IAM-05: Least Privilege

Control is new to this version of the control set and incorporates the following items from the previous version: IAM-02: Credential Lifecycle / Provision Management, IAM-06: Source Code Access Restriction, IVS-11: Hypervisor Hardening.

Control Statement

Employ the least privilege principle when implementing information system access.

Implementation Guidance

User and service account access should leverage access control methods, such as role-based access control (RBAC) and attribute-based access control (ABAC). In addition, conduct regular reviews of access processes (including auditing, when appropriate) to identify non-adherence to the principle of least privilege. Privileged access and access to administrative accounts should be restricted according to the principle of least privilege and on a need-to-know basis. Furthermore, access should be set to “deny all” unless specifically allowed.
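As an added illustration of the guidance above (example code, not part of the CCM or csf.tools text), the following combines a default-deny evaluator that checks RBAC roles together with ABAC attribute conditions, and a review function that flags provisioned permissions no assigned role justifies. Role names, permissions, attributes and accounts are constructed sample data, not a real tenant.

```python
from dataclasses import dataclass, field

# Constructed role baseline (not a real tenant): permission -> ABAC condition
# that must also hold for the request; {} means the role alone suffices.
ROLE_PERMISSIONS = {
    "developer": {"repo:read": {}, "repo:write": {"env": "dev"}},
    "operator":  {"vm:restart": {"on_call": True}},
    "admin":     {"iam:grant": {"mfa": True}},
}

@dataclass
class Account:
    name: str
    roles: list
    attrs: dict                                    # ABAC attributes of the account
    provisioned: set = field(default_factory=set)  # permissions actually granted in IAM

def is_allowed(account: Account, permission: str) -> bool:
    """Default deny: allow only if an assigned role grants the permission
    and every attribute in that grant's condition matches the account."""
    for role in account.roles:
        cond = ROLE_PERMISSIONS.get(role, {}).get(permission)
        if cond is None:
            continue  # this role does not grant it; try the next one
        if all(account.attrs.get(k) == v for k, v in cond.items()):
            return True
    return False  # nothing matched: "deny all" unless specifically allowed

def review_least_privilege(accounts):
    """Periodic review: report unknown roles and provisioned permissions
    that no assigned role justifies (non-adherence to least privilege)."""
    findings = []
    for acct in accounts:
        baseline = set()
        for role in acct.roles:
            if role not in ROLE_PERMISSIONS:
                findings.append((acct.name, f"unknown role {role!r}"))
            baseline |= set(ROLE_PERMISSIONS.get(role, {}))
        for perm in sorted(acct.provisioned - baseline):
            findings.append((acct.name, f"excess grant {perm}"))
    return findings

if __name__ == "__main__":
    alice = Account("alice", ["developer"], {"env": "dev"}, {"repo:read", "repo:write"})
    bob = Account("bob", ["operator"], {"on_call": False}, {"vm:restart", "iam:grant"})
    print(is_allowed(alice, "repo:write"), is_allowed(bob, "vm:restart"))
    for name, issue in review_least_privilege([alice, bob]):
        print(f"{name}: {issue}")
```

The review output is the kind of evidence the auditing steps below ask for: each finding is a concrete gap between the documented role baseline and what is actually provisioned.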

Auditing Guidance

  1. Examine the policy to determine the least privilege required for each role or user.
  2. Evaluate the effectiveness of the implementation and review of the policy.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.