| ID | Title | Description | Threat Mappings |
|---|---|---|---|
| CCC.IAM.CP01 | Global Identities | IAM identities are global across all regions. They are created and managed from a single global namespace. | 0 |
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. | 7 |
| CCC.IAM.CP03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. | 4 |
| CCC.IAM.CP04 | Password Management | Ability to create, change and delete IAM user passwords. | 3 |
| CCC.IAM.CP05 | IAM Groups | Ability to create, manage, list and delete IAM groups. IAM group is a collection of users, roles or other groups. | 2 |
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. | 7 |
| CCC.IAM.CP07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. | 2 |
| CCC.IAM.CP08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. | 3 |
| CCC.IAM.CP09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. | 3 |
| CCC.IAM.CP10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed. | 4 |
| CCC.IAM.CP11 | Resource-Level Access | Ability to restrict where actions are allowed, rather than the entire service. Defines the scope of the assignment. | 1 |
| CCC.IAM.CP12 | Policy Conditions | Ability to use conditions to add additional restrictions to the permission being granted. Allow access control rules to apply only when certain conditions are met. | 2 |
| CCC.IAM.CP13 | Temporary Credentials | Ability to grant short-lived security credentials that provide access to resources for a limited period of time. These credentials are typically issued for a specific session or task and expire after a predefined duration. | 0 |
| CCC.IAM.CP14 | Multi-Factor Authentication (MFA) | Support for enforcing MFA on user accounts and roles. Essential for securing root/admin users. | 0 |
| CCC.IAM.CP15 | Role Assumption / Delegation | Ability to temporarily assume another role or delegate access. Commonly used for user impersonation or temporary privilege elevation. | 4 |
| CCC.IAM.CP16 | Access Boundaries | Ability to define a boundary around the maximum effective permissions allowed for an identity at a higher level. | 0 |
| CCC.IAM.CP17 | Deny Permissions by Default | By default, no identity (user, group, role, service) has access to any resource, unless explicit permissions are granted. | 0 |
| CCC.IAM.CP18 | Audit Tooling | Provide tools to simulate or analyze permission used by a roles, and ability to export reports of who has access and whether it's being used, etc. These tools will increase the visibility, auditability and compliance of identities. | 0 |
Identity / IAM
Capabilities
Version: