IAM-010 Service Account and Non-Human Identity Management
Description
Service accounts, API keys, and other non-human identities are inventoried and managed with the same rigour as human accounts. Each non-human identity has a documented owner, a defined scope of access, and a rotation or expiry policy. Unused service accounts are revoked. Non-human identities are not shared across services or environments.
Rationale
Service accounts and API keys are frequently over-provisioned, long-lived, and poorly tracked. They represent a significant attack surface and are a common source of lateral movement in breaches.
Framework Mappings (4)
| Framework | Control | Title | Coverage |
|---|---|---|---|
| CSA CCM v4 | IAM-03 | Identity Inventory | partial |
| ISO/IEC 27001:2022 | 5.16 | Identity management | partial |
| NIST SP 800-53 | IA-8 | Identification and Authentication (Non-organizational Users) | partial |
| NIST SP 800-53 | IA-9 | Service Identification and Authentication | full |
Evidence (2)
Service account and non-human identity inventory showing each account's owner, defined access scope, and rotation or expiry policy.
Example: AWS IAM service role export, GCP service account inventory, or an internal CMDB/spreadsheet listing all service accounts and API keys with columns for: account name, owning team, systems it can access, last rotation date, and expiry date or rotation interval.
Test: Export the service account inventory from IAM and cross-reference it with the manually maintained register, if one exists. Verify: (1) every service account has a named owner (team or individual), (2) no service account has been inactive for longer than the policy-defined period without documented justification, (3) every API key's last rotation date is within the policy-defined interval, (4) no service account or key is used by more than one service or environment (the consumer recorded in the register should match the principals, hosts or source addresses seen in the audit log).
Audit log showing recent activity (or confirmed inactivity) for each service account, enabling detection of dormant accounts that should be revoked.
Example: AWS IAM credential report (access key last-used dates) and role last-used data, or an equivalent CloudTrail query; GCP Activity Analyzer service-account last-authentication export or IAM Recommender service-account insights; or an equivalent log query output showing the most recent action timestamp for every service account over a 90-day window.
Test: Run a last-used query against the IAM system for all service accounts (e.g. on AWS, aws iam generate-credential-report followed by aws iam get-credential-report for IAM users' access keys and aws iam get-role for each role's RoleLastUsed; on GCP, gcloud policy-intelligence query-activity --activity-type=serviceAccountLastAuthentication). Verify: (1) accounts with no activity in more than 90 days are either disabled or have a documented, current justification, (2) accounts used from unexpected source IPs or regions have corresponding change records or alerts.
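The two evidence tests above, as an added worked example that is not part of this control catalog: a Python script that runs the owner, rotation, dormancy and source-region checks over a constructed excerpt of an AWS IAM credential report and a hypothetical owner register. The column names and value conventions ("N/A", "no_information") follow the real credential report; the sample rows, the register layout, the thresholds and the fixed "today" date are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

INACTIVITY_DAYS = 90        # policy-defined dormancy threshold (assumption)
DEFAULT_ROTATION_DAYS = 90  # used when the register gives no interval (assumption)
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed "today" so results are reproducible

# Constructed excerpt of an AWS IAM credential report (the CSV returned by
# `aws iam get-credential-report`, base64-decoded). Column names and value
# conventions are the real ones; the rows are made up for this example.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region
svc-ci-deploy,arn:aws:iam::111122223333:user/svc-ci-deploy,2023-01-10T09:00:00+00:00,true,2024-05-01T00:00:00+00:00,2024-06-10T12:00:00+00:00,eu-west-1,false,N/A,N/A,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2022-03-02T09:00:00+00:00,true,2023-01-15T00:00:00+00:00,2024-01-20T03:00:00+00:00,eu-west-1,false,N/A,N/A,N/A
svc-legacy-etl,arn:aws:iam::111122223333:user/svc-legacy-etl,2021-07-01T09:00:00+00:00,true,2021-07-01T09:00:00+00:00,no_information,N/A,false,N/A,N/A,N/A
svc-reporting,arn:aws:iam::111122223333:user/svc-reporting,2024-02-01T09:00:00+00:00,true,2024-04-15T00:00:00+00:00,2024-06-09T18:00:00+00:00,us-east-1,false,N/A,N/A,N/A
"""

# Hypothetical owner register (what a CMDB/spreadsheet export would give).
# An account absent from it has no documented owner.
REGISTER = {
    "svc-ci-deploy": {"owner": "platform-team", "rotation_days": 90,  "regions": {"eu-west-1"}},
    "svc-backup":    {"owner": "storage-team",  "rotation_days": 180, "regions": {"eu-west-1"}},
    "svc-reporting": {"owner": "data-team",     "rotation_days": 90,  "regions": {"eu-west-1"}},
}


def parse_ts(value):
    """Credential-report timestamps are ISO 8601; the report's placeholders become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, register, now):
    """Return (account, check, detail) findings for every violated test criterion."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        entry = register.get(name)
        if entry is None:
            findings.append((name, "no-owner", "not present in owner register"))
        created = parse_ts(row["user_creation_time"])
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys are not a live credential
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            region = row[f"access_key_{slot}_last_used_region"]

            # (3) rotation: key age must be within the account's interval
            limit = (entry or {}).get("rotation_days", DEFAULT_ROTATION_DAYS)
            if rotated is not None and (now - rotated).days > limit:
                findings.append((name, "rotation-overdue",
                                 f"key {slot} is {(now - rotated).days}d old, limit {limit}d"))

            # (2) dormancy: a key never used is measured from its creation
            reference = last_used or rotated or created
            if reference is not None and (now - reference).days > INACTIVITY_DAYS:
                findings.append((name, "dormant",
                                 f"key {slot} last activity {(now - reference).days}d ago"))

            # unexpected source region: only checkable for accounts with a register entry
            if entry is not None and last_used is not None and region not in entry["regions"]:
                findings.append((name, "unexpected-region",
                                 f"key {slot} last used from {region}"))
    return findings


def findings_by_account(findings):
    """Collapse findings to {account: set of failed checks} for reporting."""
    grouped = {}
    for name, check, _ in findings:
        grouped.setdefault(name, set()).add(check)
    return grouped


def run_sample():
    """Run the audit over the constructed report against the hypothetical register."""
    return audit(CREDENTIAL_REPORT, REGISTER, NOW)


if __name__ == "__main__":
    for name, check, detail in run_sample():
        print(f"{name:16} {check:18} {detail}")
```

Criterion (4), sharing across services or environments, is not visible in a credential report: it needs the source principals or hosts from CloudTrail compared against the register's stated consumer, which is why the script leaves it out rather than guessing.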
Questions (2)
Are service accounts, API keys, and other non-human identities inventoried and managed with a documented owner, defined access scope, and rotation or expiry policy?
Every non-human identity should have a named team or individual as owner. Unowned or undocumented service accounts are a significant risk. The inventory must be kept current — not just created once.
How frequently are API keys and service account credentials rotated?
Automated rotation is strongly preferred. Long-lived, non-rotating credentials significantly increase the impact of a credential exposure, because a leaked key stays valid until someone notices. Rotation should also occur immediately upon any suspected compromise. Where the platform supports it, short-lived credentials (for example cloud IAM roles assumed at runtime, or workload identity federation) are preferable to static API keys, since there is then no long-lived secret to rotate or leak.