Overview
Privileged Access Management is the process of controlling, monitoring, and reviewing access to systems and data that require elevated permissions. This process ensures privileged access is granted only when necessary, approved, time-bound, and regularly reviewed in alignment with SOC 2 CC6 requirements.
Step-by-Step Process
Identify privileged systems and roles
The Security Lead identifies all systems, applications, and cloud environments that require privileged access and documents the associated privileged roles. This includes admin, root, and break-glass accounts, with the output being a current privileged systems and roles inventory.
Role: Security Lead
Review privileged access inventory
The Security Lead reviews the inventory to confirm completeness and accuracy, validating that all privileged accounts are known and assigned to a system owner. The output is an approved inventory with documented system ownership.
Role: Security Lead
Validate access approvals
The Security Lead verifies that each privileged account has documented business justification and management approval. Any accounts missing approval are flagged for remediation, resulting in an approval validation log.
Role: Security Lead
Verify least privilege configuration
The Security Lead reviews permissions for each privileged role to confirm access is limited to what is required for job responsibilities. The output is a list of confirmed compliant roles and identified excessive permissions.
Role: Security Lead
Review privileged access activity logs
The Security Lead reviews logs and session records for privileged access activity during the review period to identify unauthorized or anomalous behavior. The output is a dated access review report with findings noted.
Role: Security Lead
Remediate access issues
The Security Lead coordinates with IT or Cloud Administrators to remove, reduce, or correct inappropriate privileged access. The output is evidence of access changes completed and validated.
Role: Security Lead
Document and certify review
The Security Lead documents the monthly review results, remediation actions, and formally certifies completion. The output is a signed and dated privileged access review record.
Role: Security Lead
What You Need Before Starting
- Current privileged access inventory
- Access approval records or ticketing system access
- Privileged access management tool access (CyberArk, HashiCorp Vault, or AWS IAM)
- Prior month privileged access review report
Evidence Your Auditor Expects
- Privileged access inventory export dated for the review month
- Screenshots of approval records or tickets showing approver and approval date
- Privileged access activity logs with timestamps covering the review period
- Completed and signed monthly privileged access review report with date
How This Looks In Your Tools
CyberArk
Log in to the CyberArk Privileged Access Security Console and navigate to Accounts > Accounts Management to export a list of privileged accounts. Use the filter options to scope accounts by platform and last accessed date, then download the report with a visible timestamp.
Navigate to Reports > Access and Session Reports to review privileged session activity. Open each relevant report, validate user, system, and access time, and capture screenshots or export reports as evidence of the monthly review.
HashiCorp Vault
Log in to the Vault UI and navigate to Access > Entities and Access > Auth Methods to identify users and authentication paths with elevated permissions. Export entity and policy assignments using the UI or vault list and vault read commands, saving outputs with command timestamps.
Navigate to Audit Devices and review audit log files for privileged operations during the review period. Filter logs by policy name or root access and retain log excerpts showing date, time, and actor.
AWS IAM
Log in to the AWS Management Console and navigate to IAM > Roles and IAM > Users. Filter for roles and users with AdministratorAccess or custom high-privilege policies, and export the list using the IAM credential report or screenshots with visible dates.
Navigate to CloudTrail > Event history and filter events by IAM service and privileged actions such as AttachRolePolicy or AssumeRole. Download event logs showing user, action, and timestamp as evidence of activity review.
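An added example (not from the original page or from AWS) of the CloudTrail review step above: it takes downloaded CloudTrail records, keeps only privileged IAM/STS actions that fall inside the review period, and returns the user, action and timestamp rows the evidence list needs. The sample events, the action set beyond AttachRolePolicy and AssumeRole, and the account id are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# AttachRolePolicy and AssumeRole come from the review procedure; the other two are
# assumed additions and should be tuned to the environment under review.
PRIVILEGED_ACTIONS = {"AttachRolePolicy", "AttachUserPolicy", "PutRolePolicy", "AssumeRole"}

# Constructed sample CloudTrail records (not real log data); the account id is a placeholder.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-03T14:12:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "DeployRole", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-10T08:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/BreakGlassAdmin"}},
    {"eventTime": "2024-05-12T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventTime": "2024-04-28T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "requestParameters": {"roleName": "OldRole"}},
]


def _utc(ts):
    """Parse a CloudTrail-style UTC timestamp such as 2024-05-03T14:12:09Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_cloudtrail_file(path):
    """Read a downloaded CloudTrail JSON file: either a bare list or {"Records": [...]}."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data["Records"] if isinstance(data, dict) else data


def privileged_events(events, period_start, period_end, actions=PRIVILEGED_ACTIONS):
    """Return sorted (eventTime, actor, action, target) rows for privileged actions in the period.

    period_start is inclusive and period_end exclusive, both as CloudTrail-style timestamps."""
    start, end = _utc(period_start), _utc(period_end)
    rows = []
    for ev in events:
        if ev.get("eventName") not in actions:
            continue
        if not (start <= _utc(ev["eventTime"]) < end):
            continue  # belongs to another month's review evidence
        ident = ev.get("userIdentity") or {}
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        params = ev.get("requestParameters") or {}  # absent on some read-only events
        target = params.get("roleArn") or params.get("roleName") or params.get("userName") or ""
        rows.append((ev["eventTime"], actor, ev["eventName"], target))
    return sorted(rows)


def evidence_lines(rows):
    """Render rows as the dated lines that go into the signed monthly review report."""
    return [f"{t}  {actor:<12} {action:<18} {target}" for t, actor, action, target in rows]
```

Point load_cloudtrail_file at the JSON you downloaded from Event history, then pass its records to privileged_events with the first day of the review month and the first day of the following month.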
Common Audit Findings
- Privileged accounts without documented approval
  - This occurs when access is granted outside the formal approval workflow. Prevent this by enforcing ticket-based approvals and validating approvals during each monthly review.
- Excessive privileges assigned to roles
  - Overly broad roles are often created for convenience and not revisited. Regularly review role permissions and enforce least privilege during access reviews.
- Missing or incomplete access review evidence
  - Reviews may be performed but not documented in an auditable format. Use a standardized review template and retain dated screenshots and reports.
- Lack of privileged activity monitoring
  - Organizations may grant access but fail to review usage logs. Ensure logging is enabled and included as a mandatory step in the monthly review.