💼 AC-5 Separation of Duties (M)(H)

Description

a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and

b. Define system access authorizations to support separation of duties.

AC-5 Additional FedRAMP Requirements and Guidance:

Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			13

Section	Sub Sections	Internal Rules	Policies	Flags

Policy	Logic Count	Flags
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Instance has public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟢	1	🟢 x6
📝 Google GCE Instance has a public IP address 🟢	1	🟢 x6
📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢	1	🟢 x6
📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢		🟠 x1, 🟢 x3
📝 Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟢	1	🟢 x6
📝 Google Storage Bucket is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟢	1	🟢 x6
📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢	1	🟢 x6