Use the principle of least privilege
Summary
The principle of least privilege must be applied when creating new objects and roles, setting access permissions, and accessing other systems.
Description
Systems should define a set of roles with different levels of privilege for accessing resources. Users and applications should always be assigned the role with the minimum privilege required to perform their functions. Violating this principle can itself be a vulnerability, and it can also amplify the impact of other vulnerabilities when they are exploited.
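As an added illustration (not part of the original page or of any Fluid Attacks tooling), the following Python script contrasts an over-privileged IAM policy with one scoped to the single operation an application needs, and checks a policy document for the wildcard grants that the "Excessive privileges - Wildcards" and "Excessive privileges - AWS" findings listed below describe. Both policies are constructed samples; the bucket name and the function names are assumptions made for the example.

```python
"""Flag IAM policy statements that grant more than least privilege.

Added example with constructed sample policies. The checker inspects
only Allow statements and reports wildcard actions ("*", "s3:*",
"s3:Get*") and the wildcard resource "*", which together let a role do
far more than its function requires.
"""
import json

# Constructed sample: a role that may do anything to any resource.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed sample: the same role limited to reading one prefix of one
# (hypothetical) bucket, which is all the application actually needs.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/reports/*",
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_excessive_grants(policy):
    """Return human-readable findings for wildcard grants in a policy document."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow privilege; they are not findings
        sid = stmt.get("Sid", f"statement[{index}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: full wildcard action {action!r}")
            elif "*" in action:
                findings.append(f"{sid}: partial wildcard action {action!r}")
        # Only a bare "*" resource is flagged; an ARN with a prefix wildcard
        # (".../reports/*") is still scoped to that bucket and prefix.
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: wildcard resource '*' (applies to every resource)")
    return findings


def is_least_privilege(policy):
    """True when no Allow statement uses a wildcard action or resource."""
    return not find_excessive_grants(policy)


def check_policy_json(text):
    """Convenience wrapper for a policy document stored as a JSON string."""
    return find_excessive_grants(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("permissive", OVERLY_PERMISSIVE_POLICY),
                         ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", find_excessive_grants(policy) or "no wildcard grants")
```

The check is deliberately narrow: it catches the wildcard pattern rather than deciding whether a specific action is needed, which requires knowing the function's actual workload. In practice it is run as a guard in the pipeline that deploys IAM roles, so a policy that grants `*` never reaches production.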
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-17. Using malicious files
- CAPEC™-23. File content injection
- CAPEC™-27. Leveraging race conditions via symbolic links
- CAPEC™-35. Leverage executable code in non-executable files
- CAPEC™-122. Privilege abuse
- CAPEC™-153. Input data manipulation
- CAPEC™-176. Configuration/Environment manipulation
- CAPEC™-233. Privilege escalation
- CIS-2_7. Allowlist authorized scripts
- CWE™-250. Execution with unnecessary privileges
- CWE™-269. Improper privilege management
- CWE™-272. Least privilege violation
- CWE™-276. Incorrect default permissions
- CWE™-732. Incorrect permission assignment for critical resource
- NIST 800-53-AC-6. Least privilege
- OWASP TOP 10-A1. Broken access control
- SOC2®-CC6_3. Logical and physical access controls
- SOC2®-P1_1. Additional criteria for privacy (related to notice and communication of objectives related to privacy)
- NIST Framework-PR_AC-4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- CERT-J-FIO01-J. Create files with appropriate access permissions
- MITRE ATT&CK®-M1056. Pre-compromise
- PA-DSS-3_4. Limit access to required functions/resources and enforce least privilege for built-in accounts
- PA-DSS-5_2_8. Improper access controls
- CMMC-AC_L2-3_1_5. Least privilege
- CMMC-CM_L2-3_4_6. Least functionality
- HITRUST CSF-09_c. Segregation of duties
- FedRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
- ISA/IEC 62443-RA-7_7. Least functionality
- WASC-W_17. Improper filesystem permissions
- OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
- OWASP SCP-5. Access control
- OWASP SCP-8. Data protection
- OWASP SCP-10. System configuration
- BSAFSS-AA_1-1. Principle of least privilege
- NIST 800-171-1_5. Employ the principle of least privilege, including for specific security functions and privileged accounts
- NIST 800-171-4_6. Employ the principle of least functionality and provide only essential capabilities
- SWIFT CSCF-5_1. Logical access control
- OWASP ASVS-1_2_1. Authentication architecture
- OWASP ASVS-4_1_3. General access control design
- C2M2-9_2_e. Implement network protections for cybersecurity architecture
- C2M2-9_3_c. Implement IT and OT asset security for cybersecurity architecture
- PCI DSS-7_2_5. Access to system components and data is defined and assigned
- SIG Lite-SL_148. Is there a process that requires security approval to allow external networks to connect to the company network, and enforces the least privilege necessary?
- SIG Core-H_1_2. Access control
- SIG Core-U_1_2_2. Server security
- OWASP ASVS-1_2_2. Authentication architecture
- OWASP MASVS-V6_1. Platform interaction requirements
- CASA-1_2_2. Authentication Architecture
- CASA-4_1_3. General Access Control Design
- CASA-4_3_3. Other Access Control Considerations
- Resolution SB 2021 2126-Art_27_18. Security in Electronic Channels
Vulnerabilities
- 031. Excessive privileges - AWS
- 101. Lack of protection against deletion
- 159. Excessive privileges
- 160. Excessive privileges - Temporary Files
- 256. Lack of protection against deletion - RDS
- 257. Lack of protection against deletion - EC2
- 258. Lack of protection against deletion - ELB
- 259. Lack of protection against deletion - DynamoDB
- 266. Excessive Privileges - Docker
- 267. Excessive Privileges - Kubernetes
- 325. Excessive privileges - Wildcards
- 346. Excessive privileges - Mobile App
- 412. Lack of protection against deletion - Azure Key Vault
- 415. Insecure service configuration - Container level access policy
- 430. Serverless - one dedicated IAM role per function