Skip to main content

πŸ’Ό AC-2 Account Management (L)(M)(H)

  • Contextual name: πŸ’Ό AC-2 Account Management (L)(M)(H)
  • ID: /frameworks/fedramp-moderate-security-controls/ac/02
  • Located in: πŸ’Ό Access Control

Description​

a. Define and document the types of accounts allowed and specifically prohibited for use within the system;

b. Assign account managers;

c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;

d. Specify:

  1. Authorized users of the system;
  2. Group and role membership; and
  3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;

e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;

f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];

g. Monitor the use of accounts;

h. Notify account managers and [Assignment: organization-defined personnel or roles] within:

  1. [FedRAMP Assignment: twenty-four (24) hours] when accounts are no longer required;
  2. [FedRAMP Assignment: eight (8) hours] when users are terminated or transferred; and
  3. [FedRAMP Assignment: eight (8) hours] when system usage or need-to-know changes for an individual;

i. Authorize access to the system based on:

  1. A valid access authorization;
  2. Intended system usage; and
  3. [Assignment: organization-defined attributes (as required)];

j. Review accounts for compliance with account management requirements [FedRAMP Assignment: quarterly for privileged access, annually for non-privileged access];

k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

l. Align account management processes with personnel termination and transfer processes.

Similar​

  • Sections
    • /frameworks/fedramp-high-security-controls/ac/02
  • Internal
    • ID: dec-c-ca47f9bb

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2 Account Management (L)(M)(H)10931

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16
πŸ’Ό AC-2(2) Automated Temporary and Emergency Account Management (M)(H)
πŸ’Ό AC-2(3) Disable Accounts (M)(H)4
πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)13
πŸ’Ό AC-2(5) Inactivity Logout (M)(H)
πŸ’Ό AC-2(7) Privileged User Accounts (M)(H)7
πŸ’Ό AC-2(9) Restrictions on Use of Shared and Group Accounts (M)(H)2
πŸ’Ό AC-2(12) Account Monitoring for Atypical Usage (M)(H)2
πŸ’Ό AC-2(13) Disable Accounts for High-risk Individuals (M)(H)

Policies (3)​

PolicyLogic CountFlags
πŸ“ AWS IAM Policy allows full administrative privileges 🟒1🟒 x6
πŸ“ AWS IAM User has inline or directly attached policies 🟒1🟠 x1, 🟒 x5
πŸ“ AWS IAM User with credentials unused for 45 days or more is not disabled 🟒1🟒 x6