CCC.IAM.TH12 - IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy)

CCC.IAM.TH12: IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy)

Threat ID:CCC.IAM.TH12

Title:IAM Role is Coerced into Unauthorized Cross-Account Actions (Confused Deputy)

Description:

An external actor tricks a legitimate, authorized third-party application into making requests to the cloud environment. A role in the cloud account (the "deputy"), which trusts that third-party application, then performs unauthorized actions on behalf of the actor.

Related Capabilities

ID	Title	Description
CCC.IAM.CP06	IAM Roles / Service Principals	Ability to create, manage, list and delete IAM roles. IAM role is an identity for applications or services to access resources.
CCC.IAM.CP10	Custom Roles	Ability to create, manage, list and delete custom roles. Custom roles are user-defined roles that defines what actions are allowed.
CCC.IAM.CP15	Role Assumption / Delegation	Ability to temporarily assume another role or delegate access. Commonly used for user impersonation or temporary privilege elevation.

External Mappings

Reference ID	Entry ID	Strength	Remarks
MITRE-ATT&CK	T1199	0	Trusted Relationship
MITRE-ATT&CK	T1548.005	0	Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access