Role-based access controls (RBAC) are a method of restricting access to resources based on the roles of individual users within an organization. RBAC allows administrators to assign permissions to roles, rather than to specific users, and then assign users to those roles. This simplifies the management of access rights and reduces the risk of unauthorized or excessive access. RBAC is especially important for ensuring adequate restriction on the number of people who can access the pipeline production environment, which is the final stage of the continuous integration and continuous delivery (CI/CD) process where code is deployed to the end-users. Access to the production environment should be limited to only those who are responsible for deploying, monitoring, and maintaining the code, such as production engineers, release managers, or site reliability engineers. Developers, testers, or other stakeholders should not have access to the production environment, as this could compromise the security, quality, and performance of the code. RBAC can help enforce this separation of duties and responsibilities by defining different roles for different pipeline stages and granting appropriate permissions to each role. For example, developers may have permission to create, edit, and test code in the development pipeline, but not to deploy or modify code in the production pipeline. Conversely, production engineers may have permission to deploy, monitor, and troubleshoot code in the production pipeline, but not to create or edit code in the development pipeline. RBAC can also help implement the principle of least privilege, which states that users should only have the minimum level of access required to perform their tasks. This reduces the attack surface and minimizes the potential damage in case of a breach or misuse. RBAC can be configured at different levels of granularity, such as at the organization, project, or object level, depending on the needs and complexity of the organization. RBAC can also leverage existing identity and access management (IAM) solutions, such as Azure Active Directory or AWS IAM, to integrate with cloud services and applications.

Set pipeline permissions - Azure Pipelines

Azure DevOps: Access, Roles and Permissions

Cloud Computing --- What IT Auditors Should Really Know

A corrective control is a measure taken to correct or reduce the impact of an error, deviation, or unwanted activity1. Corrective control can be either manual or automated, depending on the type of control used.Corrective control can involve procedures, manuals, systems, patches, quarantines, terminations, reboots, or default dates1. A Business Continuity Plan (BCP) is an example of a corrective control.

Unsuccessful access attempts being automatically logged for investigation is an example of a corrective control because it is a response to a potential security incident that aims to identify and resolve the cause and prevent future occurrences2. Logging and investigating failed login attempts can help detect unauthorized or malicious attempts to access sensitive data or systems and take appropriate actions to mitigate the risk.

The other options are examples of preventive controls, which are designed to prevent problems from occurring in the first place3. Preventive controls can include:

A central antivirus system installing the latest signature files before allowing a connection to the network: This is a preventive control because it prevents malware infection by blocking potentially harmful connections and updating the antivirus software regularly4.

All new employees having standard access rights until their manager approves privileged rights: This is a preventive control because it prevents unauthorized access by enforcing the principle of least privilege and requiring approval for granting higher-level permissions5.

Privileged access to critical information systems requiring a second factor of authentication using a soft token: This is a preventive control because it prevents credential theft or compromise by adding an extra layer of security to verify the identity of the user.

What is a corrective control?- Answers1, section on Corrective control

Detective controls - SaaS Lens - docs.aws.amazon.com2, section on Unsuccessful login attempts

Internal control: how do preventive and detective controls work?3, section on Preventive Controls

What Are Security Controls?- F54, section on Preventive Controls

The 3 Types of Internal Controls (With Examples) | Layer Blog5, section on Preventive Controls

What are the 3 Types of Internal Controls? --- RiskOptics - Reciprocity, section on Preventive Controls

Using a standardized control framework enables auditors to conduct gap analyses of what a cloud service provider (CSP) offers versus what the customer requires. A standardized control framework is a set of guidelines, best practices, and criteria that help to evaluate and improve the security, privacy, and compliance of cloud computing environments. Examples of standardized control frameworks include ISO/IEC 27001/27002/27017/27018, NIST SP 800-53, CSA Cloud Controls Matrix (CCM), COBIT, etc. By using a standardized control framework, auditors can compare the CSP's policies, procedures, and practices with the customer's expectations and requirements, and identify any gaps or discrepancies that may pose risks or issues.A gap analysis can help the auditors to provide recommendations and suggestions to the CSP and the customer on how to close the gaps and enhance the quality and performance of the cloud services12.

Cloud Controls Matrix (CCM) - CSA

Cloud Computing Audit Program - ISACA