Skip to main content

💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

  • ID: /frameworks/nist-csf-v1.1/pr-ac/04

Description

Empty...

Similar

  • Sections
    • /frameworks/iso-iec-27001-2013/06/01/02
    • /frameworks/iso-iec-27001-2013/09/01/02
    • /frameworks/iso-iec-27001-2013/09/02/03
    • /frameworks/iso-iec-27001-2013/09/04/01
    • /frameworks/iso-iec-27001-2013/09/04/04
    • /frameworks/iso-iec-27001-2013/09/04/05
    • /frameworks/nist-sp-800-53-r4/ac/01
    • /frameworks/nist-sp-800-53-r4/ac/02
    • /frameworks/nist-sp-800-53-r4/ac/03
    • /frameworks/nist-sp-800-53-r4/ac/05
    • /frameworks/nist-sp-800-53-r4/ac/06
    • /frameworks/nist-sp-800-53-r4/ac/14
    • /frameworks/nist-sp-800-53-r4/ac/16
    • /frameworks/nist-sp-800-53-r4/ac/24
  • Internal
    • ID: dec-c-2c2dde09

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 ISO/IEC 27001:2013 → 💼 A.6.1.2 Segregation of dutiesno data
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services1718no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights312no data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction1920no data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.4 Use of privileged utility programsno data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.5 Access control to program source codeno data
💼 NIST SP 800-53 Revision 4 → 💼 AC-1 ACCESS CONTROL POLICY AND PROCEDURESno data
💼 NIST SP 800-53 Revision 4 → 💼 AC-2 ACCOUNT MANAGEMENT1336no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-3 ACCESS ENFORCEMENT102no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-5 SEPARATION OF DUTIES34no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 LEAST PRIVILEGE1027no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION1no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-16 SECURITY ATTRIBUTES10no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-24 ACCESS CONTROL DECISIONS2no data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (56)

PolicyLogic CountFlagsCompliance
🛡️ AWS Account IAM Access Analyzer is not enabled for all regions🟢1🟢 x6no data
🛡️ AWS Account Root User credentials were used is the last 30 days🟢1🟢 x6no data
🛡️ AWS Account Root User has active access keys🟢1🟢 x6no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted DNS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted ICMP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted NetBIOS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢1🟢 x6no data
🛡️ AWS IAM Policy allows full administrative privileges🟢1🟢 x6no data
🛡️ AWS IAM User has inline or directly attached policies🟢1🟠 x1, 🟢 x5no data
🛡️ AWS RDS Instance is publicly accessible and in an unrestricted public subnet🟢1🟢 x6no data
🛡️ AWS RDS Snapshot is publicly accessible🟢1🟢 x6no data
🛡️ AWS S3 Bucket is not configured to block public access🟢1🟢 x6no data
🛡️ Azure App Service Authentication is disabled and Basic Authentication is enabled🟢1🟢 x6no data
🛡️ Azure App Service Basic Authentication is enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ Azure Cosmos DB Account Private Endpoints are not used🟢1🟢 x6no data
🛡️ Azure Cosmos DB Account Virtual Network Filter is not enabled🟢1🟢 x6no data
🛡️ Azure Cosmos DB Entra ID Client Authentication is not used🟢⚪🟢 x2, ⚪ x1no data
🛡️ Azure Network Security Group allows public access to HTTP(S) ports🟢1🟢 x6no data
🛡️ Azure Network Security Group allows public access to RDP port🟢1🟢 x6no data
🛡️ Azure Network Security Group allows public access to SSH port🟢1🟢 x6no data
🛡️ Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services🟢1🟢 x6no data
🛡️ Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP)🟢1🟢 x6no data
🛡️ Azure Storage Account Allow Blob Anonymous Access is enabled🟢1🟢 x6no data
🛡️ Azure Storage Account Trusted Azure Services are not enabled as networking exceptions🟢1🟢 x6no data
🛡️ Consumer Google Accounts are used🟢⚪🟢 x2, ⚪ x1no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Cloud Audit Logging is not configured properly🟢1🟢 x6no data
🛡️ Google Cloud MySQL Instance allows anyone to connect with administrative privileges🟢⚪🟢 x2, ⚪ x1no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance has public IP addresses🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢1🟢 x6no data
🛡️ Google GCE Instance has a public IP address🟢1🟢 x6no data
🛡️ Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs🟢1🟢 x6no data
🛡️ Google GKE Cluster Node Pool uses default Service account🟢1🟢 x6no data
🛡️ Google IAM Policy Binding Member (User) is assigned a basic role🟢1🟢 x6no data
🛡️ Google IAM Service Account has admin privileges🟢1🟢 x6no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢1🟢 x6no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪🟠 x1, 🟢 x2, ⚪ x1no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢1🟢 x6no data
🛡️ Google Project with KMS keys has a principal with Owner role🟢1🟢 x6no data
🛡️ Google Resource Manager Organization has a Redis IAM role assigned🟢1🟢 x6no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢1🟢 x6no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢1🟢 x6no data

Internal Rules

RulePoliciesFlags
✉️ dec-x-0a7801fb1
✉️ dec-x-4c15a09f1
✉️ dec-x-14bf01f31
✉️ dec-x-46a83a301
✉️ dec-x-157aa4b91
✉️ dec-x-0289e9c91
✉️ dec-x-599c86b41
✉️ dec-x-083928f51
✉️ dec-x-637372481
✉️ dec-x-ab7fc52e1
✉️ dec-x-b33429051
✉️ dec-x-bf1f13f61
✉️ dec-x-e02b5fdd1
✉️ dec-x-ec547a7c1
✉️ dec-x-f4cc003a1
✉️ dec-x-f937c35f1
✉️ dec-z-c82c9f971