| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.IAM.CN01 | Restrict IAM User Credentials Creation | Prevent non-administrative principals from creating new long-lived credentials like access keys or generating temporary session tokens. This blocks a common privilege escalation and persistence vector. | Access | 1 | 5 | 2 |
| CCC.IAM.CN02 | Restrict IAM Policies Modification | Ensure that only designated administrative accounts have the ability to create, modify, or attach policies that define permissions for other identities. | Access | 1 | 5 | 2 |
| CCC.IAM.CN03 | Restrict Role Assumption / Delegation | Limit which principals can assume a role or impersonate a service identity to only those required. This prevents unintended cross-account or public access by securing the "who can act as this identity" boundary. | Access | 1 | 5 | 2 |
| CCC.IAM.CN04 | Restrict Wildcard Usage in IAM Policies | Limit the use of wildcard permissions in IAM policies to prevent overly broad access from being granted by default. | Access | 2 | 4 | 1 |
| CCC.IAM.CN05 | Strong Password Policies for IAM Users | Ensure that the password policies for IAM users have strong configurations. | Access | 1 | 4 | 1 |
| CCC.IAM.CN06 | Maximum Age for Long-Term Static Credentials | Ensure that long-lived static credentials like access keys are programmatically rotated within a defined time period to limit the window of opportunity if compromised. | Access | 2 | 2 | 1 |
| CCC.IAM.CN07 | Automate Identity De-provisioning | Ensure that when an identity is terminated in the central Identity Provider (IdP), ts corresponding access to cloud resources is revoked automatically. | Access | 2 | 2 | 1 |
| CCC.IAM.CN08 | Maximum Age for Unused Credentials | Ensure that unused IAM credentals are removed to reduce exposure in the event of potential compromise. | Access | 2 | 2 | 1 |
| CCC.IAM.CN09 | Enforce Federated Single Sign-On (SSO) for Human Users | Ensure that all human users must authenticate through a central, federated Identity Provider (IdP) to access the cloud environment. This eliminates cloud-native user accounts with long-lived passwords, centralizes authentication controls, and simplifies lifecycle management. | Access | 2 | 2 | 1 |
| CCC.IAM.CN10 | Alert On Anomalous Behaviour | Ensure that logs and associated alerts are generated when anomalous API requests are made by a single identity, such as API requests commonly associated with privilege escalation tactics, originating from an external or malicious IP address or performed by a previously dormant identity, which may indicate that credentals may be compromised, as well as for password brute-force attempts and account lockouts. | Observability | 1 | 6 | 2 |
| CCC.IAM.CN11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. | Observability | 3 | 5 | 1 |
Identity / IAM
CCC Identity and Access Management Controls
Version: DEV