An audit finds dozens of unused, over-permissioned service accounts. What do you do?
Short answer
Unused, over-privileged service accounts are prime targets and a large attack surface. Inventory them, disable or delete the unused ones (watching for breakage), right-size the survivors to least privilege, and give each an owner plus a recurring review. Leaving them is standing risk, granting blanket admin maximizes blast radius, and consolidating onto one shared account destroys least privilege and accountability.
Dozens of unused, over-permissioned service accounts are a quiet but serious liability. Each one is a credential that can be stolen or abused, often with broad rights and no human watching it — exactly what attackers hunt for to move laterally and escalate. The right response is a disciplined identity lifecycle cleanup.
The correct approach
- Inventory every service account: what it is, what it can do, when it was last used, and which system depends on it. You can't secure what you haven't enumerated.
- Disable or remove the unused ones. Prefer disable first (reversible) over immediate deletion so you can catch anything that quietly breaks, then delete once you're confident.
- Right-size the survivors to least privilege — strip standing permissions down to exactly what each workload needs, and rotate their credentials.
- Assign an owner to each remaining account and set a recurring access review, so entitlements are re-justified and sprawl doesn't silently return.
Why the distractors are dangerous
- "Leave them — they might be needed someday" is standing risk with no upside. Dormant, powerful identities are pure attack surface; "someday" rarely arrives, and the account sits exploitable in the meantime.
- "Give them all admin so permissions are consistent" maximizes blast radius: now every one of those compromisable accounts is a path to full control. Consistency is no virtue when the consistent state is "over-privileged."
- "Consolidate onto one shared service account" destroys least privilege and accountability at once: that single account needs the union of all permissions, its credential is everywhere, and you lose the ability to attribute actions or revoke access narrowly.
What the interviewer is probing
They want to see that you treat identities as a managed lifecycle — enumerate, disable safely, scope down, assign ownership, review — and that you instinctively minimize both standing privilege and blast radius rather than optimizing for convenience.
Likely follow-ups
- How would you safely disable an account you suspect is unused without causing an outage?
- What signals (last-used, access logs) tell you an account is genuinely dormant?
- How do you prevent service-account sprawl from recurring after this cleanup?