An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistance or elevate their privileges.
Identity / IAM / Threats / DEV
IAM Policies Modification
CCC.IAM.TH06
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CP02 | IAM Users | Ability to create, manage, list and delete IAM users. IAM user represents a single person or application. |
| CCC.IAM.CP06 | IAM Roles / Service Principals | Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources. |
| CCC.IAM.CP10 | Custom Roles | Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.IAM.CN02 | Restrict IAM Policies Modification | Ensure that only designated administrative accounts have the ability to create, modify, or attach policies that define permissions for other identities. |