Restrict IAM Policies Modification
CCC.IAM.CN02 · Access
Ensure that only designated administrative accounts have the ability to create, modify, or attach policies that define permissions for other identities.
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application. |
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. An IAM role is an identity that applications or services assume to access resources. |
| CCC.IAM.CP10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that define which actions are allowed. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.IAM.TH06 | IAM Policies Modification | An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistence or elevate their privileges. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.IAM.CN02.AR01 | When an identity policy for a non-administrative principal is evaluated, it MUST NOT grant permissions for creating, updating, or attaching policies. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.IAM.CN02.AR02 | When a non-administrative principal attempts to create, update, or attach policies, the service MUST deny the action. | tlp-clear, tlp-green, tlp-amber, tlp-red |
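The two assessment requirements can be checked mechanically against an identity policy document. The following is an added example, not part of the CCC catalogue or any provider's tooling: it assumes AWS-style JSON policy documents (Version / Statement / Effect / Action) and uses the AWS IAM action names that create, update, or attach policies as the set AR01 cares about; the two sample policies (a weak "developers may manage IAM" policy and a hardened one with an explicit deny) are constructed for the demo. Resource and Condition elements are deliberately ignored, so any Allow counts as a grant, which errs on the side of flagging.

```python
"""Check an identity policy against CCC.IAM.CN02.AR01 (no policy-modification
grants for non-administrative principals) and show an explicit deny that
produces the AR02 behaviour. Constructed example; not CCC or AWS code.

Assumption: AWS-style policy JSON and AWS IAM action names. Resource and
Condition are ignored, so this is a conservative (over-flagging) check."""
import fnmatch

# AWS IAM actions that create, update, or attach policies (assumed naming).
POLICY_MODIFICATION_ACTIONS = (
    "iam:CreatePolicy",
    "iam:CreatePolicyVersion",
    "iam:DeletePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy",
    "iam:PutUserPolicy",
    "iam:PutGroupPolicy",
    "iam:PutRolePolicy",
    "iam:PutUserPermissionsBoundary",
    "iam:PutRolePermissionsBoundary",
)

# Constructed weak policy: a broad "iam:*" grant to a developer role.
WEAK_DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}

# Constructed hardened policy: read-only IAM plus PassRole, and an explicit
# Deny of every policy-modification action. Deny wins even if another
# attached policy grants them, which is the AR02 behaviour the service must show.
HARDENED_DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:PassRole"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": list(POLICY_MODIFICATION_ACTIONS),
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_policy_modification_actions(policy):
    """Return the policy-modification actions the document effectively allows.

    An action is allowed when some Allow statement covers it and no Deny
    statement covers it (explicit deny wins). Action and NotAction are both
    handled: NotAction covers everything not listed."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        if "Action" in stmt:
            patterns = _as_list(stmt["Action"])
            negate = False
        elif "NotAction" in stmt:
            patterns = _as_list(stmt["NotAction"])
            negate = True
        else:
            continue
        for action in POLICY_MODIFICATION_ACTIONS:
            hit = any(_matches(p, action) for p in patterns)
            if hit != negate:
                target.add(action)
    return sorted(allowed - denied)


def complies_with_ar01(policy, principal_is_admin):
    """AR01: a non-administrative principal's policy must grant none of these."""
    return principal_is_admin or not granted_policy_modification_actions(policy)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DEVELOPER_POLICY),
                      ("hardened", HARDENED_DEVELOPER_POLICY)):
        grants = granted_policy_modification_actions(doc)
        print(f"{name}: AR01 compliant for non-admin = "
              f"{complies_with_ar01(doc, False)}; grants = {grants}")
```

Run over every identity policy attached to non-administrative principals; any non-empty result from `granted_policy_modification_actions` is an AR01 finding. The explicit Deny in the hardened document is what makes the service refuse the action at evaluation time (AR02), regardless of what other attached policies allow.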