Cloud

CLOUD-04

Infrastructure-as-Code (IaC) IAM Guardrails & Drift Control

This control asks one thing: How are IAM permissions, roles, and trust policies defined, validated, and enforced across cloud environments using Infrastructure as Code?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Over-privileged roles proliferate. Risky wildcard permissions enter production unnoticed and persist indefinitely.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Makes over-permission a temporary state rather than a permanent liability.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Migrate IAM configuration to Infrastructure as Code and restrict console changes.

What reaching level 2 (Developing) unlocks

Meaningful least-privilege enforcement

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • CI/CD build fails on risky IAM patterns
  • Policy linting and scoring
  • Limited context of actual permission usage

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite CLOUD-04 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for CLOUD-04 resolves to 4 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on CLOUD-04?

This page is the teaser layer. The full rubric behind CLOUD-04 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.