SAMPLE · Architect Report · Finding

Finding CTRL-IAM-04

A representative finding from a CPLT Architect Report. Real structure, real control mapping, real remediation specification — anonymized environment details.

HIGH SEVERITY · OPENED 2026-04-12
SHA256 · a7f9…91c4…03e08

TITLE

Privileged session timeout not enforced

FRAMEWORK

SOC 2 · CC6.3

ISO MAPPING

A.5.15 / A.8.2

SCOPE

IAM · production

01 / WHAT THE FRAMEWORK REQUIRES

Control Requirement

The entity restricts privileged access by terminating idle sessions within a defined threshold. For SOC 2 CC6.3, the control is met when administrative or root-equivalent sessions are automatically terminated after a period of inactivity consistent with the entity’s access policy and risk appetite.

  • Idle timeout must be enforced at the identity-provider layer, not only at the workload.
  • Privileged and non-privileged roles must have distinct timeout thresholds.
  • Session-termination events must be captured in an immutable log.

02 / WHAT WE OBSERVED

Identified Gap

Production IAM roles with sudo or AdministratorAccess equivalents have no idle-timeout policy attached. Observed sessions remained authenticated for over 12h without re-auth.

observed:

role=arn:aws:iam::****:role/ops-admin
max_session_duration=43200s · idle_timeout=0

03 / WHAT WE SIGNED

Raw Evidence

Three signed artifacts support this finding. Each carries a SHA-256 hash and a verifiable timestamp. Content is redacted for this sample.

iam-trust-policy.json · a7f9…912
session-audit.log · b2c1…e40
policy-review.md · cd91…fe2

REMEDIATION · DETERMINISTIC

Prioritized, copy-paste-able fix.

Every finding in the Architect Report ships with an unambiguous remediation plan — not guidance, not “consider X.” Here is what CTRL-IAM-04 looks like, resolved.

  1. Enforce idle timeout at IdP layer

    Attach a session policy with MaxSessionDuration=3600s and IdleTimeout=900s to all privileged IAM roles. Commit via Terraform, PR-tracked.

  2. Rotate root-equivalent service accounts

    Install a 90-day rotation cadence on programmatic credentials. Automate revocation via your secrets manager.

  3. Ship session-termination log to immutable store

    Emit session-close events to a WORM-compliant log sink. Verify write-once property quarterly.

Post-remediation re-run is deterministic: the same evidence produces the same finding state, verifiably closed.
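A deterministic re-check of this finding, written as an added example and not taken from the Architect Report or any CPLT tooling: it scores constructed role records shaped like the "observed:" output above against the remediation thresholds (MaxSessionDuration=3600s, IdleTimeout=900s), hashes the three evidence artifacts, and shows that identical evidence yields an identical finding state and record hash. The `privileged` flag, the artifact contents and the record layout are assumptions of the example.

```python
"""Deterministic re-check of CTRL-IAM-04 over constructed evidence (added example)."""
import hashlib
import json

# Thresholds from the remediation specification for CTRL-IAM-04.
MAX_SESSION_SECONDS = 3600
IDLE_TIMEOUT_SECONDS = 900


def evaluate_role(role):
    """Return the control violations for one role record (empty list = compliant).

    Only privileged roles are in scope for this finding. Field names follow the
    report's "observed:" output; the "privileged" flag is an assumption here.
    """
    if not role.get("privileged"):
        return []
    violations = []
    if role["max_session_duration"] > MAX_SESSION_SECONDS:
        violations.append(
            f"max_session_duration={role['max_session_duration']}s exceeds {MAX_SESSION_SECONDS}s"
        )
    idle = role.get("idle_timeout", 0)
    # idle_timeout=0 (or missing) means sessions are never idle-terminated: the observed gap.
    if idle <= 0 or idle > IDLE_TIMEOUT_SECONDS:
        violations.append(f"idle_timeout={idle}s is not within (0, {IDLE_TIMEOUT_SECONDS}]")
    return violations


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so equal records hash equally."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(blob)


def finding_record(finding_id, roles, artifacts):
    """Derive the finding state from role evidence and bind it to the evidence hashes.

    artifacts maps filename -> raw bytes. The output depends only on its inputs,
    so re-running over the same evidence reproduces the same record hash.
    """
    violations = {}
    for r in sorted(roles, key=lambda x: x["role"]):
        v = evaluate_role(r)
        if v:
            violations[r["role"]] = v
    record = {
        "finding": finding_id,
        "state": "OPEN" if violations else "CLOSED",
        "violations": violations,
        "evidence": {name: sha256_hex(data) for name, data in sorted(artifacts.items())},
    }
    record["record_sha256"] = canonical_hash(record)
    return record


# Constructed sample evidence (not from the report): the observed state, and the
# same privileged role after the remediation session policy is attached.
ROLES_OBSERVED = [
    {"role": "arn:aws:iam::****:role/ops-admin", "privileged": True,
     "max_session_duration": 43200, "idle_timeout": 0},
    {"role": "arn:aws:iam::****:role/readonly-analyst", "privileged": False,
     "max_session_duration": 43200, "idle_timeout": 0},
]
ROLES_REMEDIATED = [
    {"role": "arn:aws:iam::****:role/ops-admin", "privileged": True,
     "max_session_duration": 3600, "idle_timeout": 900},
    {"role": "arn:aws:iam::****:role/readonly-analyst", "privileged": False,
     "max_session_duration": 43200, "idle_timeout": 0},
]
ARTIFACTS = {
    "iam-trust-policy.json": b'{"Version":"2012-10-17","Statement":[]}',
    "session-audit.log": b"2026-04-12T08:00:00Z session_open role=ops-admin\n",
    "policy-review.md": b"# Policy review\nNo idle timeout configured.\n",
}

if __name__ == "__main__":
    before = finding_record("CTRL-IAM-04", ROLES_OBSERVED, ARTIFACTS)
    after = finding_record("CTRL-IAM-04", ROLES_REMEDIATED, ARTIFACTS)
    print(json.dumps(before, indent=2))
    print("re-run identical:", before == finding_record("CTRL-IAM-04", ROLES_OBSERVED, ARTIFACTS))
    print("state after remediation:", after["state"])
```

The non-privileged role is deliberately left untouched in both snapshots: this finding's scope is privileged roles only, and the check must not flip to CLOSED or stay OPEN because of roles outside that scope. Binding the evidence hashes into the record, and then hashing the record itself, is what makes the "same evidence, same finding state" property checkable rather than asserted.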

WANT THE FULL THING?

Request a complete sample Architect Report.

Tell us the framework you’re preparing for, and we’ll send a full redacted sample report — 47 pages, 12 findings, signed.