Mapped controls: AC-3 / AC-6 / AU-9 (NIST SP 800-53 Rev 5), A.9.2.1 / A.9.4.1, CIS-5.4 / CIS-6.7

Database access controls

Demonstrate that database access is restricted to authorized users and service accounts through enforced authentication, role-based permissions aligned with job functions, and continuous monitoring of privileged activities.

Description

What this control does

Database access controls enforce authentication, authorization, and accountability mechanisms that restrict who can connect to databases, which objects they can manipulate, and what operations they can perform. These controls typically include role-based access assignments, least-privilege account configurations, segregation of administrative and application accounts, and audit logging of privileged actions. Strong database access controls prevent unauthorized data disclosure, manipulation, and destruction by limiting attack surfaces and enforcing defense-in-depth at the data layer.
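The following is an added example, not part of this control page, showing what the description above looks like when enforced in one database engine. It assumes PostgreSQL and uses assumed names (orders_db, app_orders, dba_team, auditor, alice, and the tables orders and order_items); the password is a placeholder to be supplied from a secrets store. It separates the application service account from human administrative access, denies the service account DDL and role management, and turns on the logging that makes privileged actions attributable.

```sql
-- Added example (not from the control page). PostgreSQL assumed; all object
-- and role names below are illustrative.

-- 1. Remove the default grants that let any login role connect and create
--    objects in the public schema; access must then be granted explicitly.
REVOKE ALL ON DATABASE orders_db FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Application service account: can log in, cannot become superuser,
--    cannot create roles or databases, and gets only the DML it needs.
CREATE ROLE app_orders LOGIN PASSWORD 'PLACEHOLDER_FROM_SECRET_STORE'
    NOSUPERUSER NOCREATEDB NOCREATEROLE CONNECTION LIMIT 20;
GRANT CONNECT ON DATABASE orders_db TO app_orders;
GRANT USAGE ON SCHEMA public TO app_orders;
GRANT SELECT, INSERT, UPDATE ON TABLE orders, order_items TO app_orders;
-- No DELETE or TRUNCATE: bulk removal stays an administrative action.

-- 3. Administrative privileges live in a group role that cannot log in;
--    named humans are members, so every DDL statement maps to a person.
CREATE ROLE dba_team NOLOGIN;
GRANT ALL PRIVILEGES ON DATABASE orders_db TO dba_team;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO dba_team;
CREATE ROLE alice LOGIN PASSWORD 'PLACEHOLDER_FROM_SECRET_STORE';
GRANT dba_team TO alice;

-- 4. Read-only group role for auditors and reporting; default privileges
--    make sure tables created later are covered as well.
CREATE ROLE auditor NOLOGIN;
GRANT CONNECT ON DATABASE orders_db TO auditor;
GRANT USAGE ON SCHEMA public TO auditor;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO auditor;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO auditor;

-- 5. Accountability: log every connection and every DDL statement, with a
--    prefix that records who ran it and from where.
ALTER SYSTEM SET log_connections = on;
ALTER SYSTEM SET log_disconnections = on;
ALTER SYSTEM SET log_statement = 'ddl';
ALTER SYSTEM SET log_line_prefix = '%m [%p] user=%u db=%d host=%h ';
SELECT pg_reload_conf();
```

The point of the layout is that a compromised app_orders credential yields exactly the rows the application can already reach, nothing more, and that every schema change is logged under a named human rather than a shared administrative login.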

Control objective

What auditing this proves

Demonstrate that database access is restricted to authorized users and service accounts through enforced authentication, role-based permissions aligned with job functions, and continuous monitoring of privileged activities.

Associated risks

Risks this control addresses

  • Unauthorized users or compromised application accounts gaining direct access to sensitive data, bypassing application-layer controls
  • Privilege escalation through overly permissive default roles or failure to remove dormant accounts with elevated database privileges
  • Lateral movement by attackers using shared or hardcoded database credentials discovered in application code or configuration files
  • Insider threats exploiting excessive permissions to exfiltrate, modify, or delete production data without detection
  • Unaudited privileged operations such as schema changes, bulk deletions, or permission grants obscuring malicious or accidental data loss
  • Service account compromise leading to full database takeover due to DBA-level privileges granted to application service principals
  • Compliance violations from inability to prove who accessed regulated data (PII, PHI, PCI) and when access occurred

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of database instances in scope, including production, non-production, cloud-hosted, and on-premises systems.
  2. Export current user and service account lists from each database system, including role assignments, group memberships, and privilege grants.
  3. Review authentication configuration to verify that strong authentication methods (password policies, certificate-based, or MFA) are enforced and default accounts are disabled or secured.
  4. Select a risk-based sample of user accounts and validate that assigned permissions align with documented job responsibilities and adhere to least-privilege principles.
  5. Examine database audit logging configurations to confirm that authentication attempts, privilege escalations, DDL operations, and sensitive data access are captured.
  6. Review access request and approval records for a sample period to verify that database access follows formal provisioning workflows with management authorization.
  7. Test segregation of duties by confirming that application service accounts cannot perform administrative functions and that developers lack production database write access.
  8. Validate that access reviews are conducted at defined intervals and that findings result in timely revocation of unnecessary privileges.
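As an added example, not taken from this control page, the catalog queries below are what an auditor could run against a PostgreSQL instance to gather evidence for steps 2, 3, 4, 5 and 7 of the procedure above. PostgreSQL is assumed; the queries use only its standard system catalogs and views. Nothing here is specific to any organization's roles, and the findings each query surfaces are stated in the comments.

```sql
-- Added example (not from the control page). PostgreSQL assumed.

-- Step 2: export every non-system role with its attributes and the group
-- roles it belongs to. This is the "user and role export" evidence item.
SELECT r.rolname,
       r.rolcanlogin, r.rolsuper, r.rolcreaterole, r.rolcreatedb,
       r.rolbypassrls, r.rolvaliduntil,
       COALESCE(string_agg(g.rolname, ',' ORDER BY g.rolname), '') AS member_of
FROM pg_roles r
LEFT JOIN pg_auth_members m ON m.member = r.oid
LEFT JOIN pg_roles g ON g.oid = m.roleid
WHERE r.rolname NOT LIKE 'pg\_%'
GROUP BY r.rolname, r.rolcanlogin, r.rolsuper, r.rolcreaterole,
         r.rolcreatedb, r.rolbypassrls, r.rolvaliduntil
ORDER BY r.rolsuper DESC, r.rolname;

-- Step 7: login roles holding administrative attributes. Every row needs a
-- documented owner; an application service account appearing here is a
-- finding against segregation of duties.
SELECT rolname, rolsuper, rolcreaterole, rolbypassrls
FROM pg_roles
WHERE rolcanlogin
  AND (rolsuper OR rolcreaterole OR rolbypassrls)
  AND rolname NOT LIKE 'pg\_%';

-- Step 4: object-level grants per grantee on application schemas, for
-- comparison against documented job responsibilities. Write privileges
-- held by developer roles on production tables are findings.
SELECT grantee, table_schema, table_name,
       string_agg(privilege_type, ',' ORDER BY privilege_type) AS privileges
FROM information_schema.role_table_grants
WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
GROUP BY grantee, table_schema, table_name
ORDER BY grantee, table_schema, table_name;

-- Step 3: authentication method per host-based access rule. Reading
-- pg_hba_file_rules requires superuser or an explicit grant. Rules using
-- 'trust', or 'password' (cleartext) are findings; 'scram-sha-256' or
-- certificate-based methods are the expected values.
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
ORDER BY line_number;

-- Step 5: confirm that connection and DDL logging is actually in effect,
-- not merely documented. Expected: log_connections = on, log_statement
-- at least 'ddl', logging_collector = on.
SELECT name, setting
FROM pg_settings
WHERE name IN ('log_connections', 'log_disconnections', 'log_statement',
               'log_line_prefix', 'logging_collector')
ORDER BY name;

-- Steps 4 and 8 support: login roles whose VALID UNTIL date has passed.
-- PostgreSQL does not record last-login time in the catalog, so dormant
-- account detection must come from the connection log, not from here.
SELECT rolname, rolvaliduntil
FROM pg_roles
WHERE rolcanlogin AND rolvaliduntil < now();
```

Run the exports as a read-only role where possible and save the raw result sets alongside the run timestamp; the pass criteria below depend on being able to show that the export reflects the instance at the time of the review rather than a later, cleaned-up state.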
Evidence required

Collect database user and role exports showing current permissions, authentication configuration screenshots or policy files demonstrating enforced controls, and audit log samples covering authentication events and privileged operations. Obtain access request tickets with approvals, periodic access review reports with remediation evidence, and documented role definitions mapping database privileges to business functions.

Pass criteria

All database user accounts have documented business justification, permissions align with least-privilege principles, authentication mechanisms meet organizational standards, privileged actions are logged and monitored, and periodic access reviews demonstrate active governance with timely revocation of unnecessary access.