# PAM Standard (PR.AA)

> Draft and validate a Privileged Access Management standard aligned to NIST CSF 2.0 PR.AA. Defines JIT, least privilege, SoD boundaries, and break-glass workflow; ensures MFA for 100% of privileged sessions.

Tags: NIST CSF 2.0, PAM, Identity and Access, GRC, Privileged Access, Compliance

## Example Prompts

- Draft a PAM standard for our AWS and Azure environment with JIT and break-glass rules
- Define SoD boundaries for our technical stack and add them to the PAM standard
- Ensure our PAM standard requires MFA for all privileged sessions and validate it

URL: https://rakenne.app/skills/pam-standard/index.md

Try this skill: https://rakenne.app/a/?skill=pam-standard
## Overview

Draft and validate a **Privileged Access Management (PAM) standard** aligned to NIST CSF 2.0 PR.AA (Identity Management, Authentication, and Access Control). The skill helps define Just-in-Time (JIT) and least-privilege rules for administrative accounts, formal approval workflows for break-glass and root access, and separation-of-duty (SoD) boundaries for AWS, Azure, and on-premises. A built-in validation tool ensures the standard explicitly requires **MFA for 100% of privileged sessions** per NIST CSF 2.0 Protect before you finalize it.

## Example Conversation

> **You:** We need a PAM standard for our AWS and Azure environment. We want JIT, break-glass rules, and SoD boundaries. Can you draft it and validate that MFA is required for all privileged sessions?

> **Agent:** I'll use the PAM Standard skill. I'll run `iam_role_definer` with platforms AWS and Azure to get SoD boundaries and break-glass guidance, then draft the standard from the template and run `privileged_account_audit_logic` to ensure the MFA requirement is explicit.

> **Agent:** *(Runs `iam_role_definer` with platforms `["AWS","Azure"]`.)* Here are the suggested SoD boundaries and break-glass/JIT notes for AWS and Azure. I'll create `pam-standard.md` from the template and fill in the scope, definitions, and section 5 (SoD) using this output...

> **Agent:** Draft is ready. Running `privileged_account_audit_logic` on the PAM standard...

> **Agent:** Result of `privileged_account_audit_logic`:
>
> --- PRIVILEGED ACCOUNT AUDIT (MFA) ---
> Result: PASS
> Document: pam-standard.md
> Mandatory MFA requirement: found.
> Coverage of all privileged sessions: explicit (100% / all privileged).
> PAM standard meets NIST CSF 2.0 Protect requirement for MFA on privileged sessions.
>
> The standard is ready for review. I've included the AWS and Azure SoD boundaries and break-glass rules from the tool output.

## Output Excerpt

After the agent drafts the PAM standard and the MFA audit passes, the document includes scope, definitions, an explicit requirement for MFA on 100% of privileged sessions, JIT rules, SoD boundaries, and break-glass procedures. Excerpt:

```markdown
# Privileged Access Management (PAM) Standard

**Framework**: NIST Cybersecurity Framework 2.0 — PR.AA

## 2. Definitions

- **Privileged access**: Access that can modify security settings, grant/revoke access, or change critical configuration (e.g. root, Domain Admin, subscription Owner, IAM admin).
- **Just-in-time (JIT)**: Time-bound elevation of privilege; no standing privileged access for routine tasks.
- **Break-glass**: Documented emergency access used only when normal channels are unavailable; subject to alerting and review.
- **Separation of duties (SoD)**: No single role can both perform and approve the same sensitive action.

## 3. Authentication for privileged sessions

**[Organization] must require multi-factor authentication (MFA) for 100% of privileged sessions.** There are no exceptions for routine administrative access. Break-glass access must use MFA where technically feasible; where not (e.g. legacy system), compensating controls (session recording, maximum duration, immediate review) must be documented and approved.

- All privileged logins and role activations must use MFA (hardware or software token, or equivalent strong authentication).
- Session duration for privileged access must not exceed 4 hours for cloud and 8 hours for on-prem unless a documented exception exists.

## 5. Separation of duties (SoD)

**AWS:** Root account: no routine use; MFA + break-glass only. IAM roles: separate roles for billing, security audit, support (no single role with both security and app-admin). IAM Identity Center: map permission sets to SoD; time-bound session duration.

**Azure:** Subscription/MG: separate roles for Owner vs. User Access Administrator vs. Contributor. PIM: eligible assignments only; active duration ≤8h; justification required for activation. Privileged Role Admin only for break-glass.
```

The validation script passes when the document contains both mandatory MFA language and explicit coverage of all privileged sessions (e.g. "100% of privileged sessions" or "all privileged … must use MFA").

## Extension Tools and Validations

The skill includes two extension tools: one to suggest SoD boundaries by platform, and one to validate that the PAM standard requires MFA for all privileged sessions.

**`iam_role_definer`** suggests separation-of-duty boundaries and role design for privileged access based on the organization's technical stack:

- **Input** — `platforms`: array of one or more of `"AWS"`, `"Azure"`, `"On-prem"`.
- **Output** — For each platform: SoD boundaries (e.g. root vs. IAM roles, PIM eligible vs. active, Domain Admin vs. local admin), break-glass guidance (MFA, session duration, alerting, review), and JIT notes (temporary credentials, PIM activation, time-bound elevation).
- **Use** — Run when drafting or updating the role-definition and SoD sections of the PAM standard so they align with AWS, Azure, and/or on-prem patterns.

**`privileged_account_audit_logic`** validates that the PAM standard document explicitly requires MFA for 100% of privileged sessions (NIST CSF 2.0 Protect):

| Check | What it looks for | Pass condition |
|-------|-------------------|-----------------|
| **Mandatory MFA** | Phrases that require MFA (or multi-factor / two-factor / strong authentication) with "must", "shall", or "is required" in the same sentence or nearby. | At least one such phrase found in the document. |
| **Coverage of all privileged** | Explicit scope over *all* privileged sessions: e.g. "100% of privileged sessions", "all privileged … must use MFA", or mandatory MFA language in a privileged-access section. | Document states that *all* (or 100% of) privileged sessions/access/logins require MFA. |
| **Result** | PASS only when both mandatory MFA and full privileged-session coverage are present. | FAIL if either is missing; the report suggests adding or strengthening language so the standard requires MFA for 100% of privileged sessions. |

Run `privileged_account_audit_logic` after drafting or editing the PAM standard and before finalizing; iterate until the report shows PASS.
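To make the two checks in the table concrete, here is an added reference implementation in Python. It is not the skill's own `privileged_account_audit_logic` code: it simplifies the "same sentence or nearby" rule to same-sentence matching, and the three sample documents are constructed for the example.

```python
import re

# Constructed sample documents (not the skill's template): the first mirrors the
# excerpt's section 3 wording, the second mandates MFA for one group only,
# the third merely recommends it.
FULL_COVERAGE = """## 3. Authentication for privileged sessions
[Organization] must require multi-factor authentication (MFA) for 100% of privileged sessions.
- All privileged logins and role activations must use MFA.
"""
PARTIAL_COVERAGE = "## 3. Authentication\nDomain Admins must use MFA for console logins.\n"
ADVISORY_ONLY = "## 3. Authentication\nAdministrators should use MFA where practical.\n"

MFA = re.compile(r"\bMFA\b|multi-?factor|two-?factor|strong authentication", re.I)
MANDATE = re.compile(r"\b(?:must|shall)\b|\b(?:is|are) required\b", re.I)
ALL_PRIV = re.compile(r"100\s*%\s*of\s*privileged|\ball\s+privileged\b", re.I)

def sentences(text):
    """Split on sentence ends and line breaks so headings and bullets are separate units."""
    return [s for s in re.split(r"(?<=[.!?])\s+|\n+", text) if s.strip()]

def audit(doc):
    """Run the Mandatory MFA and Coverage checks; PASS only when both hold.
    Assumption: a mandate and its MFA term must sit in the same sentence."""
    mandatory = [s for s in sentences(doc) if MFA.search(s) and MANDATE.search(s)]
    coverage = [s for s in mandatory if ALL_PRIV.search(s)]
    report = {"result": "PASS" if mandatory and coverage else "FAIL",
              "mandatory_mfa": bool(mandatory), "all_privileged": bool(coverage)}
    if report["result"] == "FAIL":
        report["suggestion"] = ("Add mandatory MFA language (must/shall/is required)" if not mandatory
                                else "State that MFA is required for 100% of privileged sessions")
    return report

def render(report, document="pam-standard.md"):
    """Plain-text report in the same shape as the conversation excerpt above."""
    lines = ["--- PRIVILEGED ACCOUNT AUDIT (MFA) ---",
             f"Result: {report['result']}",
             f"Document: {document}",
             f"Mandatory MFA requirement: {'found' if report['mandatory_mfa'] else 'NOT found'}.",
             f"Coverage of all privileged sessions: {'explicit' if report['all_privileged'] else 'NOT explicit'}."]
    if "suggestion" in report:
        lines.append(f"Suggestion: {report['suggestion']}.")
    return "\n".join(lines)

if __name__ == "__main__":
    for name, doc in [("full", FULL_COVERAGE), ("partial", PARTIAL_COVERAGE), ("advisory", ADVISORY_ONLY)]:
        print(f"[{name}]\n{render(audit(doc))}\n")
```

The partial document fails on coverage alone, which is the case the table's FAIL suggestion is aimed at: MFA is mandated, but not for every privileged session.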

## Getting Started

Add your technical stack (AWS, Azure, on-prem) and any existing PAM or IAM docs to the project workspace, then activate the *PAM Standard (PR.AA)* skill. Run `iam_role_definer` with your platforms to get SoD and break-glass suggestions, draft the standard from the template, and run `privileged_account_audit_logic` until the MFA requirement passes before sending the document for review.

