AuditRubric
pr-aa-3 critical Protect / Identity Management, Authentication, and Access Control

Users, services, and hardware are authenticated

Authentication is not just for human users. Service accounts, APIs, and physical devices also need verified identities. Unauthenticated services and hardware are common pivot points in breaches: an attacker who compromises one workload can move laterally to everything else that workload can talk to without proof of identity.

Estimated effort: 4h
Tags: authentication, mfa, service-accounts, certificates
Complete first: pr-aa-1, pr-aa-2

Implementation steps

  1. Audit and secure all service accounts

     Enumerate every non-human account: CI/CD pipelines, monitoring agents, automation scripts, cloud service principals. Replace long-lived passwords and API keys with short-lived credentials or role-based authentication wherever possible.

     Tools: vault, aws-iam, google-cloud-iam, azure-managed-identity

  2. Enforce certificate-based authentication for devices

     Issue device certificates through an MDM or PKI system. Require devices to present a valid certificate to access corporate resources. This ensures only managed, known hardware can connect.

     Tools: jamf, microsoft-intune, smallstep, certmanager

  3. Rotate and scope service credentials

     Set maximum lifetimes on all service credentials. API keys should expire. Certificates should auto-renew. Each service account should have only the permissions it needs, nothing more.

     Tools: vault, aws-secrets-manager, doppler

  4. Document all non-human identities

     Maintain an inventory of every service account, bot token, and certificate. Record the owner, purpose, expiry date, and access scope. Review this inventory quarterly alongside human identity reviews.
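As an added example (not part of the rubric or any listed tool), the check below runs the four steps above against a constructed service-account inventory: it flags long-lived passwords, credentials with no expiry or a lifetime over an assumed maximum, certificates about to expire without auto-renewal, missing owners, and wildcard scopes. The policy limits, record fields and sample entries are all assumptions.

```python
# Added example: audit a constructed non-human identity inventory against
# the lifetime and scoping rules described above. Limits are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed maximum credential lifetimes; the rubric sets no specific values.
MAX_AGE = {"api-key": timedelta(days=90), "certificate": timedelta(days=365)}
RENEWAL_WARNING = timedelta(days=30)
REVIEW_DATE = date(2024, 12, 15)  # constructed review date

@dataclass
class Identity:
    name: str
    kind: str                     # "password", "api-key", "certificate", "role"
    owner: Optional[str]
    purpose: str
    issued: date
    expires: Optional[date]       # None means the credential never expires
    scope: List[str] = field(default_factory=list)
    auto_renew: bool = False

def audit(ident: Identity, today: date) -> List[str]:
    """Return the policy findings for one non-human identity."""
    findings = []
    if not ident.owner:
        findings.append("no owner recorded")
    if ident.kind == "password":
        findings.append("long-lived password; replace with short-lived credential or role")
    if ident.kind in MAX_AGE:            # roles carry no static secret, so skip them
        if ident.expires is None:
            findings.append(f"{ident.kind} never expires")
        elif ident.expires - ident.issued > MAX_AGE[ident.kind]:
            findings.append(f"{ident.kind} lifetime exceeds {MAX_AGE[ident.kind].days} days")
        if ident.expires is not None and ident.expires <= today:
            findings.append("credential expired")
        elif ident.expires is not None and ident.expires - today <= RENEWAL_WARNING and not ident.auto_renew:
            findings.append("expires within 30 days and is not auto-renewed")
    if "*" in ident.scope or any(s.endswith(":*") for s in ident.scope):
        findings.append("wildcard permission scope")
    return findings

def audit_inventory(inventory: List[Identity], today: date) -> Dict[str, List[str]]:
    """Map each identity name to its findings; clean identities are omitted."""
    return {i.name: audit(i, today) for i in inventory if audit(i, today)}

# Constructed sample inventory (owner, purpose, expiry and scope as the rubric asks).
SAMPLE = [
    Identity("ci-deployer", "api-key", "platform-team", "deploy to staging", date(2024, 1, 1), None, ["deploy:staging"]),
    Identity("monitoring-agent", "certificate", "sre", "scrape metrics", date(2024, 1, 1), date(2024, 12, 31), ["metrics:read"]),
    Identity("legacy-backup", "password", None, "nightly backup", date(2020, 5, 1), None, ["*"]),
    Identity("billing-sync", "role", "finance-eng", "sync invoices", date(2024, 6, 1), None, ["invoices:read"]),
]
```

Running `audit_inventory(SAMPLE, REVIEW_DATE)` flags the API key with no expiry, the certificate that is not auto-renewed, and the unowned legacy password with a wildcard scope, while the role-based identity passes.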

Evidence required

Service account inventory

A list of all non-human accounts with their owner, purpose, credential type, and expiry.

  • Spreadsheet or CMDB export of service accounts and API keys
  • Vault secrets engine showing all service account credentials with TTLs
  • AWS IAM roles report filtered to service roles

Device certificate configuration

Evidence that devices are required to present certificates to access network resources.

  • MDM enrollment certificate policy screenshot
  • 802.1X or VPN configuration requiring client certificates
  • Smallstep or ADCS certificate authority configuration

Credential rotation policy

Written policy or automated configuration showing that service credentials have maximum lifetimes and are rotated.

  • Vault policy defining TTLs for secret leases
  • AWS Secrets Manager rotation schedule screenshot
  • Policy document stating maximum API key age

Related controls