💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

  • ID: /frameworks/nist-csf-v2.0/pr-aa/05

Description

  1. Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
  2. Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)
  3. Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
  4. Periodically review the privileges associated with critical business functions to confirm proper separation of duties
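Items 2 and 3 above describe an authorization style that looks beyond the requester's role: the decision also depends on attributes of the requester (geolocation, endpoint health), of the environment (time of day) and of the resource, and anything not explicitly permitted is denied. The following is an added example, not part of the NIST CSF text or of this site's checks; the rule schema, attribute names, the two rules and the sample subjects, resources and timestamps are all assumptions chosen for illustration.

```python
"""Attribute-aware authorization with default deny (PR.AA-05, items 2 and 3).

Added example, not from the NIST CSF text. Rule schema, attribute names and
all sample data below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical policy. A rule "covers" a request when action, subject
# attributes and resource attributes match; it then also checks requester
# and environment attributes. A request no rule covers is denied.
RULES = [
    {
        "name": "engineers-read-internal",
        "action": {"read"},
        "subject": {"role": {"engineer", "sre"}},
        "resource": {"classification": {"public", "internal"}},
        "allowed_countries": {"US", "DE"},
        "business_hours_utc": (8, 18),          # start inclusive, end exclusive
        "require_healthy_endpoint": True,
    },
    {
        "name": "owner-writes-own",
        "action": {"read", "write"},
        "subject": {},                           # any role, but must own the resource
        "resource": {},
        "owner_only": True,
        "allowed_countries": {"US", "DE"},
        "business_hours_utc": (0, 24),
        "require_healthy_endpoint": True,
    },
]


def _attrs_match(required: dict, actual: dict) -> bool:
    """Every required attribute must be present with one of the allowed values."""
    return all(actual.get(key) in allowed for key, allowed in required.items())


def _context_failures(rule: dict, subject: dict, hour: int) -> list:
    """Requester/environment conditions: geolocation, time of day, endpoint health."""
    failed = []
    if subject.get("country") not in rule["allowed_countries"]:
        failed.append(f"country {subject.get('country')!r} not permitted")
    start, end = rule["business_hours_utc"]
    if not start <= hour < end:
        failed.append(f"outside permitted hours (hour={hour} UTC)")
    if rule["require_healthy_endpoint"] and not subject.get("endpoint_healthy", False):
        failed.append("requester endpoint failed health check")
    return failed


def authorize(subject: dict, action: str, resource: dict, env: dict) -> Decision:
    """Return the decision for one request.

    subject:  {"id", "role", "country", "endpoint_healthy"}
    resource: {"id", "owner", "classification"}
    env:      {"now": timezone-aware datetime}
    The first covering rule whose contextual conditions all hold allows the
    request; otherwise the request is denied with the collected reasons.
    """
    hour = env["now"].astimezone(timezone.utc).hour
    reasons = []
    for rule in RULES:
        if action not in rule["action"]:
            continue
        if not _attrs_match(rule["subject"], subject):
            continue
        if not _attrs_match(rule["resource"], resource):
            continue
        if rule.get("owner_only") and resource.get("owner") != subject.get("id"):
            continue
        failed = _context_failures(rule, subject, hour)
        if not failed:
            return Decision(True, f"{rule['name']}: all attribute conditions satisfied")
        reasons.append(f"{rule['name']}: " + "; ".join(failed))
    return Decision(False, "; ".join(reasons) or "no rule matched: default deny")


# Constructed sample data (assumptions, not from the page).
def env_at_hour(hour: int) -> dict:
    """A fixed date at the given UTC hour."""
    return {"now": datetime(2024, 3, 12, hour, 0, tzinfo=timezone.utc)}


ALICE = {"id": "alice", "role": "engineer", "country": "US", "endpoint_healthy": True}
BOB = {"id": "bob", "role": "contractor", "country": "DE", "endpoint_healthy": True}
INTERNAL_DOC = {"id": "doc-1", "owner": "bob", "classification": "internal"}
RESTRICTED_DOC = {"id": "doc-2", "owner": "carol", "classification": "restricted"}

if __name__ == "__main__":
    for label, subj, act, res, env in [
        ("engineer reads internal doc in hours", ALICE, "read", INTERNAL_DOC, env_at_hour(10)),
        ("same request from an unhealthy endpoint", dict(ALICE, endpoint_healthy=False), "read", INTERNAL_DOC, env_at_hour(10)),
        ("same request out of hours", ALICE, "read", INTERNAL_DOC, env_at_hour(22)),
        ("owner writes own doc at night", BOB, "write", INTERNAL_DOC, env_at_hour(3)),
        ("engineer reads restricted doc", ALICE, "read", RESTRICTED_DOC, env_at_hour(10)),
    ]:
        d = authorize(subj, act, res, env)
        print(f"{label}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Two design points worth noting: the rule that covers a request but fails a contextual condition produces a deny with a reason rather than silently falling through, which is what an access review needs to see; and a request covered by no rule is denied without any rule having to say so, which is the least-privilege default the item calls for.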

Similar

  • Sections
    • /frameworks/nist-csf-v1.1/pr-ac/01
    • /frameworks/nist-csf-v1.1/pr-ac/03
    • /frameworks/nist-csf-v1.1/pr-ac/04
    • /frameworks/nist-sp-800-53-r5/ac/01
    • /frameworks/nist-sp-800-53-r5/ac/02
    • /frameworks/nist-sp-800-53-r5/ac/03
    • /frameworks/nist-sp-800-53-r5/ac/05
    • /frameworks/nist-sp-800-53-r5/ac/06
    • /frameworks/nist-sp-800-53-r5/ac/10
    • /frameworks/nist-sp-800-53-r5/ac/16
    • /frameworks/nist-sp-800-53-r5/ac/17
    • /frameworks/nist-sp-800-53-r5/ac/18
    • /frameworks/nist-sp-800-53-r5/ac/19
    • /frameworks/nist-sp-800-53-r5/ac/24

Similar Sections (Take Policies From)

Section | Sub Sections / Internal Rules / Policies / Flags (counts as extracted) | Compliance
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1934 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed | 22 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1756 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-1 Policy and Procedures | | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management | 132037 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement | 15540 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties | 15 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege | 102350 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-10 Concurrent Session Control | | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-16 Security and Privacy Attributes | 10 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17 Remote Access | 101319 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-18 Wireless Access | 55 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-19 Access Control for Mobile Devices | 5 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-24 Access Control Decisions | 2 | no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance

Policies (116)

Policy | Logic | Count | Flags | Compliance
🛡️ AWS Account IAM Access Analyzer is not enabled for all regions | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS Account IAM Password Policy Number of passwords to remember is not set to 24 | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS Account Root User credentials were used in the last 30 days | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS Account Root User has active access keys | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS API Gateway API Route Authorization Type is not configured | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS CloudFront Web Distribution Default Root Object is not configured | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS DMS Replication Instance is publicly accessible | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EBS Snapshot is publicly accessible | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Instance IAM role is not attached | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Instance IMDSv2 is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted DNS traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted ICMP traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted NetBIOS traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS IAM Policy allows full administrative privileges | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS IAM Server Certificate is expired | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS IAM User Access Keys are not rotated every 90 days or less | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS IAM User has inline or directly attached policies | 🟢 | 1 | 🟠 x1, 🟢 x5 | no data
🛡️ AWS IAM User has more than one active access key | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS IAM User MFA is not enabled for all users with console password | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS IAM User with console and programmatic access set during the initial creation | 🟢⚪ | | 🟢 x2, ⚪ x1 | no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS KMS Symmetric CMK Rotation is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS RDS Instance is publicly accessible and in an unrestricted public subnet | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS RDS Snapshot is publicly accessible | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS S3 Bucket is not configured to block public access | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS S3 Bucket MFA Delete is not enabled | 🟠🟢 | 1 | 🟠 x1, 🟢 x6 | no data
🛡️ AWS S3 Bucket Object Lock is not enabled | 🟠🟢 | 1 | 🟠 x1, 🟢 x6 | no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service | 🟢 | 1 | 🟢 x6 | no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure App Service Authentication is disabled and Basic Authentication is enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure App Service Basic Authentication is enabled | 🟢⚪ | | 🟢 x2, ⚪ x1 | no data
🛡️ Azure App Service is not registered with Microsoft Entra ID | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Cosmos DB Account Private Endpoints are not used | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Cosmos DB Account Virtual Network Filter is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Cosmos DB Entra ID Client Authentication is not used | 🟢⚪ | | 🟢 x2, ⚪ x1 | no data
🛡️ Azure Key Vault Soft Delete and Purge Protection functions are not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Network Security Group allows public access to HTTP(S) ports | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Network Security Group allows public access to RDP port | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Network Security Group allows public access to SSH port | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Non-RBAC Key Vault stores Keys without expiration date | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Non-RBAC Key Vault stores Secrets without expiration date | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure RBAC Key Vault stores Keys without expiration date | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure RBAC Key Vault stores Secrets without expiration date | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Storage Account Allow Blob Anonymous Access is enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Storage Account Cross Tenant Replication is enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Azure Storage Account Trusted Azure Services are not enabled as networking exceptions | 🟢 | 1 | 🟢 x6 | no data
🛡️ Consumer Google Accounts are used | 🟢⚪ | | 🟢 x2, ⚪ x1 | no data
🛡️ Google Accounts are not configured with MFA | 🟢⚪ | | 🟢 x2, ⚪ x1 | no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud Audit Logging is not configured properly | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1 | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1 | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud MySQL Instance allows anyone to connect with administrative privileges | 🟢⚪ | | 🟢 x2, ⚪ x1 | no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud SQL Instance has public IP addresses | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Firewall Rule logging is disabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Instance Block Project-Wide SSH Keys is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Instance has a public IP address | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Instance is configured to use the Default Service Account | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Instance OS Login is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted CiscoSecure/WebSM traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted DNS traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted FTP traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted HTTP traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted LDAP traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted NetBIOS traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted POP3 traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted SMTP traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted SSH traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to Cassandra | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to Directory services | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to Elasticsearch | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to Memcached | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to MongoDB | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to MySQL | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to OracleDB | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to PostgreSQL | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted traffic to Redis | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GCE Network allows unrestricted Telnet traffic | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GKE Cluster Network policy is disabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google GKE Cluster Node Pool uses default Service account | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google IAM Policy Binding Member (User) is assigned a basic role | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google IAM Service Account has admin privileges | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible | 🟠🟢⚪ | | 🟠 x1, 🟢 x2, ⚪ x1 | no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Project has a default network | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Project has a legacy network | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Project with KMS keys has a principal with Owner role | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Resource Manager Organization has a Redis IAM role assigned | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Storage Bucket is anonymously or publicly accessible | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled | 🟢 | 1 | 🟢 x6 | no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned | 🟢 | 1 | 🟢 x6 | no data
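Two of the policies in the list above are the kind of check that can be run directly over exported IAM data: "AWS IAM Policy allows full administrative privileges" (least privilege, item 3) and "Google User has both Service Account Admin and Service Account User roles assigned" (separation of duties, item 4). The following is an added example of both checks; it is not this site's or any vendor's implementation. The policy document and role bindings are constructed samples, and the list of conflicting role pairs is an assumption chosen to mirror the finding above.

```python
"""Least-privilege and separation-of-duties checks over IAM-style policy data.

Added example, not the implementation behind the policies listed on the page.
The policy document, role bindings and conflicting-role pairs are constructed
samples / assumptions for illustration.
"""
import json


def _as_list(value):
    """IAM policy fields such as Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy_doc: dict) -> list:
    """Return (Sid, reason) for each Allow statement granting everything.

    Flags Effect=Allow with Action "*" and Resource "*". An Allow statement
    that uses NotAction together with Resource "*" is reported as well, since
    it grants every action except the listed ones; whether that is acceptable
    is a review decision, so the reason string says why it was flagged.
    """
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in _as_list(stmt.get("Action")):
            findings.append((sid, "Action=* on Resource=*"))
        elif "NotAction" in stmt:
            findings.append((sid, "NotAction on Resource=* (all but listed actions)"))
    return findings


# Role pairs one principal should not hold at the same time (assumed pairs).
CONFLICTING_ROLE_PAIRS = [
    ("roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountUser"),
    ("deployer", "approver"),
]


def sod_conflicts(bindings: list, pairs=CONFLICTING_ROLE_PAIRS) -> list:
    """bindings: [{"role": str, "members": [str, ...]}, ...] (IAM-policy shape).

    Returns (member, role_a, role_b) for every member holding both roles of a pair.
    """
    roles_by_member = {}
    for binding in bindings:
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])
    conflicts = []
    for member, roles in sorted(roles_by_member.items()):
        for role_a, role_b in pairs:
            if role_a in roles and role_b in roles:
                conflicts.append((member, role_a, role_b))
    return conflicts


# Constructed sample data (not from any real account).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AlmostEverything", "Effect": "Allow",
     "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}""")

SAMPLE_BINDINGS = [
    {"role": "roles/iam.serviceAccountAdmin", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]

if __name__ == "__main__":
    for sid, why in full_admin_statements(SAMPLE_POLICY):
        print(f"least-privilege finding: statement {sid}: {why}")
    for member, role_a, role_b in sod_conflicts(SAMPLE_BINDINGS):
        print(f"separation-of-duties finding: {member} holds both {role_a} and {role_b}")
```

The Deny statement is deliberately ignored: a blanket Deny does not grant privilege, and evaluating how it interacts with the Allow statements is a different (policy simulation) question from spotting an over-broad grant. The scoped read-only statement is not flagged because its Resource list never contains a bare "*".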