Skip to main content

πŸ’Ό AC-6 Least Privilege (M)(H)

  • Contextual name: πŸ’Ό AC-6 Least Privilege (M)(H)
  • ID: /frameworks/fedramp-moderate-security-controls/ac/06
  • Located in: πŸ’Ό Access Control

Description​

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Similar​

  • Sections
    • /frameworks/fedramp-high-security-controls/ac/06
  • Internal
    • ID: dec-c-e3bc71a5

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81150

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AC-6(1) Authorize Access to Security Functions (M)(H)4
πŸ’Ό AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)4
πŸ’Ό AC-6(5) Privileged Accounts (M)(H)5
πŸ’Ό AC-6(7) Review of User Privileges (M)(H)2
πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)25
πŸ’Ό AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)3

Policies (22)​

PolicyLogic CountFlags
πŸ“ AWS Account Root User has active access keys 🟒1🟒 x6
πŸ“ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟒1🟒 x6
πŸ“ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 🟒1🟒 x6
πŸ“ AWS EC2 Instance IMDSv2 is not enabled 🟒1🟒 x6
πŸ“ AWS IAM Policy allows full administrative privileges 🟒1🟒 x6
πŸ“ AWS IAM User has inline or directly attached policies 🟒1🟠 x1, 🟒 x5
πŸ“ AWS IAM User with credentials unused for 45 days or more is not disabled 🟒1🟒 x6
πŸ“ AWS RDS Snapshot is publicly accessible 🟒1🟒 x6
πŸ“ AWS S3 Bucket is not configured to block public access 🟒1🟒 x6
πŸ“ Google BigQuery Dataset is anonymously or publicly accessible 🟒1🟒 x6
πŸ“ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟒1🟒 x6
πŸ“ Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟒1🟒 x6
πŸ“ Google Cloud SQL Instance has public IP addresses 🟒1🟒 x6
πŸ“ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟒1🟒 x6
πŸ“ Google GCE Instance has a public IP address 🟒1🟒 x6
πŸ“ Google IAM Service Account has admin privileges 🟒1🟒 x6
πŸ“ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟒1🟒 x6
πŸ“ Google KMS Crypto Key is anonymously or publicly accessible 🟠🟒🟠 x1, 🟒 x3
πŸ“ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟒1🟒 x6
πŸ“ Google Storage Bucket is anonymously or publicly accessible 🟒1🟒 x6
πŸ“ Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟒1🟒 x6
πŸ“ Google User has both Service Account Admin and Service Account User roles assigned 🟒1🟒 x6