
Release · v2026.06-rc3

FINOS-CCC/CCC.IAM.CN Control Catalog


Controls for Identity and Access Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.iam.cn --tag v2026.06-rc3
Coordinate
oci.grc.store/finos-ccc/ccc.iam.cn:v2026.06-rc3
Manifest digest
sha256:6e9e68e5126a373d8efc6efa54d24ce083bcc6761b11e6b2f497d1bf66de51c4

Provenance

1 layer
Digest          Media type                                Size
3116755a946e…   application/vnd.gemara.artifact.v1+yaml   18.4 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.IAM.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.iam.cn",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/identity/iam/controls.yaml",
            "uri": "file://artifacts/identity/iam/controls.yaml",
            "digest": {
              "sha256": "3116755a946e7ffe59445a8c80c0a815e4f6c450d4dba928815d7d13910712f3"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:44:48.079329855Z",
          "finishedOn": "2026-06-01T16:44:48.201222325Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "3116755a946e7ffe59445a8c80c0a815e4f6c450d4dba928815d7d13910712f3"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.IAM.CN",
      "role": "artifact"
    }
  ]
}
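Before trusting a pulled bundle, a practitioner would check that the digest the provenance records in three places (the layer list, resolvedDependencies, and byproducts) is one and the same, that the unpacked file actually hashes to it, that the source dependency is pinned to the GITHUB_SHA the builder reports, and that the declared artifact id/type match what the bundle ships. The following is an added example in Python, not code from grcli or the FINOS CCC project. It assumes that `grcli unpack` writes one file per byproduct name into a directory (the on-disk layout is an assumption), and the demo bundle it builds is constructed to mirror the fields shown above rather than being the real manifest.

```python
"""Cross-check a bundle config against pulled OCI layer digests and the
unpacked artifact file. Added example; not grcli's or FINOS CCC's own code."""
import hashlib
import os
import tempfile


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bundle(bundle: dict, layer_digests: list[str], unpacked_dir: str) -> dict:
    """Return one boolean per check (all True == consistent provenance).

    layer_digests: "sha256:<hex>" digests of the OCI layers actually pulled.
    unpacked_dir:  directory where the unpacked files live (assumed layout:
                   one file per byproduct name).
    """
    prov = bundle["metadata"]["provenance"]
    build, run = prov["buildDefinition"], prov["runDetails"]
    results = {}

    # 1. Every byproduct digest must also be listed as a resolved input ...
    input_digests = {d["digest"].get("sha256") for d in build["resolvedDependencies"]}
    # ... and must be one of the layers we actually pulled (strip "sha256:").
    pulled = {d.split(":", 1)[1] for d in layer_digests if d.startswith("sha256:")}
    for bp in run["byproducts"]:
        hexdigest = bp["digest"]["sha256"]
        results[f"{bp['name']}: listed as input"] = hexdigest in input_digests
        results[f"{bp['name']}: pulled as layer"] = hexdigest in pulled
        # 2. The file on disk must hash to the digest the provenance claims.
        path = os.path.join(unpacked_dir, bp["name"])
        results[f"{bp['name']}: file matches"] = (
            os.path.isfile(path) and _sha256_file(path) == hexdigest
        )

    # 3. The "source" dependency must pin the commit the builder reports.
    sha = build["internalParameters"].get("GITHUB_SHA")
    src = [d for d in build["resolvedDependencies"] if d["name"] == "source"]
    results["source pinned to GITHUB_SHA"] = bool(src) and all(
        d["digest"].get("gitCommit") == sha and d["uri"].endswith("@" + sha) for d in src
    )

    # 4. The artifact the build declares must be the one the bundle ships.
    declared = build["externalParameters"]["artifact"]
    results["artifact id/type match"] = any(
        a["id"] == declared["id"] and a["type"] == declared["type"]
        for a in bundle["artifacts"]
    )
    return results


def make_demo(content: bytes = b"id: CCC.IAM.CN\n") -> tuple[dict, list[str], str]:
    """Constructed bundle + unpack dir whose digests agree, for a dry run."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "controls.yaml"), "wb") as f:
        f.write(content)
    hexdigest = hashlib.sha256(content).hexdigest()
    sha = "24594e28430c12318cacffe7fdda6a3ea272d975"  # commit from the page's provenance
    bundle = {
        "metadata": {"provenance": {
            "buildDefinition": {
                "externalParameters": {"artifact": {"id": "CCC.IAM.CN", "type": "ControlCatalog"}},
                "internalParameters": {"GITHUB_SHA": sha},
                "resolvedDependencies": [
                    {"name": "artifacts/identity/iam/controls.yaml",
                     "uri": "file://artifacts/identity/iam/controls.yaml",
                     "digest": {"sha256": hexdigest}},
                    {"name": "source",
                     "uri": f"git+https://github.com/eddie-knight/common-cloud-controls@{sha}",
                     "digest": {"gitCommit": sha}},
                ],
            },
            "runDetails": {"byproducts": [{"name": "controls.yaml", "digest": {"sha256": hexdigest}}]},
        }},
        "artifacts": [{"name": "controls.yaml", "type": "ControlCatalog", "id": "CCC.IAM.CN"}],
    }
    return bundle, ["sha256:" + hexdigest], d


if __name__ == "__main__":
    bundle, layers, d = make_demo()
    for check, ok in verify_bundle(bundle, layers, d).items():
        print("PASS" if ok else "FAIL", check)
```

Against a real pull, feed `verify_bundle` the parsed bundle config blob, the digests from the layer table, and the directory `grcli unpack` produced; any False is a reason not to load the catalog.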

CCC Identity and Access Management Controls

Controls for Identity and Access Management technologies, as defined by the FINOS Common Cloud Controls project.

ID
CCC.IAM.CN
Version
v2026.06-rc3
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.IAM.CN01 Restrict IAM User Credentials Creation

    Objective

    Prevent non-administrative principals from creating new long-lived credentials like access keys or generating temporary session tokens. This blocks a common privilege escalation and persistence vector.

    Assessment requirements
    1. When an identity policy for a non-administrative principal is evaluated, it MUST NOT grant permissions for creating credentials or generating temporary session tokens.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    2. When a non-administrative principal attempts to create new credentials or a temporary session token, the service MUST deny the action.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-05
    • NIST_800_53
      • AC-2
      • AC-3
      • AC-5
      • AC-6
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH03 Additional Cloud Credentials Creation
  2. CCC.IAM.CN02 Restrict IAM Policies Modification

    Objective

    Ensure that only designated administrative accounts have the ability to create, modify, or attach policies that define permissions for other identities.

    Assessment requirements
    1. When an identity policy for a non-administrative principal is evaluated, it MUST NOT grant permissions for creating, updating, or attaching policies.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    2. When a non-administrative principal attempts to create, update, or attach policies, the service MUST deny the action.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-05
    • NIST_800_53
      • AC-2
      • AC-3
      • AC-5
      • AC-6
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH06 IAM Policies Modification
  3. CCC.IAM.CN03 Restrict Role Assumption / Delegation

    Objective

    Limit which principals can assume a role or impersonate a service identity to only those required. This prevents unintended cross-account or public access by securing the "who can act as this identity" boundary.

    Assessment requirements
    1. When a policy is created or updated that grants a principal permission to assume a role or impersonate a service identity, the principal MUST NOT contain a wildcard or be public/anonymous.

      Applicability: tlp-green, tlp-amber, tlp-red

    2. When an external or unauthenticated principal tries to assume a role or impersonate a service identity, the service MUST deny the action.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-3
      • PR.AC-4
    • NIST_800_53
      • AC-2
      • AC-3
      • AC-6
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH02 Overly-Permissive Identity Trust Policy
  4. CCC.IAM.CN04 Restrict Wildcard Usage in IAM Policies

    Objective

    Limit the use of wildcard permissions in IAM policies to prevent overly broad access from being granted by default.

    Assessment requirements
    1. When an IAM policy is created or updated, it MUST NOT contain allow statements with wildcard permissions, unless the statement is restricted by a condition.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-6
    • NIST_800_53
      • AC-2
      • AC-3
      • AC-6
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH01 Valid Cloud Credentials Abuse
      • CCC.IAM.TH02 Overly-Permissive IAM Policy
  5. CCC.IAM.CN05 Strong Password Policies for IAM Users

    Objective

    Ensure that the password policies for IAM users have strong configurations.

    Assessment requirements
    1. When a new cloud account is provisioned, a password policy MUST be configured for IAM users following the minimum PCI DSS v4.0.1 configurations.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-05
    • NIST_800_53
      • IA-5
    • PCI-DSS
      • 8.3.9
      • 8.6.3
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH01 Valid Cloud Credentials Abuse
  6. CCC.IAM.CN06 Maximum Age for Long-Term Static Credentials

    Objective

    Ensure that long-lived static credentials like access keys are programmatically rotated within a defined time period to limit the window of opportunity if compromised.

    Assessment requirements
    1. When a static credential such as an access key has existed for 90 days or more, it MUST be rotated.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-01
    • NIST_800_53
      • AC-2
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH09 Long-Lived Static Credentials
      • CCC.IAM.TH01 Valid Cloud Credentials Abuse
  7. CCC.IAM.CN07 Automate Identity De-provisioning

    Objective

    Ensure that when an identity is terminated in the central Identity Provider (IdP), its corresponding access to cloud resources is revoked automatically.

    Assessment requirements
    1. When a user account is disabled or deleted in the organization's IdP, the corresponding cloud identity and its access policies MUST be disabled or deleted within 24 hours.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-01
    • NIST_800_53
      • AC-2
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH10 Orphaned Federated Identity Retains Access
      • CCC.IAM.TH01 Valid Cloud Credentials Abuse
  8. CCC.IAM.CN08 Maximum Age for Unused Credentials

    Objective

    Ensure that unused IAM credentials are removed to reduce exposure in the event of potential compromise.

    Assessment requirements
    1. When an IAM user has credentials, such as passwords or access keys, that have not been used for 90 days or more, the unused credentials MUST be removed or deactivated.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-01
    • NIST_800_53
      • AC-2
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH11 Unused Credentials
      • CCC.IAM.TH01 Valid Cloud Credentials Abuse
  9. CCC.IAM.CN09 Enforce Federated Single Sign-On (SSO) for Human Users

    Objective

    Ensure that all human users must authenticate through a central, federated Identity Provider (IdP) to access the cloud environment. This eliminates cloud-native user accounts with long-lived passwords, centralizes authentication controls, and simplifies lifecycle management.

    Assessment requirements
    1. When a human user accesses the cloud environment, they MUST authenticate through the organization's federated IdP via a standard protocol (e.g., SAML, OIDC).

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-01
    • NIST_800_53
      • IA-2
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH01 Valid Cloud Credentials Abuse
      • CCC.IAM.TH09 Long-Lived Static Credentials
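
The assessment requirements of CCC.IAM.CN03 (no wildcard or anonymous principal in a trust policy) and CCC.IAM.CN04 (no Allow statement with wildcard permissions unless a Condition restricts it) are both evaluated over a policy document, so one linter serves both. The following is an added example in Python, not part of the CCC catalog or any provider's tooling. It assumes AWS-style JSON policy documents, reads "wildcard permissions" as any `*` in an Action string (so `s3:Get*` is flagged, not only `*`) and treats NotAction as a wildcard by construction, and treats `arn:aws:iam::*:root` as anonymous alongside `*`; all three readings are assumptions, and the sample documents are constructed.

```python
"""Lint IAM policy documents for CCC.IAM.CN03 (trust policies) and CN04
(wildcard permissions). Added example; not part of the CCC catalog."""
import json

# Assumption: these principal values are treated as public/anonymous.
ANONYMOUS = {"*", "arn:aws:iam::*:root"}


def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _principal_values(principal) -> list[str]:
    """Flatten "Principal": "*" / {"AWS": [...]} / {"Federated": "..."} to strings."""
    if isinstance(principal, dict):
        return [p for vals in principal.values() for p in _as_list(vals)]
    return _as_list(principal)


def check_trust_policy(doc: dict) -> list[str]:
    """CN03: no Allow statement may grant assume/impersonate rights to a
    wildcard or anonymous principal. Returns findings (empty == compliant)."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        for p in _principal_values(st.get("Principal")):
            if p in ANONYMOUS or "*" in p:
                findings.append(f"statement {i}: principal {p!r} is wildcard/anonymous")
    return findings


def check_permission_policy(doc: dict) -> list[str]:
    """CN04: an Allow statement with a wildcard Action (or NotAction, which is
    a wildcard by construction) must carry a Condition. Assumption: any '*'
    in an action string counts, so 's3:Get*' is flagged as well as '*'."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "NotAction" in st:
            findings.append(f"statement {i}: NotAction without Condition")
        for a in _as_list(st.get("Action")):
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a!r} without Condition")
    return findings


# Constructed sample documents (not real account data).
TRUST_BAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "*"]},
    "Action": "sts:AssumeRole"
  }]
}""")

TRUST_GOOD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/deployer"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

PERMS_MIXED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:eu-west-1:111111111111:q"}
  ]
}""")

if __name__ == "__main__":
    for name, doc, fn in [("trust-bad", TRUST_BAD, check_trust_policy),
                          ("trust-good", TRUST_GOOD, check_trust_policy),
                          ("perms", PERMS_MIXED, check_permission_policy)]:
        print(name, fn(doc) or "compliant")
```

Run it in a pre-deployment gate (a CI step over the policy files, or an admission hook on the policy-creation API) so that the first requirement of each control is checked before the policy exists; the second requirement of each control, that the service denies the action at runtime, still needs a deny test against the live account.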

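CCC.IAM.CN06 (static credential 90 days or older since rotation) and CCC.IAM.CN08 (credential unused for 90 days or more) are both answered from the same credential inventory, so one evaluator covers both. The following is an added example in Python, not CCC code; the column names follow the AWS IAM credential report layout, and it is an assumption that a comparable CSV export exists on other providers. The report rows, the 90-day threshold applied to both controls, and the fixed "now" are constructed for the demonstration.

```python
"""Evaluate an IAM credential report against CCC.IAM.CN06 (static credentials
older than 90 days) and CN08 (credentials unused for 90 days). Added example,
not CCC code; columns follow the AWS IAM credential report (assumption)."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)          # threshold from CN06 and CN08
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)   # fixed evaluation time for the demo

# Constructed report; timestamps are ISO-8601 as in the real AWS export.
REPORT_CSV = """\
user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2026-05-30T09:12:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,true,2026-05-29T14:03:11+00:00,true,2026-04-20T08:00:00+00:00,2026-05-31T01:15:00+00:00,false,N/A,N/A
bob,true,2026-01-10T10:00:00+00:00,true,2025-11-02T12:00:00+00:00,2026-05-20T17:40:00+00:00,false,N/A,N/A
carol,false,no_information,true,2026-03-01T00:00:00+00:00,N/A,true,2025-12-15T09:30:00+00:00,2026-02-01T11:00:00+00:00
"""


def _parse(ts: str):
    """Aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None


def evaluate(report_csv: str, now: datetime) -> list[tuple[str, str, str]]:
    """Return (user, credential, control) for every violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # CN08 also covers passwords: enabled but unused for 90 days or more
        # (a password that was never used has no last-used date and counts).
        if row["password_enabled"] == "true":
            last = _parse(row["password_last_used"])
            if last is None or now - last >= MAX_AGE:
                findings.append((user, "password", "CCC.IAM.CN08"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue          # inactive keys are out of scope for both controls
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            # CN06: the key has existed (since its last rotation) for >= 90 days.
            if rotated is None or now - rotated >= MAX_AGE:
                findings.append((user, f"access_key_{n}", "CCC.IAM.CN06"))
            # CN08: the key is active but never used, or unused for >= 90 days.
            used = _parse(row[f"access_key_{n}_last_used_date"])
            if used is None or now - used >= MAX_AGE:
                findings.append((user, f"access_key_{n}", "CCC.IAM.CN08"))
    return findings


def demo_findings() -> list[tuple[str, str, str]]:
    return evaluate(REPORT_CSV, NOW)


if __name__ == "__main__":
    for user, cred, control in demo_findings():
        print(f"{control}: {user} {cred}")
```

Note that a key can violate both controls at once (carol's second key is both old and unused); the remediation differs, since CN06 asks for rotation while CN08 asks for removal or deactivation, so report them separately rather than collapsing to one finding per key.
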
Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.IAM.CN10 Alert On Anomalous Behaviour

    Objective

    Ensure that logs and alerts are generated when a single identity makes anomalous API requests: requests commonly associated with privilege escalation tactics, requests originating from an external or malicious IP address, or requests made by a previously dormant identity, any of which may indicate that credentials have been compromised. Logs and alerts MUST likewise be generated for password brute-force attempts and account lockouts.

    Assessment requirements
    1. When suspicious API requests are detected, real-time alerts MUST be generated to notify security personnel.

      Applicability: tlp-red

    2. When suspicious API requests are detected, the associated events MUST be logged, including the source details, time, and nature of the activity.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.CM-03
      • DE.CM-06
      • DE.CM-09
    • NIST_800_53
      • SI-4
      • SI-5
      • AC-2
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH01 Valid Cloud Credentials Abuse
  2. CCC.IAM.CN11 Enable Continuous IAM Access and Usage Analysis

    Objective

    Enable and configure the cloud provider's native access and usage analysis services to continuously monitor for external access paths and internal unused access.

    Assessment requirements
    1. When a cloud account or organization is provisioned, the native automated access and usage analysis services MUST be enabled to continuously monitor for external or public access to resources, and unused access.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • ID.RA-01
      • ID.IM-01
    • NIST_800_53
      • AC-2
      • CA-7
      • RA-5
    Threats
    • CCC.IAM.Threats
      • CCC.IAM.TH02 Overly-Permissive Identity Trust Policy
      • CCC.IAM.TH10 Orphaned Federated Identity Retains Access
      • CCC.IAM.TH11 Unused Credentials
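
The four anomaly classes CCC.IAM.CN10 names (privilege-escalation APIs, external source addresses, a dormant identity becoming active, and password brute force) can be implemented as a single pass over an audit-log stream. The following is an added example in Python, not CCC code or any provider's detection rule set; it runs over constructed CloudTrail-style events. The API list, the trusted network ranges, the 60-day dormancy threshold and the "5 login failures in 10 minutes" rule are all assumptions to tune per environment, and console logins are judged by the brute-force rule rather than the external-source rule so that ordinary SSO logins from the internet do not fire it.

```python
"""Flag the anomalies CCC.IAM.CN10 calls out, over a constructed stream of
CloudTrail-style events. Added example, not CCC code; thresholds and the
trusted-network list are assumptions to tune per environment."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: API names commonly tied to privilege escalation / persistence.
PRIV_ESC_APIS = {
    "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "AddUserToGroup", "CreatePolicyVersion",
}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
DORMANT_AFTER = timedelta(days=60)                                    # assumption
BRUTE_FORCE_FAILURES, BRUTE_FORCE_WINDOW = 5, timedelta(minutes=10)   # assumption


def _ts(e):
    return datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))


def _is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:      # e.g. "iam.amazonaws.com" on service-originated calls
        return False
    return not any(addr in net for net in TRUSTED_NETS)


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (alert_type, identity, detail) tuples in event-time order.
    State kept: last-seen time per identity and a sliding window of
    ConsoleLogin failures per source IP."""
    alerts = []
    last_seen = {}                       # identity arn -> datetime
    failures = defaultdict(deque)        # source ip -> deque of failure times
    for e in sorted(events, key=_ts):
        t, ident = _ts(e), e["userIdentity"]["arn"]
        ip, api = e["sourceIPAddress"], e["eventName"]
        if api in PRIV_ESC_APIS:
            alerts.append(("priv-esc-api", ident, f"{api} from {ip}"))
        # Console logins are judged by the brute-force rule, not this one.
        if api != "ConsoleLogin" and _is_external(ip):
            alerts.append(("external-source", ident, f"{api} from {ip}"))
        prev = last_seen.get(ident)
        if prev is not None and t - prev >= DORMANT_AFTER:
            alerts.append(("dormant-identity-active", ident, f"idle {(t - prev).days}d, then {api}"))
        last_seen[ident] = t
        if api == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            q = failures[ip]
            q.append(t)
            while q and t - q[0] > BRUTE_FORCE_WINDOW:
                q.popleft()
            if len(q) == BRUTE_FORCE_FAILURES:   # fire once, when the threshold is crossed
                alerts.append(("brute-force", ident, f"{len(q)} failures from {ip} in {BRUTE_FORCE_WINDOW}"))
    return alerts


def _ev(time, arn, ip, name, **extra):
    d = {"eventTime": time, "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "eventName": name}
    d.update(extra)
    return d


# Constructed sample stream (not real account data).
SVC = "arn:aws:iam::111111111111:user/svc-deploy"
DORMANT = "arn:aws:iam::111111111111:user/old-contractor"
ALICE = "arn:aws:iam::111111111111:user/alice"
SAMPLE_EVENTS = [
    _ev("2026-03-01T08:00:00Z", DORMANT, "10.1.2.3", "ListBuckets"),
    _ev("2026-05-31T09:00:00Z", SVC, "10.1.2.3", "ListBuckets"),
    _ev("2026-05-31T09:05:00Z", SVC, "198.51.100.7", "CreateAccessKey"),
    _ev("2026-05-31T09:06:00Z", DORMANT, "10.1.2.3", "AttachUserPolicy"),
] + [
    _ev(f"2026-05-31T10:0{i}:00Z", ALICE, "198.51.100.9", "ConsoleLogin",
        responseElements={"ConsoleLogin": "Failure"})
    for i in range(6)
]

if __name__ == "__main__":
    for kind, ident, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:<24} {ident.rsplit('/', 1)[-1]:<16} {detail}")
```

The dormancy rule needs a baseline: in production the `last_seen` map should be seeded from historical activity (or the provider's last-used data), otherwise the first event seen for every identity looks like a fresh start rather than a return from dormancy. Each alert here maps to the second assessment requirement (log the source, time and nature of the activity); forwarding them to a pager satisfies the first.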