Least-privilege scoping for each service account
Description
What this control does
This control ensures that each service account is granted only the minimum permissions necessary to perform its designated function, avoiding over-privileged accounts that could be exploited. Service accounts are non-human identities used by applications, systems, or automation processes, and unlike user accounts, they often run unattended with persistent credentials. Implementing least-privilege scoping limits the blast radius of credential compromise, insider misuse, or lateral movement by attackers who gain access to service account credentials.
Control objective
What auditing this proves
Demonstrate that service accounts are consistently provisioned with permissions strictly limited to their functional requirements and that no service account possesses unnecessary elevated privileges.
Associated risks
Risks this control addresses
- An attacker who compromises an over-privileged service account gains unauthorized access to sensitive data or critical systems beyond the account's intended scope
- Lateral movement across environments or cloud tenants becomes possible when service accounts hold cross-boundary permissions not required for their function
- Automated processes running under excessively privileged service accounts inadvertently delete or modify production data due to lack of permission boundaries
- Insider threats exploit service accounts with broad permissions to exfiltrate data or manipulate systems without triggering user-focused monitoring controls
- Compliance violations occur when service accounts with access to regulated data exceed documented business justifications for that access
- Credential harvesting or replay attacks succeed in compromising entire application stacks when a single service account holds administrative privileges across multiple systems
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all service accounts across systems, applications, cloud platforms, databases, and directory services, including account identifiers, owning teams, and stated purposes
- For a representative sample of at least 20 service accounts spanning different risk tiers and platforms, retrieve the full list of assigned permissions, roles, group memberships, and access control lists
- Request and review formal documentation for each sampled service account that defines its functional requirements, approved permissions, and business justification for access scope
- Compare the documented permission requirements against the actual assigned permissions to identify discrepancies, over-provisioning, or undocumented grants
- Execute automated permission analysis queries or scripts to identify service accounts with administrative privileges, wildcard permissions, or access to sensitive resource classes
- Review access logs or audit trails for sampled service accounts over the past 90 days to determine which permissions were actively used versus granted but unused
- Interview application owners and infrastructure teams for high-risk service accounts to validate whether current permissions align with operational necessity and whether recent permission reviews have occurred
- Verify that a periodic access review process exists with documented evidence of service account permission recertification within the last 12 months
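The comparison, risky-grant and usage steps above can be scripted once the auditor has the inventory, the approval records and an audit-log extract in hand. The following Python is an added example written for this page, not tooling from any platform or vendor; the account names, the "service:action" permission format, the wildcard and admin-grant patterns and the log lines are all constructed to illustrate the checks, and the admin patterns in particular are an assumption that would need to be mapped to the naming of the platform actually under review.

```python
"""Least-privilege audit of service accounts: assigned vs. approved vs. used.

Added example with constructed data. Permissions use a generic
"service:action" string; a "*" in a grant is treated as a wildcard.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Set

# Constructed inventory: what each account is granted and what its
# documented business justification actually approves (hypothetical names).
INVENTORY: Dict[str, dict] = {
    "svc-billing-export": {
        "owner": "finance-platform",
        "purpose": "nightly export of invoices to the data warehouse",
        "assigned": {"storage:objects.get", "storage:objects.create",
                     "warehouse:tables.write", "iam:roles.update"},
        "approved": {"storage:objects.get", "warehouse:tables.write"},
    },
    "svc-ci-deployer": {
        "owner": "platform-eng",
        "purpose": "deploys build artifacts to the staging cluster",
        "assigned": {"*"},  # blanket grant, the classic over-provisioning
        "approved": {"cluster:deployments.update", "registry:images.pull"},
    },
    "svc-metrics-reader": {
        "owner": "sre",
        "purpose": "reads metrics for dashboards",
        "assigned": {"metrics:timeseries.list", "metrics:timeseries.get"},
        "approved": {"metrics:timeseries.list", "metrics:timeseries.get"},
    },
}

# Constructed 90-day audit-log extract: "<principal> <action>" per line.
USAGE_LOG = """\
svc-billing-export storage:objects.get
svc-billing-export warehouse:tables.write
svc-ci-deployer cluster:deployments.update
svc-ci-deployer registry:images.pull
svc-metrics-reader metrics:timeseries.list
"""

# Assumed patterns for grants that manage identity or authorization itself;
# real platforms need their own list.
ADMIN_PATTERNS = ("iam:roles.*", "iam:policies.*", "*:admin", "*:*.setIamPolicy")


def is_risky(permission: str) -> bool:
    """Flag wildcard grants and permissions that can change who has access."""
    if "*" in permission:
        return True
    return any(fnmatchcase(permission, pat) for pat in ADMIN_PATTERNS)


def parse_usage(log: str) -> Dict[str, Set[str]]:
    """Collect the distinct actions each principal exercised in the log window."""
    used: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        principal, action = line.split()
        used.setdefault(principal, set()).add(action)
    return used


@dataclass
class Finding:
    account: str
    undocumented: Set[str]  # assigned but absent from the approval record
    risky: Set[str]         # wildcard or admin-class grants
    unused: Set[str]        # assigned but never exercised in the log window
    missing: Set[str]       # approved but not covered by any assigned grant

    @property
    def needs_attention(self) -> bool:
        return bool(self.undocumented or self.risky)


def audit_account(name: str, record: dict, used_actions: Set[str]) -> Finding:
    assigned, approved = set(record["assigned"]), set(record["approved"])
    # A wildcard grant "covers" an action even though the strings differ,
    # so coverage is tested with pattern matching rather than set equality.
    undocumented = {p for p in assigned if p not in approved}
    risky = {p for p in assigned if is_risky(p)}
    unused = {p for p in assigned
              if not any(fnmatchcase(a, p) for a in used_actions)}
    missing = {p for p in approved
               if not any(fnmatchcase(p, g) for g in assigned)}
    return Finding(name, undocumented, risky, unused, missing)


def run_audit(inventory: Dict[str, dict], log: str) -> Dict[str, Finding]:
    used = parse_usage(log)
    return {name: audit_account(name, rec, used.get(name, set()))
            for name, rec in inventory.items()}


if __name__ == "__main__":
    for f in run_audit(INVENTORY, USAGE_LOG).values():
        flag = "REVIEW" if f.needs_attention else "ok"
        print(f"{f.account:22} {flag:6} undocumented={sorted(f.undocumented)} "
              f"risky={sorted(f.risky)} unused={sorted(f.unused)}")
```

Two of the three constructed accounts come out flagged: the billing exporter carries an undocumented and unused identity-management grant, and the deployer holds a blanket wildcard that its approval record never justified. The "unused" set is the evidence for the 90-day usage step, while "missing" catches the opposite drift, where the documentation promises more than the account actually has.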
Where this control is tested