Role-Based Access and Least Privilege
Description
The entity authorizes, modifies, or removes access based on roles following the principle of least privilege.
⚠️ Risk Impact
Overprivileged accounts increase the blast radius of any compromise.
🔧 Remediation
Implement granular IAM roles. EchelonGraph detects overprivileged service accounts and admin bindings automatically.
💀 Real-World Attack Scenario
An application service account had been granted Owner role 'temporarily' during a migration 2 years ago. When the application was compromised through a dependency vulnerability, the Owner role gave the attacker full project control — they deleted audit logs, created new admin accounts, and extracted the entire database.
💰 Cost of Non-Compliance
86% of cloud breaches involve overprivileged identities. Average overprivileged-credential breach cost: $4.45M. SOC 2 auditors specifically test for least privilege — violations result in qualified opinions.
📋 Audit Questions
1. List all service accounts with admin/owner/editor roles.
2. What is your process for granting elevated permissions?
3. Are elevated permissions time-bound?
4. Show evidence of quarterly permission reviews.
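A defender-side check covering the remediation above and audit questions 1 and 3, added here as an illustrative example rather than EchelonGraph's own code: it parses a project IAM policy in the JSON shape that `gcloud projects get-iam-policy --format=json` returns, lists every member holding an owner, editor or admin role, and records whether each grant carries an expiry condition and whether that window has already lapsed. The sample policy, project name and member identities are constructed placeholders, and the "admin" role heuristic (`roles/owner`, `roles/editor`, or a role name ending in `.admin`/`Admin`) is an assumption you would tune to your own role inventory.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample project IAM policy (assumption: placeholder project and
# identities) in the shape returned by `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY_JSON = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-sa@example-project.iam.gserviceaccount.com"],
         # A "temporary" grant expressed as an IAM condition with an expiry.
         "condition": {"title": "migration-window",
                       "expression": 'request.time < timestamp("2024-01-31T00:00:00Z")'}},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:backup-sa@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer",
         "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]},
    ],
})

# Basic roles grant project-wide control; predefined *.admin roles are narrower
# but still give full control over one service. Heuristic, not an official list.
BASIC_ROLES = {"roles/owner", "roles/editor"}
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def is_privileged(role: str) -> bool:
    return role in BASIC_ROLES or role.endswith(".admin") or role.endswith("Admin")


def expiry_of(binding: dict):
    """Return the expiry datetime encoded in a binding's IAM condition, or None."""
    cond = binding.get("condition") or {}
    m = EXPIRY_RE.search(cond.get("expression", ""))
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def find_overprivileged(policy_json: str, now_iso: str = None) -> list:
    """Flag every member holding a privileged role, noting whether the grant is
    time-bound and whether that window has lapsed (a stale binding to remove)."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        if not is_privileged(role):
            continue
        expiry = expiry_of(binding)
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "service_account": member.startswith("serviceAccount:"),
                "time_bound": expiry is not None,
                "expired": expiry is not None and expiry <= now,
                "severity": "high" if role in BASIC_ROLES else "medium",
            })
    return findings


def summarize(findings: list) -> dict:
    """Roll findings up into the answers an auditor asks for."""
    return {
        "privileged_bindings": len(findings),
        "privileged_service_accounts": sorted(
            {f["member"] for f in findings if f["service_account"]}),
        "unbounded_basic_role_grants": [
            f["member"] for f in findings if f["severity"] == "high" and not f["time_bound"]],
        "stale_time_bound_grants": [f["member"] for f in findings if f["expired"]],
    }


if __name__ == "__main__":
    found = find_overprivileged(SAMPLE_POLICY_JSON)
    for f in found:
        print(f)
    print(summarize(found))
```

Run against a real export by replacing `SAMPLE_POLICY_JSON` with the file contents; `unbounded_basic_role_grants` is the list to act on first, and `stale_time_bound_grants` shows bindings whose window has closed but that were never cleaned up, which is exactly the "temporary becomes permanent" pattern the pitfalls section describes.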
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Temporary elevated permissions that become permanent
- ⛔ Custom roles that accumulate permissions over time without review
- ⛔ Service accounts shared across multiple applications
📈 Business Value
Least-privilege enforcement reduces breach blast radius by 95%. It's the most impactful access control measure and a key differentiator in SOC 2 audit quality.
⏱️ Effort Estimate
8-16 hours for comprehensive IAM review across all cloud providers
EchelonGraph identifies overprivileged accounts and recommends least-privilege alternatives
🔗 Cross-Framework References
Automate SOC 2 CC6.3 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.