PAM Standard (PR.AA)
Overview
Draft and validate a Privileged Access Management (PAM) standard aligned to NIST CSF 2.0 PR.AA (Identity Management, Authentication, and Access Control). The skill helps define Just-in-Time (JIT) and least-privilege rules for administrative accounts, formal approval workflows for break-glass and root access, and separation-of-duty (SoD) boundaries for AWS, Azure, and on-premises. A built-in validation tool ensures the standard explicitly requires MFA for 100% of privileged sessions per NIST CSF 2.0 Protect before you finalize it.
Example Conversation
You: We need a PAM standard for our AWS and Azure environment. We want JIT, break-glass rules, and SoD boundaries. Can you draft it and validate that MFA is required for all privileged sessions?
Agent: I’ll use the PAM Standard skill. I’ll run iam_role_definer with platforms AWS and Azure to get SoD boundaries and break-glass guidance, then draft the standard from the template and run privileged_account_audit_logic to ensure the MFA requirement is explicit.
Agent: (Runs iam_role_definer with platforms ["AWS","Azure"].) Here are the suggested SoD boundaries and break-glass/JIT notes for AWS and Azure. I’ll create pam-standard.md from the template and fill in the scope, definitions, and section 5 (SoD) using this output…
Agent: Draft is ready. Running privileged_account_audit_logic on the PAM standard…
Agent: Result of privileged_account_audit_logic:
— PRIVILEGED ACCOUNT AUDIT (MFA) —
Result: PASS
Document: pam-standard.md
Mandatory MFA requirement: found.
Coverage of all privileged sessions: explicit (100% / all privileged).
PAM standard meets NIST CSF 2.0 Protect requirement for MFA on privileged sessions.
The standard is ready for review. I’ve included the AWS and Azure SoD boundaries and break-glass rules from the tool output.
Output Excerpt
After the agent drafts the PAM standard and the MFA audit passes, the document includes scope, definitions, an explicit MFA-for-100%-privileged requirement, JIT, SoD, and break-glass. Excerpt:
# Privileged Access Management (PAM) Standard
**Framework**: NIST Cybersecurity Framework 2.0 — PR.AA
## 2. Definitions
- **Privileged access**: Access that can modify security settings, grant/revoke access, or change critical configuration (e.g. root, Domain Admin, subscription Owner, IAM admin).
- **Just-in-time (JIT)**: Time-bound elevation of privilege; no standing privileged access for routine tasks.
- **Break-glass**: Documented emergency access used only when normal channels are unavailable; subject to alerting and review.
- **Separation of duties (SoD)**: No single role can both perform and approve the same sensitive action.
## 3. Authentication for privileged sessions
**[Organization] must require multi-factor authentication (MFA) for 100% of privileged sessions.** There are no exceptions for routine administrative access. Break-glass access must use MFA where technically feasible; where not (e.g. legacy system), compensating controls (session recording, maximum duration, immediate review) must be documented and approved.
- All privileged logins and role activations must use MFA (hardware or software token, or equivalent strong authentication).
- Session duration for privileged access must not exceed 4 hours for cloud and 8 hours for on-prem unless a documented exception exists.
## 5. Separation of duties (SoD)
**AWS:** Root account: no routine use; MFA + break-glass only. IAM roles: separate roles for billing, security audit, support (no single role with both security and app-admin). IAM Identity Center: map permission sets to SoD; time-bound session duration.
**Azure:** Subscription/MG: separate roles for Owner vs. User Access Administrator vs. Contributor. PIM: eligible assignments only; active duration ≤8h; justification required for activation. Privileged Role Admin only for break-glass.
The validation script passes when the document contains both mandatory MFA language and explicit coverage of all privileged sessions (e.g. “100% of privileged sessions” or “all privileged … must use MFA”).
Extension Tools and Validations
The skill includes two extension tools: one to suggest SoD boundaries by platform, and one to validate that the PAM standard requires MFA for all privileged sessions.
iam_role_definer suggests separation-of-duty boundaries and role design for privileged access based on the organization’s technical stack:
- Input — platforms: array of one or more of "AWS", "Azure", "On-prem".
- Output — For each platform: SoD boundaries (e.g. root vs. IAM roles, PIM eligible vs. active, Domain Admin vs. local admin), break-glass guidance (MFA, session duration, alerting, review), and JIT notes (temporary credentials, PIM activation, time-bound elevation).
- Use — Run when drafting or updating the role-definition and SoD sections of the PAM standard so they align with AWS, Azure, and/or on-prem patterns.
privileged_account_audit_logic validates that the PAM standard document explicitly requires MFA for 100% of privileged sessions (NIST CSF 2.0 Protect):
| Check | What it looks for | Pass condition |
|---|---|---|
| Mandatory MFA | Phrases that require MFA (or multi-factor / two-factor / strong authentication) with “must”, “shall”, or “is required” in the same sentence or nearby. | At least one such phrase found in the document. |
| Coverage of all privileged | Explicit scope over all privileged sessions: e.g. “100% of privileged sessions”, “all privileged … must use MFA”, or mandatory MFA language in a privileged-access section. | Document states that all (or 100% of) privileged sessions/access/logins require MFA. |
| Result | PASS only when both mandatory MFA and full privileged-session coverage are present. | FAIL if either is missing; the report suggests adding or strengthening language so the standard requires MFA for 100% of privileged sessions. |
Run privileged_account_audit_logic after drafting or editing the PAM standard and before finalizing; iterate until the report shows PASS.
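As an added illustration of the two checks in the table (example code written here, not the skill's own privileged_account_audit_logic implementation), the following Python audit applies the same mandatory-MFA and full-coverage tests to a markdown PAM standard and reports PASS only when both hold. The regex vocabulary and the two sample documents are assumptions made for this example.

```python
import re

# Vocabulary mirrors the checks in the table above; the exact patterns are
# assumptions for this example, not the tool's own source.
MFA_TERM = re.compile(r"\bmfa\b|multi-?factor|two-factor|strong authentication", re.I)
MANDATE = re.compile(r"\b(must|shall|is required|are required)\b", re.I)
COVERAGE = re.compile(r"100\s*%\s*of\s+privileged|\ball\s+privileged\b", re.I)

def sentences_with_section(doc):
    """Yield (heading, sentence) pairs; headings are markdown '#' lines."""
    heading = ""
    for line in doc.splitlines():
        text = line.strip().replace("**", "")  # drop bold markers
        if text.startswith("#"):
            heading = text.lstrip("#").strip()
        elif text:
            for sentence in re.split(r"(?<=[.;:])\s+", text):
                yield heading, sentence

def audit_pam_standard(doc):
    """Apply the two checks; PASS only when both hold."""
    mandatory = coverage = False
    for heading, sentence in sentences_with_section(doc):
        if not MFA_TERM.search(sentence):
            continue
        if MANDATE.search(sentence):
            mandatory = True
            # a mandate inside a privileged-access section counts as full coverage
            coverage = coverage or "privileged" in heading.lower()
        coverage = coverage or bool(COVERAGE.search(sentence))
    suggestions = []
    if not mandatory:
        suggestions.append('Add mandatory language, e.g. "... must require MFA ...".')
    if not coverage:
        suggestions.append('State the scope explicitly: "100% of privileged sessions".')
    return {"mandatory_mfa": mandatory, "full_coverage": coverage,
            "result": "PASS" if mandatory and coverage else "FAIL",
            "suggestions": suggestions}

# Constructed sample documents for this example (not the page's template).
PASSING_DOC = """## 3. Authentication for privileged sessions
**[Organization] must require multi-factor authentication (MFA) for 100% of privileged sessions.**
"""
PARTIAL_DOC = """## 4. Remote access
VPN users must use MFA. All privileged sessions are logged for review.
"""

if __name__ == "__main__":
    for name, doc in (("passing", PASSING_DOC), ("partial", PARTIAL_DOC)):
        print(name, audit_pam_standard(doc))
```

The partial document fails because its MFA mandate is scoped to VPN users, not to privileged sessions, which is exactly the gap the coverage check exists to catch.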
Getting Started
Add your technical stack (AWS, Azure, on-prem) and any existing PAM or IAM docs to the project workspace, then activate the PAM Standard (PR.AA) skill. Run iam_role_definer with your platforms to get SoD and break-glass suggestions, draft the standard from the template, and run privileged_account_audit_logic until the MFA requirement passes before sending the document for review.