Prevent non-administrative principals from creating new long-lived credentials like access keys or generating temporary session tokens. This blocks a common privilege escalation and persistence vector.
Identity / IAM / Controls / DEV
Restrict IAM User Credentials Creation
CCC.IAM.CN01 · Access
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. |
| CCC.IAM.CP12 | Policy Conditions | Ability to use conditions to add additional restrictions to the permission being granted. Allow access control rules to apply only when certain conditions are met. |
| CCC.IAM.CP15 | Role Assumption / Delegation | Ability to temporarily assume another role or delegate access. Commonly used for user impersonation or temporary privilege elevation. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.IAM.TH03 | Overly-Permissive Identity Trust Policy | An IAM role or service principal's trust policy is configured to allow principals from untrusted or overly broad scopes, such as any identity in any account, to assume or impersonate it. This can allow an external or unauthorized identity to gain access to the cloud environment, completely bypassing internal identity controls. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.IAM.CN01.AR01 | When an identity policy for a non-administrative principal is evaluated, it MUST NOT grant permissions for creating credentials or generating temporary session tokens. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.IAM.CN01.AR02 | When a non-administrative principal attempts to create new credentials or a temporary session token, the service MUST deny the action. | tlp-clear, tlp-green, tlp-amber, tlp-red |