graphgrc

ACC-02: Least Privilege & RBAC

Objective

Minimize risk by ensuring users only have access needed for their role.

Description

Access to systems and data is granted based on job function using role-based access control. Users receive minimum necessary permissions. Production access requires additional approval.

Implementation Details

RBAC Model: Define roles for Engineering, Support, Admin, etc. Map users to roles in identity provider.

AWS Access: Use AWS SSO permission sets tied to job functions. No direct IAM user access. Separate read-only and admin roles.

Production Access: Requires manager approval. Time-limited sessions using AWS SSO or just-in-time access tools.

Service Accounts: Use AWS IAM roles with scoped policies. No broad wildcard permissions.

Examples

• Engineers have read-only production access by default
• Admin access to production requires manager approval and expires after 8 hours
• AWS IAM roles follow principle of least privilege with no wildcard (*) permissions
• Support team has limited read access to customer data based on support case

Audit Evidence

• RBAC role definitions and mappings
• AWS IAM policies showing least privilege
• Production access approval logs
• Access review documentation

---

Framework Mapping

SOC 2

• CC6.1 ^[RBAC implements logical access controls restricting users to minimum necessary permissions]
• CC6.2 ^[Role-based access ensures users are authorized for their specific job function before system access]
• CC6.3 ^[Least privilege limits damage from compromised accounts and supports access removal on role change]
• CC6.6 ^[RBAC restricts access to information assets based on user’s role in the organization]

GDPR

• Article 32 ^[Least privilege and RBAC are technical and organizational measures ensuring security appropriate to risk]
• Article 5 ^[Limiting access to personal data to only those who need it supports data minimization principle]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

Standards:

• AWS Security Standard ^[IAM policies with least privilege, no wildcard permissions in production]
• Data Classification Standard ^[Access to Confidential and Restricted data based on role and need-to-know]
• GitHub Security Standard ^[GitHub Teams for access management, least privilege (Read by default), quarterly reviews]
• SaaS IAM Standard ^[RBAC configured in each SaaS app, default least privilege, elevated permissions require approval]

Processes:

• Access Provisioning Process ^[Role-based access templates, manager approval for elevated permissions]

Policies:

• Data Access Policy ^[Access granted based on job role and business need, elevated access requires justification]
• Engineering Security Policy ^[Requires least privilege for IAM roles, no wildcard permissions in production, role-based access]

Charter:

• Information Security Program Charter ^[Security principle: least privilege, program component: RBAC implementation]

This site is open source. Improve this page.