Cloud IAM complete — CSA IAM control family

Primary statement

Cloud IAM per CSA IAM-01 (least-privilege via RBAC, JIT elevation, named roles) + IAM-02 (privileged access — standing-zero policy, session recording) + IAM-03 (federation — Azure AD/Okta with SAML/OIDC, local accounts exception-only) + IAM-04 (entitlement reviews quarterly minimum) + IAM-05 (segregation of duties). Full CSA IAM series.

Audit-fatigue payoff

A single cloud IAM programme aligned to the CSA IAM series satisfies cloud IAM requirements with one canonical set of specifications and evidence, rather than a separate control set per framework.

Strictness matrix

Scope
  ALL cloud IAM: least privilege via role-based access (named roles, not policies-on-users) + JIT elevation for privileged access + federation + entitlement reviews + SoD.
  Ceiling source: csa_ccm:CSA.IAM-01
  Rationale: CSA IAM-01 comprehensive IAM scope.

Threshold
  Standing-zero policy: NO permanent admin. JIT elevation required for privileged access. Binary policy qualifier.
  Ceiling source: csa_ccm:CSA.IAM-02
  Rationale: CSA IAM-02 standing-zero threshold is uniquely strict.

Method
  Cloud IAM with RBAC + named roles + JIT (IAM-01) + privileged access with standing-zero + session recording (IAM-02) + federation to enterprise IdP (IAM-03) + quarterly entitlement reviews (IAM-04) + SoD enforcement (IAM-05).
  Ceiling source: csa_ccm:CSA.IAM-02
  Rationale: CSA IAM-01 through IAM-05 form the canonical cloud IAM method.

Frequency
  Entitlement review: quarterly minimum. JIT elevation: per access event. Federation review: annual.
  Ceiling source: csa_ccm:CSA.IAM-04
  Rationale: CSA IAM-04 quarterly reviews are the audit-defensible cadence.

Evidence
  Cloud IAM configuration + named roles + JIT enforcement + standing-zero policy + federation configuration + quarterly review records + SoD enforcement evidence.
  Ceiling source: csa_ccm:CSA.IAM-01
  Rationale: CSA IAM-01 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect cloud IAM configuration.
Step 2: Verify named roles (not policies-on-users).
Step 3: Verify standing-zero policy.
Step 4: Inspect quarterly entitlement review.
Step 5: Verify SoD enforcement.

Common findings

(1) Policies attached to users, not roles.
(2) Standing admin permissions persist.
(3) JIT theoretical: admins use break-glass instead.
(4) Federation absent: local cloud accounts widespread.
(5) SoD violations not detected.
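Steps 2, 3 and 5 of the auditor test pattern, run as code against an IAM snapshot to surface findings (1), (2) and (5). This is an added example, not part of the CSA CCM or this synthesis; the snapshot format, the ADMIN_POLICIES names and the SOD_CONFLICTS pairs are constructed assumptions, not a real provider export.

```python
"""Audit a cloud IAM snapshot for findings (1), (2) and (5) from this page.

Constructed example: the snapshot is a simplified, provider-neutral model, not a
real provider export. ADMIN_POLICIES and SOD_CONFLICTS are assumed tenant values.
"""
ADMIN_POLICIES = {"AdministratorAccess"}           # assumed full-admin policy names
SOD_CONFLICTS = [("ReleaseApprover", "Deployer")]  # assumed role pairs one person may not hold

SNAPSHOT = {  # constructed sample data
    "users": [
        {"name": "alice", "attached_policies": [], "roles": ["ReadOnlyAnalyst"]},
        {"name": "bob", "attached_policies": ["S3FullAccess"], "roles": []},
        {"name": "carol", "attached_policies": [], "roles": ["CloudAdmin"]},
        {"name": "dave", "attached_policies": [], "roles": ["BreakGlassAdmin", "ReleaseApprover", "Deployer"]},
    ],
    "roles": [
        {"name": "ReadOnlyAnalyst", "policies": ["ViewOnlyAccess"], "jit": False},
        {"name": "CloudAdmin", "policies": ["AdministratorAccess"], "jit": False},
        {"name": "BreakGlassAdmin", "policies": ["AdministratorAccess"], "jit": True},
        {"name": "ReleaseApprover", "policies": ["ApproveRelease"], "jit": False},
        {"name": "Deployer", "policies": ["RunDeploy"], "jit": False},
    ],
}

def policies_on_users(snapshot):
    """Finding (1): policies attached directly to users rather than to named roles."""
    return sorted(u["name"] for u in snapshot["users"] if u["attached_policies"])

def standing_admins(snapshot):
    """Finding (2): users holding an admin-capable role that is not JIT-gated (permanent admin)."""
    standing = {r["name"] for r in snapshot["roles"]
                if set(r["policies"]) & ADMIN_POLICIES and not r["jit"]}
    return sorted(u["name"] for u in snapshot["users"] if set(u["roles"]) & standing)

def sod_violations(snapshot):
    """Finding (5): one user holding both roles of a conflicting pair."""
    return sorted(u["name"] for u in snapshot["users"]
                  if any({a, b} <= set(u["roles"]) for a, b in SOD_CONFLICTS))

def audit(snapshot):
    """Run Steps 2, 3 and 5 of the auditor test pattern; empty lists mean a pass."""
    return {"policies_on_users": policies_on_users(snapshot),
            "standing_admins": standing_admins(snapshot),
            "sod_violations": sod_violations(snapshot)}

if __name__ == "__main__":
    for finding, subjects in audit(SNAPSHOT).items():
        print(f"{finding}: {', '.join(subjects) or 'none'}")
```

Note that dave's BreakGlassAdmin role is JIT-gated and so is not reported as standing admin; only the non-JIT CloudAdmin assignment is.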