IAM-005 Least Privilege and Need-to-Know Enforcement
Description
Users and services are granted the minimum level of access required to perform their assigned function. Broad or permissive roles are decomposed. Access to sensitive data is restricted to those with a documented business need. Access rights are reviewed when responsibilities change.
Rationale
Least privilege limits the blast radius of compromised credentials and insider threats. It is a foundational principle across all major security frameworks.
Framework Mappings (5)
| Framework control | Title | Coverage |
|---|---|---|
| IAM-05 | Least Privilege | full |
| 8.3 | Information access restriction | full |
| AC-3 | Access Enforcement | partial |
| AC-6 | Least Privilege | full |
| CC6.3 | Role-Based Access Controls and Least Privilege | full |
Evidence (2)
Role and permission configuration in the IdP or authorisation system showing that each role is scoped to the minimum permissions required for its function, with no overly broad roles assigned to standard users.
Example: AWS IAM policy export, Okta group assignment export, or Azure AD role assignment report showing permissions attached to each role, with no wildcards or admin-level permissions assigned to non-privileged groups.
Test: Export role definitions and user-to-role assignments from the IdP or cloud IAM system. Verify: (1) no standard user role grants administrative or write access to systems outside that role's defined function, (2) wildcard ('*') or overly broad permissions are absent from non-privileged role definitions, (3) sensitive data access roles require explicit documented justification for membership.
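Added illustration of test steps (1) and (2) above, not part of the control text: a small checker that scans an AWS-style IAM policy export for wildcard actions, identity-service permissions and write actions on every resource in roles that are not on the privileged list. The export, the role names, the privileged-role set and the admin-service list are constructed assumptions for the example.

```python
# Constructed sample of an IAM policy export (not real account data):
# role name -> list of policy documents attached to that role.
SAMPLE_EXPORT = {
    "Billing-ReadOnly": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ce:GetCostAndUsage", "ce:DescribeReport"], "Resource": "*"}]}],
    "App-Deployer": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-artifacts/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"], "Resource": "*"}]}],
    "Platform-Admin": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
}
PRIVILEGED_ROLES = {"Platform-Admin"}                 # assumed: roles exempt from the checks
ADMIN_SERVICES = ("iam:", "organizations:", "sts:")   # assumed: identity/account-level services
READ_ONLY_PREFIXES = ("Get", "List", "Describe")       # verbs treated as read-only on Resource "*"

def _as_list(value):
    """IAM allows Action/Resource/Statement as a string/dict or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_violations(export, privileged_roles):
    """Return sorted (role, finding) pairs for every non-privileged role that grants
    a wildcard action, an identity-service action, or a write action on every
    resource. Deny statements and NotAction/NotResource are out of scope here."""
    findings = []
    for role, docs in export.items():
        if role in privileged_roles:
            continue
        for doc in docs:
            for stmt in _as_list(doc.get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                all_resources = "*" in _as_list(stmt.get("Resource", []))
                for action in _as_list(stmt.get("Action", [])):
                    _service, _, verb = action.partition(":")
                    if action == "*" or verb == "*":
                        findings.append((role, f"wildcard action {action}"))
                    elif action.startswith(ADMIN_SERVICES):
                        findings.append((role, f"admin-level action {action}"))
                    elif all_resources and not verb.startswith(READ_ONLY_PREFIXES):
                        findings.append((role, f"write action {action} on Resource '*'"))
    return sorted(findings)

if __name__ == "__main__":
    for role, finding in find_violations(SAMPLE_EXPORT, PRIVILEGED_ROLES):
        print(f"{role}: {finding}")
```

An empty result for a role is not proof of least privilege; it only shows that none of the three coarse patterns is present, and the reviewer still has to compare the remaining permissions against the role's documented function.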
Documentation of access right adjustments made when employees changed roles, confirming that prior access was revoked and only new, appropriate access was granted.
Example: HR role-change records cross-referenced with access provisioning tickets showing old access revoked and new access provisioned upon role change, for a sample of 5–10 employees who changed roles in the last 12 months.
Test: Obtain HR records for 5–10 employees who changed roles in the past 12 months. Cross-reference against access management tickets. Verify: (1) old role access was revoked at or before the effective date of role change, (2) new access was provisioned with documented approval, (3) no employee retains permissions from a previous role more than the policy-defined grace period after the change.
Questions (2)
Is the principle of least privilege enforced so that users and services are granted only the minimum access needed for their current function?
Enforcement requires that roles are scoped tightly and that access is actively reviewed when responsibilities change — not merely that a policy document states the principle.
How is least-privilege enforcement implemented in your environment?
Multiple mechanisms in combination indicate a mature least-privilege posture. Relying solely on a written policy without technical enforcement is insufficient.