# Privileged access management

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/privileged-access-management

## Quick definition

Privileged access management (PAM) is a set of tools and processes that protect your most powerful accounts. These accounts, like admin accounts, can change system settings, access sensitive data, and install software. PAM makes sure only the right people can use these accounts and that their actions are watched closely.

## Simple meaning

Imagine you work in a large office building. Most employees have a regular keycard that lets them into their own floor and the break room. This represents a normal user account. Now, think about the building superintendent, the head of IT, and the security director. These people have master keys that open every door, including the server room, the safe, and the CEO’s office. If someone steals their keys, they can cause enormous damage. Privileged access management is like a system that keeps those master keys in a special locked box. To use a master key, you have to ask for it, get approved, and sign it out. The system watches how you use the key and takes it back when you are done. It also keeps a log of every door you unlocked and when.

In the IT world, privileged accounts include system administrators, database administrators, and network engineers. They have rights to change configurations, install software, reset passwords, and access sensitive information. If a hacker takes over one of these accounts, they can delete databases, steal customer data, or shut down the entire network. PAM solves this by putting those accounts under strict control. It rotates passwords automatically so nobody, not even the account owner, knows the password all the time. It also records every action the admin takes. If something goes wrong, you can replay the session to see exactly what happened.

PAM also uses a concept called “just-in-time” access. This means you only get the elevated permissions for the exact time you need them, not as a permanent privilege. For example, a server admin might need admin rights for 15 minutes to apply a security patch. After the patch is applied, the rights are automatically removed. This reduces the risk of someone abusing those rights later. Another part of PAM is session management. When an admin logs in with a privileged account, their entire session can be recorded and monitored in real time. If they try to do something suspicious, like copy a customer database, the security team can stop the session immediately.

Think of it like a rental car. When you rent a car, you get a key for a limited time, and the company tracks how many miles you drive and where you go. If you try to take the car across the border without permission, they can disable the engine remotely. PAM works the same way for IT accounts. It gives you the keys for a limited time, tracks your every move, and can revoke your access the moment you break the rules. This is how organizations protect their most critical assets from both outside attackers and from mistakes or misuse by their own employees.

## Technical definition

Privileged access management (PAM) is a cybersecurity discipline that encompasses the policies, processes, and technologies used to secure, control, monitor, and audit privileged identities and their access to critical enterprise resources. It falls under the broader umbrella of identity and access management (IAM) and is specifically focused on accounts that have administrative or superuser permissions. These accounts include root accounts in Unix/Linux, domain admins in Active Directory, local administrator accounts on Windows systems, service accounts, application accounts, and cloud admin roles in AWS IAM or Azure RBAC.

The core components of a PAM solution include a password vault, session manager, privilege elevation and delegation engine, and auditing and reporting capabilities. The password vault stores privileged account credentials in an encrypted repository, often using hardware security modules (HSMs) or key management services. Credentials are checked out by authorized users through a workflow that requires approval, time-bounding, and justification. Once checked out, the password is presented to the user temporarily, often through a single sign-on (SSO) integration or a password injection mechanism that prevents the user from ever seeing the actual password. After the session ends, the password is automatically rotated to a new, random value using a cryptographic pseudorandom number generator (CSPRNG) and stored back in the vault.

Session management in PAM uses proxy-based architectures. When an admin connects to a target server, the connection is routed through a PAM proxy or jump server. The proxy enforces policies such as command filtering, clipboard redirection restrictions, and file transfer controls. All keystrokes and screen output are recorded as video logs. These logs are stored in a tamper-proof format and can be replayed for forensic analysis. Some solutions integrate with Security Information and Event Management (SIEM) systems to detect anomalous behavior, such as an admin logging in from an unusual geographic location at 3 AM.

Privilege elevation and delegation tools, such as Unix sudo or Windows User Account Control (UAC), are often extended by PAM to provide granular control. Administrators can define policies that allow a specific command (like restarting a service) to be executed with elevated privileges without granting full admin rights. This is known as least privilege, a fundamental security principle that states a user should have only the minimum permissions necessary to perform their job.

Standards and protocols relevant to PAM include RADIUS and TACACS+ for authentication, SAML 2.0 and OAuth 2.0 for federated identity, and LDAP for directory integration. NIST Special Publication 800-53 provides control families (e.g., AC-6 Least Privilege, IA-2 Identification and Authentication, AU-3 Audit and Accountability) that PAM implementations must address. Many compliance frameworks, such as PCI DSS, HIPAA, SOX, and GDPR, mandate privileged access controls, including password vaulting, session recording, and periodic access reviews.

In cloud environments, PAM integrates with cloud native services like AWS Secrets Manager, Azure Key Vault, and secret management tools such as HashiCorp Vault. Just-in-time (JIT) access policies in Azure AD Privileged Identity Management (PIM) grant temporary role assignments for Azure resources. AWS IAM can use policies with conditions that restrict access to specific times or require multi-factor authentication (MFA). Modern PAM solutions also support discovery and onboarding of privileged accounts across hybrid environments, including on-premises servers, cloud instances, databases, network devices, and SaaS applications.

Implementation best practices include implementing a zero-standing privileges model, where no privileged account retains permanent elevated access. Instead, access is requested on demand, approved through a ticketing system, and approved by a manager. Regular audits of privileged account usage, combined with user behavior analytics (UBA), help identify insider threats. PAM also involves emergency access procedures, known as break-glass accounts, which allow critical access during outages but trigger immediate alerts and require post-incident review.

Common vulnerabilities in PAM implementations include misconfigured vault policies that allow unchecked password checkout, failure to rotate passwords after use, and improper session recording configuration that omits certain ports or protocols. Attackers frequently target PAM systems directly using techniques like credential theft, pass-the-hash, or exploiting API access to the vault. Therefore, securing the PAM infrastructure itself, including the use of dedicated bastion hosts, network segmentation, and strong MFA for PAM administrators, is essential.

## Real-life example

Think about a large hotel. The hotel has hundreds of guest rooms, a kitchen, a laundry room, a maintenance workshop, a safe, and an IT server room. Most hotel employees have keys that let them into specific areas. Housekeepers have keys to guest rooms. Cooks have keys to the kitchen. Front desk clerks have keys to their office. This is like normal user accounts in an IT system, each person can only access what they need for their job.

Now consider the hotel manager. The manager has a master key card that opens every door in the entire hotel. This is a privileged account. If a dishonest employee steals the manager’s master key, they could steal money from the safe, tamper with the IT network, or let criminals into guest rooms. The hotel cannot afford to let just anyone use that master key. So, the hotel installs a special system for managing master keys. This is exactly what privileged access management does in IT.

The hotel installs a smart key box in the manager’s office. To get the master key, the manager must first scan their fingerprint and type in a code. The box then logs who took the key and at what time. The key is only available for two hours, after which the box locks again. The hotel also installs cameras and door sensors that record every door the master key opens. If an employee tries to open the safe at midnight, an alert is sent to the security team. The team can watch the cameras in real time and, if something looks wrong, remotely lock the master key so it stops working.

At the end of the day, the manager returns the key to the box. The box automatically checks that the key is back and logs the return time. The hotel’s security manager reviews a report every morning that shows who used the master key, which doors they opened, and whether any unusual patterns occurred. This whole process, storing the key securely, authenticating the user, limiting the time it can be used, monitoring all activity, and generating an audit report, is exactly what a PAM system does for IT privileged accounts.

In the same way, a PAM system stores privileged credentials in an encrypted vault. An admin requests access through a secure portal, gets approval via a ticket system, and the password is temporarily revealed or injected into a session. The entire session is recorded and monitored. After the task is complete, the password is automatically changed to a new random value. This ensures that even if the admin’s laptop is later stolen, the privileged credentials are no longer valid.

## Why it matters

Privileged access management matters because privileged accounts are the most attractive target for cyber attackers. According to multiple breach reports, the majority of serious data breaches involve the compromise of privileged credentials. Once an attacker gains control of a domain admin account, they can move laterally across the network, disable security tools, exfiltrate data, and deploy ransomware. PAM is the primary defense against this type of attack because it limits the exposure of those credentials and monitors their use.

In practical IT operations, PAM helps organizations comply with regulations such as PCI DSS, HIPAA, SOX, and GDPR. These frameworks require strict access controls, audit trails, and periodic reviews of privileged access. Without a PAM solution, meeting these requirements is nearly impossible because passwords are often shared among team members, never changed, and used for years. PAM automates password rotation, enforces approvals, and provides tamper-proof audit logs, making compliance audits much easier.

PAM also reduces the risk of insider threats. Disgruntled employees with privileged access can cause enormous damage by deleting backups, altering logs, or installing backdoors. PAM’s session recording and real-time monitoring allow security teams to detect and stop malicious activity before it causes harm. PAM helps prevent accidental misconfigurations. By granting just-in-time access and restricting commands to only those needed for a specific task, PAM reduces the chance that an admin will accidentally delete a database or change a critical setting.

For IT professionals, understanding PAM is essential for career growth. It is a core topic in many certification exams, including Security+, CySA+, CISSP, and cloud platform exams like AWS SAA and Azure AZ-104. Knowing how to implement and manage PAM demonstrates a mature understanding of enterprise security and access control.

## Why it matters in exams

Privileged access management is a key exam topic for several IT certifications. In the CompTIA Security+ exam (SY0-601), PAM falls under Objective 3.3 “Given a scenario, implement secure access controls.” Questions often ask you to identify the purpose of a jump server, the difference between a standard user account and a privileged account, or the benefits of password vaulting. In CySA+ (CS0-002), PAM appears in Domain 4 “Security Operations and Monitoring” and you may see scenario-based questions about detecting anomalous privileged account usage or implementing session recording for compliance.

For the CISSP exam (ISC2), PAM is covered in Domain 5 “Identity and Access Management (IAM)” and Domain 7 “Security Operations.” CISSP questions are more conceptual, often asking about the principles of least privilege and segregation of duties in the context of privileged accounts. You might be asked to recommend a control that prevents a system administrator from having both privileged access and audit log access.

In the AWS Solutions Architect Associate (SAA-C03) exam, PAM relates to IAM best practices. You need to know how to use IAM roles with temporary credentials, how to set up AWS Secrets Manager for automated password rotation, and how to use AWS CloudTrail to monitor API calls from privileged roles. The AZ-104 exam (Microsoft Azure Administrator) covers Azure Privileged Identity Management (PIM) and Azure AD roles. You will need to understand how to configure just-in-time access, approval workflows, and access reviews for privileged roles.

The SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam includes PAM in its coverage of Azure AD PIM and identity governance. The MD-102 (Microsoft Endpoint Administrator) exam involves managing administrator roles on endpoints and using Microsoft Intune to enforce least privilege on managed devices. The MS-102 (Microsoft 365 Administrator) exam covers privileged access management for Microsoft 365, including the use of Privileged Access Management in Exchange Online and SharePoint.

Common question types include multiple-choice questions that ask for the best control to reduce the risk of a compromised admin account, drag-and-drop questions that require matching PAM components to their functions, and scenario-based questions where you must choose an appropriate PAM solution for a given organizational size and budget. You may also see questions about break-glass accounts and emergency access procedures. Understanding the core concepts of password vaulting, session monitoring, and just-in-time access will help you answer these questions correctly.

## How it appears in exam questions

Privileged access management shows up in exam questions in several distinct patterns. The first is the “best control” type. For example, “A company is concerned about an attacker compromising a domain administrator account. Which of the following is the BEST control to protect against this?” The correct answer is typically related to implementing a PAM solution with password rotation and session recording. Wrong answers might include simple MFA, which is good but does not address shared passwords or session monitoring, or network segmentation, which helps but does not directly protect the privileged account.

The second pattern is scenario-based questions about password vaulting. A question might describe an organization where admins share root passwords written on sticky notes, and ask what should be implemented. The answer is to deploy a privileged password vault that automates password changes and requires checkout via an approval workflow.

The third pattern involves session monitoring. A question might describe a situation where a server administrator is suspected of exfiltrating data during a maintenance window. The question asks what PAM feature would help investigate. The answer is session recording with keystroke capture and replay.

The fourth pattern is about just-in-time access. For instance, “A security team wants to grant an admin the ability to restart a service on a server, but not have permanent admin rights. What should they configure?” The answer could be a privilege elevation policy that allows only that specific command with sudo or RunAs, combined with a time-bound permission.

The fifth pattern involves compliance and audit. Questions about PCI DSS or HIPAA might ask what PAM controls are needed to meet audit requirements, such as automatic password rotation every 90 days or quarterly access reviews.

Finally, there are trick questions about break-glass procedures. A question might say “An emergency requires immediate privileged access, but the PAM administrator is unavailable. What should be done?” The answer is to use a break-glass account that is stored in a sealed envelope or vault, triggers an alert upon use, and requires a post-incident review. The trap answer might be to bypass PAM entirely, which is not acceptable.

In cloud-specific exams, questions often ask about integrating PAM with cloud native services. For example, “A company wants to automatically rotate database passwords every 30 days. Which AWS service should they use?” The answer is AWS Secrets Manager.

Being able to recognize these patterns and map them to the correct PAM concept is critical for exam success.

## Example scenario

A medium-sized healthcare organization, MedCore, uses an electronic health records system that stores patient data. The system is managed by a team of five database administrators (DBAs). Currently, all DBAs share the same admin password, which has not been changed in two years. The password is stored in a shared Excel file on a network drive. Last month, a DBA left the company, but the password was never changed. The security team is worried that the former employee could log in and delete patient records.

MedCore decides to implement a PAM solution. First, they deploy a password vault that stores the admin credentials in an encrypted format. Each DBA must request access through a service portal, where they enter a ticket number and the reason for access. Their manager must approve the request. Once approved, the vault displays the password for 30 minutes, and the password is automatically changed to a new random value after that time. All DBAs are also required to use MFA when checking out passwords.

The PAM solution also sets up a jump server. When a DBA needs to connect to the database server, they first log into the jump server using their own credentials and MFA. From the jump server, they can RDP or SSH into the database server using the privileged account. The PAM system records the entire session, including all SQL commands executed. If a DBA tries to execute a command that drops a table, the session is flagged for review.

After implementation, the former DBA’s credentials no longer work because the password was rotated. The security team now has an audit trail showing every database connection, who made it, what commands were run, and how long it lasted. The organization passes its next HIPAA audit with no findings related to access control. This scenario demonstrates how PAM solves the specific problems of shared passwords, lack of audit, and risk of credential theft.

## Core Concepts and the Principle of Least Privilege in PAM

Privileged Access Management (PAM) is a specialized subset of identity and access management (IAM) that focuses on securing, managing, and monitoring accounts with elevated permissions. These accounts, often referred to as privileged accounts, include administrator accounts, root accounts, service accounts, and emergency break-glass accounts. The core goal of PAM is to enforce the principle of least privilege, ensuring that users, applications, and systems only have the minimum level of access necessary to perform their authorized tasks. In practice, this means that traditional static passwords for privileged accounts are replaced with just-in-time (JIT) access grants, session monitoring, and automated password rotation.

PAM solutions typically include a password vault that securely stores credentials, a session manager that records all privileged sessions, and a policy engine that enforces access controls. When an administrator needs to perform a privileged task, they must request access through the vault, which then checks the request against policy, authenticates the user (often with multi-factor authentication), and then either provides a one-time password or launches a proxy session that records all keystrokes and commands. After the task is completed, the credentials are automatically rotated, rendering any captured credentials useless. This process is critical in modern cloud and hybrid environments, where the blast radius of a compromised privileged account can be vast. Exam topics such as AWS Shared Responsibility Model, CISSP domain 5 (Identity and Access Management), and CompTIA Security+ attack vectors all tie directly to these PAM concepts.

The principle of least privilege is not a one-time configuration but an ongoing process. It requires discovering all privileged accounts across the environment, including local administrator accounts on servers, domain admin accounts, and application service accounts. Many organizations are surprised to find hundreds of service accounts with domain admin privileges that were created years ago and never removed. PAM tools can automatically map these accounts and suggest privilege reduction. In exams, you will often see scenario questions where a user has too many rights, and the correct answer is to implement a PAM solution or apply least privilege through role-based access control (RBAC) combined with PAM. Understanding the lifecycle of a privileged account, from discovery to onboarding to vaulting to rotation, is essential for passing security exams.

## Just-in-Time (JIT) and Just-Enough-Access (JEA) in PAM

Just-in-Time (JIT) and Just-Enough-Access (JEA) are two complementary strategies within Privileged Access Management that dramatically reduce the attack surface. JIT provides privileged access only for the duration of a specific task, automatically revoking the access once the task is complete or after a predefined time window. JEA, on the other hand, ensures that even when a user is granted access, they only receive the minimal permissions required to perform the specific operation, not full administrative rights. Together, these concepts form the backbone of modern PAM.

A typical JIT workflow in a Microsoft Azure environment (relevant for exams like AZ-104 and SC-900) involves using Privileged Identity Management (PIM) for Azure AD roles. An administrator who needs to manage users would activate the User Administrator role through PIM, which triggers a multi-factor authentication challenge, then grants the role for a set duration like one hour. After that hour, the role is automatically deactivated. The same concept applies to AWS IAM, where you can use IAM Roles with AWS Systems Manager Session Manager or use AWS STS (Security Token Service) to generate temporary credentials. In exam questions, you might be given a scenario where a junior admin accidentally left a high-privilege role active, and the answer involves implementing JIT access with automatic expiration.

JEA is often implemented through constrained delegation, task-specific roles, or custom RBAC. For example, instead of giving a helpdesk user domain admin rights to reset passwords, you would create a custom role that can only reset passwords for non-admin users. In a Linux environment, JEA can be implemented using sudo with restricted command sets. The key exam point is that JEA is about limiting the scope of what a privileged user can do, even when they are elevated. Both JIT and JEA are tested heavily in CISSP (domain 5), Security+ (3.3), and the Microsoft SC-900 exam. Understanding the difference between temporary elevation (JIT) and reduced scope elevation (JEA) is critical for scenario-based questions.

Implementation of JIT and JEA requires careful planning. You must first identify all administrative tasks and define roles that have exactly the permissions needed. For instance, a database administrator might only need ALTER and SELECT permissions on a specific database, not sysadmin rights on the SQL Server. PAM solutions like CyberArk, BeyondTrust, or Microsoft's PIM can enforce these policies automatically. In the cloud, Azure AD PIM and AWS IAM roles are first-party examples. When studying for exams, practice mapping a business need to the appropriate JIT or JEA control. For example, "An external auditor needs to view logs for one day", the answer is JIT access to a read-only log role. Never grant permanent elevated access.

## Session Monitoring, Recording, and Auditing for Privileged Access

Session monitoring and recording are critical components of any Privileged Access Management (PAM) strategy because they provide accountability, forensics, and compliance evidence. When a user has elevated privileges, every action they take must be logged, recorded, and ideally reviewed in near real-time. PAM solutions typically implement this by using a proxy or bastion host that sits between the user and the target system. All traffic, whether it is SSH, RDP, or web console, is routed through this proxy, which records the session video, captures keystrokes, and logs commands. This is distinct from standard system logs because it provides a replayable record of exactly what happened, including GUI interactions.

From an exam perspective, especially for CySA+ and CISSP, you need to understand why session recording is important. For example, if a privileged user accidentally deletes a critical file, standard logs might show the command or event, but a session recording can show the context, maybe the user was in the wrong window. Session recordings also prevent repudiation; a user cannot deny they performed a malicious action if the video recording exists. In many compliance frameworks like PCI DSS, SOX, and HIPAA, controls over privileged access require session recording. The exam will often present a scenario where a breach occurred via an internal admin, and the correct answer is to implement PAM with session recording and review.

Auditing in PAM goes beyond recording. It includes automated analysis of recorded sessions for anomalies, such as unexpected commands, geographic locations, or time-of-day patterns. Some PAM tools use machine learning to flag potentially dangerous behavior, like an admin who always logs in from 9-5 suddenly logging in at 3 AM. In cloud environments, you can integrate AWS CloudTrail with PAM to monitor all API calls made by privileged roles. For Azure, Azure Monitor and Azure Sentinel can ingest PIM activity logs. The exam will likely test your ability to choose the correct audit tool for a given scenario. For instance, on the AWS SAA exam, you might be asked how to capture all privileged API calls, the answer is CloudTrail with PAM integration, not just CloudWatch. Understanding the difference between recording (video/keystrokes) and logging (events) is a common trick question.

Another important audit concept is the certification process. PAM solutions require periodic review of who has privileged access, often through a quarterly attestation campaign. The security team sends a list of all privileged users and their roles to business owners, who must approve or revoke each access. If a business owner does not respond, the access is automatically removed. This is a key control for compliance and is tested in the ISC2 CISSP exam under Domain 5 (Identity and Access Management) and Domain 7 (Security Operations). Knowing that PAM includes not just technical controls but also process controls like certification is essential.

## Emergency Break-Glass and Disaster Recovery in PAM

Emergency break-glass procedures are a fundamental component of any robust Privileged Access Management (PAM) implementation. The purpose is to ensure that if the regular PAM system is unavailable, due to a network outage, a compromise, or an authentication failure, authorized personnel can still gain privileged access to critical systems to restore services. Without a break-glass process, an organization could be locked out of its own infrastructure, which is a serious operational risk. PAM solutions address this by creating one or more highly secure, offline, and often physically secured emergency accounts.

The break-glass account is typically a local administrator account on a domain controller or equivalent that has its password stored in a sealed envelope, a bank vault, or a tamper-evident safe. In cloud environments, this might be a root account with its password stored securely offline. The key principle is that the break-glass process requires multiple approvals and auditing. For example, two senior directors must physically retrieve the password, and after use, the account password must be rotated and the usage reviewed. Many organizations implement a time-limited break-glass account that automatically expires after a few hours. In exams like the CISSP and Security+, you will encounter questions about how to handle a situation where the PAM vault is unreachable. The correct answer is always to use the pre-defined break-glass process, not to share production admin passwords.

Disaster recovery (DR) planning for PAM is equally important. If the PAM server itself is compromised, the attacker could vault all privileged accounts. Therefore, PAM servers must be hardened, monitored, and placed in a separate administrative network segment. Backups of the PAM vault must be encrypted and stored offline. In a multi-site environment, PAM vaults are often replicated geographically with strict access controls. For example, Azure AD PIM allows you to designate break-glass global admin accounts that are excluded from PIM policies and are monitored more heavily. The SC-900 exam specifically covers the concept of emergency accounts and break-glass procedures in Microsoft identity solutions.

From a testing perspective, break-glass procedures are a favorite topic for scenario questions. A typical question might describe a ransomware attack that encrypted the PAM server, and the administrator needs to recover. The correct answer involves using the offline break-glass account to restore the PAM server from an offline backup. Another common question involves an administrator who forgot their PAM credentials, break-glass is not for password resets; it is for system-level emergencies. Understanding the difference between operational access requests (JIT) and emergency break-glass is crucial. The break-glass process should be documented, tested annually at minimum, and include a full audit review after each use to determine if the procedure was followed correctly and if any improvements are needed.

## Common mistakes

- **Mistake:** Thinking MFA alone is sufficient to protect privileged accounts
  - Why it is wrong: While MFA adds a layer of security, it does not address the risks of shared passwords, password reuse, or session hijacking. An attacker who compromises an admin session can still perform actions without MFA being prompted again if the session token is still valid.
  - Fix: Implement MFA together with a full PAM solution that includes password vaulting, session recording, and just-in-time access. Treat MFA as one component of a layered defense.
- **Mistake:** Storing privileged passwords in a shared Excel file or password manager for personal use
  - Why it is wrong: These methods do not provide automatic password rotation, approval workflows, or audit trails. If a password is shared among multiple people, it is impossible to know who used it and when. This violates the principle of accountability and fails compliance requirements.
  - Fix: Use a dedicated enterprise password vault that logs every checkout, enforces approvals, and rotates passwords automatically after use.
- **Mistake:** Granting permanent admin rights to users who only need temporary elevated access
  - Why it is wrong: Permanent privileged access increases the attack surface. If the user’s account is compromised, the attacker inherits those permanent rights. It also makes it harder to track whether the user still needs those privileges.
  - Fix: Implement just-in-time access policies. Grant elevated rights only for the duration of the specific task, using time-bound role assignments or approval-based checkout.
- **Mistake:** Forgetting to change default credentials on network devices and servers
  - Why it is wrong: Default usernames and passwords are widely known and can be exploited by attackers using automated scanning tools. Many breaches start with a device that still has its factory default password.
  - Fix: Include all network devices, printers, and IoT devices in your PAM solution. Onboard their default accounts, change the passwords immediately, and store the new credentials in the vault.
- **Mistake:** Assuming PAM is only for human users and ignoring service accounts
  - Why it is wrong: Service accounts, which run automated processes and applications, often have highly privileged permissions. These accounts are rarely monitored and their passwords are frequently hardcoded in scripts, making them a prime target for attackers.
  - Fix: Extend PAM to cover service accounts. Use a secrets management tool that injects credentials at runtime, rotates them on a schedule, and logs all usage.
- **Mistake:** Not auditing session recordings or vault activity logs
  - Why it is wrong: Simply recording sessions and logging checkouts does not provide security if nobody reviews them. Malicious activity can go unnoticed for months. Without active monitoring, PAM becomes a checkbox compliance tool rather than a real security control.
  - Fix: Set up alerts for suspicious activities, such as a checkout outside business hours, access to sensitive servers, or execution of dangerous commands. Conduct periodic manual or automated reviews of session recordings.

## Exam trap

{"trap":"The exam asks: “Which PAM feature prevents an admin from seeing the password of a privileged account?” and the learner chooses “Password vault with manual copy.”","why_learners_choose_it":"Learners think that if a password is stored in a vault, the admin can simply copy it and use it. They may not be aware of password injection, where the PAM system passes the credential to the target system without revealing it to the user.","how_to_avoid_it":"Understand that one of the key capabilities of advanced PAM is password injection. The admin authenticates to the PAM proxy, and the proxy handles the connection to the target system. The password is never displayed on the admin’s screen and is not stored in the admin’s clipboard. This reduces the risk of credential theft from the admin’s workstation."}

## Commonly confused with

- **Privileged access management vs Identity and access management (IAM):** IAM is the broader framework that manages user identities and their access to resources across the entire organization. PAM is a subset of IAM that specifically focuses on accounts with elevated or administrative privileges. While IAM handles standard user onboarding and role-based access, PAM addresses the unique risks of superuser accounts. (Example: An IAM system manages HR employees’ access to the payroll system. A PAM system manages the IT admin’s access to reset all payroll system passwords.)
- **Privileged access management vs Multi-factor authentication (MFA):** MFA is an authentication method that requires two or more verification factors. PAM often enforces MFA for privileged access, but MFA alone does not provide password vaulting, session recording, or automatic password rotation. PAM uses MFA as one of its security layers, but MFA is not a substitute for PAM. (Example: MFA is like requiring a fingerprint and a key to open a safe. PAM is the entire system that logs who opened the safe, tracks what they took, and changes the lock combination afterward.)
- **Privileged access management vs Least privilege:** Least privilege is a security principle stating that users should have only the minimum permissions needed to perform their tasks. PAM is a set of tools and processes that help enforce the least privilege principle for privileged accounts. The principle guides the design; PAM provides the technical implementation. (Example: The principle of least privilege says a backup admin only needs to run backup software, not install new applications. PAM enforces this by allowing that admin to execute only backup commands with elevated rights.)
- **Privileged access management vs Role-based access control (RBAC):** RBAC is a method of regulating access to resources based on the roles assigned to individual users. PAM often integrates with RBAC to define which roles can access which privileged accounts. However, RBAC does not include the password vaulting, session recording, or just-in-time capabilities that are unique to PAM. (Example: RBAC assigns a user to the “Database Administrator” role, granting them access to database servers. PAM then controls how that user logs in, rotates the password after use, and records the session.)
- **Privileged access management vs Privilege escalation:** Privilege escalation is the act of gaining elevated rights, either legitimately (through sudo or RunAs) or illegitimately (through exploiting a vulnerability). PAM manages and controls privilege escalation so it happens securely, with approval and monitoring. Uncontrolled privilege escalation is a security risk; PAM makes it safe. (Example: Privilege escalation is like a regular employee temporarily using the manager’s key to enter a restricted area. PAM is the system that approves the request, logs the time, and ensures the key is returned immediately.)

## Step-by-step breakdown

1. **Discovery and onboarding of privileged accounts** — The first step is to identify all privileged accounts across the organization, including local admin accounts, domain admin accounts, service accounts, application accounts, and cloud admin roles. The PAM solution scans network devices, servers, databases, and applications to discover these accounts and their current permissions. Once discovered, the accounts are onboarded into the PAM vault, which automatically takes ownership of the credentials and stores them securely.
2. **Password vaulting and encryption** — All onboarded privileged credentials are stored in a centralized vault that encrypts the data both at rest and in transit. The vault uses strong encryption algorithms such as AES-256. Access to the vault itself is restricted to authorized PAM administrators and requires MFA. The vault also stores metadata such as password expiration dates, last checkout time, and the user who checked it out.
3. **Defining access policies and approval workflows** — Administrators create policies that govern who can request access to each privileged account, under what conditions, and for how long. Policies may require a ticket number, manager approval, or a reason justification. Approval workflows route the request to the appropriate manager or security team. Policies also define time-based access limits, such as granting access only during business hours.
4. **Request and authentication** — A user who needs privileged access logs into the PAM portal using their own corporate credentials and MFA. They select the target account, specify the reason, and optionally attach a ticket number. The system checks the access policy and, if approval is not required, proceeds to the next step. If approval is required, the request enters a queue and waits for authorization.
5. **Credential checkout and password injection** — Once approved, the PAM system checks out the credential from the vault. The temporary password (or a new password if rotation is immediate) is provided to the user through a secure interface. In more advanced setups, the user does not see the password at all; instead, the PAM proxy initiates a connection to the target system and injects the credential. This prevents the password from being exposed on the user’s screen or stored in their clipboard.
6. **Session management and monitoring** — When the user connects to the target system, the connection is routed through a PAM proxy or jump server. The proxy records the entire session, including keystrokes, screen output, and file transfers. It can enforce command restrictions, such as blocking the execution of destructive commands like “rm -rf” or “DROP TABLE.” The monitoring team can view the session in real time and terminate it if suspicious activity is detected.
7. **Automatic password rotation** — After the session ends or the access time expires, the PAM system automatically changes the privileged account’s password to a new, random value. The old password is no longer valid. This ensures that credentials are not reused and that any user who previously checked out the password cannot log in again later. The new password is stored back in the vault, ready for the next authorized checkout.
8. **Audit and reporting** — All activities related to privileged access are logged in a tamper-proof audit trail. This includes checkout requests, approvals, session recordings, password rotations, and any policy violations. Reports can be generated for compliance audits, showing who accessed what, when, and for how long. Automated alerts notify security teams of exceptions, such as a checkout after hours or access to a sensitive server not related to the user’s role.
9. **Access review and certification** — Periodically, managers or security administrators review the list of users who have access to privileged accounts and confirm that access is still necessary. This is often required by regulations. The PAM system can automate this process by sending certification reminders and revoking access that was not recertified. This step ensures that old permissions do not accumulate and that the principle of least privilege is maintained over time.

## Practical mini-lesson

Implementing privileged access management in a real enterprise requires careful planning and customization. The first step is to understand the landscape. You need to inventory every system that has privileged accounts, including servers, network devices, databases, cloud consoles, and even IoT devices. Many organizations are surprised by how many administrative accounts they have. For example, a single Windows server might have a local Administrator account, a domain administrator account, and several service accounts. A PAM solution like CyberArk, BeyondTrust, or Delinea can automatically discover these accounts through network scans and agent-based collectors.

Once you have the inventory, the next challenge is onboarding those accounts. For each account, you need to change the existing password to one generated by the vault. This can be risky if you are not careful, because losing the password can lock you out. That is why you should always have a break-glass procedure, which might involve a printed and sealed copy of the initial password stored in a safe. After onboarding, the vault will manage all future password rotations.

Password rotation frequency is a configuration decision. For highly sensitive accounts, you might rotate after every use. For less sensitive accounts, rotation every 30 or 90 days may be sufficient. However, many compliance standards like PCI DSS require rotation every 90 days at minimum. The rotation must be designed to fail gracefully. If the target server is offline when rotation is attempted, the PAM system should retry and notify an admin if the rotation fails after several attempts.

Session management is another area where practical considerations matter. Recording every session can consume a lot of storage, so you should define retention policies. For example, you might retain session recordings for 90 days, then archive them for longer if needed for legal hold. Also, not all protocols can be recorded easily. SSH and RDP are well-supported, but console connections to network devices via serial or telnet may require additional configuration. Some PAM solutions provide a terminal emulator that works over SSH for text-based sessions.

A common mistake in implementation is inadequate testing. If the PAM proxy fails, admins might be locked out of critical systems. Therefore, you should have a high-availability architecture for the PAM infrastructure, such as clustering and failover. You should also test failover scenarios regularly. Another practical issue is user resistance. Admins who are used to having direct access and full control may resist changes. It is important to communicate the benefits, such as reduced risk of password theft and easier compliance, and to involve key stakeholders in the policy design.

One often overlooked aspect is the need to manage the PAM solution itself. The PAM system has its own admin accounts that are extremely powerful. These accounts must be protected with the highest level of security, including dedicated hardware security modules, separate network segmentation, and mandatory MFA with phishing-resistant methods. Regular security assessments and penetration testing of the PAM infrastructure should be part of your operations.

Finally, consider integration with existing identity systems. PAM often works best when it is tied to an existing directory service like Active Directory or Azure AD. This allows you to reuse user identities and policies. Integration with ticketing systems like ServiceNow or Jira enables automation of approval workflows. Integration with SIEM tools like Splunk or Azure Sentinel allows you to correlate privileged access events with other security events for threat detection. In practice, a well-integrated PAM solution becomes a central part of the organization’s security operations.

## Commands

```
aws iam create-role --role-name AdminRoleJIT --assume-role-policy-document file://trust-policy.json --permissions-boundary arn:aws:iam::aws:policy/AdministratorAccess
```
Creates an IAM role with a permissions boundary to enforce least privilege for temporary elevated access in AWS. Used to implement just-in-time (JIT) access where users assume this role through STS.

*Exam note: Tests understanding of permissions boundaries as a PAM control. On the AWS SAA exam, you might be asked how to restrict a role to only certain actions even if the policy allows full admin, the answer is permissions boundaries combined with PAM.*

```
az role assignment create --assignee user@contoso.com --role "Privileged Role Administrator" --scope /subscriptions/00000000-0000-0000-0000-000000000000
```
Assigns the Privileged Role Administrator role in Azure RBAC, which is a PIM-eligible role that requires activation. This is used to grant just-enough-access for managing other roles.

*Exam note: Azure AD PIM is a core PAM feature tested on AZ-104 and MS-102. The exam expects you to know that PIM requires activation and approval for privileged roles, not direct assignment.*

```
Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId "<tenantId>" | Where-Object {$_.DisplayName -eq "Global Administrator"}
```
Retrieves the Azure AD PIM configuration for the Global Administrator role, used to review activation settings and approval requirements. Essential for auditing PAM policies.

*Exam note: Appears in MS-102 and SC-900 exams. You must know how to query PIM settings via PowerShell to verify just-in-time activation is enforced.*

```
vault login -method=ldap username=admin password=example
```
Authenticates to HashiCorp Vault (a common PAM vault) using LDAP. Used by administrators to obtain a token for retrieving dynamic secrets or accessing privileged credentials.

*Exam note: Vault is a popular PAM tool in cloud-native environments. CISSP and Security+ exams may reference vault concepts like dynamic secrets and leasing, which this command implements.*

```
sudo visudo -f /etc/sudoers.d/custom-admin
```
Opens the sudoers file for editing to define custom restricted commands for a privileged user. For example, allowing only specific commands like /usr/bin/systemctl restart apache2 for a service account.

*Exam note: This is a Linux-level JEA control. In Security+ and CySA+, you might need to configure sudo to limit what an admin can do. The exam tests knowledge of sudoers syntax and principle of least privilege.*

```
Invoke-Command -ComputerName SRV-DB01 -ScriptBlock {Get-Service} -Credential (Get-Credential)
```
Uses PowerShell Remoting with a credential obtained from a PAM vault to execute a single command on a remote server without granting interactive logon rights. This implements just-enough-access.

*Exam note: Relevant for MD-102 and MS-102. The exam might ask how to allow an admin to run only specific PowerShell commands on servers without granting full admin rights, constrained PowerShell endpoints are the answer.*

## Troubleshooting clues

- **PAM vault unreachable after network change** — symptom: Admins cannot authenticate to the PAM vault; attempts to access privileged accounts time out.. The firewall or routing rules were changed and blocked traffic to the PAM vault server (e.g., TCP port 443 or 1858). PAM vaults are often isolated in a management subnet with strict access controls. (Exam clue: On the AZ-104 and MS-102 exams, you might be given a scenario where after implementing network security groups, admins cannot access PIM. The cause is likely a missing NSG rule allowing traffic from admin workstations to the PIM endpoint.)
- **Privileged account password rotation failure** — symptom: One-time password returned by PAM vault is not accepted by the target server; check password status shows failed rotation.. The service account used by the PAM vault to rotate passwords (e.g., the CyberArk Central Policy Manager account) lacks update permissions on the target system's local security policies or Active Directory. (Exam clue: In CISSP and Security+, this is a common error where the vault agent doesn't have necessary rights. The exam tests understanding that the PAM vault has its own privileged account that must be properly delegated.)
- **Session recording not capturing keystrokes** — symptom: Reviewing a recorded session shows a blank screen or no keystroke data, but the session connection was live.. The PAM proxy session manager is configured to use an outdated protocol (e.g., RDP without keyboard hook) or the target system is blocking the recording agent injection (e.g., through Group Policy disabling Remote Desktop Services hooks). (Exam clue: For CySA+ and Security+, this scenario tests knowledge of how privileged session recording works at the proxy level versus agent-based. The correct fix is to ensure the target system allows the recording agent.)
- **User cannot activate privileged role in PIM even after MFA** — symptom: User completes MFA but gets an error that activation is pending or denied; no approval request appears.. The role requires approval from a specific group (e.g., engineering managers) and the approval workflow is misconfigured, perhaps the approver group is empty or the users are not included in the approval scope. (Exam clue: MS-102 and SC-900 exams test PIM activation workflows. A question might ask why an admin cannot activate a role after MFA, the answer is that PIM requires separate approval, not just MFA.)
- **Break-glass account fails to log in** — symptom: During an emergency, the break-glass local admin account password is entered but login is denied.. The break-glass account was recently disabled by a GPO that enforces local admin restrictions, or the password was rotated after previous use but the rotated password was not recorded in the emergency envelope. (Exam clue: This is a classic CISSP exam scenario. The solution is to ensure break-glass accounts are excluded from Group Policies that disable local accounts and that after each use, the new password is secured in the tamper-evident container.)
- **PAM vault shows stale credentials for service accounts** — symptom: Service accounts managed by PAM are shown as 'out of sync' even though their passwords are manually changed outside the vault.. The service account password was updated by an administrator directly on the target system bypassing the PAM vault. The vault's last known password is now different from the actual password. (Exam clue: On the AWS SAA and Security+ exams, this teaches the importance of single control plane for privileged credentials, any manual change outside PAM breaks the integrity of the vault.)
- **Just-in-time access grants are not expiring** — symptom: A user who was granted 1-hour JIT access still has the absolute role days later.. The PAM scheduler or expiration policy is not functioning, either the JIT role assignment was set to permanent accidentally, or the PAM webhook to deactivate roles failed. In cloud environments, this often happens when the cloud provider's API returns a transient error. (Exam clue: For AZ-104 and SC-900, the exam might ask you to investigate why a temporary role never expired. The answer is to check that the JIT policy's max duration is set correctly and that deactivation automation (e.g., Azure Automation runbook) is healthy.)

## Memory tip

PAM = Password Vault, Approvals, Monitoring. Think of the master key box at a hotel: locked away, only checked out with permission, and every door it opens is recorded.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/privileged-access-management
