💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

• Contextual name: 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
• ID: /frameworks/nist-csf-v2.0/pr-aa/05
• Located in: 💼 Identity Management, Authentication, and Access Control (PR.AA)

Description

1. Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
2. Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)
3. Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
4. Periodically review the privileges associated with critical business functions to confirm proper separation of duties

Similar

• Sections
  • /frameworks/nist-csf-v1.1/pr-ac/01
  • /frameworks/nist-csf-v1.1/pr-ac/03
  • /frameworks/nist-csf-v1.1/pr-ac/04
  • /frameworks/nist-sp-800-53-r5/ac/01
  • /frameworks/nist-sp-800-53-r5/ac/02
  • /frameworks/nist-sp-800-53-r5/ac/03
  • /frameworks/nist-sp-800-53-r5/ac/05
  • /frameworks/nist-sp-800-53-r5/ac/06
  • /frameworks/nist-sp-800-53-r5/ac/10
  • /frameworks/nist-sp-800-53-r5/ac/16
  • /frameworks/nist-sp-800-53-r5/ac/17
  • /frameworks/nist-sp-800-53-r5/ac/18
  • /frameworks/nist-sp-800-53-r5/ac/19
  • /frameworks/nist-sp-800-53-r5/ac/24

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	30
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			1
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	52
💼 NIST SP 800-53 Revision 5 → 💼 AC-1 Policy and Procedures
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	34
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	37
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			13
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	49
💼 NIST SP 800-53 Revision 5 → 💼 AC-10 Concurrent Session Control
💼 NIST SP 800-53 Revision 5 → 💼 AC-16 Security and Privacy Attributes	10
💼 NIST SP 800-53 Revision 5 → 💼 AC-17 Remote Access	10	13	19
💼 NIST SP 800-53 Revision 5 → 💼 AC-18 Wireless Access	5		5
💼 NIST SP 800-53 Revision 5 → 💼 AC-19 Access Control for Mobile Devices	5
💼 NIST SP 800-53 Revision 5 → 💼 AC-24 Access Control Decisions	2

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (91)

Policy	Logic Count	Flags
📝 AWS Account IAM Access Analyzer is not enabled for all regions 🟢	1	🟢 x6
📝 AWS Account IAM Password Policy Number of passwords to remember is not set to 24 🟢	1	🟢 x6
📝 AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS Account Root User credentials were used is the last 30 days 🟢	1	🟢 x6
📝 AWS Account Root User has active access keys 🟢	1	🟢 x6
📝 AWS API Gateway API Route Authorization Type is not configured 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Default Root Object is not configured 🟢	1	🟢 x6
📝 AWS DMS Replication Instance is publicly accessible 🟢	1	🟢 x6
📝 AWS EBS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 🟢	1	🟢 x6
📝 AWS EC2 Instance IAM role is not attached 🟢	1	🟢 x6
📝 AWS EC2 Instance IMDSv2 is not enabled 🟢	1	🟢 x6
📝 AWS EC2 Instance with an auto-assigned public IP address is in a default subnet 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted DNS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted ICMP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted NetBIOS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢	1	🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 AWS IAM Server Certificate is expired 🟢	1	🟢 x6
📝 AWS IAM User Access Keys are not rotated every 90 days or less 🟢	1	🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢	1	🟠 x1, 🟢 x5
📝 AWS IAM User has more than one active access key 🟢	1	🟢 x6
📝 AWS IAM User MFA is not enabled for all users with console password 🟢	1	🟢 x6
📝 AWS IAM User with console and programmatic access set during the initial creation 🟢		🟢 x3
📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢	1	🟢 x6
📝 AWS KMS Symmetric CMK Rotation is not enabled 🟢	1	🟢 x6
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢	1	🟢 x6
📝 AWS RDS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢	1	🟢 x6
📝 AWS S3 Bucket MFA Delete is not enabled 🟠🟢	1	🟠 x1, 🟢 x6
📝 AWS S3 Bucket Object Lock is not enabled 🟠🟢	1	🟠 x1, 🟢 x6
📝 AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service 🟢	1	🟢 x6
📝 AWS VPC Subnet Map Public IP On Launch is enabled 🟢	1	🟢 x6
📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢	1	🟢 x6
📝 Azure App Service Basic Authentication is enabled 🟢		🟢 x3
📝 Azure App Service is not registered with Microsoft Entra ID 🟢	1	🟢 x6
📝 Azure Cosmos DB Account Private Endpoints are not used 🟢	1	🟢 x6
📝 Azure Cosmos DB Account Virtual Network Filter is not enabled 🟢	1	🟢 x6
📝 Azure Cosmos DB Entra ID Client Authentication is not used 🟢		🟢 x3
📝 Azure Key Vault Soft Delete and Purge Protection functions are not enabled 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to HTTP(S) ports 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to RDP port 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to SSH port 🟢	1	🟢 x6
📝 Azure Non-RBAC Key Vault stores Keys without expiration date 🟢	1	🟢 x6
📝 Azure Non-RBAC Key Vault stores Secrets without expiration date 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services 🟢	1	🟢 x6
📝 Azure RBAC Key Vault stores Keys without expiration date 🟢	1	🟢 x6
📝 Azure RBAC Key Vault stores Secrets without expiration date 🟢	1	🟢 x6
📝 Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) 🟢	1	🟢 x6
📝 Azure Storage Account Allow Blob Anonymous Access is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Cross Tenant Replication is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Trusted Azure Services are not enabled as networking exceptions 🟢	1	🟢 x6
📝 Consumer Google Accounts are used 🟢		🟢 x3
📝 Google Accounts are not configured with MFA 🟢		🟢 x3
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Cloud Audit Logging is not configured properly 🟢	1	🟢 x6
📝 Google Cloud DNS Managed Zone DNSSEC is not enabled 🟢	1	🟢 x6
📝 Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1 🟢	1	🟢 x6
📝 Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1 🟢	1	🟢 x6
📝 Google Cloud MySQL Instance allows anyone to connect with administrative privileges 🟢		🟢 x3
📝 Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Instance has public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟢	1	🟢 x6
📝 Google GCE Instance Block Project-Wide SSH Keys is not enabled 🟢	1	🟢 x6
📝 Google GCE Instance has a public IP address 🟢	1	🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account 🟢	1	🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs 🟢	1	🟢 x6
📝 Google GCE Instance OS Login is not enabled 🟢	1	🟢 x6
📝 Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet 🟢	1	🟢 x6
📝 Google IAM Service Account has admin privileges 🟢	1	🟢 x6
📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢	1	🟢 x6
📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢		🟠 x1, 🟢 x3
📝 Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟢	1	🟢 x6
📝 Google Project has a default network 🟢	1	🟢 x6
📝 Google Project has a legacy network 🟢	1	🟢 x6
📝 Google Storage Bucket is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟢	1	🟢 x6
📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢	1	🟢 x6