Access Control System
Description
Access to system components and cardholder data must be controlled via a documented role-based access control (RBAC) system.
⚠️ Risk Impact
RBAC without defined roles = access management chaos. Each grant becomes a one-off decision; cumulative grants become unauditable. Auditors specifically test role-to-permission consistency.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Document role definitions per system. Map permissions to each role. Review roles and memberships quarterly. Federate access through the IdP. Avoid direct individual grants that bypass the role model.
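The remediation steps above amount to a check that every grant can be traced back to a documented role. The following is an added example (not EchelonGraph code, and not a real cloud API) that compares an exported grant list against a documented role-to-permission map and reports what an auditor would question: direct individual grants, and memberships in roles that are not documented. Role names, permissions and principals are constructed sample data.

```python
"""Flag access grants that are not tied to a documented role.

Constructed example: a documented role map (the control evidence) is compared
against an exported list of grants (what the IdP or IAM actually shows).
"""
from collections import defaultdict

# Documented role definitions for one system (constructed sample data).
ROLE_DEFINITIONS = {
    "cde-readonly": {"s3:GetObject", "kms:Decrypt"},
    "cde-operator": {"s3:GetObject", "s3:PutObject", "kms:Decrypt", "kms:Encrypt"},
}

# Exported grants as (principal, grant_type, role_name, direct_permissions).
# grant_type "role": principal is a member of a role; "direct": permissions
# were attached to the individual without going through a role.
SAMPLE_GRANTS = [
    ("alice", "role", "cde-readonly", None),
    ("bob", "role", "cde-operator", None),
    ("bob", "direct", None, {"iam:PassRole"}),
    ("carol", "role", "legacy-admin", None),  # role name not documented
    ("dave", "direct", None, {"s3:GetObject"}),  # could be covered by a role
]


def suggest_role(perms, role_definitions):
    """Return the narrowest documented role covering all perms, or None."""
    candidates = [(len(p), name) for name, p in role_definitions.items() if perms <= p]
    return min(candidates)[1] if candidates else None


def audit_grants(grants, role_definitions):
    """Return findings for grants that are not tied to a documented role."""
    findings = []
    for principal, kind, role_name, perms in grants:
        if kind == "direct":
            findings.append({
                "principal": principal,
                "issue": "direct-grant",
                "detail": sorted(perms),
                # Remediation hint: the role this grant should be replaced by.
                "suggested_role": suggest_role(perms, role_definitions),
            })
        elif role_name not in role_definitions:
            findings.append({
                "principal": principal,
                "issue": "undocumented-role",
                "detail": role_name,
                "suggested_role": None,
            })
    return findings


def effective_permissions(grants, role_definitions):
    """Per-principal union of permissions, so reviewers see cumulative access."""
    effective = defaultdict(set)
    for principal, kind, role_name, perms in grants:
        if kind == "role":
            effective[principal] |= role_definitions.get(role_name, set())
        else:
            effective[principal] |= perms
    return {p: sorted(v) for p, v in effective.items()}


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, ROLE_DEFINITIONS):
        print(finding)
    for principal, perms in effective_permissions(SAMPLE_GRANTS, ROLE_DEFINITIONS).items():
        print(principal, perms)
```

The `suggested_role` field is what turns a finding into a quarterly-review action: a direct grant whose permissions fit inside a documented role can be replaced by role membership, while one that fits no role (bob's `iam:PassRole`) signals either a missing role definition or a permission that should not exist.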
💀 Real-World Attack Scenario
A merchant's CDE access was managed via individual IAM grants accumulated over years. When a SOC analyst rotated off the team, nobody knew which permissions to revoke because no role definition existed. The analyst retained CDE access for 6 months after the team transfer and was eventually social-engineered into granting access to attackers.
💰 Cost of Non-Compliance
RBAC failures contribute to 41% of cloud breaches (Mandiant M-Trends 2024).
📋 Audit Questions
1. Role definitions documented?
2. Permissions-per-role mapped?
3. Quarterly review evidence?
4. Are grants always tied to roles, or are direct individual grants permitted?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Individual grants accumulate
- ⛔ Role definitions stale
- ⛔ Quarterly review skipped
📈 Business Value
Role-based access is foundational to scalable secure operations.
⏱️ Effort Estimate
Per-system RBAC design + quarterly review
EchelonGraph identifies grants not tied to documented roles
🔗 Cross-Framework References
Automate PCI DSS 7.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.