Release · v2026.06-rc3

FINOS-CCC/CCC.IAM.TH Threat Catalog

Threats for Identity and Access Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.iam.th --tag v2026.06-rc3
Coordinate: oci.grc.store/finos-ccc/ccc.iam.th:v2026.06-rc3
Manifest digest: sha256:e1751532da702718e03a41fe652218c50f0313af2eed2c9e446e5be5c51da345

Provenance

1 layer
Digest           Media type                                 Size
6574ff96c3f9…    application/vnd.gemara.artifact.v1+yaml    11.0 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.IAM.TH",
            "type": "ThreatCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.iam.th",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/identity/iam/threats.yaml",
            "uri": "file://artifacts/identity/iam/threats.yaml",
            "digest": {
              "sha256": "6574ff96c3f9d657a2d909aaac908a8ab2c2788bb899b0185bbc62883b704bea"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:44:46.179633909Z",
          "finishedOn": "2026-06-01T16:44:46.27210944Z"
        },
        "byproducts": [
          {
            "name": "threats.yaml",
            "digest": {
              "sha256": "6574ff96c3f9d657a2d909aaac908a8ab2c2788bb899b0185bbc62883b704bea"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "threats.yaml",
      "type": "ThreatCatalog",
      "id": "CCC.IAM.TH",
      "role": "artifact"
    }
  ]
}

CCC Identity and Access Management Threats

Threats for Identity and Access Management technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.IAM.TH
Version: v2026.06-rc3
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.IAM.TH01 Valid Cloud Credentials Abuse

    Valid identity credentials such as access keys, tokens or passwords are misused or compromised. Examples include public exposure, token theft, an unprotected metadata service on a compromised compute instance, or brute-force attacks. The use of these credentials can provide unauthorized access to the cloud environment, potentially bypassing other security controls and enabling lateral movement across cloud resources.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP02 IAM Users
      • CCC.IAM.CP03 Long-Term Credentials
      • CCC.IAM.CP04 Password Management
      • CCC.IAM.CP07 Managed Identities
      • CCC.IAM.CP08 Federated Identity - SAML
      • CCC.IAM.CP09 Federated Identity - OIDC
  2. CCC.IAM.TH02 Overly-Permissive IAM Policy

    An access control policy attached to an identity or a resource is configured with excessive permissions, violating the principle of least privilege. This can enable unauthorized data access, privilege escalation, or other unintended actions by principals whose credentials might be compromised or who are acting erroneously.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP02 IAM Users
      • CCC.IAM.CP05 IAM Groups
      • CCC.IAM.CP06 IAM Roles / Service Principals
      • CCC.IAM.CP07 Managed Identities
      • CCC.IAM.CP10 Custom Roles
      • CCC.IAM.CP12 Policy Conditions
  3. CCC.IAM.TH03 Overly-Permissive Identity Trust Policy

    An IAM role or service principal's trust policy is configured to allow principals from untrusted or overly broad scopes, such as any identity in any account, to assume or impersonate it. This can allow an external or unauthorized identity to gain access to the cloud environment, completely bypassing internal identity controls.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP06 IAM Roles / Service Principals
      • CCC.IAM.CP12 Policy Conditions
      • CCC.IAM.CP15 Role Assumption / Delegation
  4. CCC.IAM.TH04 Additional Cloud Credentials Creation

    An adversary with access to a sufficiently privileged cloud account may create additional credentials such as access keys, service accounts, and temporary credentials to establish persistence or elevate their privileges.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP02 IAM Users
      • CCC.IAM.CP03 Long-Term Credentials
      • CCC.IAM.CP04 Password Management
      • CCC.IAM.CP08 Federated Identity - SAML
      • CCC.IAM.CP09 Federated Identity - OIDC
      • CCC.IAM.CP11 Temporary Credentials
  5. CCC.IAM.TH05 Additional IAM Roles Creation

    An adversary with access to a sufficiently privileged cloud account may create additional IAM roles to establish persistence or elevate their privileges.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP06 IAM Roles / Service Principals
      • CCC.IAM.CP10 Custom Roles
      • CCC.IAM.CP15 Role Assumption / Delegation
  6. CCC.IAM.TH06 IAM Policies Modification

    An adversary with access to a sufficiently privileged cloud account may modify IAM policies to establish persistence or elevate their privileges.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP02 IAM Users
      • CCC.IAM.CP06 IAM Roles / Service Principals
      • CCC.IAM.CP10 Custom Roles
  7. CCC.IAM.TH07 Identity Inherits Excessive Permissions Through Group Membership

    An identity principal becomes a member of one or more IAM groups, and the combined policies of these groups grant permissions beyond what is necessary for the principal's function. This "privilege creep" through group inheritance complicates auditing and can lead to an identity having standing access to sensitive resources.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP05 IAM Groups
  8. CCC.IAM.TH08 Privilege Escalation via Indirect Role Usage

    An identity principal possesses specific, highly privileged permissions, such as the ability to pass roles or impersonate service accounts, that allow it to leverage the permissions of a different, more privileged role. Even without being able to directly assume the target role, the principal can attach it to a new resource they control and then use that resource to perform unauthorized actions.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP02 IAM Users
      • CCC.IAM.CP06 IAM Roles / Service Principals
      • CCC.IAM.CP15 Role Assumption / Delegation
  9. CCC.IAM.TH09 Long-Lived Static Credentials

    Long-lived static credentials, such as access keys for an identity, are used but not rotated periodically according to security best practices, extending exposure in the event of credential compromise.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP02 IAM Users
      • CCC.IAM.CP03 Long-Term Credentials
  10. CCC.IAM.TH10 Orphaned Federated Identity Retains Access

    A federated identity is de-provisioned from the external Identity Provider (IdP), but its corresponding cloud identity remains active within the cloud environment. This orphaned identity creates a latent access path that could be exploited if the original username is reactivated or reassigned in the IdP, granting unintended access to a new principal.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP08 Federated Identity - SAML
      • CCC.IAM.CP09 Federated Identity - OIDC
  11. CCC.IAM.TH11 Unused Credentials

    An unused IAM identity that is no longer needed or monitored remains active. Its compromise is less likely to be detected, and it represents a persistent, unnecessary attack surface.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP02 IAM Users
      • CCC.IAM.CP03 Long-Term Credentials
      • CCC.IAM.CP04 Password Management
      • CCC.IAM.CP06 IAM Roles / Service Principals
  12. CCC.IAM.TH12 IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy)

    An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor.

    Capabilities
    • CCC.IAM.Capabilities
      • CCC.IAM.CP06 IAM Roles / Service Principals
      • CCC.IAM.CP10 Custom Roles
      • CCC.IAM.CP15 Role Assumption / Delegation
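As an added example that is not part of the catalog, the following check flags the two trust-policy conditions described in CCC.IAM.TH03 and CCC.IAM.TH12: a wildcard principal allowed to assume a role, and a cross-account (third-party) principal trusted without any condition such as sts:ExternalId, shown beside the hardened form. The catalog is vendor-neutral; the AWS-style trust-policy JSON, the account ids and the ExternalId value here are constructed assumptions of this example.

```python
from typing import Iterable

def _aws_principals(principal) -> Iterable[str]:
    """Yield the AWS principal entries of a statement; a bare "*" is yielded as-is."""
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    yield from ([aws] if isinstance(aws, str) else aws)

def _account_of(principal: str) -> str:
    """arn:partition:iam::ACCOUNT:resource -> ACCOUNT; "*" and bare account ids pass through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def trust_policy_findings(policy: dict, own_account: str) -> list[str]:
    """Return TH03/TH12-style findings for the assume-role statements of a trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:") for a in actions):
            continue
        has_condition = bool(stmt.get("Condition"))
        for p in _aws_principals(stmt.get("Principal", {})):
            account = _account_of(p)
            if account == "*":
                findings.append("TH03: wildcard principal may assume this role")
            elif account != own_account and not has_condition:
                findings.append(f"TH12: cross-account trust of {p} has no condition (e.g. sts:ExternalId)")
    return findings

def _policy(principal, condition=None) -> dict:
    """Build a minimal one-statement trust policy (constructed sample, AWS-style)."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

OWN_ACCOUNT = "123456789012"                          # constructed account id
VENDOR = "arn:aws:iam::111122223333:root"             # constructed third-party account
WEAK_TRUST_POLICY = _policy({"AWS": "*"})             # any identity in any account (TH03)
VENDOR_TRUST_NO_CONDITION = _policy({"AWS": VENDOR})  # deputy trusts the vendor unconditionally (TH12)
HARDENED_TRUST_POLICY = _policy(                      # same vendor, but the caller must present the agreed ExternalId
    {"AWS": VENDOR}, {"StringEquals": {"sts:ExternalId": "example-external-id"}})

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_TRUST_POLICY), ("vendor", VENDOR_TRUST_NO_CONDITION),
                      ("hardened", HARDENED_TRUST_POLICY)]:
        print(name, trust_policy_findings(pol, OWN_ACCOUNT) or ["no findings"])
```

The ExternalId only helps against the confused-deputy case when the third party passes a value the deputy's account chose; restricting to a specific role ARN rather than the vendor account root narrows TH03 exposure further.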