WAF-SOV-060 – Privileged Access Controlled (Separation of Duties)

Pillar: Sovereign | Severity: 🔴 Critical | Category: Access Control | Automatable: High

Description

Privileged roles MUST be minimized, time-limited, and subject to regular access reviews. Separation of duties MUST be enforced: no single principal may simultaneously create infrastructure, approve deployments, AND manage encryption keys.

Wildcard IAM permissions ( on ) are prohibited. Administrative access MUST be provisioned JIT (Just-In-Time) where technically feasible.

Rationale

Over-privileged access is the primary attack vector for both external compromise and insider threats in cloud environments. A developer with AdministratorAccess can bypass arbitrary data residency controls, disable logging, or exfiltrate key material.

Sovereignty requires that administrative actions be restricted, observable, and accountable. Separation of duties prevents a single compromised credential from destroying the entire sovereignty posture.

Threat Context

Risk	Description
Compromised developer credentials	Wildcard permissions enable full data access upon credential compromise.
CI/CD with AdministratorAccess	Build pipeline service account with full access enables arbitrary infrastructure changes.
Missing SoD	A single principal can change key policy and then access encrypted data.
Permanent admin credentials	Never-rotated admin keys without MFA enforcement as a persistent attack target.
Over-privileged service accounts	Routine non-privileged tasks performed via accounts with excessive permissions.

Risk

Description

Compromised developer credentials

Wildcard permissions enable full data access upon credential compromise.

CI/CD with AdministratorAccess

Build pipeline service account with full access enables arbitrary infrastructure changes.

Missing SoD

A single principal can change key policy and then access encrypted data.

Permanent admin credentials

Never-rotated admin keys without MFA enforcement as a persistent attack target.

Over-privileged service accounts

Routine non-privileged tasks performed via accounts with excessive permissions.

Regulatory Mapping

Framework	Controls
GDPR	Art. 32 – Security of processing (access control); Art. 5(1)(f) – Integrity and confidentiality
BSI C5:2020	IAM-01 – Identity and access management; IAM-03 – Privileged access management; IAM-05 – Separation of duties
EUCS (ENISA)	IAM-01 – Access control policy; IAM-03 – Privileged access
ISO 27001:2022	A.8.2 – Privileged access rights; A.8.3 – Restriction of access to information; A.5.3 – Separation of duties
SOC 2	CC6.3 – Role-based access control; CC6.6 – Logical access
BSI C3A:2026	Dimension 5 – Operational: EU-based operational personnel; Dimension 5 – Operational: Separation of duties; Dimension 1 – Strategic: Effective control

Framework

Controls

GDPR

Art. 32 – Security of processing (access control); Art. 5(1)(f) – Integrity and confidentiality

BSI C5:2020

IAM-01 – Identity and access management; IAM-03 – Privileged access management; IAM-05 – Separation of duties

EUCS (ENISA)

IAM-01 – Access control policy; IAM-03 – Privileged access

ISO 27001:2022

A.8.2 – Privileged access rights; A.8.3 – Restriction of access to information; A.5.3 – Separation of duties

SOC 2

CC6.3 – Role-based access control; CC6.6 – Logical access

BSI C3A:2026

Dimension 5 – Operational: EU-based operational personnel; Dimension 5 – Operational: Separation of duties; Dimension 1 – Strategic: Effective control

Requirement

Wildcard actions (Action: *) combined with wildcard resources (Resource: *) are prohibited in custom policies
AdministratorAccess may only be assigned in documented break-glass scenarios
MFA MUST be enforced for all human principals with production access
IAM password policy MUST be configured (minimum length >= 14, expiry ⇐ 90 days)
Long-lived static access keys SHOULD NOT be created via Terraform
Quarterly IAM access reviews MUST be performed and documented
JIT access MUST be implemented for privileged operations where feasible
SCP/Azure Policy MUST prevent privilege escalation at the organization level

Implementation Guidance

Least privilege: Grant only the permissions required for the specific task.
IAM roles over IAM users: Avoid long-lived access keys; use OIDC federation for CI/CD.
Wildcard prohibition: Explicitly prohibit Action: * combined with Resource: * in custom policies.
AdministratorAccess only for break-glass: Only in documented emergency scenarios; implement JIT activation.
JIT access: AWS IAM Identity Center, Azure PIM, or equivalent solution for privileged access.
Enforce MFA: For all human principals with production access; SCP for enforcement.
Quarterly access reviews: Document quarterly IAM access reviews with findings and remediation status.
SCP/Azure Policy: Block privilege escalation actions at the organization level.
CI/CD separation: Separate deploy permissions from data access permissions.

Maturity Levels

Level Name Criteria

Level	Name	Criteria
1	Basic IAM roles, no wildcard admin	No `AdministratorAccess` assigned to regular user accounts; IAM users have separate roles per responsibility.
2	Least-privilege roles, MFA enforced	No `Action:`/`Resource:` in custom policies; MFA for all human console/API access; annual IAM review performed.
3	JIT access, formal SoD, quarterly reviews	JIT provisioning for privileged access; documented SoD matrix (who may do what); quarterly reviews with evidence.
4	Automated detection of privilege drift	IAM Access Analyzer or equivalent tool continuously monitors for over-privileged policies; alerts on policy changes; SCP blocks privilege escalation.
5	Zero-trust IAM with continuous verification	All access context-aware and time-limited; automated remediation of policy violations; IAM compliance integrated into deployment pipeline.

Basic IAM roles, no wildcard admin

No AdministratorAccess assigned to regular user accounts; IAM users have separate roles per responsibility.

Least-privilege roles, MFA enforced

No Action:*/Resource:* in custom policies; MFA for all human console/API access; annual IAM review performed.

JIT access, formal SoD, quarterly reviews

JIT provisioning for privileged access; documented SoD matrix (who may do what); quarterly reviews with evidence.

Automated detection of privilege drift

IAM Access Analyzer or equivalent tool continuously monitors for over-privileged policies; alerts on policy changes; SCP blocks privilege escalation.

Zero-trust IAM with continuous verification

All access context-aware and time-limited; automated remediation of policy violations; IAM compliance integrated into deployment pipeline.

Terraform Checks

waf-sov-060.tf.aws.no-wildcard-iam-policy

Checks: IAM policies must not contain the Action:* with Resource:* combination.

Compliant Non-Compliant

Compliant	Non-Compliant
`data "aws_iam_policy_document" "s3_read" { statement { effect = "Allow" actions = ["s3:GetObject", "s3:ListBucket"] resources = [ aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*" ] } }`	`data "aws_iam_policy_document" "admin" { statement { effect = "Allow" actions = [""] resources = [""] # ❌ Full administrative access } }`

data "aws_iam_policy_document" "s3_read" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      aws_s3_bucket.data.arn,
      "${aws_s3_bucket.data.arn}/*"
    ]
  }
}

data "aws_iam_policy_document" "admin" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
    # ❌ Full administrative access
  }
}

waf-sov-060.tf.aws.no-administrator-access-managed-policy

Checks: The AWS managed policy AdministratorAccess must not be attached to regular roles.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_iam_role_policy_attachment" "app" { role = aws_iam_role.app.name policy_arn = aws_iam_policy.app_custom.arn # ✅ Uses a custom least-privilege policy }`	`resource "aws_iam_role_policy_attachment" "admin" { role = aws_iam_role.developer.name policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" # ❌ AdministratorAccess on a regular role }`

resource "aws_iam_role_policy_attachment" "app" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.app_custom.arn
  # ✅ Uses a custom least-privilege policy
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.developer.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  # ❌ AdministratorAccess on a regular role
}

waf-sov-060.tf.aws.iam-password-policy-configured

Checks: IAM account password policy must be configured (minimum length >= 14, expiry ⇐ 90 days).

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_iam_account_password_policy" "strict" { minimum_password_length = 16 require_uppercase_characters = true require_lowercase_characters = true require_numbers = true require_symbols = true allow_users_to_change_password = true max_password_age = 90 password_reuse_prevention = 24 }`	`# ❌ No aws_iam_account_password_policy resource # defined – provider defaults apply`

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 16
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# ❌ No aws_iam_account_password_policy resource
#    defined – provider defaults apply

waf-sov-060.tf.aws.no-iam-user-direct-access-keys

Checks: Long-lived IAM access keys should not be created via Terraform.

# Non-Compliant: Static long-lived credentials via Terraform
resource "aws_iam_access_key" "user" {
  user   = aws_iam_user.service.name
  status = "Active"  # ⚠️ Long-lived static key
}

# Compliant: OIDC-based short-lived tokens for CI/CD
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["..."]
}

waf-sov-060.tf.stackit.no-wildcard-iam-policy

Checks: StackIT IAM policies must not grant wildcard permissions.

Supported providers: StackIT

Evidence

Type	Required	Description
IaC	✅ Required	IAM policy documents in Terraform without wildcard permissions and with least-privilege design.
Process	✅ Required	Quarterly IAM access review records with findings and remediation status.
Config	Optional	IAM Access Analyzer findings export without active overpermission issues.
Logs	Optional	CloudTrail logs with privileged access events for review.
Config	Optional	SCP or Azure Policy configuration restricting privilege escalation.

Type

Required

Description

IaC

✅ Required

IAM policy documents in Terraform without wildcard permissions and with least-privilege design.

Process

✅ Required

Quarterly IAM access review records with findings and remediation status.

Config

Optional

IAM Access Analyzer findings export without active overpermission issues.

Logs

Optional

CloudTrail logs with privileged access events for review.

Config

Optional

SCP or Azure Policy configuration restricting privilege escalation.

Related Controls

Regulatorisches Mapping

Framework	Controls
DSGVO	Art. 44 – Allg. Grundsätze für Übermittlungen; Art. 46 – Geeignete Garantien; Art. 28 – Verarbeitungsvereinbarung
BSI C5:2020	OPS-04 – Datenverwaltung; OPS-05 – Datenleakage-Prävention; SIM-01 – Sicherheitsvorfallmanagement
EUCS (ENISA)	DSP-01 – Datenklassifikation; DSP-02 – Dateninventar und Datenfluss; DSP-03 – Datenverfügbarkeit; DSP-04 – Datenlöschung; IAM-01 – Identität und Zugriff
ISO 27001:2022	A.5.12 – Klassifizierung von Informationen; A.5.13 – Kennzeichnung von Informationen; A.5.33 – Schutz von Aufzeichnungen
ISO 27017	CLD.5.1 – Information security in cloud services; CLD.5.2 – Access control in cloud services
ISO 27018	A.2 – Purpose legitimacy and PII protection; A.10 – Confidentiality and security of PII
BSI C3A:2026	Domain – Datenhoheit; Domain – Cloud-Spezifische Anforderungen
GAIA-X	Sovereign Cloud – Anforderungen an Datenlokation und Transparenz
NIST SP 800-53	SC-1 – Cloud computing security; SC-7 – Boundary protection; SC-8 – Transmission confidentiality
NIST CSF 2.0	GV.PO – Policy; GV.RM – Risk management; GV.SC – Cybersecurity supply chain risk management
FedRAMP	SC-1, SC-7, SC-8 (High baseline)
TISAX	Information security – Data protection; Prototype protection – Sensitive data handling
ANSSI SecNumCloud	Domain – Data protection; Domain – Cloud security
BIO	BIO – Gegevensbescherming; BIO – Cloudbeveiliging
ENS High	ds.info.1 – Datos personales; ds.info.2 – Calificación de la información
UK NCSC CAF	B3 – Understanding data; B4 – System security
CMMC 2.0	SC.L2-3.13.16 – Protect CUI confidentiality at rest
IRAP	ISM – Data protection; ISM – Cloud security
CCCS PBMM	SC-7 – Boundary protection; SC-8 – Transmission confidentiality
MAS TRM	Ch.5 – Technology risk governance; Ch.8 – Cloud computing controls
ISMAP	Data sovereignty and cloud security
FISC	Technical measures – Data protection

Framework

Controls

DSGVO

Art. 44 – Allg. Grundsätze für Übermittlungen; Art. 46 – Geeignete Garantien; Art. 28 – Verarbeitungsvereinbarung

BSI C5:2020

OPS-04 – Datenverwaltung; OPS-05 – Datenleakage-Prävention; SIM-01 – Sicherheitsvorfallmanagement

EUCS (ENISA)

DSP-01 – Datenklassifikation; DSP-02 – Dateninventar und Datenfluss; DSP-03 – Datenverfügbarkeit; DSP-04 – Datenlöschung; IAM-01 – Identität und Zugriff

ISO 27001:2022

A.5.12 – Klassifizierung von Informationen; A.5.13 – Kennzeichnung von Informationen; A.5.33 – Schutz von Aufzeichnungen

ISO 27017

CLD.5.1 – Information security in cloud services; CLD.5.2 – Access control in cloud services

ISO 27018

A.2 – Purpose legitimacy and PII protection; A.10 – Confidentiality and security of PII

BSI C3A:2026

Domain – Datenhoheit; Domain – Cloud-Spezifische Anforderungen

GAIA-X

Sovereign Cloud – Anforderungen an Datenlokation und Transparenz

NIST SP 800-53

SC-1 – Cloud computing security; SC-7 – Boundary protection; SC-8 – Transmission confidentiality

NIST CSF 2.0

GV.PO – Policy; GV.RM – Risk management; GV.SC – Cybersecurity supply chain risk management

FedRAMP

SC-1, SC-7, SC-8 (High baseline)

TISAX

Information security – Data protection; Prototype protection – Sensitive data handling

ANSSI SecNumCloud

Domain – Data protection; Domain – Cloud security

BIO

BIO – Gegevensbescherming; BIO – Cloudbeveiliging

ENS High

ds.info.1 – Datos personales; ds.info.2 – Calificación de la información

UK NCSC CAF

B3 – Understanding data; B4 – System security

CMMC 2.0

SC.L2-3.13.16 – Protect CUI confidentiality at rest

IRAP

ISM – Data protection; ISM – Cloud security

CCCS PBMM

SC-7 – Boundary protection; SC-8 – Transmission confidentiality

MAS TRM

Ch.5 – Technology risk governance; Ch.8 – Cloud computing controls

ISMAP

Data sovereignty and cloud security

FISC

Technical measures – Data protection

WAF-SOV-060 – Privileged Access Controlled (Separation of Duties)

Description

Rationale

Threat Context

Regulatory Mapping

Requirement

Implementation Guidance

Maturity Levels

Terraform Checks

waf-sov-060.tf.aws.no-wildcard-iam-policy

waf-sov-060.tf.aws.no-administrator-access-managed-policy

waf-sov-060.tf.aws.iam-password-policy-configured

waf-sov-060.tf.aws.no-iam-user-direct-access-keys

waf-sov-060.tf.stackit.no-wildcard-iam-policy

Evidence

Related Controls

Regulatorisches Mapping

Best Practice