Identity & Access Management (expanded): 47 items

IAM → Federation & Conditional Access

Tags: SSO, MFA

Question: Is workforce identity federated to cloud/SaaS with conditional access and phishing-resistant MFA?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- ISO 27001: A.9.2.1
- SOC 2: CC6.1

Applicability: Cloud consoles and SaaS

Expected Result: No local users; SSO only; FIDO2/WebAuthn for admins; risk/device policy gates.

Why It Matters: Eliminates password reuse and reduces phish success.

Technical Breakdown:

  1. Disable direct logins; enforce Conditional Access (CA); monitor impossible travel.

IAM → Service Accounts (No Shared Secrets)

Tags: Service Accounts

Question: Are service accounts non-human, least-privileged, rotated, and auditable?

Applicable Requirements:
- NIST 800-53: IA-5, AC-6
- SOC 2: CC6.1

Applicability: Automation and integrations

Expected Result: No shared creds; unique identities; short-lived tokens; PAM/secret manager rotation.

Why It Matters: Shared/long-lived secrets are high-risk.

Technical Breakdown:

  1. SCIM/IGA lifecycle; vault credentials; per-service roles.

IAM → JIT Privilege Elevation

Tags: PAM, PIM, JIT

Question: Is JIT elevation enforced for admin roles with auto-revoke and session recording?

Applicable Requirements:
- NIST 800-53: AC-2(2), AC-5
- ISO 27001: A.9.2.3

Applicability: Admin access

Expected Result: No standing admins; elevation ≤ 1h; approvals; logs to SIEM.

Why It Matters: Reduces attack surface and blast radius.

Technical Breakdown:

  1. PAM/PIM integration; break-glass controls; rotate post-use.

IAM → Access Reviews

Tags: IGA, Certifications

Question: Are quarterly access certifications performed for privileged roles/data sets?

Applicable Requirements:
- NIST 800-53: AC-2(7), AC-6

Applicability: Privileged/sensitive systems

Expected Result: Quarterly reviews; attestations and removals tracked.

Why It Matters: Prevents privilege creep.

Technical Breakdown:

  1. Risk-prioritize systems; auto-revoke unattended access.

IAM → Authorization Policy-as-Code

Tags: OPA, Cedar

Question: Is authZ centralized as code (OPA/Cedar) with unit tests and decision logs?

Applicable Requirements:
- NIST 800-53: AC-3, SA-10
- SOC 2: CC7.2

Applicability: Microservices/APIs

Expected Result: Policies in repo; CI tests; PDP/sidecar; logs for audits.

Why It Matters: Consistency and verifiability.

Technical Breakdown:

  1. Dry-run before promoting; version policies with app releases.

IAM (AWS) → Root/Break-Glass Controls

Tags: Root, Break-glass

Question: Are root/owner accounts locked down with HSM-backed MFA, vault storage, and no daily use?

Applicable Requirements:
- NIST 800-53: IA-2(1), AC-6
- SOC 2: CC6.1

Applicability: Cloud org roots/tenant owners

Expected Result: FIDO2 on roots; keys in vault; no API keys; monitored logins.

Why It Matters: Root compromise is catastrophic.

Technical Breakdown:

  1. Disable access keys; alert on any root authentication; require approvals.
  2. AWS: SSO only; disable IAM users.
  3. AWS: Use Permission Boundaries; SCP guardrails.
  4. AWS: Access Analyzer for wildcards.

IAM (AWS) → Permissions Boundaries/Constraints

Tags: Guardrails

Question: Do you enforce org-level constraints (SCPs, Organization Policies) to prevent privilege escalation?

Applicable Requirements:
- NIST 800-53: AC-6, CM-7
- NIST CSF: PR.AC

Applicability: Cloud orgs

Expected Result: Deny wildcard admin; forbid public storage; restrict key actions.

Why It Matters: Prevents drift and toxic privilege combinations.

Technical Breakdown:

  1. Template guardrails; unit-test policies; attest exceptions.
  2. AWS: SSO only; disable IAM users.
  3. AWS: Use Permission Boundaries; SCP guardrails.
  4. AWS: Access Analyzer for wildcards.

IAM (Azure) → Root/Break-Glass Controls

Tags: Root, Break-glass

Question: Are root/owner accounts locked down with HSM-backed MFA, vault storage, and no daily use?

Applicable Requirements:
- NIST 800-53: IA-2(1), AC-6
- SOC 2: CC6.1

Applicability: Cloud org roots/tenant owners

Expected Result: FIDO2 on roots; keys in vault; no API keys; monitored logins.

Why It Matters: Root compromise is catastrophic.

Technical Breakdown:

  1. Disable access keys; alert on any root authentication; require approvals.
  2. Azure: Enforce Conditional Access; block legacy auth.
  3. Azure: Privileged Identity Management (PIM).
  4. Azure: Review risky sign-ins in Entra ID.

IAM (Azure) → Permissions Boundaries/Constraints

Tags: Guardrails

Question: Do you enforce org-level constraints (SCPs, Organization Policies) to prevent privilege escalation?

Applicable Requirements:
- NIST 800-53: AC-6, CM-7
- NIST CSF: PR.AC

Applicability: Cloud orgs

Expected Result: Deny wildcard admin; forbid public storage; restrict key actions.

Why It Matters: Prevents drift and toxic privilege combinations.

Technical Breakdown:

  1. Template guardrails; unit-test policies; attest exceptions.
  2. Azure: Enforce Conditional Access; block legacy auth.
  3. Azure: Privileged Identity Management (PIM).
  4. Azure: Review risky sign-ins in Entra ID.

IAM (GCP) → Root/Break-Glass Controls

Tags: Root, Break-glass

Question: Are root/owner accounts locked down with HSM-backed MFA, vault storage, and no daily use?

Applicable Requirements:
- NIST 800-53: IA-2(1), AC-6
- SOC 2: CC6.1

Applicability: Cloud org roots/tenant owners

Expected Result: FIDO2 on roots; keys in vault; no API keys; monitored logins.

Why It Matters: Root compromise is catastrophic.

Technical Breakdown:

  1. Disable access keys; alert on any root authentication; require approvals.
  2. GCP: Use Workforce/Workload Identity Federation.
  3. GCP: Restrict basic (formerly primitive) roles; use IAM Conditions.
  4. GCP: Organization Policies enforce constraints.

IAM (GCP) → Permissions Boundaries/Constraints

Tags: Guardrails

Question: Do you enforce org-level constraints (SCPs, Organization Policies) to prevent privilege escalation?

Applicable Requirements:
- NIST 800-53: AC-6, CM-7
- NIST CSF: PR.AC

Applicability: Cloud orgs

Expected Result: Deny wildcard admin; forbid public storage; restrict key actions.

Why It Matters: Prevents drift and toxic privilege combinations.

Technical Breakdown:

  1. Template guardrails; unit-test policies; attest exceptions.
  2. GCP: Use Workforce/Workload Identity Federation.
  3. GCP: Restrict basic (formerly primitive) roles; use IAM Conditions.
  4. GCP: Organization Policies enforce constraints.

IAM (OCI) → Root/Break-Glass Controls

Tags: Root, Break-glass

Question: Are root/owner accounts locked down with HSM-backed MFA, vault storage, and no daily use?

Applicable Requirements:
- NIST 800-53: IA-2(1), AC-6
- SOC 2: CC6.1

Applicability: Cloud org roots/tenant owners

Expected Result: FIDO2 on roots; keys in vault; no API keys; monitored logins.

Why It Matters: Root compromise is catastrophic.

Technical Breakdown:

  1. Disable access keys; alert on any root authentication; require approvals.
  2. OCI: Use Identity Domains; Federation to IdP.
  3. OCI: Compartment-based least privilege.
  4. OCI: IAM policies reviewed quarterly.

IAM (OCI) → Permissions Boundaries/Constraints

Tags: Guardrails

Question: Do you enforce org-level constraints (SCPs, Organization Policies) to prevent privilege escalation?

Applicable Requirements:
- NIST 800-53: AC-6, CM-7
- NIST CSF: PR.AC

Applicability: Cloud orgs

Expected Result: Deny wildcard admin; forbid public storage; restrict key actions.

Why It Matters: Prevents drift and toxic privilege combinations.

Technical Breakdown:

  1. Template guardrails; unit-test policies; attest exceptions.
  2. OCI: Use Identity Domains; Federation to IdP.
  3. OCI: Compartment-based least privilege.
  4. OCI: IAM policies reviewed quarterly.

IAM → Passwordless for Admins

Tags: Identity, Baseline

Question: Are admins required to use passwordless auth (passkeys/WebAuthn)?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Session Lifetime & Reauth

Tags: Identity, Baseline

Question: Do sessions expire quickly with step-up for sensitive actions?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Geo/Device Risk Policies

Tags: Identity, Baseline

Question: Are risky sign-ins blocked by geo/device posture policies?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → API Access Governance

Tags: Identity, Baseline

Question: Are API client IDs/secrets lifecycle-managed and reviewed?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Contractor Access

Tags: Identity, Baseline

Question: Do contractors have separated tenants/groups and time-bound access?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Orphaned Accounts

Tags: Identity, Baseline

Question: Are deprovisions enforced within 24h and sessions revoked instantly?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Shared Mailboxes/Generic IDs

Tags: Identity, Baseline

Question: Are generic/shared accounts prohibited or tightly controlled?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Key Rotation for Signing

Tags: Identity, Baseline

Question: Are token signing keys rotated with JWKS and rollover windows?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Audit & Alerting

Tags: Identity, Baseline

Question: Are critical IAM changes alerted (role grants, policy edits, MFA disabled)?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Device Bind & Posture

Tags: Identity, Baseline

Question: Is device compliance required for privileged console access?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17, AC-6
- SOC 2: CC6.1, CC7.2

Applicability: Admin and sensitive access contexts.

Expected Result: Policies configured and enforced; telemetry proves effectiveness.

Why It Matters: Stops common identity-driven attacks.

Technical Breakdown:

  1. Define baselines; review quarterly; integrate with SIEM.

IAM → Cloud-Specific Guardrails (AWS)

Tags: AWS, SSO

Question: Are org/tenant guardrails enforcing least privilege and preventing public exposure and escalation?

Applicable Requirements:
- NIST 800-53: CM-7, AC-6
- NIST CSF: PR.AC

Applicability: Cloud organizations/tenants.

Expected Result: Guardrails deny risky patterns (public storage, wildcard roles, key deletes).

Why It Matters: Prevents configuration drift and toxic privilege combinations.

Technical Breakdown:

  1. Template and test guardrails; document exceptions with expiry.
  2. AWS SSO Permission Sets

IAM → Cloud-Specific Guardrails (Azure)

Tags: Azure, Entra

Question: Are org/tenant guardrails enforcing least privilege and preventing public exposure and escalation?

Applicable Requirements:
- NIST 800-53: CM-7, AC-6
- NIST CSF: PR.AC

Applicability: Cloud organizations/tenants.

Expected Result: Guardrails deny risky patterns (public storage, wildcard roles, key deletes).

Why It Matters: Prevents configuration drift and toxic privilege combinations.

Technical Breakdown:

  1. Template and test guardrails; document exceptions with expiry.
  2. Azure Entra Conditional Access

IAM → Cloud-Specific Guardrails (GCP)

Tags: GCP, OrgPolicy

Question: Are org/tenant guardrails enforcing least privilege and preventing public exposure and escalation?

Applicable Requirements:
- NIST 800-53: CM-7, AC-6
- NIST CSF: PR.AC

Applicability: Cloud organizations/tenants.

Expected Result: Guardrails deny risky patterns (public storage, wildcard roles, key deletes).

Why It Matters: Prevents configuration drift and toxic privilege combinations.

Technical Breakdown:

  1. Template and test guardrails; document exceptions with expiry.
  2. GCP Org Policy Constraints

IAM → Cloud-Specific Guardrails (OCI)

Tags: OCI, Compartments

Question: Are org/tenant guardrails enforcing least privilege and preventing public exposure and escalation?

Applicable Requirements:
- NIST 800-53: CM-7, AC-6
- NIST CSF: PR.AC

Applicability: Cloud organizations/tenants.

Expected Result: Guardrails deny risky patterns (public storage, wildcard roles, key deletes).

Why It Matters: Prevents configuration drift and toxic privilege combinations.

Technical Breakdown:

  1. Template and test guardrails; document exceptions with expiry.
  2. OCI Compartments & Policies

IAM → Operational Controls: SCIM Provisioning

Tags: IAM

Question: Is the following control enforced: SCIM Provisioning?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: SaaS apps that support SCIM

Expected Result: Automated joiner/mover/leaver (JML) provisioning; no manual grants

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: Delegated Administration

Tags: IAM

Question: Is the following control enforced: Delegated Administration?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Business unit admins

Expected Result: Scoped, time-bound delegated roles with audit

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: Step-Up Authentication

Tags: IAM

Question: Is the following control enforced: Step-Up Authentication?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Sensitive operations

Expected Result: Re-auth with WebAuthn/passkey + device attest

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: Session Revocation

Tags: IAM

Question: Is the following control enforced: Session Revocation?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Termination or compromise

Expected Result: Instant JWT/session revocation and token kill

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: API Key Governance

Tags: IAM

Question: Is the following control enforced: API Key Governance?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Developer keys

Expected Result: Per-app keys; rotation; usage logs; no sharing

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: Group Sprawl Control

Tags: IAM

Question: Is the following control enforced: Group Sprawl Control?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Large directories

Expected Result: Attest group ownership; cap nested depth; cleanup jobs

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: Privileged Role Alerts

Tags: IAM

Question: Is the following control enforced: Privileged Role Alerts?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: IAM role changes

Expected Result: Real-time alerts on role grants/policy edits

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: Geo-Fencing

Tags: IAM

Question: Is the following control enforced: Geo-Fencing?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Admin console access

Expected Result: Restrict to approved geos; alert anomalies

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: Privileged Access Reporting

Tags: IAM

Question: Is the following control enforced: Privileged Access Reporting?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Audit needs

Expected Result: Monthly reports of all privileged sessions

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Operational Controls: FIDO Key Inventory

Tags: IAM

Question: Is the following control enforced: FIDO Key Inventory?

Applicable Requirements:
- NIST 800-53: IA-2, AC-17
- SOC 2: CC6.1, CC7.2

Applicability: Security keys fleet

Expected Result: Tracked, phishing-resistant MFA coverage >98%

Why It Matters: Improves identity hygiene and auditability.

Technical Breakdown:

  1. Define KPIs; auto-enforce via IdP/PAM APIs; quarterly attestations.

IAM → Advanced Controls: Privileged Browser Isolation

Tags: IAM-Advanced

Question: Is the following control enforced: Privileged Browser Isolation?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: Admin consoles

Expected Result: Isolated browser or VDI for admin access

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: MFA Fatigue Resistance

Tags: IAM-Advanced

Question: Is the following control enforced: MFA Fatigue Resistance?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: Push-based MFA

Expected Result: Number matching; rate limits; context in prompts

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: Password Policy (NIST 800-63B)

Tags: IAM-Advanced

Question: Is the following control enforced: Password Policy (NIST 800-63B)?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: Password auth where still used

Expected Result: Block common passwords; no forced composition (complexity) rules; longer minimum length

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: Sign-In Risk Policies

Tags: IAM-Advanced

Question: Is the following control enforced: Sign-In Risk Policies?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: IdP analytics

Expected Result: Deny risky sign-ins; require step-up; investigate

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: Device Certificate Attestation

Tags: IAM-Advanced

Question: Is the following control enforced: Device Certificate Attestation?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: Managed devices

Expected Result: Device certs with attestation in IdP

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: Human vs Non-Human Identity Split

Tags: IAM-Advanced

Question: Is the following control enforced: Human vs Non-Human Identity Split?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: Directories

Expected Result: Separate OU/groups; distinct policies and reviews

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: SSH Certificate Authorities

Tags: IAM-Advanced

Question: Is the following control enforced: SSH Certificate Authorities?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: Server admin

Expected Result: Short-lived SSH certs via CA; no static keys

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: Database Access Broker

Tags: IAM-Advanced

Question: Is the following control enforced: Database Access Broker?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: DB admin/users

Expected Result: IAM/PAM-brokered access; short-lived creds; per-query audit

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: SaaS Admin Role Minimization

Tags: IAM-Advanced

Question: Is the following control enforced: SaaS Admin Role Minimization?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: SaaS platforms

Expected Result: Break-glass account plus minimal admins per tenant

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.

IAM → Advanced Controls: Privileged Session Watermarking

Tags: IAM-Advanced

Question: Is the following control enforced: Privileged Session Watermarking?

Applicable Requirements:
- NIST 800-53: IA-2, AC-6, AU-12
- SOC 2: CC6.1, CC7.2

Applicability: Admin GUIs

Expected Result: Visual watermarks; screen capture detection

Why It Matters: Protects high-value admin sessions and reduces identity attack surface.

Technical Breakdown:

  1. Harden MFA UX; broker DB/SSH via cert-based short-lived access; separate human/non-human identities.