WAF++

WAF-SOV-060 – Privileged Access Controlled (Separation of Duties)

Description

Privileged roles MUST be minimized, time-limited, and subject to regular access reviews. Separation of duties MUST be enforced: no single principal may simultaneously create infrastructure, approve deployments, AND manage encryption keys.

Wildcard IAM permissions (Action: * on Resource: *) are prohibited. Administrative access MUST be provisioned JIT (Just-In-Time) where technically feasible.

Rationale

Over-privileged access is the primary attack vector for both external compromise and insider threats in cloud environments. A developer with AdministratorAccess can bypass arbitrary data residency controls, disable logging, or exfiltrate key material.

Sovereignty requires that administrative actions be restricted, observable, and accountable. Separation of duties prevents a single compromised credential from destroying the entire sovereignty posture.

Threat Context

Risk | Description
Compromised developer credentials | Wildcard permissions enable full data access upon credential compromise.
CI/CD with AdministratorAccess | Build pipeline service account with full access enables arbitrary infrastructure changes.
Missing SoD | A single principal can change key policy and then access encrypted data.
Permanent admin credentials | Never-rotated admin keys without MFA enforcement are a persistent attack target.
Over-privileged service accounts | Routine non-privileged tasks performed via accounts with excessive permissions.

Regulatory Mapping

Framework | Controls
GDPR | Art. 32 – Security of processing (access control); Art. 5(1)(f) – Integrity and confidentiality
BSI C5:2020 | IAM-01 – Identity and access management; IAM-03 – Privileged access management; IAM-05 – Separation of duties
EUCS (ENISA) | IAM-01 – Access control policy; IAM-03 – Privileged access
ISO 27001:2022 | A.8.2 – Privileged access rights; A.8.3 – Restriction of access to information; A.5.3 – Separation of duties
SOC 2 | CC6.3 – Role-based access control; CC6.6 – Logical access

Requirement

  • Wildcard actions (Action: *) combined with wildcard resources (Resource: *) are prohibited in custom policies

  • AdministratorAccess may only be assigned in documented break-glass scenarios

  • MFA MUST be enforced for all human principals with production access

  • IAM password policy MUST be configured (minimum length >= 14, expiry <= 90 days)

  • Long-lived static access keys SHOULD NOT be created via Terraform

  • Quarterly IAM access reviews MUST be performed and documented

  • JIT access MUST be implemented for privileged operations where feasible

  • SCP/Azure Policy MUST prevent privilege escalation at the organization level

Implementation Guidance

  1. Least privilege: Grant only the permissions required for the specific task.

  2. IAM roles over IAM users: Avoid long-lived access keys; use OIDC federation for CI/CD.

  3. Wildcard prohibition: Explicitly prohibit Action: * combined with Resource: * in custom policies.

  4. AdministratorAccess only for break-glass: Only in documented emergency scenarios; implement JIT activation.

  5. JIT access: AWS IAM Identity Center, Azure PIM, or equivalent solution for privileged access.

  6. Enforce MFA: For all human principals with production access; SCP for enforcement.

  7. Quarterly access reviews: Document quarterly IAM access reviews with findings and remediation status.

  8. SCP/Azure Policy: Block privilege escalation actions at the organization level.

  9. CI/CD separation: Separate deploy permissions from data access permissions.

Maturity Levels

Level | Name | Criteria
1 | Basic IAM roles, no wildcard admin | No AdministratorAccess assigned to regular user accounts; IAM users have separate roles per responsibility.
2 | Least-privilege roles, MFA enforced | No Action:*/Resource:* in custom policies; MFA for all human console/API access; annual IAM review performed.
3 | JIT access, formal SoD, quarterly reviews | JIT provisioning for privileged access; documented SoD matrix (who may do what); quarterly reviews with evidence.
4 | Automated detection of privilege drift | IAM Access Analyzer or equivalent tool continuously monitors for over-privileged policies; alerts on policy changes; SCP blocks privilege escalation.
5 | Zero-trust IAM with continuous verification | All access context-aware and time-limited; automated remediation of policy violations; IAM compliance integrated into deployment pipeline.

Terraform Checks

waf-sov-060.tf.aws.no-wildcard-iam-policy

Checks: IAM policies must not contain the Action:* with Resource:* combination.

Compliant:
data "aws_iam_policy_document" "s3_read" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      aws_s3_bucket.data.arn,
      "${aws_s3_bucket.data.arn}/*"
    ]
    # ✅ Specific actions scoped to one bucket
  }
}

Non-Compliant:
data "aws_iam_policy_document" "admin" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
    # ❌ Full administrative access
  }
}

waf-sov-060.tf.aws.no-administrator-access-managed-policy

Checks: The AWS managed policy AdministratorAccess must not be attached to regular roles.

Compliant:
resource "aws_iam_role_policy_attachment" "app" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.app_custom.arn
  # ✅ Uses a custom least-privilege policy
}

Non-Compliant:
resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.developer.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  # ❌ AdministratorAccess on a regular role
}

waf-sov-060.tf.aws.iam-password-policy-configured

Checks: IAM account password policy must be configured (minimum length >= 14, expiry <= 90 days).

Compliant:
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 16
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

Non-Compliant:
# ❌ No aws_iam_account_password_policy resource
#    defined – provider defaults apply

waf-sov-060.tf.aws.no-iam-user-direct-access-keys

Checks: Long-lived IAM access keys should not be created via Terraform.

# Non-Compliant: Static long-lived credentials via Terraform
resource "aws_iam_access_key" "user" {
  user   = aws_iam_user.service.name
  status = "Active"  # ⚠️ Long-lived static key
}

# Compliant: OIDC-based short-lived tokens for CI/CD
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["..."]
}
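Added example, not the WAF++ project's own checker: a Python implementation of three of the Terraform checks above (no-wildcard-iam-policy, no-administrator-access-managed-policy and iam-password-policy-configured) run over a constructed list of resources. The input shape (one dict per resource with "type", "name" and "values") is a simplification of the resource entries that `terraform show -json` emits for a plan; the sample resources mirror the compliant and non-compliant snippets on this page, with the bucket ARN and account ID made up for the example. The wildcard check handles the forms IAM allows (Action and Resource as a string or a list) and ignores Deny statements, since only an Allow of Action:* on Resource:* is the prohibited combination.

```python
"""Added example (not WAF++ project code): three waf-sov-060 policy checks in Python.

Input: a list of resource dicts with keys "type", "name" and "values", a constructed
simplification of the resource entries in `terraform show -json` plan output.
"""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
POLICY_TYPES = ("aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy")
ATTACHMENT_TYPES = ("aws_iam_role_policy_attachment", "aws_iam_user_policy_attachment",
                    "aws_iam_group_policy_attachment", "aws_iam_policy_attachment")


def _as_list(value):
    """IAM lets Action, Resource and Statement be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def statement_grants_full_admin(statement):
    """True when an Allow statement combines Action:* with Resource:* (the prohibited combination)."""
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def check_no_wildcard_iam_policy(resources):
    """waf-sov-060.tf.aws.no-wildcard-iam-policy: return addresses of custom policies
    whose document contains an Allow statement with Action:* and Resource:*."""
    findings = []
    for res in resources:
        if res["type"] not in POLICY_TYPES:
            continue
        policy = res.get("values", {}).get("policy")
        if policy is None:  # value unknown until apply; nothing to inspect in the plan
            continue
        doc = json.loads(policy) if isinstance(policy, str) else policy
        if any(statement_grants_full_admin(s) for s in _as_list(doc.get("Statement"))):
            findings.append(f"{res['type']}.{res['name']}")
    return findings


def check_no_admin_managed_policy(resources):
    """waf-sov-060.tf.aws.no-administrator-access-managed-policy: return addresses of
    attachments that bind the AWS managed AdministratorAccess policy to a principal."""
    return [f"{r['type']}.{r['name']}" for r in resources
            if r["type"] in ATTACHMENT_TYPES
            and r.get("values", {}).get("policy_arn") == ADMIN_POLICY_ARN]


def check_password_policy(resources, min_length=14, max_age_days=90):
    """waf-sov-060.tf.aws.iam-password-policy-configured: return a list of problems
    (empty list means compliant). An unset max_password_age means passwords never expire."""
    policies = [r for r in resources if r["type"] == "aws_iam_account_password_policy"]
    if not policies:
        return ["no aws_iam_account_password_policy resource defined"]
    problems = []
    for p in policies:
        values = p.get("values", {})
        address = f"{p['type']}.{p['name']}"
        length = values.get("minimum_password_length")
        if length is None or length < min_length:
            problems.append(f"{address}: minimum_password_length {length} < {min_length}")
        age = values.get("max_password_age")
        if not age or age > max_age_days:
            problems.append(f"{address}: max_password_age {age} is unset or > {max_age_days} days")
    return problems


def run_checks(resources):
    """Run all three checks; a resource set is compliant when every list is empty."""
    return {
        "no-wildcard-iam-policy": check_no_wildcard_iam_policy(resources),
        "no-administrator-access-managed-policy": check_no_admin_managed_policy(resources),
        "iam-password-policy-configured": check_password_policy(resources),
    }


# Constructed sample mirroring the compliant / non-compliant snippets on this page
# (bucket name and account ID are made up).
SAMPLE_RESOURCES = [
    {"type": "aws_iam_policy", "name": "s3_read", "values": {"policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]}]})}},
    {"type": "aws_iam_policy", "name": "admin", "values": {"policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"type": "aws_iam_role_policy_attachment", "name": "app",
     "values": {"role": "app", "policy_arn": "arn:aws:iam::123456789012:policy/app_custom"}},
    {"type": "aws_iam_role_policy_attachment", "name": "admin",
     "values": {"role": "developer", "policy_arn": ADMIN_POLICY_ARN}},
    {"type": "aws_iam_account_password_policy", "name": "strict",
     "values": {"minimum_password_length": 16, "max_password_age": 90,
                "require_symbols": True, "password_reuse_prevention": 24}},
]

if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE_RESOURCES).items():
        print(f"{check}: {'PASS' if not findings else 'FAIL ' + str(findings)}")
```

The sample fails the first two checks (aws_iam_policy.admin and aws_iam_role_policy_attachment.admin) and passes the password-policy check; dropping the password policy resource from the list reproduces the non-compliant case above, where no resource is defined at all.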

Evidence

Type | Required | Description
IaC | ✅ Required | IAM policy documents in Terraform without wildcard permissions and with least-privilege design.
Process | ✅ Required | Quarterly IAM access review records with findings and remediation status.
Config | Optional | IAM Access Analyzer findings export without active overpermission issues.
Logs | Optional | CloudTrail logs with privileged access events for review.
Config | Optional | SCP or Azure Policy configuration restricting privilege escalation.