An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor.
Identity / IAM / Threats / DEV
IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy)
CCC.IAM.TH12
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. |
| CCC.IAM.CP10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed. |
| CCC.IAM.CP15 | Role Assumption / Delegation | Ability to temporarily assume another role or delegate access. Commonly used for user impersonation or temporary privilege elevation. |