CSA CCM IAM-03

This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. For this technique, adversaries may be able to modify the hybrid identity authentication process from the cloud. In terms of mitigation, reviewing the hybrid identity solution in use for any discrepancies could aid with thwarting the use of this technique.

This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. For this technique, adversaries may add adversary-controlled credentials and identity to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID. In terms of mitigation, a dynamic inventory of permitted cloud identities and roles may aid in flagging the creation or addition of any unauthorized identities.

This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. A dynamic inventory of permitted cloud identities may aid in flagging the creation of any unauthorized identities.

This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. In relation to this technique, default accounts may be created on a system after initial setup by connecting or integrating it with another application. Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. A dynamic inventory of permitted identities may aid in flagging the creation of any unauthorized identities.