SOL-C01 · Question #47
A security auditor discovers that multiple users are using the 'ACCOUNTADMIN' role directly for their daily tasks. This violates the principle of least privilege. Which of the following actions should
The correct answer is A. Create custom roles with specific privileges required for their tasks and grant those roles to the B. Implement Multi-Factor Authentication (MFA) for all users with the 'ACCOUNTADMIN' role to. Options A and B address remediation at two levels: A directly enforces least privilege by creating custom roles scoped to specific job functions - the core fix - while B adds a compensating security control (MFA) for users who still retain ACCOUNTADMIN, reducing the blast radius
Question
A security auditor discovers that multiple users are using the 'ACCOUNTADMIN' role directly for their daily tasks. This violates the principle of least privilege. Which of the following actions should you take to remediate this situation? (Choose two)
Options
- ACreate custom roles with specific privileges required for their tasks and grant those roles to the
- BImplement Multi-Factor Authentication (MFA) for all users with the 'ACCOUNTADMIN' role to
- CEducate the users about the risks of using the 'ACCOUNTADMIN' role and instruct them to use it
- DGrant the 'SECURITYADMIN' role to these users instead of `ACCOUNTADMINS.
- ECreate a view that hides sensitive data and grant 'SELECT' on the view to users. Keep granting
How the community answered
(29 responses)- A72% (21)
- C3% (1)
- D7% (2)
- E17% (5)
Explanation
Options A and B address remediation at two levels: A directly enforces least privilege by creating custom roles scoped to specific job functions - the core fix - while B adds a compensating security control (MFA) for users who still retain ACCOUNTADMIN, reducing the blast radius if those credentials are compromised during the transition period.
Why the distractors fail:
- C relies on user behavior, not technical enforcement - education is a supplement, never a remediation control.
- D substitutes one high-privilege role for another; SECURITYADMIN still has sweeping account-level access and doesn't achieve least privilege.
- E hides data via a view but does nothing to reduce the users' administrative role - they still hold ACCOUNTADMIN, so the underlying violation is unchanged.
Memory tip: Think of it as a two-step formula - "Shrink the role (A), then shield what's left (B)." In any least-privilege remediation question, the primary fix is always scoping down privileges, and a compensating control (like MFA) buys safety while the transition happens.
Topics
Community Discussion
No community discussion yet for this question.