Access_Control_Policy.md

May 24, 2026 Β· View on GitHub

Hack23 Logo

πŸ”‘ Hack23 AB β€” Access Control Policy

πŸ›‘οΈ Zero Trust Access Through Identity-Centric Security
🎯 Enterprise-Grade Access Control Demonstrating Cybersecurity Excellence

Owner Version Effective Date Review Cycle

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 2.6 | πŸ“… Last Updated: 2026-01-25 (UTC)
πŸ”„ Review Cycle: Semi-Annual | ⏰ Next Review: 2026-07-25


🎯 Purpose Statement

🏒 Hack23 AB's access control policy demonstrates how πŸ”§ systematic identity management directly enables both security excellence and operational transparency. Our πŸ“Š zero-trust access approach serves as both operational necessity and πŸ‘₯ client demonstration of our cybersecurity consulting methodologies.

This policy establishes mandatory access controls based on our 🏷️ Classification Framework and integrates with all systems documented in the πŸ’» Asset Register.

β€” πŸ‘¨β€πŸ’Ό James Pether SΓΆrling, CEO/Founder


πŸ” Access Control Architecture

🎯 Identity-Centric Design

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#0d47a1',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FF9800'
    }
  }
}%%
flowchart TD
    subgraph Core["πŸ” Core Identity"]
        PRIMARY["Primary Identity Provider<br/>πŸ” MFA Enforced<br/>Central Authentication"]
    end
    
    subgraph CloudOrg["☁️ Cloud Organization"]
        IDC["Identity Center<br/>πŸ” SSO + MFA"]
        MGMT["Multi-Account Management<br/>πŸ›‘οΈ Centralized Policies"]
        ACCTS["Business Accounts<br/>πŸ“Š Federated Access"]
    end
    
    subgraph DevOps["πŸ“ Development Platform"]
        REPO["Repository Platform<br/>πŸ” MFA Required"]
        ORG["Organization Access<br/>πŸ›‘οΈ Team Management"]
    end
    
    subgraph Business["πŸ”— Business Services"]
        CRITICAL["Critical Services<br/>🏦 Banking, πŸ’³ Payments, πŸ“Š Accounting"]
        MARKETING["Marketing Tools<br/>πŸ“± Social, 🎡 Content, πŸ“ˆ Analytics"]
        SECURITY["Security Tools<br/>πŸ›‘οΈ Code Analysis, βš–οΈ Compliance"]
    end
    
    PRIMARY --> IDC
    PRIMARY --> REPO
    PRIMARY --> CRITICAL
    PRIMARY --> MARKETING
    
    IDC --> MGMT
    IDC --> ACCTS
    REPO --> ORG
    REPO --> SECURITY
    
    style Core fill:#1565C0
    style CloudOrg fill:#4CAF50
    style DevOps fill:#FF9800
    style Business fill:#D32F2F

πŸ“Š Access Control Matrix

Integration with Classification Framework:

🎯 Asset Category🏷️ ClassificationπŸ” Access MethodπŸ›‘οΈ MFA Requirement⏰ Session TimeoutπŸ“Š Review Frequency
☁️ Cloud Core InfrastructureExtremeIdentity Center SSOHardware + Software4 hoursMonthly
πŸ’° Financial SystemsVery HighProvider MFA + IdPHardware + SMS1 hourMonthly
πŸ“ Development PipelineHighPlatform MFATOTP + SSH Keys8 hoursQuarterly
πŸ“Š Business IntelligenceModerateSSO IntegrationTOTP24 hoursSemi-Annual
πŸ“’ Marketing PlatformsPublicPlatform NativePlatform MFA7 daysAnnual

πŸ›‘οΈ Multi-Factor Authentication Strategy

🎯 MFA Implementation Matrix

πŸ”— Service CategoryπŸ” Primary MFAπŸ›‘οΈ Backup MFAπŸ“± Methods Supportedβœ… Status
Identity ProviderHardware Security KeyTOTP + SMSFIDO2, WebAuthn, Authenticatorβœ… Active
Cloud PlatformEnforced via IdPHardware TokenFIDO2, WebAuthn, SMSβœ… Active
Development PlatformTOTPSSH CertificatePlatform Mobile, TOTPβœ… Active
Banking ServicesProvider-issued TokenMobile AppProprietary Hardwareβœ… Active
Payment ProcessingTOTPEmail VerificationAuthenticator Appβœ… Active
Social PlatformsPlatform TOTPEmail RecoveryNative Appsβœ… Active

πŸ”„ MFA Validation Flow

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#FF9800',
      'primaryTextColor': '#F57C00',
      'lineColor': '#ff9800',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#1565C0'
    }
  }
}%%
sequenceDiagram
    participant User as πŸ‘€ User
    participant IdP as πŸ” Identity Provider
    participant MFA as πŸ“± MFA Service
    participant Target as 🎯 Target System
    participant Monitor as πŸ“Š Monitoring
    
    User->>IdP: 1. Username + Password
    IdP->>MFA: 2. Request MFA Challenge
    MFA->>User: 3. Send Challenge (TOTP/Push)
    User->>MFA: 4. Provide MFA Response
    MFA->>IdP: 5. Validate Response
    
    alt MFA Success
        IdP->>Target: 6. Issue Access Token
        Target->>Monitor: 7. Log Successful Access
        Target->>User: 8. Grant Access
    else MFA Failure
        IdP->>Monitor: 6. Log Failed Attempt
        Monitor->>IdP: 7. Trigger Security Alert
        IdP->>User: 8. Access Denied
    end
    
    Monitor->>Monitor: 9. Update Security Metrics

🎯 Role-Based Access Control

πŸ“Š Generic Permission Framework

Integration with cloud organization structure:

πŸ›‘οΈ Permission LevelπŸ“ Scope🎯 Use CaseπŸ” Access PatternπŸ“Š Usage Frequency
AdministratorCritical SystemsEmergency operations, infrastructureBreak-glass onlyMonthly
PowerUserCore SystemsDevelopment, testingRegular operationsDaily
ReadOnlyAll systemsMonitoring, complianceContinuous accessDaily
ServiceManagerSpecific ServicesService provisioningProject deploymentWeekly
ServiceUserManaged ServicesResource consumptionStandard usageWeekly

πŸ”„ Dynamic Access Pattern

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#7B1FA2',
      'primaryTextColor': '#4A148C',
      'lineColor': '#7B1FA2',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FFC107'
    }
  }
}%%
flowchart LR
    subgraph Standard["πŸ“… Standard Access"]
        READ["ReadOnly<br/>πŸ“Š Monitoring"]
        POWER["PowerUser<br/>βš™οΈ Operations"]
    end
    
    subgraph Elevated["πŸ”΄ Elevated Access"]
        ADMIN["Administrator<br/>🚨 Emergency"]
        CATALOG["Service Manager<br/>πŸš€ Provisioning"]
    end
    
    subgraph Controls["πŸ›‘οΈ Access Controls"]
        TIME["Time-based<br/>⏰ Session Limits"]
        JUST["Just-in-time<br/>🎯 Request-based"]
        AUDIT["Continuous Audit<br/>πŸ“ˆ Monitoring"]
    end
    
    READ --> TIME
    POWER --> TIME
    ADMIN --> JUST
    CATALOG --> JUST
    
    TIME --> AUDIT
    JUST --> AUDIT
    
    style Standard fill:#4CAF50
    style Elevated fill:#D32F2F
    style Controls fill:#1565C0

🚫 Segregation of Duties

Role-based access control supports segregation of duties principles by enforcing separation between incompatible functions. See 🚫 Segregation of Duties Policy for:

  • Incompatible role pairs requiring separation
  • Single-person organization compensating controls
  • Temporal and tool-based separation mechanisms
  • Audit trail and external validation requirements

Key access control aspects supporting SoD:

  • Least Privilege: Default to minimum permissions required for role
  • Time-Limited Elevation: Administrator access granted just-in-time with automatic expiration
  • Audit Trail: All permission changes and elevated access logged in CloudTrail
  • Quarterly Review: Access permissions reviewed against principle of least privilege

πŸ“Š Access Monitoring & Compliance

πŸ” Continuous Monitoring Dashboard

Based on business impact and security metrics:

🎯 MetricπŸ“Š TargetπŸ” Measurement🚨 Alert ThresholdπŸ“ˆ Review Frequency
MFA Coverage100%Active MFA methods<100%Real-time
Access Anomalies<5/monthUnusual patterns>10/monthDaily
Failed Login Rate<1%Failed vs successful>5%Hourly
Dormant Accounts0Unused >90 days>0Weekly
Privilege Escalation0 unauthorizedAdmin access grants>0Real-time
Session Compliance100%Timeout adherence<95%Daily

πŸ“ˆ Access Audit Trail

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#1565C0',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FFC107'
    }
  }
}%%
graph TD
    subgraph Capture["πŸ“Š Event Capture"]
        CLOUD_AUDIT["Cloud Platform Audit<br/>πŸ” API Calls & Access"]
        DEV_AUDIT["Development Audit<br/>πŸ“ Repository & Pipeline Access"]
        IDENTITY_LOG["Identity Provider<br/>πŸ“§ Authentication Events"]
        BUSINESS_LOG["Business Systems<br/>πŸ’³ Financial & Operations"]
    end
    
    subgraph Analysis["πŸ§ͺ Analysis Engine"]
        SIEM["Security Hub<br/>πŸ›‘οΈ Event Correlation"]
        DETECT["Behavior Analysis<br/>πŸ” Anomaly Detection"]
        COMPLIANCE["Compliance Monitor<br/>πŸ“‹ Policy Validation"]
    end
    
    subgraph Response["🚨 Response Actions"]
        ALERT["Real-time Alerts<br/>πŸ“± Security Notifications"]
        BLOCK["Automatic Blocking<br/>🚫 Threat Response"]
        REPORT["Compliance Reports<br/>πŸ“Š Evidence Generation"]
    end
    
    CLOUD_AUDIT --> SIEM
    DEV_AUDIT --> SIEM
    IDENTITY_LOG --> SIEM
    BUSINESS_LOG --> SIEM
    
    SIEM --> DETECT
    SIEM --> COMPLIANCE
    
    DETECT --> ALERT
    DETECT --> BLOCK
    COMPLIANCE --> REPORT
    
    style Capture fill:#1565C0
    style Analysis fill:#4CAF50
    style Response fill:#D32F2F

πŸ”§ Access Control Implementation

πŸ’° Financial Systems Access

Process Classification: Finance

Business Impact Justification:

  • High financial impact potential (daily revenue at risk)
  • Regulatory compliance requirements (audit trails, segregation of duties)
  • Operational dependency (cash flow, vendor payments, payroll)

Access Requirements:

System TypeMFA RequirementSession TimeoutReview FrequencyBackup Access
Banking PlatformHardware token + SMS1 hourMonthlyMobile app backup
Accounting SystemSSO + TOTP8 hoursQuarterlyExport procedures
Payment GatewayPlatform MFA4 hoursMonthlyManual processing

πŸ”§ Operations & Development Access

Process Classification: Operations

Business Impact Justification:

  • Service delivery continuity requirements
  • Development pipeline integrity
  • Code and infrastructure security

Access Requirements:

System TypeMFA RequirementSession TimeoutReview FrequencyEmergency Access
Development PlatformTOTP + SSH keys8 hoursQuarterlyLocal environment
Cloud InfrastructureSSO + hardware token4 hoursMonthlyBreak-glass procedures
CI/CD PipelinePlatform MFA24 hoursMonthlyManual deployment

πŸ“’ Marketing & Communications Access

Process Classification: Marketing

Business Impact Justification:

  • Brand reputation management
  • Customer communication continuity
  • Content and campaign integrity

Access Requirements:

System TypeMFA RequirementSession TimeoutReview FrequencyContent Backup
Social Media PlatformsPlatform MFA7 daysSemi-annualContent archives
Content Generation ToolsPlatform authentication30 daysAnnualAlternative services
Analytics PlatformsSSO integration24 hoursQuarterlyExport procedures

🏒 Single-Person Company Adaptation

Traditional Multi-Person Requirement

Industry best practice and NIST 800-53 guidance recommend separation of duties for access control administration:

  • Access Provisioner: Administrator who grants/revokes access rights
  • Access Reviewer: Independent security team member who validates access appropriateness
  • Audit Function: Separate audit team reviewing access control compliance

Traditional separation provides:

  • Independent validation of access decisions
  • Detection of unauthorized access grants
  • Prevention of insider threats through collusion resistance
  • Compliance with segregation of duties requirements

Typical Process:

  1. User requests access (or access change)
  2. Manager/provisioner approves and grants access
  3. Separate security team conducts quarterly access review
  4. Independent auditor validates access control effectiveness annually

Hack23 AB Single-Person Adaptation

As CEO/Founder is the sole employee and performs all roles (access provisioner, reviewer, and user), traditional multi-person access review is not possible. Instead, Hack23 AB implements automated tool validation + external audit model:

🎯 CEO As Access Administrator

Roles Consolidated:

  • Access Provisioner (grants/revokes all access)
  • Access Reviewer (validates access appropriateness)
  • Primary User (uses all systems for business operations)

Limitations of Single-Person Model:

  • No independent human review of access decisions
  • Self-review cannot detect own errors or excessive permissions
  • Risk of "privilege creep" without external validation

🎯 Automated Access Analysis

AWS IAM Access Analyzer (Primary Compensating Control):

FeatureCapabilityBusiness ValueValidation Frequency
Unused Access DetectionIdentifies credentials and permissions not used in 90+ daysReduces attack surface, enforces least privilegeReal-time continuous
External Access AnalysisDetects resources shared outside AWS organizationPrevents unauthorized external accessReal-time continuous
Policy ValidationValidates IAM policies against AWS security best practicesEnsures secure policy configurationOn policy change
Access PreviewSimulates policy changes before implementationPrevents unintended access grantsPre-deployment

GitHub Security Features (Development Platform):

  • Organization Audit Log: Complete history of all access changes, permission grants
  • Security Alerts: Notifications for suspicious access patterns or unauthorized changes
  • Required Reviewers: Branch protection requires PR approval (self-review documented as accepted risk)
  • Dependency Review: Automated analysis of third-party access via dependencies

🎯 External Validation Model

Annual External Auditor Review:

Validation ActivityAuditor ScopeFrequencyDeliverable
Access Control EffectivenessReview access grants, permissions, MFA complianceAnnualAudit report with findings and recommendations
Least Privilege ValidationVerify users have minimum necessary permissionsAnnualExcessive permission identification
Segregation of Duties AssessmentEvaluate compensating controls for SoD violationsAnnualControl adequacy assessment
Compliance VerificationValidate ISO 27001/NIST CSF alignmentAnnualCompliance attestation

Compensating Controls

Control TypeImplementationISO 27001 AlignmentEffectiveness
πŸ€– AWS IAM Access AnalyzerContinuous automated analysis of access permissions, unused access detectionA.5.18 - Access Rights ManagementProvides independent (machine) validation superior to manual review
πŸ“Š Quarterly CEO Self-ReviewCEO reviews all access grants, permissions, MFA status using IAM Access Analyzer findingsA.9.2.5 - Review of User Access RightsSystematic review process with automated tool assistance
πŸ” External Annual AuditIndependent auditor validates access control effectiveness and least privilege complianceA.5.18 - Access Rights ManagementIndependent human validation catches systematic issues
πŸ“‹ Complete Audit TrailAWS CloudTrail + GitHub Audit Log provide tamper-evident access change historyA.8.15 - LoggingEnables retrospective review and forensic investigation
⏱️ Automated AlertsReal-time notifications for suspicious access patterns, policy changes, external sharingA.8.16 - Monitoring ActivitiesImmediate detection of access anomalies

ISO 27001:2022 Compliance

This adaptation maintains control objectives of A.5.18 (Access Rights Management) and A.9.2.5 (Review of User Access Rights) by ensuring:

βœ… Access Rights Allocation: CEO manages all access with documented procedures
βœ… Regular Reviews: Quarterly CEO review + AWS IAM Access Analyzer continuous monitoring
βœ… Least Privilege: Automated unused access detection enforces minimum permissions
βœ… Access Right Removal: Systematic removal of unused credentials and permissions
βœ… Independent Validation: External auditor provides independent human review annually

Alignment with ISO 27001:2022 Guidance: Annex A.9.2.5 requires "regular reviews" of access rights but does not mandate separate reviewer. The standard allows for "automated tools" to support access reviews. Single-person operations achieve control objectives through automated analysis tools (IAM Access Analyzer) providing machine-based independence + external auditor validation rather than dedicated security team review.

Superiority of Automated Approach: AWS IAM Access Analyzer provides continuous real-time monitoring superior to quarterly human review. Machine analysis detects unused access, excessive permissions, and policy violations more consistently and comprehensively than manual review.

Risk Acceptance

Risk Description: Single-person access administration increases risk of self-review bias and excessive permissions compared to independent security team review. CEO may not detect own errors in access grants or recognize privilege creep.

See πŸ“‰ Risk Register for current risk assessment, likelihood/impact scoring, and treatment status.

Compensating Controls Summary:

  • Automated superiority: AWS IAM Access Analyzer continuous monitoring exceeds quarterly human review effectiveness
  • Machine independence: Automated tool provides independent validation without human bias
  • Limited scope: Single-user environment (CEO) has minimal access control complexity
  • External validation: Annual auditor review provides independent human oversight
  • Complete audit trail: CloudTrail + GitHub logs enable retrospective forensic review

Monitoring & Review:

  • Real-Time: AWS IAM Access Analyzer findings reviewed immediately when triggered
  • Quarterly: CEO comprehensive access review using IAM Access Analyzer findings dashboard
  • Annual: External auditor validates access control effectiveness and compensating controls

🚨 Break-Glass Emergency Access Procedure

πŸ“‹ Emergency Access Protocol

When normal access methods fail during critical incidents, the break-glass procedure provides documented emergency access:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#D32F2F',
      'primaryTextColor': '#b71c1c',
      'lineColor': '#D32F2F',
      'secondaryColor': '#FF9800',
      'tertiaryColor': '#4CAF50'
    }
  }
}%%
flowchart TD
    subgraph Trigger["🚨 Emergency Trigger"]
        INCIDENT[Critical Incident<br/>Normal Access Failed]
        ASSESS[Assess Urgency<br/>Business Impact]
    end
    
    subgraph BreakGlass["πŸ”“ Break-Glass Activation"]
        ROOT[AWS Root Account<br/>Recovery Email Access]
        BACKUP[Backup Authentication<br/>Recovery Codes]
        HARDWARE[Hardware Token<br/>Physical Recovery]
    end
    
    subgraph Controls["πŸ›‘οΈ Compensating Controls"]
        LOG[Immediate Logging<br/>Incident Documentation]
        NOTIFY[Stakeholder Notification<br/>Within 1 Hour]
        REVIEW[Post-Incident Review<br/>Within 24 Hours]
    end
    
    subgraph Restore["πŸ”„ Access Restoration"]
        REVOKE[Revoke Emergency Access<br/>Immediately After Resolution]
        ROTATE[Rotate All Credentials<br/>Used During Emergency]
        AUDIT[Full Access Audit<br/>Within 48 Hours]
    end
    
    INCIDENT --> ASSESS
    ASSESS --> ROOT
    ASSESS --> BACKUP
    ASSESS --> HARDWARE
    
    ROOT --> LOG
    BACKUP --> LOG
    HARDWARE --> LOG
    
    LOG --> NOTIFY
    NOTIFY --> REVIEW
    
    REVIEW --> REVOKE
    REVOKE --> ROTATE
    ROTATE --> AUDIT
    
    style Trigger fill:#D32F2F
    style BreakGlass fill:#FF9800
    style Controls fill:#1565C0
    style Restore fill:#4CAF50

πŸ” Break-Glass Credentials Storage

Credential TypeStorage LocationAccess MethodRecovery Time
AWS Root Account RecoveryCEO personal email (MFA-protected)Email + phone recovery<15 minutes
AWS Root MFA Backup CodesEncrypted USB (fireproof safe)Physical access required<30 minutes
GitHub Personal Access TokenAWS Secrets Manager (backup: encrypted local)CLI recovery<10 minutes
Identity Provider RecoveryBackup email + SMSMulti-channel recovery<15 minutes
Banking Recovery CodesPhysical secure storage (bank safe deposit)In-person retrieval4-24 hours

πŸ“Š Break-Glass Usage Requirements

  1. Pre-Activation Checklist:

    • Confirm normal access methods exhausted
    • Document business justification for emergency access
    • Assess incident severity (Critical/High/Medium)
    • Notify relevant stakeholders if time permits
  2. During Emergency Access:

    • Log all actions taken with timestamps
    • Use minimum necessary permissions
    • Complete only essential tasks for incident resolution
    • Maintain communication with any affected parties
  3. Post-Emergency Requirements:

    • Revoke emergency credentials within 1 hour of resolution
    • Rotate all credentials accessed during emergency
    • Complete incident documentation within 24 hours
    • Conduct root cause analysis for access failure
    • Update procedures if systemic issue identified

πŸ”„ Account Lifecycle Management

πŸ“‹ Account Provisioning Procedure

ISO 27001:2022 Controls: A.5.16 (Identity Management), A.5.17 (Authentication Information)

PhaseActivitiesResponsibleTimelineEvidence
RequestDocument access need, business justificationRequester (CEO)Day 0Access request log
ApprovalVerify business need, least privilege assessmentApprover (CEO)Day 0Approval record
ProvisioningCreate account, configure MFA, assign permissionsAdministrator (CEO)Day 0-1Account creation log
ValidationVerify access works correctly, confirm MFA activeUser (CEO)Day 1MFA enrollment confirmation
DocumentationUpdate Asset Register, access matrixAdministrator (CEO)Day 1Asset Register entry
ReviewQuarterly access appropriateness reviewAdministrator (CEO)QuarterlyReview completion record
TerminationRemove access when no longer neededAdministrator (CEO)As neededDeprovisioning log

πŸ”‘ Access Request Log Template

For each new account or permission change:

Access Request Record
=====================
Request Date: YYYY-MM-DD
Request ID: AR-YYYY-NNN

Requester: [Name/Role]
System/Service: [Target system]
Access Level Requested: [Permission level]
Business Justification: [Why access is needed]

Approval Decision: [ ] Approved / [ ] Denied
Approved By: [CEO signature/date]
Provisioning Date: YYYY-MM-DD
MFA Configured: [ ] Yes / [ ] N/A

Next Review Date: YYYY-MM-DD

πŸ“Š Account Status Categories

StatusDefinitionAction RequiredReview Frequency
ActiveAccount in regular use, MFA enabledStandard monitoringQuarterly
DormantNo activity in 60+ daysVerify continued needWithin 30 days
SuspendedTemporarily disabled pending reviewInvestigate and resolveWithin 7 days
TerminatedPermanently deactivatedArchive audit logsN/A
ServiceNon-human automated accountMonitor for abuseMonthly

πŸ€– Service Account Management

πŸ“‹ Service Account Inventory

ISO 27001:2022 Control: A.5.18 (Access Rights)

Service Account TypePurposePermission ScopeKey RotationMonitoring
GitHub ActionsCI/CD pipeline automationRepository secrets, deployments90 days (via AWS OIDC)Workflow run logs
AWS IAM RolesService-to-service authenticationLeast privilege per serviceAutomatic (STS)CloudTrail
Maven CentralArtifact publishingPublish to group ID365 days (GPG key)Release logs
External API KeysThird-party integrationsAPI-specific scope90-180 daysAPI usage logs

πŸ” Service Account Security Requirements

  1. No Long-Lived Credentials: Prefer OIDC federation, IAM roles, or short-lived tokens
  2. Least Privilege: Grant minimum permissions for specific automation task
  3. No Shared Secrets: Each service/workflow gets unique credentials
  4. Rotation Schedule: Maximum 90 days for API keys, automatic for IAM roles
  5. Audit Logging: All service account actions logged to CloudTrail/audit system
  6. Alerting: Unusual activity triggers immediate notification

πŸ”„ Service Account Lifecycle

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#4CAF50',
      'primaryTextColor': '#2E7D32',
      'lineColor': '#4CAF50',
      'secondaryColor': '#1565C0',
      'tertiaryColor': '#FF9800'
    }
  }
}%%
flowchart LR
    subgraph Create["πŸ†• Creation"]
        REQ[Service Request<br/>Business Justification]
        SCOPE[Define Scope<br/>Least Privilege]
        PROV[Provision Account<br/>Configure Logging]
    end
    
    subgraph Maintain["πŸ”§ Maintenance"]
        ROTATE[Key Rotation<br/>Scheduled/Automatic]
        MONITOR[Usage Monitoring<br/>Anomaly Detection]
        REVIEW[Quarterly Review<br/>Permission Audit]
    end
    
    subgraph Retire["πŸ—‘οΈ Retirement"]
        DEPRECATE[Mark Deprecated<br/>30-Day Notice]
        DISABLE[Disable Account<br/>Test Impact]
        DELETE[Delete & Archive<br/>Retain Logs 7 Years]
    end
    
    REQ --> SCOPE --> PROV
    PROV --> ROTATE --> MONITOR --> REVIEW
    REVIEW --> DEPRECATE --> DISABLE --> DELETE
    
    style Create fill:#4CAF50
    style Maintain fill:#1565C0
    style Retire fill:#D32F2F

πŸ” Privileged Access Management (PAM)

πŸ“‹ Privileged Account Categories

ISO 27001:2022 Control: A.8.2 (Privileged Access Rights)

Privilege LevelAccess ScopeUse CasesSession ControlsMonitoring Level
Root/Super AdminFull system controlBreak-glass only1 hour max, full loggingReal-time + alerts
Organization AdminAWS Organization managementAccount creation, SCPs4 hours max, CloudTrailReal-time
Account AdminIndividual AWS account adminResource management4 hours max, CloudTrailContinuous
Power UserElevated development accessTesting, deployment8 hours max, standard logsDaily review
Standard UserNormal operational accessDaily operations24 hours max, standard logsWeekly review

πŸ”’ Just-In-Time (JIT) Privileged Access

For elevated access beyond standard permissions:

  1. Request Phase:

    • Document specific task requiring elevated access
    • Define minimum permissions needed
    • Specify time window (maximum 4 hours)
  2. Activation Phase:

    • Enable temporary IAM role or permission set
    • Start session recording (CloudTrail enhanced)
    • Set automatic expiration timer
  3. Execution Phase:

    • Perform only documented activities
    • Log all actions taken
    • Complete task within time window
  4. Deactivation Phase:

    • Revoke elevated permissions (automatic or manual)
    • Review session logs for anomalies
    • Document completion and any issues

πŸ“Š Privileged Access Metrics

MetricTargetAlert ThresholdResponse
Root Account Usage0 per month (except break-glass)>1 per monthImmediate investigation
Admin Session Duration<2 hours average>4 hoursReview session purpose
Elevated Access Requests<10 per month>20 per monthReview access model
Failed Privileged Logins0>0Immediate investigation

πŸ“‹ Access Termination Checklist

πŸ—‘οΈ Account Deprovisioning Procedure

Trigger Events:

  • Employee departure (N/A for single-person, but documented for future scaling)
  • Role change requiring access modification
  • System/service retirement
  • Security incident requiring immediate access revocation
  • Contract termination (for any future contractors)

βœ… Access Termination Checklist

Immediate Actions (Within 1 Hour of Trigger):

  • Disable primary identity provider account
  • Revoke active sessions across all SSO-integrated systems
  • Disable AWS IAM Identity Center access
  • Revoke GitHub organization access
  • Change shared credentials (if any exist)

Same-Day Actions (Within 24 Hours):

  • Remove from email distribution lists
  • Revoke access to financial systems (banking, accounting)
  • Disable marketing platform access
  • Revoke API keys and access tokens
  • Remove from any collaboration tools

Follow-Up Actions (Within 7 Days):

  • Audit all access logs for terminated account
  • Verify no residual access permissions remain
  • Transfer ownership of any shared resources
  • Archive account audit history
  • Update Asset Register to reflect deprovisioning
  • Document termination in access control log

πŸ“Š Termination Verification

After access termination, verify complete removal:

Verification CheckMethodTimelineEvidence
No Active SessionsSession management consoleImmediateScreenshot/log
No IAM PermissionsAWS IAM Access AnalyzerWithin 24 hoursAnalyzer report
No GitHub AccessOrganization audit logWithin 24 hoursAudit export
No API AccessAttempt authenticationWithin 48 hoursFailure confirmation
Access Log ReviewCloudTrail/audit analysisWithin 7 daysAnalysis report

Access Control Performance Metrics

Single-Person Access Administration Effectiveness:

MetricTargetCurrent PerformanceStatus
MFA Coverage100%100% (all critical systems)βœ… Exceeds
Unused Access0 credentials unused >90 days0 (IAM Analyzer monitoring)βœ… On target
External Access0 unauthorized external shares0 (IAM Analyzer alerts)βœ… On target
Excessive Permissions<5 findings per quarterN/A (monitored continuously)βœ… Monitored
Access Review Completion100% quarterly100% (systematic process)βœ… Compliant
Annual Audit Pass Rate100% (no major findings)Planned Q2 2026⏳ Scheduled

Business Value Demonstration: Single-person access control with automated tool validation demonstrates:

  • πŸ† Competitive Advantage: Modern cloud-native access management showcasing automation expertise
  • 🀝 Customer Trust: Automated continuous monitoring provides superior assurance vs manual quarterly review
  • πŸ’° Cost Efficiency: IAM Access Analyzer + external audit = €2K/year vs dedicated security team €80K+/year
  • πŸ”„ Operational Excellence: Real-time automated validation vs delayed quarterly human review
  • πŸ’‘ Innovation Enablement: Streamlined access management enables rapid experimentation
  • πŸ›‘οΈ Risk Reduction: Continuous machine monitoring detects issues faster than periodic human review

🎯 Strategic & Governance

πŸ”‘ Access & Identity Policies

πŸ’» Asset & Operations

πŸ”„ Continuity & Response


πŸ“‹ Document Control:
βœ… Approved by: James Pether SΓΆrling, CEO
πŸ“€ Distribution: Public
🏷️ Classification: Confidentiality: Public
πŸ“… Effective Date: 2026-01-25
⏰ Next Review: 2026-07-25
🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls