SOC2-CC6-PAM

Privileged Access Management

preventive | high effectiveness | Monthly

What this control does

Controls governing the granting, use, and monitoring of privileged (admin/root) access to production systems and cloud infrastructure.

Implementation guidance

Apply least privilege: no shared admin accounts; each engineer gets a named IAM role. Use just-in-time access (AWS IAM Identity Center, GCP Privileged Access Manager) for prod. Log all privileged sessions. Review privileged accounts monthly and remove access that is no longer needed.

Requirements satisfied

CC6.1, CC6.2

Why it matters

Unrestricted or shared privileged access is the primary attack vector for production breaches and data exfiltration—a single compromised account becomes a backdoor to your entire infrastructure. Without least-privilege enforcement and session monitoring, you cannot detect or contain unauthorized system changes, configuration drift, or malicious activity by administrators or compromised accounts.

Evidence to collect

  • Named IAM role assignments showing each engineer mapped to a distinct principal (not shared accounts); e.g., AWS IAM policy binding reports with user/role ARNs
  • Just-in-time access approval logs showing requested duration, approval chain, and auto-expiry timestamps (e.g., AWS IAM Identity Center session logs, GCP Privileged Access Manager request audits)
  • Privileged session audit trail with user identity, commands executed, timestamp, and resource accessed (e.g., CloudTrail with admin API calls, SSH audit logs via osquery/auditd)
  • Monthly privileged account review records showing removal or revocation dates for accounts no longer needed (e.g., spreadsheet signed by manager with termination or role-change dates)

Testing procedure

Request a sample of 5–10 production IAM roles and verify each is assigned to a named user, not a shared account. Confirm just-in-time access is enforced by attempting to grant immediate permanent access to a non-prod resource and observing rejection. Pull a 30-day session audit log and spot-check 3–5 privileged sessions to confirm user ID, command/API, timestamp, and auto-expiry are recorded. Interview the engineering lead and request the most recent monthly account review (within 30 days) to verify removal or deactivation of unused admin accounts.
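The checks in the implementation guidance (one named owner per privileged principal, just-in-time grants for prod, removal of idle accounts) and the spot checks in the testing procedure can be scripted against an exported access snapshot. The following is an added example, not code from the original control page or from any vendor: the record layout (principal, owner, permission set, environment, expiry, last use) is an assumed normalisation of what an IAM Identity Center or credential-report export would give you, the privileged permission-set list is an assumption to tune, and the sample rows are constructed.

```python
"""Monthly privileged-access review over an exported access snapshot (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Permission sets treated as privileged (assumed list; adjust to your estate).
PRIVILEGED_SETS = {"AdministratorAccess", "PowerUserAccess"}


@dataclass(frozen=True)
class Grant:
    principal: str                  # IAM user/role holding the grant
    owner: Optional[str]            # named engineer; None = shared/unattributed
    permission_set: str
    environment: str                # "prod" or "nonprod"
    expires_at: Optional[datetime]  # None = standing (non-JIT) grant
    last_used: Optional[datetime]   # None = never used


def review(grants, now, max_idle_days=30):
    """Return findings as (principal, code, detail) tuples.

    Only privileged permission sets are examined; one principal can yield
    several findings (e.g. shared *and* standing).
    """
    findings = []
    idle_limit = timedelta(days=max_idle_days)
    for g in grants:
        if g.permission_set not in PRIVILEGED_SETS:
            continue
        if g.owner is None:
            findings.append((g.principal, "SHARED_OR_UNATTRIBUTED",
                             "no named owner; replace with per-engineer roles"))
        if g.environment == "prod":
            if g.expires_at is None:
                findings.append((g.principal, "STANDING_PROD_ADMIN",
                                 "permanent prod admin grant; move to just-in-time"))
            elif g.expires_at <= now:
                findings.append((g.principal, "EXPIRED_GRANT_PRESENT",
                                 "JIT grant past expiry but not revoked; auto-expiry failed"))
        if g.last_used is None or now - g.last_used > idle_limit:
            findings.append((g.principal, "IDLE_REMOVE",
                             f"not used in {max_idle_days} days; remove in this review"))
    return findings


def removal_candidates(findings):
    """Principals the monthly review should revoke outright."""
    return sorted({p for p, code, _ in findings
                   if code in {"SHARED_OR_UNATTRIBUTED", "IDLE_REMOVE"}})


# Constructed sample snapshot, frozen at a fixed "now" so results are stable.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice-prod-admin", "alice@example.com", "AdministratorAccess", "prod",
          NOW + timedelta(hours=2), NOW - timedelta(hours=1)),        # healthy JIT grant
    Grant("ops-shared", None, "AdministratorAccess", "prod",
          None, NOW - timedelta(days=3)),                             # shared + standing
    Grant("bob-prod-admin", "bob@example.com", "AdministratorAccess", "prod",
          None, NOW - timedelta(days=45)),                            # standing + idle
    Grant("carol-prod-admin", "carol@example.com", "AdministratorAccess", "prod",
          NOW - timedelta(days=1), NOW - timedelta(days=1)),          # expired, not revoked
    Grant("dave-ro", "dave@example.com", "ReadOnlyAccess", "prod",
          None, NOW - timedelta(days=90)),                            # not privileged: skipped
    Grant("erin-dev-admin", "erin@example.com", "AdministratorAccess", "nonprod",
          None, NOW - timedelta(days=2)),                             # nonprod standing: allowed here
]

if __name__ == "__main__":
    results = review(SAMPLE_GRANTS, NOW)
    for principal, code, detail in results:
        print(f"{principal:18} {code:24} {detail}")
    print("revoke:", removal_candidates(results))
```

The output of `review` doubles as the evidence record for the month: keep it alongside the manager sign-off so the auditor can see which principals were flagged, which were revoked, and why. The `EXPIRED_GRANT_PRESENT` case is worth keeping even if it never fires, since it is exactly the auto-expiry failure the testing procedure asks you to confirm cannot happen.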

Common gotchas

Teams often exempt "break-glass" or "emergency" access from just-in-time enforcement, creating a permanent loophole—clearly define when break-glass is used and require post-incident justification and re-approval. Another common mistake: logging privileged actions but not the *user* identity (logging only the IAM role or a service account), which defeats accountability and makes forensics impossible.
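The second gotcha, a trail that records the role but not the person, can be tested mechanically over CloudTrail output. The following is an added example, not code from the original control page: the records are constructed JSON lines in CloudTrail's `userIdentity` layout with a placeholder account id, and the list of privileged API names and the generic-session-name pattern are assumptions to adjust for your estate.

```python
"""Flag privileged CloudTrail events that cannot be tied to a named person (added example)."""
import json
import re

# Mutating/IAM calls for which a human identity must be recoverable (assumed list).
PRIVILEGED_EVENTS = {"CreateAccessKey", "AttachUserPolicy", "PutRolePolicy",
                     "AuthorizeSecurityGroupIngress", "ModifyInstanceAttribute"}

# SDK default role-session names carry no person (boto3 uses botocore-session-<epoch>).
GENERIC_SESSION = re.compile(r"^(botocore-session-\d+|aws-go-sdk-\d+|\d+)$")


def human_identity(record):
    """Return the person behind a call, or None if only a role/root/service is named."""
    ui = record.get("userIdentity", {})
    kind = ui.get("type")
    if kind == "IAMUser":
        return ui.get("userName")
    if kind == "Root":
        return None                       # root is inherently a shared identity
    if kind == "AssumedRole":
        ctx = ui.get("sessionContext", {})
        if ctx.get("sourceIdentity"):      # propagated by Identity Center / sts:SetSourceIdentity
            return ctx["sourceIdentity"]
        session_name = ui.get("arn", "").rsplit("/", 1)[-1]
        role_name = ctx.get("sessionIssuer", {}).get("userName")
        if (not session_name or session_name == role_name
                or GENERIC_SESSION.match(session_name)):
            return None
        return session_name               # role session named after the engineer
    return None                           # AWSService, AWSAccount, etc.


def audit_attribution(jsonl):
    """Return one finding per privileged event with no recoverable user identity."""
    findings = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        if rec.get("eventName") not in PRIVILEGED_EVENTS:
            continue
        if human_identity(rec) is None:
            findings.append({
                "eventID": rec.get("eventID"),
                "eventName": rec["eventName"],
                "principal": rec.get("userIdentity", {}).get("arn"),
                "reason": "no named user behind role/root session",
            })
    return findings


# Constructed sample records (abbreviated CloudTrail fields; 111111111111 is a placeholder account).
SAMPLE_TRAIL = r"""
{"eventID":"ev-1","eventName":"PutRolePolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/AdminRole/alice","sessionContext":{"sessionIssuer":{"userName":"AdminRole"},"sourceIdentity":"alice@example.com"}}}
{"eventID":"ev-2","eventName":"CreateAccessKey","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/AdminRole/botocore-session-1700000000","sessionContext":{"sessionIssuer":{"userName":"AdminRole"}}}}
{"eventID":"ev-3","eventName":"AttachUserPolicy","userIdentity":{"type":"Root","arn":"arn:aws:iam::111111111111:root"}}
{"eventID":"ev-4","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::111111111111:user/bob"}}
{"eventID":"ev-5","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/AdminRole/botocore-session-1700000099","sessionContext":{"sessionIssuer":{"userName":"AdminRole"}}}}
{"eventID":"ev-6","eventName":"ModifyInstanceAttribute","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/AdminRole/AdminRole","sessionContext":{"sessionIssuer":{"userName":"AdminRole"}}}}
"""

if __name__ == "__main__":
    for f in audit_attribution(SAMPLE_TRAIL):
        print(f"{f['eventID']} {f['eventName']:30} {f['principal']}")
```

Run against a real 30-day export, anything this flags is a privileged action you could not attribute to an engineer in an investigation. The usual fixes are enforcing a source identity on role assumption and rejecting default SDK session names, so that the role session itself carries the person's name.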