💼 AC-6 Least Privilege (M)(H)

• ID: /frameworks/fedramp-moderate-security-controls/ac/06

Description

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Similar

• Sections
  • /frameworks/fedramp-high-security-controls/ac/06
• Internal
  • ID: dec-c-e3bc71a5

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	57		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AC-6(1) Authorize Access to Security Functions (M)(H)			4		no data
💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)			5		no data
💼 AC-6(5) Privileged Accounts (M)(H)			5		no data
💼 AC-6(7) Review of User Privileges (M)(H)			2		no data
💼 AC-6(9) Log Use of Privileged Functions (M)(H)			26		no data
💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)			4		no data

Policies (28)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account Root User has active access keys🟢	1	🟢 x6	no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EBS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance IMDSv2 is not enabled🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢	1	🟢 x6	no data
🛡️ AWS IAM Policy allows full administrative privileges🟢	1	🟢 x6	no data
🛡️ AWS IAM User has inline or directly attached policies🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢	1	🟢 x6	no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢	1	🟢 x6	no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance has public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢	1	🟢 x6	no data
🛡️ Google GCE Instance has a public IP address🟢	1	🟢 x6	no data
🛡️ Google IAM Service Account has admin privileges🟢	1	🟢 x6	no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢	1	🟢 x6	no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪		🟠 x1, 🟢 x2, ⚪ x1	no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢	1	🟢 x6	no data
🛡️ Google Project with KMS keys has a principal with Owner role🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢	1	🟢 x6	no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢	1	🟢 x6	no data