186 – Use the principle of least privilege

Summary

The principle of least privilege must be applied when creating new objects and roles, setting access permissions, and accessing other systems.

Description

Systems should have a set of roles with different levels of privilege to access resources. Users and applications should always have a role with the minimum level of privilege required to execute their functions. A violation of this may become a new vulnerability or leverage for causing a greater impact when exploiting other vulnerabilities.

Supported In

Essential: True

Advanced: True

References

• CAPEC-17. Using malicious files
• CAPEC-23. File content injection
• CAPEC-27. Leveraging race conditions via symbolic links
• CAPEC-35. Leverage executable code in non-executable files
• CAPEC-122. Privilege abuse
• CAPEC-153. Input data manipulation
• CAPEC-176. Configuration/Environment manipulation
• CAPEC-233. Privilege escalation
• CIS-2_7. Allowlist authorized scripts
• CWE-250. Execution with unnecessary privileges
• CWE-269. Improper privilege management
• CWE-272. Least privilege violation
• CWE-276. Incorrect default permissions
• CWE-732. Incorrect permission assignment for critical resource
• NIST80053-AC-6. Least privilege
• OWASP10-A1. Broken access control
• SOC2-CC6_3. Logical and physical access controls
• SOC2-P1_1. Additional criteria for privacy (related to notice and communication of objectives related to privacy)
• CERTJ-FIO01-J. Create files with appropriate access permissions
• MITRE-M1056. Pre-compromise
• PADSS-3_4. Limit access to required functions/resources and enforce least privilege for built-in accounts
• PADSS-5_2_8. Improper access controls
• CMMC-AC_L2-3_1_5. Least privilege
• CMMC-CM_L2-3_4_6. Least functionality
• HITRUST-09_c. Segregation of duties
• FEDRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
• IEC62443-RA-7_7. Least functionality
• WASC-W_17. Improper filesystem permissions
• OWASPRISKS-P2. Operator-sided data leakage
• OWASPSCP-5. Access control
• OWASPSCP-8. Data protection
• OWASPSCP-10. System configuration
• BSAFSS-AA_1-1. Principle of least privilege
• NIST800171-1_5. Employ the principle of least privilege, including for specific security functions and privileged accounts
• NIST800171-4_6. Employ the principle of least functionality and provide only essential capabilities
• SWIFTCSC-5_1. Logical access control
• ASVS-1_2_1. Authentication architecture
• ASVS-4_1_3. General access control design
• C2M2-9_2_e. Implement network protections for cybersecurity architecture
• C2M2-9_3_c. Implement IT and OT asset security for cybersecurity architecture
• PCI-7_2_5. Access to system components and data is defined and assigned
• SIGLITE-SL_148. Is there a process that requires security approval to allow external networks to connect to the company network, and enforces the least privilege necessary?
• SIG-H_1_2. Access control
• SIG-U_1_2_2. Server security
• ASVS-1_2_2. Authentication architecture
• CASA-1_2_2. Authentication Architecture
• CASA-4_1_3. General Access Control Design
• CASA-4_3_3. Other Access Control Considerations
• RESOLSB-Art_27_18. Security in Electronic Channels
• FISMA-AC-6. Least privilege
• NIST-PR_AA-05. Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
• OWASPLLM-LLM06:2025. Excessive Agency

Weaknesses

• 101 – Lack of protection against deletion
• 159 – Excessive privileges
• 160 – Excessive privileges - Temporary Files
• 256 – Lack of protection against deletion - RDS
• 257 – Lack of protection against deletion - EC2
• 258 – Lack of protection against deletion - ELB
• 259 – Lack of protection against deletion - DynamoDB
• 266 – Excessive Privileges - Docker
• 267 – Excessive Privileges - Kubernetes
• 325 – Excessive privileges - Wildcards
• 346 – Excessive privileges - Mobile App
• 412 – Lack of protection against deletion - Azure Key Vault
• 415 – Insecure service configuration - Container level access policy
• 430 – Serverless - one dedicated IAM role per function
• 455 – Excessive LLM agency
• 031 – Excessive privileges - AWS

Last updated

2024/03/05