ACCESS-002 critical Production Access

Production access is minimal

Question to ask

"How many people can query your prod database right now?"

What to check

  • Count production log access (target 1-2 people)
  • Count production database access
  • Count production infrastructure access
  • Verify justification for each access holder

Pass criteria

  • Production log access limited to 1-2 people
  • Production DB access limited to essential personnel
  • Each person with prod access has documented justification
  • No broad "everyone has prod access" patterns

Fail criteria

  • More than 2-3 people with prod log access
  • Broad prod DB access (entire team)
  • No justification for who has access
  • Service accounts with unnecessary prod access

Verification guide

Severity: Critical

Check automatically:

  1. Count production log access:

    # GCP - who can view logs?
    # Note: the basic roles (roles/owner, roles/editor, roles/viewer) and
    # roles/logging.privateLogViewer also grant log viewing and are not
    # matched here, so treat this count as a lower bound.
    gcloud projects get-iam-policy PROJECT_ID --format=json | jq '[.bindings[] | select(.role | test("logging.viewer|logging.admin"; "i")) | .members[]] | unique | length'

    # AWS CloudWatch - which customer-managed policies grant logs access?
    # (lists the policies; the principals they are attached to still need to be counted)
    aws iam get-account-authorization-details --filter LocalManagedPolicy | jq '.Policies[] | select(.PolicyName | test("CloudWatch|Logs"; "i"))'

  2. Count production database access:

    # GCP Cloud SQL - which networks can reach the instance?
    # (network-level allow list, not a per-person count)
    gcloud sql instances describe INSTANCE_NAME --format=json | jq '.settings.ipConfiguration.authorizedNetworks'

    # Count DB users with login access
    # (ask user to run if no direct access)

  3. Count production infrastructure access:

    # GCP - owners/editors (should be minimal)
    # Anchored regex so that roles such as roles/cloudsql.editor are not counted
    gcloud projects get-iam-policy PROJECT_ID --format=json | jq '[.bindings[] | select(.role | test("^roles/(owner|editor)$")) | .members[]] | unique'

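The three automatic checks above all read the same project IAM policy. The following script is an added example (not part of this checklist and not a gcloud or jq command from it) that consumes the JSON output of gcloud projects get-iam-policy PROJECT_ID --format=json and applies the pass/fail thresholds of this control: it counts the people who can view logs (including the basic roles that the jq regex above misses), lists owner/editor holders, separates service accounts from people, and flags broad grants (groups, domains, allUsers, allAuthenticatedUsers). The policy documents, member names and project are constructed for the example; the thresholds are the ones stated in this control.

```python
"""Evaluate a GCP project IAM policy against the ACCESS-002 thresholds.

Input is the JSON produced by:
    gcloud projects get-iam-policy PROJECT_ID --format=json
The policies below are constructed for this example.
"""
import json
from collections import defaultdict

# Roles that allow reading production logs. The basic roles (owner/editor/viewer)
# include log viewing, so matching only "logging.viewer" undercounts.
LOG_VIEW_ROLES = {
    "roles/logging.viewer",
    "roles/logging.privateLogViewer",
    "roles/logging.admin",
    "roles/owner",
    "roles/editor",
    "roles/viewer",
}

# Project-wide infrastructure control.
INFRA_ROLES = {"roles/owner", "roles/editor"}

# Principal types that stand for "everyone" or an unbounded set of people.
BROAD_PREFIXES = ("allUsers", "allAuthenticatedUsers", "domain:", "group:")

# Constructed sample: a project where the whole team has some form of log access.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "user:bob@example.com",
            "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": [
            "user:carol@example.com", "user:alice@example.com"]},
        {"role": "roles/logging.privateLogViewer", "members": ["user:dave@example.com"]},
        {"role": "roles/cloudsql.client", "members": ["user:erin@example.com"]},
    ],
    "etag": "constructed-etag",
    "version": 1,
})

# Constructed sample: a single owner and nothing else.
TIGHT_POLICY = json.dumps({
    "bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}],
    "etag": "constructed-etag",
    "version": 1,
})


def principals_with_roles(policy_json, roles):
    """Return the set of members bound directly to any role in `roles`."""
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in roles:
            members.update(binding.get("members", []))
    return members


def split_principals(members):
    """Bucket members into people, service accounts, broad grants and other."""
    buckets = defaultdict(set)
    for member in members:
        if member.startswith("user:"):
            buckets["humans"].add(member)
        elif member.startswith("serviceAccount:"):
            buckets["service_accounts"].add(member)
        elif member.startswith(BROAD_PREFIXES):
            buckets["broad"].add(member)
        else:
            buckets["other"].add(member)
    return buckets


def assess(policy_json, max_log_viewers=2):
    """Apply the ACCESS-002 pass/fail thresholds and return the findings."""
    logs = split_principals(principals_with_roles(policy_json, LOG_VIEW_ROLES))
    infra = split_principals(principals_with_roles(policy_json, INFRA_ROLES))
    findings = []
    if len(logs["humans"]) > max_log_viewers:
        findings.append(f"FAIL: {len(logs['humans'])} people can view prod logs "
                        f"(target {max_log_viewers})")
    if logs["broad"]:
        findings.append("FAIL: broad log access via " + ", ".join(sorted(logs["broad"])))
    if infra["broad"]:
        findings.append("FAIL: broad owner/editor grant via " + ", ".join(sorted(infra["broad"])))
    if infra["service_accounts"]:
        findings.append("REVIEW: service accounts holding owner/editor: "
                        + ", ".join(sorted(infra["service_accounts"])))
    return {
        "log_viewers": sorted(logs["humans"]),
        "infra_holders": sorted(infra["humans"]),
        "service_accounts_with_infra": sorted(infra["service_accounts"]),
        "status": "FAIL" if any(f.startswith("FAIL") for f in findings) else "PASS",
        "findings": findings,
    }


if __name__ == "__main__":
    import sys
    # Read a real policy from stdin when piped; otherwise evaluate the sample.
    data = SAMPLE_POLICY if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(assess(data), indent=2))
```

Usage: gcloud projects get-iam-policy PROJECT_ID --format=json | python3 access002.py. The script only sees direct project-level bindings: grants inherited from the folder or organization, group membership, and IAM conditions are not resolved, so a PASS here still needs the justification review in the evidence section, and any group: member in the log-viewer set is reported as a broad grant rather than expanded.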
If the CLI is not available, ask the user: "Please provide counts for the production environment:

  1. How many people can view production logs? (Target: 1-2)
  2. How many people can access production database? (Target: as few as possible)
  3. How many people have production infrastructure access (console, SSH, etc.)?

Provide names and their justification for having access."

Cross-reference with:

  • ACCESS-001 (Tiered access exists)
  • ACCESS-003 (Security requirements for prod access holders)

Pass criteria:

  • Production log access: 1-2 people
  • Production DB access: Limited to essential personnel only
  • Each person with prod access has documented justification
  • No "everyone has prod access" patterns

Fail criteria:

  • More than 2-3 people with prod log access
  • Broad prod DB access (entire team)
  • No justification for who has access
  • Service accounts with unnecessary prod access

Evidence to capture:

  • Number of people with prod log access
  • Number of people with prod DB access
  • Names of prod access holders
  • Justification for each (documented or provided by user)

Section

11. Access Control

Deployment & Operations