💼 PR.AA-03: Users, services, and hardware are authenticated

ID: /frameworks/nist-csf-v2.0/pr-aa/03

Description

Require multifactor authentication
Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)
Ensure that authorized personnel can access accounts essential for protecting safety under emergency conditions

Similar

Sections
- /frameworks/nist-csf-v1.1/pr-ac/03
- /frameworks/nist-csf-v1.1/pr-ac/07
- /frameworks/nist-sp-800-53-r5/ac/07
- /frameworks/nist-sp-800-53-r5/ac/12
- /frameworks/nist-sp-800-53-r5/ia/02
- /frameworks/nist-sp-800-53-r5/ia/03
- /frameworks/nist-sp-800-53-r5/ia/05
- /frameworks/nist-sp-800-53-r5/ia/07
- /frameworks/nist-sp-800-53-r5/ia/08
- /frameworks/nist-sp-800-53-r5/ia/09
- /frameworks/nist-sp-800-53-r5/ia/10
- /frameworks/nist-sp-800-53-r5/ia/11

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			22	no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		19	23	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-7 Unsuccessful Logon Attempts	4			no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-12 Session Termination	3			no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-2 Identification and Authentication (organizational Users)	13		3	no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-3 Device Identification and Authentication	4			no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5 Authenticator Management	18		16	no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-7 Cryptographic Module Authentication				no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-8 Identification and Authentication (non-organizational Users)	6			no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-9 Service Identification and Authentication	2			no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-10 Adaptive Authentication				no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-11 Re-authentication				no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (53)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account IAM Password Policy Number of passwords to remember is not set to 24🟢	1	🟢 x6	no data
🛡️ AWS Account Root User credentials were used is the last 30 days🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance IAM role is not attached🟢	1	🟢 x6	no data
🛡️ AWS IAM Policy allows full administrative privileges🟢	1	🟢 x6	no data
🛡️ AWS IAM Server Certificate is expired🟢	1	🟢 x6	no data
🛡️ AWS IAM User Access Keys are not rotated every 90 days or less🟢	1	🟢 x6	no data
🛡️ AWS IAM User has inline or directly attached policies🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS IAM User has more than one active access key🟢	1	🟢 x6	no data
🛡️ AWS IAM User MFA is not enabled for all users with console password🟢	1	🟢 x6	no data
🛡️ AWS IAM User with console and programmatic access set during the initial creation🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ AWS KMS Symmetric CMK Rotation is not enabled🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket MFA Delete is not enabled🟠🟢	1	🟠 x1, 🟢 x6	no data
🛡️ Azure App Service Authentication is disabled and Basic Authentication is enabled🟢	1	🟢 x6	no data
🛡️ Azure App Service Basic Authentication is enabled🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Azure App Service is not registered with Microsoft Entra ID🟢	1	🟢 x6	no data
🛡️ Azure Key Vault Soft Delete and Purge Protection functions are not enabled🟢	1	🟢 x6	no data
🛡️ Azure Non-RBAC Key Vault stores Keys without expiration date🟢	1	🟢 x6	no data
🛡️ Azure Non-RBAC Key Vault stores Secrets without expiration date🟢	1	🟢 x6	no data
🛡️ Azure RBAC Key Vault stores Keys without expiration date🟢	1	🟢 x6	no data
🛡️ Azure RBAC Key Vault stores Secrets without expiration date🟢	1	🟢 x6	no data
🛡️ Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP)🟢	1	🟢 x6	no data
🛡️ Consumer Google Accounts are used🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Google Accounts are not configured with MFA🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK)🟢	1	🟢 x6	no data
🛡️ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢	1	🟢 x6	no data
🛡️ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key🟢	1	🟢 x6	no data
🛡️ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)🟢	1	🟢 x6	no data
🛡️ Google GCE Firewall Rule logging is disabled🟢	1	🟢 x6	no data
🛡️ Google GCE Instance Block Project-Wide SSH Keys is not enabled🟢	1	🟢 x6	no data
🛡️ Google GCE Instance Confidential Compute is not enabled🟢	1	🟢 x6	no data
🛡️ Google GCE Instance is configured to use the Default Service Account🟢	1	🟢 x6	no data
🛡️ Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted CiscoSecure/WebSM traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted DNS traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted HTTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted LDAP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted NetBIOS traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted POP3 traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted SSH traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Cassandra🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Directory services"🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Elasticsearch🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Memcached🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to MongoDB🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to OracleDB🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Redis🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ Google GKE Cluster Network policy is disabled.🟢	1	🟢 x6	no data

Description​

Similar​

Similar Sections (Take Policies From)​

Sub Sections​

Policies (53)​

Description

Similar

Similar Sections (Take Policies From)

Sub Sections

Policies (53)