An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously.
Identity / IAM / Threats / DEV
Overly-Permissive IAM Policy
CCC.IAM.TH02
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. |
| CCC.IAM.CP05 | IAM Groups | Ability to create, manage, list and delete IAM groups. IAM group is a collection of users, roles or other groups. |
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. |
| CCC.IAM.CP07 | Managed Identities | Identity assigned to cloud resources (e.g., VMs, Functions) which are managed by the cloud vendor. |
| CCC.IAM.CP10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed. |
| CCC.IAM.CP12 | Policy Conditions | Ability to use conditions to add additional restrictions to the permission being granted. Allow access control rules to apply only when certain conditions are met. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CN03 | Restrict Role Assumption / Delegation | Limit which principals can assume a role or impersonate a service identity to only those required. This prevents unintended cross-account or public access by securing the "who can act as this identity" boundary. |
| CCC.IAM.CN04 | Restrict Wildcard Usage in IAM Policies | Limit the use of wildcard permissions in IAM policies to prevent overly broad access from being granted by default. |
| CCC.IAM.CN11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. |
External Mappings
| Framework | ID | Remarks |
|---|---|---|
| MITRE-ATT&CK | T1078.004 | Valid Accounts: Cloud Accounts |