Tokens scoped to least privilege
Demonstrate that all authentication tokens issued within the organization are configured with the minimum necessary permissions and scopes required for their intended use cases, with no excessive or blanket privileges granted.
Description
What this control does
Tokens scoped to least privilege ensures that API tokens, service account credentials, OAuth tokens, and personal access tokens (PATs) are granted only the minimum permissions required to perform their intended function. This control involves defining granular scopes or roles for each token type and restricting access to specific resources, operations, and time windows. Properly scoped tokens limit the blast radius of a credential compromise: an attacker holding the token cannot move laterally or reach sensitive systems or data beyond the token's legitimate purpose.
Control objective
What auditing this proves
Demonstrate that all authentication tokens issued within the organization are configured with the minimum necessary permissions and scopes required for their intended use cases, with no excessive or blanket privileges granted.
Associated risks
Risks this control addresses
- Compromised tokens with broad permissions allow attackers to access sensitive data, systems, or APIs beyond the original scope of the application or service
- Over-privileged service account tokens enable lateral movement across environments or escalation to administrative functions
- Stolen personal access tokens with repository-wide or organization-wide write access permit unauthorized code modification or supply chain injection
- OAuth tokens with excessive scopes allow third-party applications to exfiltrate user data or perform unauthorized actions on behalf of users
- Long-lived tokens with admin-level permissions create persistent attack vectors if credentials are leaked through logs, code repositories, or developer workstations
- Machine-to-machine tokens with unrestricted API access enable automated reconnaissance and data harvesting at scale
- Insufficient scope validation allows token reuse across unintended contexts, bypassing intended access boundaries
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all token types used in the environment, including API keys, PATs, OAuth tokens, service account tokens, JWTs, and cloud IAM tokens, from identity management systems, API gateways, and developer documentation.
- Review the authorization policies, scope definitions, and permission matrices associated with each token type from identity provider configurations, API management platforms, and IAM policy documents.
- Select a representative sample of active tokens across different service tiers, applications, and user roles for detailed examination, ensuring coverage of high-privilege and external-facing services.
- For each sampled token, verify the assigned scopes, roles, and permissions against documented functional requirements and compare to actual resource access patterns from API logs or access audit trails.
- Examine token creation workflows and approval processes to confirm that least privilege principles are enforced at issuance, including technical controls that prevent over-scoping and require justification for elevated permissions.
- Test a subset of tokens by attempting to perform operations outside their documented scope using API clients or testing tools to validate that authorization controls correctly deny out-of-scope actions.
- Review token lifecycle management procedures including rotation policies, expiration settings, and revocation processes to ensure temporal scoping limits exposure windows.
- Interview application owners and DevOps personnel to validate understanding of scope requirements and confirm that tokens are regularly reviewed and right-sized as application needs evolve.
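The scope comparison in the fourth step and the out-of-scope denial check in the fifth step can be automated against exported data. The script below is an added example written for this page; it is not part of the control text or of any product referenced here. It assumes a token inventory exported as a mapping of token id to granted scopes, an API gateway log in a constructed key=value format, and a route-to-scope table describing which scope each request requires. All of those inputs are constructed inline for illustration. It flags blanket grants (wildcards or admin), scopes that were granted but never exercised in the log window, and out-of-scope requests that the API allowed instead of denying.

```python
"""
Added example (not from the control page): right-size token scopes by
comparing granted scopes with scopes actually exercised in API logs, and
confirm that out-of-scope requests were denied.

All inputs below are constructed for illustration; the log format, the
inventory format and the route-to-scope table are assumptions.
"""
import re
from collections import defaultdict

# Assumed mapping from (method, path prefix) to the scope the request needs.
ROUTE_SCOPES = [
    ("GET", "/repos", "repo:read"),
    ("POST", "/repos", "repo:write"),
    ("PUT", "/repos", "repo:write"),
    ("DELETE", "/repos", "repo:write"),
    ("GET", "/users", "user:read"),
    ("GET", "/admin", "admin"),
    ("POST", "/admin", "admin"),
]

# Constructed list of scopes that count as blanket privilege.
BLANKET_SCOPES = {"*", "admin", "repo:*"}

# Constructed inventory: token id -> granted scopes.
TOKEN_INVENTORY = {
    "tok_ci_build": {"repo:read"},
    "tok_deploy_bot": {"repo:read", "repo:write", "user:read"},
    "tok_legacy_script": {"*"},
}

# Constructed API gateway log lines (assumed key=value format).
ACCESS_LOG = """\
2024-05-01T10:00:01Z token=tok_ci_build method=GET path=/repos/acme/app status=200
2024-05-01T10:00:02Z token=tok_ci_build method=POST path=/repos/acme/app/commits status=403
2024-05-01T10:00:03Z token=tok_ci_build method=DELETE path=/repos/acme/app/branches/tmp status=204
2024-05-01T10:00:04Z token=tok_deploy_bot method=GET path=/repos/acme/app status=200
2024-05-01T10:00:05Z token=tok_deploy_bot method=PUT path=/repos/acme/app/releases status=200
2024-05-01T10:00:06Z token=tok_legacy_script method=GET path=/users/alice status=200
2024-05-01T10:00:07Z token=tok_legacy_script method=POST path=/admin/users status=200
"""

LOG_RE = re.compile(r"token=(\S+) method=(\S+) path=(\S+) status=(\d+)")


def required_scope(method, path):
    """Return the scope a request needs, or None if the route is unknown."""
    for m, prefix, scope in ROUTE_SCOPES:
        if method == m and path.startswith(prefix):
            return scope
    return None


def parse_log(text):
    """Yield (token, method, path, status) tuples from the log text."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def grants(granted, scope):
    """True if the granted scope set covers `scope` (wildcards included)."""
    if scope in granted or "*" in granted:
        return True
    return scope.split(":")[0] + ":*" in granted


def audit(inventory, log_text):
    """Return {token: [findings]} for over-scoped or under-enforced tokens."""
    used = defaultdict(set)
    findings = defaultdict(list)
    for token, method, path, status in parse_log(log_text):
        scope = required_scope(method, path)
        if scope is None:
            continue
        granted = inventory.get(token, set())
        if grants(granted, scope):
            if status < 400:
                used[token].add(scope)
        elif status < 400:
            # The token lacked the scope yet the request succeeded:
            # authorization is not enforcing the documented scope.
            findings[token].append(f"out-of-scope {method} {path} allowed ({status})")
    for token, granted in inventory.items():
        blanket = granted & BLANKET_SCOPES
        if blanket:
            findings[token].append(f"blanket scope granted: {sorted(blanket)}")
        unused = granted - used[token] - BLANKET_SCOPES
        if unused:
            findings[token].append(f"granted but never exercised: {sorted(unused)}")
    return dict(findings)


if __name__ == "__main__":
    for token, items in audit(TOKEN_INVENTORY, ACCESS_LOG).items():
        for item in items:
            print(f"{token}: {item}")
```

Against the constructed data, the CI token is flagged because a DELETE it was never granted succeeded, the deploy token carries a `user:read` scope it never uses, and the legacy token holds a wildcard grant. A "granted but never exercised" finding over a short log window is a prompt for the owner interview in the last step, not proof the scope is unnecessary, so the observation window should cover the application's full activity cycle.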
Where this control is tested