PAM, JIT, JEA, and Service Accounts
Key Takeaways
- Privileged access management reduces standing administrative access and records high-risk actions.
- Just-in-time access grants privilege only for a limited approved window.
- Just-enough administration limits privileged users to the specific actions needed for the task.
- Service accounts need ownership, scoped permissions, credential rotation, and monitoring.
- Shared administrator accounts reduce accountability and should be replaced with named access plus elevation controls.
Privileged accounts can change security settings, read sensitive data, create users, disable logs, or deploy code. A small mistake or compromise can affect many systems. Privileged access management, or PAM, is the set of controls used to request, approve, limit, monitor, and revoke privileged access.
Key Concepts
| Term | Meaning | Security value |
|---|---|---|
| PAM | Controls for privileged account use | Reduces abuse and improves accountability |
| JIT | Just-in-time access for a limited duration | Reduces standing privilege |
| JEA | Just-enough administration for limited actions | Reduces blast radius |
| Credential vault | Secure storage and checkout for secrets | Protects administrative passwords and keys |
| Session recording | Capture of privileged activity | Supports investigation and deterrence |
Scenario: Database Maintenance
A database administrator needs to apply an emergency index change to a production database. Without PAM, the DBA might have permanent administrator rights. If that account is phished, an attacker could immediately access production.
With PAM, the DBA submits a request tied to an incident ticket. The system checks the on-call schedule, requires MFA, grants database administrator rights for 60 minutes, records the session, and removes the role when the window expires. JEA narrows the allowed operations to database maintenance commands instead of full operating system administration.
Example privileged event trail:
```
2026-04-29T15:04:11Z pam request_id=PR-8842 user=dbell target=db-prod-03 role=db-maint approver=ltan duration=60m status=approved
2026-04-29T15:06:03Z pam request_id=PR-8842 user=dbell mfa=success session=started source_ip=10.40.8.25
2026-04-29T15:42:18Z pam request_id=PR-8842 command="ALTER INDEX IX_CLAIMS_REBUILD" result=success
2026-04-29T16:06:04Z pam request_id=PR-8842 session=ended elevation=revoked
```
The important details are identity, approval, target, role, start time, actions, outcome, and revocation.
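An audit check over that kind of event trail, as an added example (not from the original page): it parses the key=value lines, groups them by request_id, and flags sessions that lack an approval record, were self-approved, started without MFA, were never revoked, or ran past the approved duration. The second request (PR-8850) is constructed to trigger findings; the one-minute grace on the window is an assumption about revocation-job latency.

```python
import re
from datetime import datetime, timedelta

# Constructed sample trail in the page's key=value format (not real data).
TRAIL = """\
2026-04-29T15:04:11Z pam request_id=PR-8842 user=dbell target=db-prod-03 role=db-maint approver=ltan duration=60m status=approved
2026-04-29T15:06:03Z pam request_id=PR-8842 user=dbell mfa=success session=started source_ip=10.40.8.25
2026-04-29T15:42:18Z pam request_id=PR-8842 command="ALTER INDEX IX_CLAIMS_REBUILD" result=success
2026-04-29T16:06:04Z pam request_id=PR-8842 session=ended elevation=revoked
2026-04-29T17:00:00Z pam request_id=PR-8850 user=dbell target=db-prod-03 role=db-maint approver=dbell duration=60m status=approved
2026-04-29T17:01:00Z pam request_id=PR-8850 user=dbell session=started source_ip=10.40.8.25
2026-04-29T19:30:00Z pam request_id=PR-8850 session=ended elevation=revoked
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse(trail):
    """Group events by request_id; each event is a dict of fields plus a timestamp."""
    sessions = {}
    for line in trail.splitlines():
        ts_str, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        sessions.setdefault(fields["request_id"], []).append(fields)
    return sessions

def audit(trail):
    """Return {request_id: [findings]}; an empty list means the session passed."""
    findings = {}
    for rid, events in parse(trail).items():
        issues = []
        approval = next((e for e in events if e.get("status") == "approved"), None)
        start = next((e for e in events if e.get("session") == "started"), None)
        end = next((e for e in events if e.get("session") == "ended"), None)
        if approval is None:
            issues.append("no approval record")
        elif approval.get("approver") == approval.get("user"):
            issues.append("self-approved")
        if start is not None and start.get("mfa") != "success":
            issues.append("session started without MFA")
        if end is None or end.get("elevation") != "revoked":
            issues.append("elevation not revoked")
        elif approval and start:
            # +1 minute grace for revocation latency (assumption, not from the page)
            allowed = timedelta(minutes=int(approval["duration"].rstrip("m")) + 1)
            if end["ts"] - start["ts"] > allowed:
                issues.append("session exceeded approved window")
        findings[rid] = issues
    return findings
```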
Service Accounts
Service accounts run applications, scheduled jobs, integrations, and system-to-system tasks. They are easy to overlook because they are not tied to a person sitting at a keyboard.
| Service account control | Why it matters |
|---|---|
| Named owner | Someone must approve use and respond to alerts |
| Noninteractive login restriction | Prevents use as a normal human login where possible |
| Least privilege | Limits what an application can access if compromised |
| Secret rotation | Reduces impact of leaked passwords or keys |
| Vaulting | Avoids hardcoded secrets in scripts or repositories |
| Monitoring | Detects unusual source hosts, times, or actions |
Common Traps
- Using one shared "admin" account for the whole IT team.
- Granting permanent domain administrator access for occasional troubleshooting.
- Hardcoding service account passwords in scripts.
- Forgetting to disable a contractor privileged account after the project ends.
- Monitoring failed user logins but ignoring service account behavior.
Exam Focus
When a question asks for the best way to reduce risk from privileged accounts, look for controls that reduce standing privilege, scope the permission, enforce MFA, require approval, log activity, and automatically revoke access. For service accounts, look for owner assignment, least privilege, vaulting, and rotation.
An engineer needs temporary firewall administrator access for a planned change. Which approach best follows JIT?
What is the best reason to replace shared administrator accounts with named accounts and elevation?
Which controls are most appropriate for service accounts? Select three.