ACC-04: Privileged Access Management
Objective
Protect critical systems through enhanced controls on privileged accounts.
Description
Administrative and privileged access is tightly controlled, monitored, and audited. Break-glass procedures exist for emergency access.
Implementation Details
Admin Accounts: Each administrator holds a separate admin account (admin@ naming convention) that is distinct from their regular user account and is used only for administrative tasks. MFA is required for all admin access.
AWS Root Account: Root account MFA enabled with hardware token. Root credentials stored in physical safe. Access requires two executives.
Session Recording: All privileged API activity is recorded by AWS CloudTrail and forwarded to CloudWatch Logs. CloudTrail captures API calls, not the contents of interactive shell sessions; where shell access to instances is required, a session-recording tool (for example AWS Systems Manager Session Manager with logging to CloudWatch Logs or S3) must be used so the session transcript is retained.
Break Glass: Emergency access procedures are documented. Any use of the break-glass account triggers an alert to the security team and the CEO.
Examples
- AWS root account credentials locked in company safe, requires CEO + CFO
- All admin actions logged by CloudTrail to a dedicated S3 bucket with Object Lock enabled, so delivered log objects cannot be altered or deleted
- Engineers obtain elevated privileges through AWS SSO (IAM Identity Center) permission sets whose session duration is capped at 4 hours; the temporary credentials expire automatically after that
- Break-glass account last used 6 months ago during a critical outage; the use was fully documented and reviewed afterwards
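As an added illustration of the monitoring this control depends on (example code written for this page, not part of the control text or the organisation's own tooling): the script below scans CloudTrail records and flags root-account activity, console logins without MFA, and any use of the break-glass account. The break-glass IAM user name `breakglass-admin`, the account ID and the sample records are constructed assumptions; the record layout follows the standard CloudTrail JSON format.

```python
"""Flag privileged-access events in CloudTrail records (ACC-04 illustration).

Assumptions (not from the control text): the break-glass account is an IAM
user named "breakglass-admin", and records are in CloudTrail's JSON format.
"""
from __future__ import annotations

import json
from collections import Counter

BREAK_GLASS_USERS = {"breakglass-admin"}  # assumed break-glass account name


def findings_for(event: dict) -> list[str]:
    """Return zero or more finding labels for one CloudTrail record."""
    findings: list[str] = []
    ident = event.get("userIdentity", {})
    itype = ident.get("type")

    # Root credentials live in a safe; any root activity is alert-worthy.
    if itype == "Root":
        findings.append("ROOT_ACTIVITY")

    # Console logins carry MFAUsed in additionalEventData; anything but "Yes" is a gap.
    if event.get("eventName") == "ConsoleLogin":
        if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append("CONSOLE_LOGIN_WITHOUT_MFA")

    # Every action taken with the break-glass user must page the security team.
    if itype == "IAMUser" and ident.get("userName") in BREAK_GLASS_USERS:
        findings.append("BREAK_GLASS_USED")

    return findings


def scan(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (eventTime, finding, principal ARN) for every alert-worthy record."""
    out = []
    for ev in records:
        principal = ev.get("userIdentity", {}).get("arn", "?")
        for finding in findings_for(ev):
            out.append((ev["eventTime"], finding, principal))
    return out


def summarize(records: list[dict]) -> dict[str, int]:
    """Count findings by type, e.g. for a daily privileged-access report."""
    return dict(Counter(f for _, f, _ in scan(records)))


# Constructed sample trail: one normal SSO admin session, one root console
# login, and two break-glass actions (one login without MFA, one S3 change).
SAMPLE_TRAIL = """
{"Records": [
 {"eventVersion": "1.08",
  "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                   "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdminAccess_0123456789abcdef/alice",
                   "accountId": "123456789012"},
  "eventTime": "2024-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10"},
 {"eventVersion": "1.08",
  "userIdentity": {"type": "Root", "principalId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
  "eventTime": "2024-03-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "userName": "breakglass-admin",
                   "arn": "arn:aws:iam::123456789012:user/breakglass-admin", "accountId": "123456789012"},
  "eventTime": "2024-03-01T09:10:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.12",
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "userName": "breakglass-admin",
                   "arn": "arn:aws:iam::123456789012:user/breakglass-admin", "accountId": "123456789012"},
  "eventTime": "2024-03-01T09:12:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.12"}
]}
"""
SAMPLE_RECORDS: list[dict] = json.loads(SAMPLE_TRAIL)["Records"]

if __name__ == "__main__":
    for when, finding, who in scan(SAMPLE_RECORDS):
        print(f"{when} {finding:<26} {who}")
    print(summarize(SAMPLE_RECORDS))
```

In production the same logic would run against records delivered to CloudWatch Logs (for example as a subscription filter or Lambda) rather than an embedded string; the ordinary SSO admin session produces no finding, which is the intended baseline, while root use and every break-glass action surface as alerts that the security team can reconcile against the physical safe log and the break-glass record.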
Audit Evidence
- Privileged account inventory
- AWS CloudTrail logs for admin actions
- Break-glass procedure documentation
- Physical safe access log for root credentials
Framework Mapping
SOC 2
- CC6.2 ^[Tightly controlling privileged access ensures only authorized users can perform administrative functions]
- CC6.8 ^[Restricting privileged access and session recording supports detection and investigation of unauthorized actions]
- CC7.2 ^[Monitoring and alerting on privileged account usage detects anomalies indicative of malicious acts]
GDPR
- Article 32 ^[Enhanced controls on privileged access (MFA, monitoring, break-glass procedures) ensure security appropriate to high risk]
- Article 5 ^[Limiting and auditing privileged access supports accountability principle for data processing]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Standards:
Processes: