Skip to main content

💼 AC-6 Least Privilege (M)(H)

  • ID: /frameworks/fedramp-high-security-controls/ac/06

Description

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Similar

  • Sections
    • /frameworks/nist-sp-800-53-r5/ac/06
  • Internal
    • ID: dec-c-e3bc71a5

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege102350no data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)657no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AC-6(1) Authorize Access to Security Functions (M)(H)44no data
💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)15no data
💼 AC-6(3) Network Access to Privileged Commands (H)12no data
💼 AC-6(5) Privileged Accounts (M)(H)35no data
💼 AC-6(7) Review of User Privileges (M)(H)22no data
💼 AC-6(8) Privilege Levels for Code Execution (H)no data
💼 AC-6(9) Log Use of Privileged Functions (M)(H)726no data
💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)14no data

Policies (28)

PolicyLogic CountFlagsCompliance
🛡️ AWS Account Root User has active access keys🟢1🟢 x6no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢1🟢 x6no data
🛡️ AWS EBS Snapshot is publicly accessible🟢1🟢 x6no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢1🟢 x6no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢1🟢 x6no data
🛡️ AWS EC2 Instance IMDSv2 is not enabled🟢1🟢 x6no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢1🟢 x6no data
🛡️ AWS IAM Policy allows full administrative privileges🟢1🟢 x6no data
🛡️ AWS IAM User has inline or directly attached policies🟢1🟠 x1, 🟢 x5no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled🟢1🟢 x6no data
🛡️ AWS RDS Snapshot is publicly accessible🟢1🟢 x6no data
🛡️ AWS S3 Bucket is not configured to block public access🟢1🟢 x6no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢1🟢 x6no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢1🟢 x6no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance has public IP addresses🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢1🟢 x6no data
🛡️ Google GCE Instance has a public IP address🟢1🟢 x6no data
🛡️ Google IAM Service Account has admin privileges🟢1🟢 x6no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢1🟢 x6no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪🟠 x1, 🟢 x2, ⚪ x1no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢1🟢 x6no data
🛡️ Google Project with KMS keys has a principal with Owner role🟢1🟢 x6no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢1🟢 x6no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢1🟢 x6no data