Employ the separation of duties principle when implementing information system access.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-04 | Separation of Duties | mitigates | T1548.005 | Temporary Elevated Cloud Access | Comments: This control requires that separation of duties (SoD) be implemented by assigning and managing distinct roles for users, applications, and services, minimizing overlapping responsibilities and restricting access to critical functions through centralized role management, multi-level approvals, and automated provisioning tools. Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, or pass roles onto resources and services. In terms of mitigations, limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges. |
| IAM-04 | Separation of Duties | mitigates | T1098.006 | Additional Container Cluster Roles | Comments: This control requires that separation of duties (SoD) be implemented by assigning and managing distinct roles for users, applications, and services, minimizing overlapping responsibilities and restricting access to critical functions through centralized role management, multi-level approvals, and automated provisioning tools. An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. In terms of mitigation, having multi-level approval chains for creating additional roles, or ensuring that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies, could help catch the use of this technique. |
| IAM-04 | Separation of Duties | mitigates | T1098.003 | Additional Cloud Roles | Comments: This control requires that separation of duties (SoD) be implemented by assigning and managing distinct roles for users, applications, and services, minimizing overlapping responsibilities and restricting access to critical functions through centralized role management, multi-level approvals, and automated provisioning tools. An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. In terms of mitigation, having multi-level approval chains for creating additional roles, or ensuring that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies, could help catch the use of this technique. |
| IAM-04 | Separation of Duties | mitigates | T1548 | Abuse Elevation Control Mechanism | Comments: This control requires that separation of duties (SoD) be implemented by assigning and managing distinct roles for users, applications, and services, minimizing overlapping responsibilities and restricting access to critical functions through centralized role management, multi-level approvals, and automated provisioning tools. Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, or pass roles onto resources and services. In terms of mitigations, limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges. |
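As an added example that is not part of this mapping page or of the CCM/ATT&CK projects: a small policy check, assuming AWS-style JSON policy documents (the sample policies and role names are constructed), that flags the role-creation, policy-update, role-assumption and role-passing permissions the notes above say should be restricted, and reports an approver on the elevation chain that also holds them.

```python
"""Flag IAM policy grants that undermine separation of duties.

Added example, not from the mapping page. Assumes AWS-style policy JSON;
sample policies below are constructed, not taken from any real account.
"""
import fnmatch
import json

# Permission-management actions tied to the mapped techniques: adding roles or
# policies (T1098.003), assuming, passing or impersonating roles (T1548.005).
PRIV_MGMT_ACTIONS = {
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy",
    "iam:CreateRole", "iam:PassRole", "sts:AssumeRole",
}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def granted_priv_mgmt(policy: dict) -> set:
    """Return which PRIV_MGMT_ACTIONS the Allow statements grant, expanding
    wildcards such as 'iam:*' or '*'. Deny and NotAction are not modelled."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            found.update(a for a in PRIV_MGMT_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return found

def sod_findings(role_name: str, policy: dict, approver: bool) -> list:
    """Findings for one role. approver=True means the role approves JIT
    elevation requests, so it must not also hold the rights it approves."""
    actions = granted_priv_mgmt(policy)
    findings = []
    if actions:
        findings.append(f"{role_name}: grants permission-management actions {sorted(actions)}")
    if approver and actions:
        findings.append(f"{role_name}: approver also holds elevation rights (SoD violation)")
    return findings

# Constructed samples: one over-broad developer policy, one read-only policy.
DEVELOPER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}""")
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement":
                    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}}

if __name__ == "__main__":
    for name, pol, approver in [("developer", DEVELOPER_POLICY, True),
                                ("auditor", READ_ONLY_POLICY, True)]:
        print("\n".join(sod_findings(name, pol, approver)) or f"{name}: ok")
```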