CSA CCM IAM-05

Employ the least privilege principle when implementing information system access.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
IAM-05 Least Privilege mitigates T1485.001 Lifecycle-Triggered Deletion
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, limit permissions to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS) to only those accounts that require it. In AWS environments, consider using Service Control Policies to limit the use of the PutBucketLifecycle API call.
IAM-05 Least Privilege mitigates T1490 Inhibit System Recovery
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed using this technique to delete backup files and disable any restoration capabilities. For this technique, in terms of mitigation, limit the user accounts that have access to backups to only those required. For example, in AWS environments, consider using Service Control Policies to restrict API calls that delete backups, snapshots, and images.
IAM-05 Least Privilege mitigates T1530 Data from Cloud Storage
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed using this technique to directly download cloud user data such as OneDrive files. For this technique, in terms of mitigation, configure user permission groups and roles for access to cloud storage. Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access. Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.
IAM-05 Least Privilege mitigates T1048 Exfiltration Over Alternative Protocol
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed using this technique to directly download cloud user data such as OneDrive files. For this technique, in terms of mitigation, configure user permission groups and roles for access to cloud storage. Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access. Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.
IAM-05 Least Privilege mitigates T1021.008 Direct Cloud VM Connections
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries may utilize these cloud-native methods to directly access virtual infrastructure and pivot through an environment. These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., Cloud Administration Command). For this technique, in terms of mitigation, limit which users are allowed to access compute infrastructure via cloud-native methods. If direct virtual machine connections are not required for administrative use or for certain users, disable these connection types where feasible.
IAM-05 Least Privilege mitigates T1666 Modify Cloud Resource Hierarchy
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For this technique, in terms of mitigation, limit permissions to add, delete, or modify resource groups to only those required.
IAM-05 Least Privilege mitigates T1578.002 Create Cloud Instance
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed using this technique to create new virtual machines for defense evasion within the target's cloud environment after leveraging credential access to cloud assets. For this technique, in terms of mitigation, limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies. Additionally, enforce user permissions to ensure only the expected users have the capability to create new instances.
IAM-05 Least Privilege mitigates T1578.001 Create Snapshot
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed using this technique to create snapshots of EBS volumes and RDS instances for execution and defense evasion. For this technique, in terms of mitigation, limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies.
IAM-05 Least Privilege mitigates T1578.003 Delete Cloud Instance
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed using this technique to delete the victim's systems and resources in the cloud to trigger the organization's incident and crisis response process. For this technique, in terms of mitigation, limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies.
IAM-05 Least Privilege mitigates T1578.005 Modify Cloud Compute Configurations
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, limit permissions to request quota adjustments or modify tenant-level compute settings to only those required.
IAM-05 Least Privilege mitigates T1578 Modify Cloud Compute Infrastructure
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been known to modify cloud compute infrastructure to evade defenses. For this technique, in terms of mitigation, limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies.
IAM-05 Least Privilege mitigates T1562 Impair Defenses
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been known to introduce new firewall rules or policies to allow access into a victim cloud environment and/or disable cloud logs to evade defenses. For this technique, in terms of mitigation, configure Identity and Access Management (IAM) security policies according to least privilege principles so that only the necessary users can modify the security mechanisms in place.
IAM-05 Least Privilege mitigates T1562.007 Disable or Modify Cloud Firewall
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been known to introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For this technique, in terms of mitigation, configure Identity and Access Management (IAM) security policies according to least privilege principles so that only the necessary users can modify firewall rules or policies.
IAM-05 Least Privilege mitigates T1562.008 Disable or Modify Cloud Logs
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been known to disable or otherwise restrict various AWS logging services, such as AWS CloudTrail and VPC flow logs. For this technique, in terms of mitigation, configure the default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.
IAM-05 Least Privilege mitigates T1548.005 Temporary Elevated Cloud Access
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.
IAM-05 Least Privilege mitigates T1098.004 SSH Authorized Keys
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation for cloud IaaS, ensure that only users who explicitly require the permissions to update instance metadata or configurations can do so.
IAM-05 Least Privilege mitigates T1098.001 Additional Cloud Credentials
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, ensure that low-privileged user accounts do not have permission to add access keys to accounts. For example, in AWS environments, prohibit users from calling the sts:GetFederationToken API unless explicitly required.
IAM-05 Least Privilege mitigates T1098.003 Additional Cloud Roles
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies.
IAM-05 Least Privilege mitigates T1098 Account Manipulation
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.
IAM-05 Least Privilege mitigates T1556.006 Multi-Factor Authentication
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, ensure that proper cloud policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.
IAM-05 Least Privilege mitigates T1556 Modify Authentication Process
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, ensure that proper cloud policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.
IAM-05 Least Privilege mitigates T1556.009 Conditional Access Policies
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, limit permissions to modify conditional access policies to only those required.
IAM-05 Least Privilege mitigates T1136.003 Cloud Account
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, limit the ability of user accounts to create additional accounts.
IAM-05 Least Privilege mitigates T1072 Software Deployment Tools
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. In terms of mitigation, ensure that any accounts used by third-party providers to access these systems are traceable to the third party and are not used throughout the network or by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through the use of account privilege separation.
IAM-05 Least Privilege mitigates T1648 Serverless Execution
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. In terms of mitigation, remove permissions to create, modify, or run serverless resources from users that do not explicitly require them. Where possible, consider restricting access to and use of serverless functions. For example, conditional access policies can be applied to users attempting to abuse these resources in various ways as a means of executing arbitrary commands.
IAM-05 Least Privilege mitigates T1199 Trusted Relationship
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party, and the impact if the party is compromised by an adversary. In Office 365 environments, partner relationships and roles can be viewed under the "Partner Relationships" page.
IAM-05 Least Privilege mitigates T1484.002 Trust Modification
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, adversaries have been known to add a federated identity provider to the victim's SSO tenant and activate automatic account linking. In terms of mitigation, apply the principle of least privilege and protect administrative access to domain trusts and identity tenants. Additionally, in cloud environments, limit permissions to create new identity providers to only those accounts that require them. In AWS environments, consider using Service Control Policies to limit the use of API calls such as CreateSAMLProvider or CreateOpenIDConnectProvider.
IAM-05 Least Privilege mitigates T1213 Data from Information Repositories
Comments
This control describes the enforcement of the principle of least privilege, implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed leveraging this type of technique to collect data from misconfigured cloud-hosted databases. For this technique, in terms of mitigation, enforce the principle of least privilege. Consider implementing access control mechanisms that include both authentication and authorization.
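An added example of the "regular automated reviews of access permissions", "enforcing MFA for high-risk accounts" and "promptly revoking unused privileges" that every row of this mapping calls for: a Python review over an AWS IAM credential report. This is not code from the mapping page; the report rows, the account ID and the review time are constructed.

```python
"""Automated access review over an AWS IAM credential report (added example).

Not part of the mapping page. It applies two IAM-05 checks to the CSV that
`aws iam get-credential-report` returns: console users (and the root account)
without MFA, and active access keys unused for longer than a threshold. The
report below is constructed sample data; the account ID is a placeholder.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the real credential-report column layout (values are fictional).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2021-01-05T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2022-03-10T09:00:00+00:00,true,2024-06-20T12:00:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,true,2024-01-15T09:00:00+00:00,2024-06-21T07:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-11-02T09:00:00+00:00,true,2024-06-18T12:00:00+00:00,2023-12-01T09:00:00+00:00,N/A,false,true,2023-02-01T09:00:00+00:00,2024-02-10T07:30:00+00:00,us-east-1,ec2,true,2024-05-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2020-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-06-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
NOW = datetime(2024, 6, 22, tzinfo=timezone.utc)  # constructed review time for the sample


def _parse_ts(value):
    """ISO timestamp -> aware datetime; None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def review(report_csv, now=NOW, max_unused_days=90):
    """Return (user, finding) pairs for rows that fail either check."""
    limit = timedelta(days=max_unused_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console = user == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            # A key that has never been used is aged from its creation/rotation date instead.
            reference = last_used or _parse_ts(row[f"{slot}_last_rotated"])
            if reference is None or now - reference > limit:
                age = "never used" if last_used is None else f"unused for {(now - last_used).days} days"
                findings.append((user, f"{slot} {age}: revoke or rotate"))
    return findings


def sample_findings():
    """Run the review over the constructed report at the sample review time."""
    return review(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

On the sample, the root account and bob are flagged for console access without MFA, bob's first key for being unused past the threshold, and the ci-deploy key for never having been used since creation.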
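The Service Control Policy guardrails this mapping recommends for T1485.001 (bucket lifecycle changes), T1490 (deleting backups, snapshots and images), T1098.001 (sts:GetFederationToken) and T1484.002 (CreateSAMLProvider / CreateOpenIDConnectProvider), as one added Python example that is not code from the mapping page or from AWS. The account ID, the break-glass role name and the small offline evaluator are assumptions; the IAM action names are the real ones behind the API calls the page names.

```python
"""SCP guardrails for the API calls named in this mapping, with an offline check.

Added example; not part of the mapping page or of any AWS-published policy.
One SCP denies the calls the page names for T1485.001, T1490, T1098.001 and
T1484.002 to every principal except a break-glass admin role; is_denied()
then evaluates sample requests against it. Account ID and role name are
placeholders. The evaluator models only Effect/Action plus a StringNotLike
condition on aws:PrincipalArn; real SCP evaluation has more rules.
"""
import fnmatch
import json

BREAK_GLASS_ROLE = "arn:aws:iam::111111111111:role/CloudAdminBreakGlass"  # placeholder


def _deny_unless_break_glass(sid, actions):
    """Deny the listed actions for every principal except the break-glass role."""
    return {"Sid": sid, "Effect": "Deny", "Action": actions, "Resource": "*",
            "Condition": {"StringNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}}}


SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # T1485.001: IAM action behind the PutBucketLifecycle(Configuration) API call
        _deny_unless_break_glass("DenyLifecycleChanges", ["s3:PutLifecycleConfiguration"]),
        # T1490: deleting backups, snapshots and images
        _deny_unless_break_glass("DenyBackupDeletion", ["ec2:DeleteSnapshot", "ec2:DeregisterImage",
                                                        "rds:DeleteDBSnapshot", "backup:DeleteRecoveryPoint"]),
        # T1098.001: federation tokens mint additional credentials
        _deny_unless_break_glass("DenyFederationToken", ["sts:GetFederationToken"]),
        # T1484.002: registering a new identity provider in the account
        _deny_unless_break_glass("DenyNewIdentityProviders",
                                 ["iam:CreateSAMLProvider", "iam:CreateOpenIDConnectProvider"]),
    ],
}


def is_denied(policy, principal_arn, action):
    """True if any Deny statement applies to this principal/action pair."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names match case-insensitively and may carry * / ? wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        exempt = exempt if isinstance(exempt, list) else [exempt]
        # StringNotLike holds, so the Deny fires, when the ARN matches none of the patterns.
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in exempt):
            continue
        return True
    return False


def policy_document():
    """The SCP as the JSON you would attach to an OU in AWS Organizations."""
    return json.dumps(SCP, indent=2)


if __name__ == "__main__":
    print(policy_document())
```

Because SCPs only filter what IAM would otherwise allow, a principal still needs an explicit IAM allow for these actions; the SCP removes them from everyone but the break-glass role regardless of what their IAM policies grant.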