Problem Statement
How would you design privileged access management for admins and service accounts?
Explanation
Separate human admin access from service identities. Use just-in-time elevation with approval, session recording, and command-level auditing. Rotate secrets automatically, prefer short-lived credentials, and lock high-risk actions behind step-up multi-factor. For services, use managed identities with scoping and time-boxed tokens over long-lived keys. Monitor admin sessions closely and alert on unusual source locations or off-hours activity. Map controls to assurance levels similar to those in national guidelines for authentication strength to avoid oversights.
Code Solution
SolutionRead Only
Example: Admin requests elevation → PAM broker issues time-boxed role → session proxied and recorded; auto-revoke on logout
