An unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface.
Unused Credentials
CCC.IAM.TH11
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. An IAM user represents a single person or application. |
| CCC.IAM.CP03 | Long-Term Credentials | Ability to create, manage, list and delete long-term credentials such as access keys and service account keys. |
| CCC.IAM.CP04 | Password Management | Ability to create, change and delete IAM user passwords. |
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. An IAM role is an identity for applications or services to access resources. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CN08 | Maximum Age for Unused Credentials | Ensure that unused IAM credentials are removed to reduce exposure in the event of potential compromise. |
| CCC.IAM.CN11 | Enable Continuous IAM Access and Usage Analysis | Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access. |