Summary

The principle of least privilege must be applied when creating new objects and roles, setting access permissions, and accessing other systems.

Description

Systems should have a set of roles with different levels of privilege to access resources. Users and applications should always have a role with the minimum level of privilege required to execute their functions. A violation of this may become a new vulnerability or leverage for causing a greater impact when exploiting other vulnerabilities.

References

• CAPEC-17. Using malicious files
• CAPEC-23. File content injection
• CAPEC-27. Leveraging race conditions via symbolic links
• CAPEC-35. Leverage executable code in non-executable files
• CAPEC-122. Privilege abuse
• CAPEC-153. Input data manipulation
• CAPEC-176. Configuration/Environment manipulation
• CAPEC-233. Privilege escalation
• CIS-2_7. Allowlist authorized scripts
• CWE-250. Execution with unnecessary privileges
• CWE-269. Improper privilege management
• CWE-272. Least privilege violation
• CWE-276. Incorrect default permissions
• CWE-732. Incorrect permission assignment for critical resource
• NIST80053-AC-6. Least privilege
• OWASP10-A1. Broken access control
• SOC2-CC6_3. Logical and physical access controls
• SOC2-P1_1. Additional criteria for privacy (related to notice and communication of objectives related to privacy)
• CERTJ-FIO01-J. Create files with appropriate access permissions
• MITRE-M1056. Pre-compromise
• PADSS-3_4. Limit access to required functions/resources and enforce least privilege for built-in accounts
• PADSS-5_2_8. Improper access controls
• CMMC-AC_L2-3_1_5. Least privilege
• CMMC-CM_L2-3_4_6. Least functionality
• HITRUST-09_c. Segregation of duties
• FEDRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
• IEC62443-RA-7_7. Least functionality
• WASC-W_17. Improper filesystem permissions
• OWASPRISKS-P2. Operator-sided data leakage
• OWASPSCP-5. Access control
• OWASPSCP-8. Data protection
• OWASPSCP-10. System configuration
• BSAFSS-AA_1-1. Principle of least privilege
• NIST800171-1_5. Employ the principle of least privilege, including for specific security functions and privileged accounts
• NIST800171-4_6. Employ the principle of least functionality and provide only essential capabilities
• SWIFTCSC-5_1. Logical access control
• ASVS-1_2_1. Authentication architecture
• ASVS-4_1_3. General access control design
• C2M2-9_2_e. Implement network protections for cybersecurity architecture
• C2M2-9_3_c. Implement IT and OT asset security for cybersecurity architecture
• PCI-7_2_5. Access to system components and data is defined and assigned
• SIGLITE-SL_148. Is there a process that requires security approval to allow external networks to connect to the company network, and enforces the least privilege necessary?
• SIG-H_1_2. Access control
• SIG-U_1_2_2. Server security
• ASVS-1_2_2. Authentication architecture
• CASA-1_2_2. Authentication Architecture
• CASA-4_1_3. General Access Control Design
• CASA-4_3_3. Other Access Control Considerations
• RESOLSB-Art_27_18. Security in Electronic Channels
• FISMA-AC-6. Least privilege
• NIST-PR_AA-05. Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
• OWASPLLM-LLM06:2025. Excessive Agency

Weaknesses

• 031. Excessive privileges - AWS
• 101. Lack of protection against deletion
• 159. Excessive privileges
• 160. Excessive privileges - Temporary Files
• 256. Lack of protection against deletion - RDS
• 257. Lack of protection against deletion - EC2
• 258. Lack of protection against deletion - ELB
• 259. Lack of protection against deletion - DynamoDB
• 266. Excessive Privileges - Docker
• 267. Excessive Privileges - Kubernetes
• 325. Excessive privileges - Wildcards
• 346. Excessive privileges - Mobile App
• 412. Lack of protection against deletion - Azure Key Vault
• 415. Insecure service configuration - Container level access policy
• 430. Serverless - one dedicated IAM role per function
• 455. Excessive LLM agency