This misconfiguration entry covers one specific aspect of the MITRE ATT&CK matrix: the security gap created by third-party identities.
In some cloud estates, a third party must be invited in to carry out work such as an audit or the integration of an application. This is done by inviting the third party's identities into the cloud estate, or by establishing them as trusted entities within that estate.
When a third party is granted access to a cloud estate, the principle of least privilege is crucial: if the third party is compromised, a malicious actor could use that access to pivot into the primary cloud estate.
Mitigations: Ensure that the permissions granted to the third party are not overly permissive. Also ensure that the invitation and trust mechanisms provided by the cloud service provider are configured correctly and are not themselves overly permissive.
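As an added example (not part of the original entry), the following audit helper checks both mitigation points against a third-party role, assuming AWS IAM cross-account roles as the invitation mechanism; the policies and the account id are constructed samples, and the hardened pair shows the corrected configuration beside the weak one.

```python
# Added audit helper (not from the original page). Assumes AWS IAM JSON
# policy documents; every policy below is a constructed sample.

def _as_list(value):
    """IAM elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Return the AWS principals of a trust statement ('*' means anyone)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)

def audit_third_party_role(trust_policy, permissions_policy):
    """Flag over-permissive trust (invitation) and permission grants."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt):
            findings.append("trust: any account may assume this role")
        condition = stmt.get("Condition", {})
        # An ExternalId condition ties the trust to a value agreed with the
        # intended third party, so a different tenant cannot reuse the role.
        if "sts:ExternalId" not in condition.get("StringEquals", {}):
            findings.append("trust: no sts:ExternalId condition")
    for stmt in _as_list(permissions_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append("permissions: all actions on all resources")
    return findings

# Constructed sample: a weak invitation of an external auditor.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "*", "Resource": "*"}]}
# Constructed sample: the corrected form, pinned to one placeholder account
# (111111111111), an ExternalId, and read-only scope on one bucket.
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
HARDENED_PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::audit-evidence", "arn:aws:s3:::audit-evidence/*"]}]}

if __name__ == "__main__":
    print(audit_third_party_role(WEAK_TRUST, WEAK_PERMS))          # three findings
    print(audit_third_party_role(HARDENED_TRUST, HARDENED_PERMS))  # []
```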