aa-3 High priority Account Security

Privileged accounts are separated and access is minimized

Administrator and privileged accounts are the highest-value targets for attackers. An attacker who compromises a privileged account can move laterally, exfiltrate data, and persist undetected far more easily than with a standard user account. Separating privileged accounts from daily-use accounts, minimizing how many people hold them, and reviewing them regularly keeps the blast radius of a single compromised credential small.

Complete first: aa-1, aa-2

Implementation steps

  1. Create separate privileged accounts for administrative tasks

    Administrators should have two accounts: a standard account for daily work (email, browsing, documents) and a separate privileged account used only for administrative tasks. The privileged account should never be used for routine work and should not have a mailbox or general browser access, so that phishing or malware that lands on the standard account cannot directly capture admin credentials.

    Tools: okta, azure-ad, aws-iam
  2. Apply just-in-time access for privileged operations

    Where possible, use time-limited privilege elevation rather than standing privileged access. Request elevated access for a specific task, perform the task, and let the elevation expire. Even if an admin account is compromised, an attacker holding its credentials outside an approved elevation window has no standing privileged access to abuse.

    Tools: cyberark, okta-pam, aws-iam, hashicorp-vault
  3. Minimize and document who holds privileged access

    Maintain an inventory of all privileged accounts, each with a named owner and a business justification. Reduce the number of accounts with admin access to the minimum necessary. Review the inventory quarterly and remove access that is no longer required. Alert whenever a new privileged account is created or an existing account is granted a privileged role.

    Tools: okta, aws-iam, drata, vanta
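
The three steps above, as an added worked example that is not part of this control page or of any vendor's tooling: a Python review script over a constructed IAM-style snapshot. The `Principal` records, `GROUP_POLICIES`, the `PRIVILEGED_POLICIES` set, the hypothetical `BreakGlassAdmin` policy, and the one-hour JIT window are all assumptions. It builds the privileged inventory from step 3, flags privileged IAM users that hold standing credentials and should instead be roles assumed for a bounded session (steps 1 and 2), flags roles whose session limit exceeds the JIT window, flags missing owner or justification, and diffs the inventory against the previous review's baseline so newly privileged principals can be alerted on. In AWS the snapshot would be built from `iam.get_account_authorization_details()` rather than the inline sample data.

```python
"""Privileged-account review over a constructed IAM-style snapshot.

Added example; not code from the control page or any vendor. The snapshot
format is an assumption: in AWS it would be populated from
iam.get_account_authorization_details() and the credential report.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Policies treated as privileged. Assumption: two AWS managed policies plus a
# hypothetical org-specific break-glass policy.
PRIVILEGED_POLICIES = {"AdministratorAccess", "IAMFullAccess", "BreakGlassAdmin"}
MAX_JIT_SESSION_SECONDS = 3600  # elevation longer than this counts as standing access


@dataclass
class Principal:
    name: str
    kind: str                               # "user" or "role"
    policies: set[str] = field(default_factory=set)   # directly attached
    groups: set[str] = field(default_factory=set)     # IAM group membership
    owner: str = ""
    justification: str = ""
    max_session_seconds: int = 0            # roles only (MaxSessionDuration)


# Group -> attached policies. Constructed sample data.
GROUP_POLICIES = {"Admins": {"AdministratorAccess"}, "Developers": {"PowerUserAccess"}}

# Constructed snapshot: one daily-use user, one separate admin user, one
# undocumented admin user, a JIT role, a legacy long-session role, a non-admin role.
SNAPSHOT = [
    Principal("alice", "user", groups={"Developers"}),
    Principal("alice-admin", "user", groups={"Admins"}, owner="alice",
              justification="IAM administration"),
    Principal("bob", "user", policies={"AdministratorAccess"}),
    Principal("AdminRole", "role", policies={"AdministratorAccess"},
              owner="platform-team", justification="Break-glass and change windows",
              max_session_seconds=3600),
    Principal("LegacyAdminRole", "role", policies={"IAMFullAccess"},
              owner="platform-team", justification="Legacy automation",
              max_session_seconds=43200),
    Principal("deployer", "role", policies={"PowerUserAccess"}, max_session_seconds=3600),
]


def effective_policies(p: Principal, group_policies=GROUP_POLICIES) -> set[str]:
    """Direct attachments plus everything inherited through group membership."""
    inherited = set().union(*(group_policies.get(g, set()) for g in p.groups))
    return p.policies | inherited


def is_privileged(p: Principal, group_policies=GROUP_POLICIES) -> bool:
    return bool(effective_policies(p, group_policies) & PRIVILEGED_POLICIES)


def inventory(snapshot=SNAPSHOT, group_policies=GROUP_POLICIES) -> list[str]:
    """Sorted names of every principal that can reach a privileged policy."""
    return sorted(p.name for p in snapshot if is_privileged(p, group_policies))


def findings(snapshot=SNAPSHOT, group_policies=GROUP_POLICIES) -> dict[str, list[str]]:
    """Review findings, keyed by name, for privileged principals only."""
    out: dict[str, list[str]] = {}
    for p in snapshot:
        if not is_privileged(p, group_policies):
            continue
        issues = []
        if p.kind == "user":
            # A privileged IAM user holds standing credentials; the separate
            # admin identity should assume a role for a bounded session instead.
            issues.append("standing privileged user; replace with an assumable role")
        elif p.max_session_seconds > MAX_JIT_SESSION_SECONDS:
            issues.append(f"session limit {p.max_session_seconds}s exceeds JIT window")
        if not p.owner or not p.justification:
            issues.append("missing owner or business justification")
        if issues:
            out[p.name] = issues
    return out


def newly_privileged(current: list[str], baseline: set[str]) -> set[str]:
    """Names in the current inventory that were absent from the last reviewed baseline."""
    return set(current) - baseline


if __name__ == "__main__":
    inv = inventory()
    print("privileged principals:", inv)
    for name, issues in findings().items():
        print(f"  {name}: {'; '.join(issues)}")
    # Baseline recorded at the previous quarterly review (constructed).
    print("new since last review:", newly_privileged(inv, {"AdminRole", "alice-admin"}))
```

Running it as-is lists four privileged principals, flags `alice-admin` and `bob` as standing privileged users (with `bob` also missing an owner), flags `LegacyAdminRole` for its 12-hour session limit, and reports `bob` and `LegacyAdminRole` as new since the baseline. Group-inherited policies are resolved because the most common way an inventory misses an admin is a user whose only admin grant comes through a group.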

Evidence required

Privileged account inventory

Documentation of all privileged accounts and their justification.

  • List of admin accounts with owners and business justification
  • IAM policy showing separation of privileged and standard roles
  • Quarterly privileged access review records

Related controls