An identity principal becomes a member of one or more IAM groups, and the combined policies of these groups grant permissions beyond what is necessary for the principal's function. This "privilege creep" through group inheritance complicates auditing and can lead to an identity having standing access to sensitive resources.
Identity Inherits Excessive Permissions Through Group Membership
CCC.IAM.TH07
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP05 | IAM Groups | Ability to create, manage, list and delete IAM groups. An IAM group is a collection of users, roles or other groups. |
External Mappings
| Framework | ID | Remarks |
|---|---|---|
| MITRE-ATT&CK | T1098 | Account Manipulation |
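
One way to audit for this threat, shown as an added example that is not part of the catalog entry: it resolves a principal's group memberships transitively (groups can contain other groups), then reports every inherited action outside a required baseline together with the groups that grant it. The group names, action strings and the `group:` member prefix are constructed assumptions, not any provider's API.

```python
# Constructed sample data: names, actions and the "group:" prefix are illustrative.
GROUPS = {
    "oncall":      {"members": ["bob"], "actions": {"logs:read", "vm:restart"}},
    "developers":  {"members": ["alice", "group:oncall"], "actions": {"repo:read", "repo:write"}},
    "data-admins": {"members": ["group:developers"], "actions": {"db:read", "db:delete"}},
    # "platform" lists itself as a member: a membership cycle the walk must survive.
    "platform":    {"members": ["group:data-admins", "group:platform"], "actions": {"iam:update"}},
}


def groups_of(principal, groups):
    """Return every group the principal is in, directly or through nested groups."""
    parents = {}  # member -> groups that list it as a member
    for name, group in groups.items():
        for member in group["members"]:
            parents.setdefault(member, set()).add(name)
    seen, stack = set(), [principal]
    while stack:
        node = stack.pop()
        for grp in parents.get(node, ()):
            if grp not in seen:  # visit each group once, so cycles terminate
                seen.add(grp)
                stack.append("group:" + grp)
    return seen


def effective_actions(principal, groups):
    """Map each inherited action to the set of groups granting it."""
    granted = {}
    for grp in groups_of(principal, groups):
        for action in groups[grp]["actions"]:
            granted.setdefault(action, set()).add(grp)
    return granted


def excess_actions(principal, required, groups):
    """Actions inherited through groups that are not in the required baseline."""
    granted = effective_actions(principal, groups)
    return {a: sorted(src) for a, src in granted.items() if a not in required}


if __name__ == "__main__":
    # bob's function only needs the two "oncall" actions (constructed baseline).
    for action, sources in sorted(excess_actions("bob", {"logs:read", "vm:restart"}, GROUPS).items()):
        print(f"bob inherits {action} via {', '.join(sources)}")
```

Reporting the granting groups alongside each excess action shows which membership edge to remove, rather than only that the principal is over-privileged.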