Finding AUD-2026-014 — Access Control Review

Observation: During review of the production AWS account, the audit team observed that 14 IAM users retained administrator-level permissions despite not requiring such access for their current role, based on a comparison against the documented least-privilege policy.

Risk: Excessive standing privileges increase the blast radius of a compromised credential and violate the principle of least privilege required under the organization's own access control policy (Section 4.2).

Recommendation: We recommend the organization implement role-based access control (RBAC) with periodic access reviews, and remove unnecessary administrator permissions within 30 days. This finding is rated Medium and should be tracked to remediation in the next audit cycle.

Question 1 of 5