CSA CCM IAM-02

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
IAM-02 | Strong Password Policy and Procedures | mitigates | T1136.003 | Cloud Account
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may create a cloud account to maintain access to victim systems. In terms of mitigation, use multi-factor authentication for new user and privileged accounts. For instance, require multi-factor authentication to register devices in Entra ID. Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts. When first enrolling MFA, use conditional access policies to restrict device enrollment to trusted locations or devices, and consider using temporary access passes as an initial MFA solution to enroll a device.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1098.003 | Additional Cloud Roles
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, an adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. In terms of mitigation, use multi-factor authentication for user and privileged accounts. Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1098.001 | Additional Cloud Credentials
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. In terms of mitigation, use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1098 | Account Manipulation
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, in order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. In terms of mitigation, use multi-factor authentication for user and privileged accounts.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1078.004 | Cloud Accounts
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, the mitigation is to ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time a credential can be used to access resources if it is compromised without your knowledge. Cloud service providers may track access key age to help audit and identify keys that may need to be rotated.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1556.007 | Hybrid Identity
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may modify or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. In terms of mitigation, integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1621 | Multi-Factor Authentication Request Generation
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. In terms of mitigation, several measures can limit abuse of this technique: replacing simple push or one-click 2FA/MFA options with more secure 2FA/MFA mechanisms; enabling account restrictions that prevent login attempts, and the 2FA/MFA service requests they trigger, from being initiated from suspicious locations or when the source of the login attempt does not match the location of the 2FA/MFA smart device; and using conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1556.006 | Multi-Factor Authentication
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. In terms of mitigation, ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1556 | Modify Authentication Process
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. In terms of mitigation, integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials, then attempting to modify the authentication process that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1555.006 | Cloud Secrets Management Stores
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables. In terms of mitigation, limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permissions to query the secrets manager only have access to the secrets they require.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1110.003 | Password Spraying
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. In terms of mitigation, set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Also, where possible, enforce multi-factor authentication on externally facing services to limit the success of brute force attempts.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1110.004 | Credential Stuffing
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. In terms of mitigation, set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Also, where possible, enforce multi-factor authentication on externally facing services to limit the success of brute force attempts.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1110.002 | Password Cracking
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. In terms of mitigation, set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Also, where possible, enforce multi-factor authentication on externally facing services to limit the success of brute force attempts.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1110.001 | Password Guessing
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. In terms of mitigation, set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Also, where possible, enforce multi-factor authentication on externally facing services to limit the success of brute force attempts.
IAM-02 | Strong Password Policy and Procedures | mitigates | T1110 | Brute Force
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. In terms of mitigation, set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Also, where possible, enforce multi-factor authentication on externally facing services to limit the success of brute force attempts.
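The lockout policy recommended for the T1110 family above counts failures per account, which is exactly what password spraying (T1110.003) is designed to stay under. The following is an added example, not part of this mapping page, that evaluates a per-account lockout policy over constructed authentication log lines and, going one step beyond the page's text, pairs it with per-source detection of a spray pattern; the log field layout, the 15-minute window and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO timestamp> <source_ip> <account> <result>".
# 198.51.100.7 tries one guess against six accounts; 203.0.113.5 hammers one account.
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:03 198.51.100.7 bob FAIL
2024-05-01T10:00:05 198.51.100.7 carol FAIL
2024-05-01T10:00:07 198.51.100.7 dave FAIL
2024-05-01T10:00:09 198.51.100.7 erin FAIL
2024-05-01T10:00:11 198.51.100.7 frank FAIL
2024-05-01T10:01:00 203.0.113.5 alice FAIL
2024-05-01T10:01:10 203.0.113.5 alice FAIL
2024-05-01T10:01:20 203.0.113.5 alice FAIL
2024-05-01T10:01:30 203.0.113.5 alice FAIL
2024-05-01T10:02:00 192.0.2.10 bob SUCCESS
"""

def parse(log):
    """Parse log lines into (timestamp, ip, account, result) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return sorted(events)

def _window_failures(events, key_index, window):
    """For each FAIL event, yield (key, failures for that key inside the trailing window)."""
    recent = defaultdict(list)
    for ev in events:
        ts, result = ev[0], ev[3]
        if result != "FAIL":
            continue
        key = ev[key_index]
        recent[key] = [e for e in recent[key] if ts - e[0] <= window] + [ev]
        yield key, recent[key]

def locked_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """Lockout policy: accounts reaching `threshold` failures inside the window, from any source."""
    return {acct for acct, fails in _window_failures(events, 2, window)
            if len(fails) >= threshold}

def spraying_sources(events, min_accounts=5, window=timedelta(minutes=15)):
    """Spray detection: sources failing against `min_accounts` distinct accounts inside the
    window. Each account sees only one failure, so the lockout policy alone never fires."""
    return {ip for ip, fails in _window_failures(events, 1, window)
            if len({f[2] for f in fails}) >= min_accounts}
```

On the sample log, `locked_accounts(parse(SAMPLE_LOG))` returns `{'alice'}` (her single spray failure plus four targeted ones reach the threshold), while `spraying_sources(parse(SAMPLE_LOG))` returns `{'198.51.100.7'}`, the source the lockout policy would never have surfaced.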
IAM-02 | Strong Password Policy and Procedures | mitigates | T1199 | Trusted Relationship
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network. In terms of mitigation, require MFA for all delegated administrator accounts. Properly manage accounts and password policies, including MFA requirements, used by parties in trusted relationships to minimize potential abuse by the party if the party is compromised by an adversary.