Ensure that unused IAM credentals are removed to reduce exposure in the event of potential compromise.
Identity / IAM / Controls / DEV
Maximum Age for Unused Credentials
CCC.IAM.CN08 · Access
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. |
| CCC.IAM.CP03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
| CCC.IAM.CP04 | Password Management | Ability to create, change and delete IAM user passwords. |
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. |
| CCC.IAM.CP07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. |
| CCC.IAM.CP08 | Federated Identity - SAML | Support for user authentication outside the cloud service provider using SAML. Authenticated federated identities can assume IAM roles. |
| CCC.IAM.CP09 | Federated Identity - OIDC | Support for user authentication outside the cloud service provider using OIDC. Authenticated federated identities can assume IAM roles. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.IAM.TH11 | Unused Credentials | Unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface. |
| CCC.IAM.TH01 | Valid Cloud Credentials Abuse | Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, unprotected metadata service of a compromised compute instance or brute-force attacks. The use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.IAM.CN08.AR01 | When an IAM user has credentials, such as passwords or access keys, that have not been used for 90 days or more, the unused credentials MUST be removed or deactivated. | tlp-clear, tlp-green, tlp-amber, tlp-red |