCC.IAM.F03	Long-Term Credentials	Ability to create, manage, list and delete long-term credentials such as access keys and service account keys.
CCC.IAM.F04	Password Management	Ability to create, change and delete IAM user passwords.
CCC.IAM.F07	Managed Identities	Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor.
CCC.IAM.F08	Federated Identity - SAML	Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles.
CCC.IAM.F09	Federated Identity - OIDC	Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles.

External Mappings

Reference ID	Entry ID	Remarks
MITRE-ATT&CK	T1078.004	Valid Accounts: Cloud Accounts
MITRE-ATT&CK	T1552	Unsecured Credentials
MITRE-ATT&CK	T1552.005	Unsecured Credentials: Cloud Instance Metadata API
MITRE-ATT&CK	T1528	Steal Application Access Token
MITRE-ATT&CK	T1110	Brute Force

Controls

ID	Title	Objective	Control Family	Threat Mappings	Guideline Mappings	Assessment Requirements
CCC.IAM.C04	Restrict Wildcard Usage in IAM Policies	Limit the use of wildcard permissions in IAM policies to prevent overly broad access from being granted by default.	Identity and Access Management	2	4	1
CCC.IAM.C05	Strong Password Policies for IAM Users	Ensure that the password policies for IAM users have strong configurations.	Identity and Access Management	1	4	1
CCC.IAM.C06	Maximum Age for Long-Term Static Credentials	Ensure that long-lived static credentials like access keys are programmatically rotated within a defined time period to limit the window of opportunity if compromised.	Identity Provisioning and Lifecycle	2	2	1
CCC.IAM.C07	Automate Identity De-provisioning	Ensure that when an identity is terminated in the central Identity Provider (IdP), ts corresponding access to cloud resources is revoked automatically.	Identity Provisioning and Lifecycle	2	2	1
CCC.IAM.C08	Maximum Age for Unused Credentials	Ensure that unused IAM credentals are removed to reduce exposure in the event of potential compromise.	Identity Provisioning and Lifecycle	2	2	1
CCC.IAM.C09	Enforce Federated Single Sign-On (SSO) for Human Users	Ensure that all human users must authenticate through a central, federated Identity Provider (IdP) to access the cloud environment. This eliminates cloud-native user accounts with long-lived passwords, centralizes authentication controls, and simplifies lifecycle management.	Identity Provisioning and Lifecycle	2	2	1
CCC.IAM.C10	Alert On Anomalous Behaviour	Ensure that logs and associated alerts are generated when anomalous API requests are made by a single identity, such as API requests commonly associated with privilege escalation tactics, originating from an external or malicious IP address or performed by a previously dormant identity, which may indicate that credentals may be compromised, as well as for password brute-force attempts and account lockouts.	Logging and Monitoring	1	6	2