Section 11 · Deployment & Operations

Access Control

Verify access control model with tiered permissions, minimal production access, and security requirements for access holders

3 items 3 critical

This guide walks you through auditing a project's access control model, ensuring production access is minimal, tiered appropriately, and that access holders meet security requirements.

The Goal: Least Privilege, Verified

Production access is a liability. Every person with access is a potential attack vector, compliance risk, and operational burden. The goal is minimal, justified, secure access with clear accountability.

  • Tiered — Separate access lists for production, staging, and development with documented approval chains
  • Minimal — Production access granted only with clear justification; fewer people means smaller blast radius
  • Verified — Every production access holder meets security requirements: device encryption, MFA, endpoint protection
  • Reviewed — Periodic access audits with clear ownership ensure access stays minimal over time

Before You Start

  1. Confirm you have access to cloud IAM (GCP, AWS, or Azure)
  2. Know the project IDs for production, staging, and dev environments
  3. Have gh CLI authenticated for repository access checks
  4. Identify who manages access control for the organization

Tiered Access

ACCESS-001
Tiered access model documented and approved critical

“Who approved your current prod access list?”

Production Access

ACCESS-002
Production access is minimal critical

“How many people can query your prod database right now?”

Security Requirements

ACCESS-003
Production access holders meet security requirements critical

“Is everyone with prod access actually using MFA?”
← Previous section

Deployments

4 items

 Next section →

Monitoring

6 items