💼 PR.AA-03: Users, services, and hardware are authenticated

• Contextual name: 💼 PR.AA-03: Users, services, and hardware are authenticated
• ID: /frameworks/nist-csf-v2.0/pr-aa/03
• Located in: 💼 Identity Management, Authentication, and Access Control (PR.AA)

Description

1. Require multifactor authentication
2. Enforce policies for the minimum strength of passwords, PINs, and similar authenticators
3. Periodically reauthenticate users, services, and hardware based on risk (e.g., in zero trust architectures)
4. Ensure that authorized personnel can access accounts essential for protecting safety under emergency conditions

Similar

• Sections
  • /frameworks/nist-csf-v1.1/pr-ac/03
  • /frameworks/nist-csf-v1.1/pr-ac/07
  • /frameworks/nist-sp-800-53-r5/ac/07
  • /frameworks/nist-sp-800-53-r5/ac/12
  • /frameworks/nist-sp-800-53-r5/ia/02
  • /frameworks/nist-sp-800-53-r5/ia/03
  • /frameworks/nist-sp-800-53-r5/ia/05
  • /frameworks/nist-sp-800-53-r5/ia/07
  • /frameworks/nist-sp-800-53-r5/ia/08
  • /frameworks/nist-sp-800-53-r5/ia/09
  • /frameworks/nist-sp-800-53-r5/ia/10
  • /frameworks/nist-sp-800-53-r5/ia/11

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			1
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		19	23
💼 NIST SP 800-53 Revision 5 → 💼 AC-7 Unsuccessful Logon Attempts	4
💼 NIST SP 800-53 Revision 5 → 💼 AC-12 Session Termination	3
💼 NIST SP 800-53 Revision 5 → 💼 IA-2 Identification and Authentication (organizational Users)	13		2
💼 NIST SP 800-53 Revision 5 → 💼 IA-3 Device Identification and Authentication	4
💼 NIST SP 800-53 Revision 5 → 💼 IA-5 Authenticator Management	18		16
💼 NIST SP 800-53 Revision 5 → 💼 IA-7 Cryptographic Module Authentication
💼 NIST SP 800-53 Revision 5 → 💼 IA-8 Identification and Authentication (non-organizational Users)	6
💼 NIST SP 800-53 Revision 5 → 💼 IA-9 Service Identification and Authentication	2
💼 NIST SP 800-53 Revision 5 → 💼 IA-10 Adaptive Authentication
💼 NIST SP 800-53 Revision 5 → 💼 IA-11 Re-authentication

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (32)

Policy	Logic Count	Flags
📝 AWS Account IAM Password Policy Number of passwords to remember is not set to 24 🟢	1	🟢 x6
📝 AWS Account Root User credentials were used is the last 30 days 🟢	1	🟢 x6
📝 AWS EC2 Instance IAM role is not attached 🟢	1	🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 AWS IAM Server Certificate is expired 🟢	1	🟢 x6
📝 AWS IAM User Access Keys are not rotated every 90 days or less 🟢	1	🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢	1	🟠 x1, 🟢 x5
📝 AWS IAM User has more than one active access key 🟢	1	🟢 x6
📝 AWS IAM User MFA is not enabled for all users with console password 🟢	1	🟢 x6
📝 AWS IAM User with console and programmatic access set during the initial creation 🟢		🟢 x3
📝 AWS KMS Symmetric CMK Rotation is not enabled 🟢	1	🟢 x6
📝 AWS S3 Bucket MFA Delete is not enabled 🟠🟢	1	🟠 x1, 🟢 x6
📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢	1	🟢 x6
📝 Azure App Service Basic Authentication is enabled 🟢		🟢 x3
📝 Azure App Service is not registered with Microsoft Entra ID 🟢	1	🟢 x6
📝 Azure Key Vault Soft Delete and Purge Protection functions are not enabled 🟢	1	🟢 x6
📝 Azure Non-RBAC Key Vault stores Keys without expiration date 🟢	1	🟢 x6
📝 Azure Non-RBAC Key Vault stores Secrets without expiration date 🟢	1	🟢 x6
📝 Azure RBAC Key Vault stores Keys without expiration date 🟢	1	🟢 x6
📝 Azure RBAC Key Vault stores Secrets without expiration date 🟢	1	🟢 x6
📝 Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) 🟢	1	🟢 x6
📝 Consumer Google Accounts are used 🟢		🟢 x3
📝 Google Accounts are not configured with MFA 🟢		🟢 x3
📝 Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢	1	🟢 x6
📝 Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟢	1	🟢 x6
📝 Google GCE Instance Block Project-Wide SSH Keys is not enabled 🟢	1	🟢 x6
📝 Google GCE Instance Confidential Compute is not enabled 🟢	1	🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account 🟢	1	🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs 🟢	1	🟢 x6
📝 Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet 🟢	1	🟢 x6