πΌ AC-2 Account Management (L)(M)(H)
- Contextual name: πΌ AC-2 Account Management (L)(M)(H)
- ID:
/frameworks/fedramp-low-security-controls/ac/02 - Located in: πΌ Access Control
Descriptionβ
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
- Authorized users of the system;
- Group and role membership; and
- Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
- [FedRAMP Assignment: twenty-four (24) hours] when accounts are no longer required;
- [FedRAMP Assignment: eight (8) hours] when users are terminated or transferred; and
- [FedRAMP Assignment: eight (8) hours] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
- A valid access authorization;
- Intended system usage; and
- [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [FedRAMP Assignment: quarterly for privileged access, annually for non-privileged access];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
Similarβ
- Sections
/frameworks/nist-sp-800-53-r5/ac/02/frameworks/fedramp-high-security-controls/ac/02
- Internal
- ID:
dec-c-ca47f9bb
- ID:
Similar Sections (Take Policies From)β
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ FedRAMP High Security Controls β πΌ AC-2 Account Management (L)(M)(H) | 10 | 9 | 31 | |
| πΌ NIST SP 800-53 Revision 5 β πΌ AC-2 Account Management | 13 | 17 | 30 |
Sub Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
Policies (3)β
| Policy | Logic Count | Flags |
|---|---|---|
| π AWS IAM Policy allows full administrative privileges π’ | 1 | π’ x6 |
| π AWS IAM User has inline or directly attached policies π’ | 1 | π x1, π’ x5 |
| π AWS IAM User with credentials unused for 45 days or more is not disabled π’ | 1 | π’ x6 |