CCC.IAM.TH02: Overly-Permissive IAM Policy
Threat ID:CCC.IAM.TH02
Title:Overly-Permissive IAM Policy
Description:
An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously.
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.F02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. |
| CCC.IAM.F05 | IAM Groups | Ability to create, manage, list and delete IAM groups. IAM group is a collection of users, roles or other groups. |
| CCC.IAM.F06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. |
| CCC.IAM.F07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. |
| CCC.IAM.F10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed. |
| CCC.IAM.F12 | Policy Conditions | Ability to use conditions to add additional restrictions to the permission being granted. Allow access control rules to apply only when certain conditions are met. |
External Mappings
| Reference ID | Entry ID | Strength | Remarks |
|---|---|---|---|
MITRE-ATT&CK | T1078.004 | 0 | Valid Accounts: Cloud Accounts |
Controls
| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.IAM.C03 | Restrict Role Assumption / Delegation | Limit which principals can assume a role or impersonate a service identity to only those required. This prevents unintended cross-account or public access by securing the "who can act as this identity" boundary. | Identity and Access Management | 1 | 5 | 2 |
| CCC.IAM.C04 | Restrict Wildcard Usage in IAM Policies | Limit the use of wildcard permissions in IAM policies to prevent overly broad access from being granted by default. | Identity and Access Management | 2 | 4 | 1 |
| CCC.IAM.C11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. | Logging and Monitoring | 3 | 5 | 1 |