KURAL.ai

MFA on 100% of admin accounts; quarterly access review

SOC2.CC6.IAM · GLOBAL · operational_security
Severity
critical
Cadence
daily
Region
global
Current status (Apollo Gaming Ltd.)
not evaluated

Requirement

Every account with admin privileges to production AWS, GitHub, or the database must have MFA enabled. Access is reviewed quarterly and revoked within 24h of role change.

Source: AICPA TSC — CC6 Logical & Physical Access

Evidence specification

Evidence type
infra_config
Connector
cloud-aws
Spec
{
  "resource_type": "iam_account",
  "scope": "admin",
  "required_fields": [
    "user_id",
    "mfa_enabled",
    "last_access_review_at"
  ]
}
Acceptance criteria
  • every admin user_id has mfa_enabled = true
  • last_access_review_at within 92 days
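
One way to evaluate the two acceptance criteria against records shaped like the spec's required_fields. This is an added example, not KURAL.ai's evaluator. The function name `evaluate`, ISO 8601 timestamps, a timezone-aware `now`, treating naive timestamps as UTC, and the sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("user_id", "mfa_enabled", "last_access_review_at")
MAX_REVIEW_AGE = timedelta(days=92)  # "within 92 days" from the criteria

def evaluate(records, now):
    """Return (user_id, reason) findings; an empty list means the control passes."""
    if not records:
        # An empty inventory would pass "every admin ..." vacuously; flag it.
        return [("<none>", "connector returned no admin accounts")]
    findings = []
    for rec in records:
        uid = rec.get("user_id") or "<missing user_id>"
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) is None]
        if missing:
            findings.append((uid, "missing fields: " + ", ".join(missing)))
            continue
        # Only a JSON boolean true counts; the string "true" or 1 does not.
        if rec["mfa_enabled"] is not True:
            findings.append((uid, "mfa_enabled is not true"))
        try:
            reviewed = datetime.fromisoformat(rec["last_access_review_at"])
        except (TypeError, ValueError):
            findings.append((uid, "unparseable last_access_review_at"))
            continue
        if reviewed.tzinfo is None:
            reviewed = reviewed.replace(tzinfo=timezone.utc)  # assumption: UTC
        age = now - reviewed
        if age < timedelta(0):
            findings.append((uid, "last_access_review_at is in the future"))
        elif age > MAX_REVIEW_AGE:
            findings.append((uid, f"access review {age.days} days old"))
    return findings

# Constructed sample evidence, not real connector output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RECENT = "2024-05-01T09:00:00+00:00"
SAMPLE = [
    {"user_id": "alice", "mfa_enabled": True, "last_access_review_at": RECENT},
    {"user_id": "bob", "mfa_enabled": False, "last_access_review_at": RECENT},
    {"user_id": "carol", "mfa_enabled": True,
     "last_access_review_at": "2024-01-15T09:00:00+00:00"},
    {"user_id": "dave", "mfa_enabled": "true", "last_access_review_at": RECENT},
    {"user_id": "erin", "mfa_enabled": True},
]

if __name__ == "__main__":
    for user_id, reason in evaluate(SAMPLE, NOW):
        print(f"FAIL {user_id}: {reason}")
```

The empty-inventory and string-"true" branches matter in practice: a connector that returns nothing, or that serializes booleans as strings, would otherwise read as a passing control.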

Recent evaluations (Apollo Gaming Ltd.)

No evaluation history for this control yet.