💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

• Contextual name: 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
• ID: /frameworks/nist-csf-v1.1/pr-ac/04
• Located in: 💼 Identity Management, Authentication and Access Control (PR.AC)

Description

Empty...

Similar

• Sections
  • /frameworks/iso-iec-27001-2013/06/01/02
  • /frameworks/iso-iec-27001-2013/09/01/02
  • /frameworks/iso-iec-27001-2013/09/02/03
  • /frameworks/iso-iec-27001-2013/09/04/01
  • /frameworks/iso-iec-27001-2013/09/04/04
  • /frameworks/iso-iec-27001-2013/09/04/05
  • /frameworks/nist-sp-800-53-r4/ac/01
  • /frameworks/nist-sp-800-53-r4/ac/02
  • /frameworks/nist-sp-800-53-r4/ac/03
  • /frameworks/nist-sp-800-53-r4/ac/05
  • /frameworks/nist-sp-800-53-r4/ac/06
  • /frameworks/nist-sp-800-53-r4/ac/14
  • /frameworks/nist-sp-800-53-r4/ac/16
  • /frameworks/nist-sp-800-53-r4/ac/24
• Internal
  • ID: dec-c-2c2dde09

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 ISO/IEC 27001:2013 → 💼 A.6.1.2 Segregation of duties
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services		17	18
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights		3	8
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction		19	20
💼 ISO/IEC 27001:2013 → 💼 A.9.4.4 Use of privileged utility programs
💼 ISO/IEC 27001:2013 → 💼 A.9.4.5 Access control to program source code
💼 NIST SP 800-53 Revision 4 → 💼 AC-1 ACCESS CONTROL POLICY AND PROCEDURES
💼 NIST SP 800-53 Revision 4 → 💼 AC-2 ACCOUNT MANAGEMENT	13	3	6
💼 NIST SP 800-53 Revision 4 → 💼 AC-3 ACCESS ENFORCEMENT	10		2
💼 NIST SP 800-53 Revision 4 → 💼 AC-5 SEPARATION OF DUTIES		3	4
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 LEAST PRIVILEGE	10	2	4
💼 NIST SP 800-53 Revision 4 → 💼 AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION	1
💼 NIST SP 800-53 Revision 4 → 💼 AC-16 SECURITY ATTRIBUTES	10
💼 NIST SP 800-53 Revision 4 → 💼 AC-24 ACCESS CONTROL DECISIONS	2

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			91

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (52)

Policy	Logic Count	Flags
📝 AWS Account IAM Access Analyzer is not enabled for all regions 🟢	1	🟢 x6
📝 AWS Account Root User credentials were used is the last 30 days 🟢	1	🟢 x6
📝 AWS Account Root User has active access keys 🟢	1	🟢 x6
📝 AWS DMS Replication Instance is publicly accessible 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted DNS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted ICMP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted NetBIOS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢	1	🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢	1	🟠 x1, 🟢 x5
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢	1	🟢 x6
📝 AWS RDS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢	1	🟢 x6
📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢	1	🟢 x6
📝 Azure App Service Basic Authentication is enabled 🟢		🟢 x3
📝 Azure Cosmos DB Account Private Endpoints are not used 🟢	1	🟢 x6
📝 Azure Cosmos DB Account Virtual Network Filter is not enabled 🟢	1	🟢 x6
📝 Azure Cosmos DB Entra ID Client Authentication is not used 🟢		🟢 x3
📝 Azure Network Security Group allows public access to HTTP(S) ports 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to RDP port 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to SSH port 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services 🟢	1	🟢 x6
📝 Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) 🟢	1	🟢 x6
📝 Azure Storage Account Allow Blob Anonymous Access is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Trusted Azure Services are not enabled as networking exceptions 🟢	1	🟢 x6
📝 Consumer Google Accounts are used 🟢		🟢 x3
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Cloud Audit Logging is not configured properly 🟢	1	🟢 x6
📝 Google Cloud MySQL Instance allows anyone to connect with administrative privileges 🟢		🟢 x3
📝 Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Instance has public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟢	1	🟢 x6
📝 Google GCE Instance has a public IP address 🟢	1	🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs 🟢	1	🟢 x6
📝 Google IAM Service Account has admin privileges 🟢	1	🟢 x6
📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢	1	🟢 x6
📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢		🟠 x1, 🟢 x3
📝 Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟢	1	🟢 x6
📝 Google Storage Bucket is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟢	1	🟢 x6
📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢	1	🟢 x6

Internal Rules

Rule	Policies	Flags
✉️ dec-x-0a7801fb	1
✉️ dec-x-4c15a09f	1
✉️ dec-x-14bf01f3	1
✉️ dec-x-46a83a30	1
✉️ dec-x-157aa4b9	1
✉️ dec-x-0289e9c9	1
✉️ dec-x-599c86b4	1
✉️ dec-x-083928f5	1
✉️ dec-x-63737248	1
✉️ dec-x-ab7fc52e	1
✉️ dec-x-b3342905	1
✉️ dec-x-bf1f13f6	1
✉️ dec-x-e02b5fdd	1
✉️ dec-x-ec547a7c	1
✉️ dec-x-f4cc003a	1
✉️ dec-x-f937c35f	1
✉️ dec-z-c82c9f97	1