AM-18 Access Management

Cloud IAM / Console (GCP)

Cloud identities follow least privilege with guardrails.

Domain: Access Management
Control type: Preventive/Detective
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS TRM – Cloud; CSA CCM

What good looks like

IAM avoids primitive roles; org-policy guardrails and SCC constrain mis-permissioning; SA keys restricted.

Risk if it fails

Cloud account compromise with wide blast radius.

How Tess tests it

5 tests — each concludes only on cited evidence.

IAM standard avoids primitive roles

Design

Procedure: Inspect the IAM standard.
Expected: Predefined/custom roles preferred.
Sample: 1 (design inspection)
Evidence: IAM policy export, org-policy config, SCC report.

No over-permissioned principals at prod

Operating

Procedure: Review IAM bindings.
Expected: Primitive roles (Owner/Editor) minimal/justified.
Sample: 25 (or full config inspection)
Evidence: IAM policy export, org-policy config, SCC report.

Org-policy guardrails active

Operating

Procedure: Inspect org policies.
Expected: Key constraints enforced.
Sample: 25 (or full config inspection)
Evidence: IAM policy export, org-policy config, SCC report.

SCC high-risk findings triaged

Operating

Procedure: Inspect Security Command Centre.
Expected: Remediated or risk-accepted with rationale.
Sample: 25 (or full config inspection)
Evidence: IAM policy export, org-policy config, SCC report.

Service-account keys restricted/rotated

Operating

Procedure: Inspect SA key usage.
Expected: Minimised, with rotation/expiry.
Sample: 25 (or full config inspection)
Evidence: IAM policy export, org-policy config, SCC report.

Evidence Tess looks for

IAM policy export, org-policy config, SCC report.

More in Access Management

AM-01 IT Organisation & Segregation AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO

Want Tess to test AM-18 against your evidence?