IAM-007 Privileged Access Management
Description
Privileged accounts (administrative, root, superuser, and equivalent) are inventoried, tightly controlled, and issued only to named individuals with a documented business justification. Privileged access is time-limited where technically feasible. All privileged actions are logged. Privileged roles are segregated from standard user roles.
Rationale
Privileged accounts represent the highest-risk identities in any environment. Compromise of a privileged account can result in complete system takeover. Strict controls and logging are non-negotiable.
Framework Mappings (4)
| Framework | Control | Name | Mapping |
| CSA CCM v4 | IAM-09 | Segregation of Privileged Access Roles | full |
| CSA CCM v4 | IAM-10 | Management of Privileged Access Roles | full |
| ISO/IEC 27001:2022 Annex A | 8.2 | Privileged access rights | full |
| NIST SP 800-53 Rev. 5 | AC-6 | Least Privilege | partial |
Evidence (2)
Privileged account inventory and configuration settings showing all admin, root, and superuser accounts with named owners, MFA enforcement, and time-limited or just-in-time (JIT) access where supported.
Example: AWS IAM privileged-user/role export, Microsoft Entra ID (formerly Azure AD) Privileged Identity Management (PIM) role assignment report, or PAM tool (CyberArk, HashiCorp Boundary) account listing showing each privileged account, its owner, MFA status, and session duration limits.
Test: Export all accounts with admin, root, or equivalent privileges. Verify: (1) every privileged account maps to a named, individually identified user, with no shared admin accounts; emergency (break-glass) accounts that cannot be tied to one person are the only exception and must still appear in the inventory with a named custodian, vaulted credentials, and alerting on every use, (2) MFA is enforced on all privileged accounts, (3) where JIT or time-limited access is available in the tooling, it is in use and sessions are bounded to the policy-defined maximum, (4) any permanent privileged access is backed by a documented business justification.
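The four inventory checks above, applied to a normalised export. This is an added example, not code from the control catalog or from any of the tools it names: it assumes a tool-agnostic record shape (the `PrivilegedAccount` fields), a first.last owner naming convention, an 8-hour ceiling on JIT sessions, and a handful of constructed sample accounts, all of which are illustrative assumptions rather than anything the catalog specifies.

```python
"""Inventory checks for IAM-007 evidence item 1.

Added example, not part of the original control catalog. It assumes a
tool-agnostic export normalised to one record per privileged account;
the field names, the 8-hour session ceiling, the first.last owner
convention and the sample records are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_SESSION_MINUTES = 480                          # assumption: policy ceiling for a JIT session
_NAMED = re.compile(r"^[a-z]+(?:[.-][a-z]+)+$")   # assumption: first.last style owner names
_GROUP_WORDS = {"shared", "team", "admins", "ops", "everyone"}


@dataclass
class PrivilegedAccount:
    account: str                   # principal as it appears in the tool
    owner: Optional[str]           # named individual, or None if unassigned
    mfa_enforced: bool
    access_model: str              # "jit" or "permanent"
    jit_available: bool            # does the hosting tool offer JIT / time-limited grants?
    max_session_minutes: Optional[int]
    justification: Optional[str]   # reference to the approved business justification


Finding = Tuple[str, str, str]     # (account, test id, detail)


def is_named_individual(owner: Optional[str]) -> bool:
    """Test (1): the owner must be one person, not a group or a placeholder."""
    if not owner or not _NAMED.match(owner):
        return False
    return not set(re.split(r"[.-]", owner)) & _GROUP_WORDS


def check_inventory(accounts: List[PrivilegedAccount]) -> List[Finding]:
    """Apply the four evidence tests (plus the session ceiling) to every account."""
    findings: List[Finding] = []
    for a in accounts:
        if not is_named_individual(a.owner):
            findings.append((a.account, "T1", f"no named individual owner: {a.owner!r}"))
        if not a.mfa_enforced:
            findings.append((a.account, "T2", "MFA not enforced"))
        if a.access_model == "permanent" and a.jit_available:
            findings.append((a.account, "T3", "permanent grant although JIT is available"))
        if a.access_model == "permanent" and not a.justification:
            findings.append((a.account, "T4", "permanent grant without documented justification"))
        if a.access_model == "jit" and (
            a.max_session_minutes is None or a.max_session_minutes > MAX_SESSION_MINUTES
        ):
            findings.append((a.account, "T3", "JIT session not bounded to the policy ceiling"))
    return findings


# Constructed sample: what a normalised PIM / PAM / IAM export might look like.
SAMPLE_INVENTORY = [
    PrivilegedAccount("jane.doe-admin", "jane.doe", True, "jit", True, 60, "CHG-1042"),
    PrivilegedAccount("root", None, True, "permanent", False, None, "break-glass, CHG-0001"),
    PrivilegedAccount("sre-shared-admin", "sre-team", False, "permanent", True, None, None),
    PrivilegedAccount("bob.smith-dba", "bob.smith", True, "permanent", False, None, "CHG-2210"),
    PrivilegedAccount("carol.ng-pim", "carol.ng", True, "jit", True, 720, "CHG-3001"),
]


if __name__ == "__main__":
    for account, test, detail in check_inventory(SAMPLE_INVENTORY):
        print(f"{test} {account}: {detail}")
```

Against the sample, the shared SRE account fails all four tests, the root account surfaces as a T1 finding (which is the intended outcome: root has no individual owner and must be reconciled against the break-glass register rather than silently accepted), and the PIM role with a 12-hour activation exceeds the assumed session ceiling.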
Privileged action audit logs showing that all administrative and elevated-privilege operations are recorded with actor identity, timestamp, and action detail.
Example: AWS CloudTrail management event logs, Microsoft Entra ID (formerly Azure AD) audit log, or PAM session recording archive filtered for privileged-role actions over the last 30 days, showing no events with an unidentifiable or system-generated actor for human-initiated actions.
Test: Query the privileged-access audit log for the past 30 days. Verify: (1) every human-initiated privileged action carries a named user identity (not a shared or anonymous account), and any action by automation is attributable to a specific, inventoried service principal, (2) log retention meets the policy-defined period, checked against the log store's configuration rather than inferred from the event content, (3) a sample of 10 privileged actions can be cross-referenced to a valid change or approval record, (4) no privileged access events originate outside approved access paths (e.g. direct console access bypassing the PAM tool), including actions taken with root or break-glass credentials.
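Tests (1), (3) and (4) above, run over CloudTrail-shaped events. This is an added example and not code from the catalog, from AWS or from any PAM vendor: the four events are constructed to mimic CloudTrail management event fields with fictitious values, and the PAM egress range, the `deploy-bot` service-principal allowlist, the first.last naming convention and the change-record windows in `APPROVALS` are assumptions standing in for real environment data.

```python
"""Audit-log checks for IAM-007 evidence item 2.

Added example, not part of the original catalog. Events are constructed in
the shape of AWS CloudTrail management events; the PAM egress range, the
service-principal allowlist, the first.last naming convention and the
approval windows are assumptions standing in for real environment data.
"""
import ipaddress
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

APPROVED_PATHS = [ipaddress.ip_network("198.51.100.0/24")]  # assumption: PAM proxy egress
SERVICE_PRINCIPALS = {"deploy-bot"}       # assumption: inventoried automation identities
_NAMED = re.compile(r"^[a-z]+\.[a-z]+$")  # assumption: first.last user/session names

# Constructed change records: who was approved to act, and in which window.
APPROVALS = [
    {"ticket": "CHG-1042", "actor": "jane.doe",
     "start": "2024-05-02T09:00:00Z", "end": "2024-05-02T12:00:00Z"},
    {"ticket": "CHG-2210", "actor": "bob.smith",
     "start": "2024-05-04T13:00:00Z", "end": "2024-05-04T15:00:00Z"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor_of(event: dict) -> Optional[str]:
    """Identity behind a CloudTrail event: user name, role session name, or None."""
    ident = event["userIdentity"]
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    if ident.get("type") == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>
        return ident.get("arn", "").rsplit("/", 1)[-1] or None
    return None                      # Root, AWSService and similar are not named people


def _mfa_used(event: dict) -> bool:
    attrs = event["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def approval_for(actor: Optional[str], when: datetime) -> Optional[str]:
    """Test (3): the ticket whose window covers this actor at this time, else None."""
    for rec in APPROVALS:
        if rec["actor"] == actor and _ts(rec["start"]) <= when <= _ts(rec["end"]):
            return rec["ticket"]
    return None


def check_events(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (event tag, test id, detail) findings for tests 1, 3 and 4 plus MFA."""
    findings = []
    for e in events:
        tag = f'{e["eventTime"]} {e["eventName"]}'
        actor = actor_of(e)
        # (4) every privileged action must arrive via the approved access path;
        # a non-IP origin such as "cloudformation.amazonaws.com" counts as outside it.
        try:
            src = ipaddress.ip_address(e["sourceIPAddress"])
            on_path = any(src in net for net in APPROVED_PATHS)
        except ValueError:
            on_path = False
        if not on_path:
            findings.append((tag, "T4", f"origin {e['sourceIPAddress']} bypasses the PAM path"))
        if actor in SERVICE_PRINCIPALS:
            continue                 # automation is not human-initiated: tests 1 and 3 do not apply
        # (1) a human-initiated action must carry exactly one person's identity.
        if not actor or not _NAMED.match(actor):
            findings.append((tag, "T1", f"actor is not a named individual: {actor!r}"))
        if not _mfa_used(e):
            findings.append((tag, "MFA", "session shows no MFA"))
        if approval_for(actor, _ts(e["eventTime"])) is None:
            findings.append((tag, "T3", "no change/approval record covers this action"))
    return findings


# Constructed sample events (CloudTrail field names, fictitious values).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-02T10:15:00Z", "eventName": "PutRolePolicy",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/jane.doe",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-05-03T02:00:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-05-03T09:30:00Z", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2024-05-04T13:30:00Z", "eventName": "UpdateAssumeRolePolicy",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob.smith",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]
```

The root `CreateUser` call from outside the PAM range fails every check at once, which is the pattern an assessor should expect to see for unmanaged break-glass use; `bob.smith` is approved but reached the API without MFA and without going through the PAM path. Test (2), retention, is deliberately absent: it is a property of the log store (for CloudTrail, the trail and its S3 bucket lifecycle), not something the events themselves can prove.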
Questions (2)
Is an inventory of all privileged accounts (administrative, root, superuser, and equivalent) maintained and tightly controlled?
Every privileged account must map to a named individual with a documented business justification. Shared admin accounts are not acceptable.
Which controls are applied specifically to privileged accounts in your environment?
MFA and full audit logging are non-negotiable minimums. JIT access and PAM tooling represent a mature privileged access posture.