
💼 AC-2 Account Management

  • ID: /frameworks/nist-sp-800-53-r5/ac/02

Description

a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
  1. Authorized users of the system;
  2. Group and role membership; and
  3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
  1. [Assignment: organization-defined time period] when accounts are no longer required;
  2. [Assignment: organization-defined time period] when users are terminated or transferred; and
  3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
  1. A valid access authorization;
  2. Intended system usage; and
  3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/dms/10
    • /frameworks/aws-fsbp-v1.0.0/eventbridge/03
    • /frameworks/aws-fsbp-v1.0.0/iam/01
    • /frameworks/aws-fsbp-v1.0.0/iam/02
    • /frameworks/aws-fsbp-v1.0.0/iam/08
    • /frameworks/aws-fsbp-v1.0.0/iam/21
    • /frameworks/aws-fsbp-v1.0.0/kms/01
    • /frameworks/aws-fsbp-v1.0.0/kms/02
  • Internal
    • ID: dec-c-edf2e320

Similar Sections (Take Policies From)

Section | Sub Sections / Internal Rules / Policies / Flags (counts as extracted) | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled | | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached | | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges | 11 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.2] IAM users should not have IAM policies attached | 11 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.8] Unused IAM user credentials should be removed | 1 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services | 1 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys | | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys | | no data

Similar Sections (Give Policies To)

Section | Sub Sections / Internal Rules / Policies / Flags (counts as extracted) | Compliance
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H) | 10838 | no data
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H) | 4 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 145 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 85 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 42 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 116 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data

Sub Sections

Section | Sub Sections / Internal Rules / Policies / Flags (counts as extracted) | Compliance
💼 AC-2(1) Account Management _ Automated System Account Management | 418 | no data
💼 AC-2(2) Account Management _ Automated Temporary and Emergency Account Management | | no data
💼 AC-2(3) Account Management _ Disable Accounts | 14 | no data
💼 AC-2(4) Account Management _ Automated Audit Actions | 1416 | no data
💼 AC-2(5) Account Management _ Inactivity Logout | | no data
💼 AC-2(6) Account Management _ Dynamic Privilege Management | | no data
💼 AC-2(7) Account Management _ Privileged User Accounts | 11 | no data
💼 AC-2(8) Account Management _ Dynamic Account Management | | no data
💼 AC-2(9) Account Management _ Restrictions on Use of Shared and Group Accounts | | no data
💼 AC-2(10) Account Management _ Shared and Group Account Credential Change | | no data
💼 AC-2(11) Account Management _ Usage Conditions | | no data
💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage | 1 | no data
💼 AC-2(13) Account Management _ Disable Accounts for High-risk Individuals | | no data

Policies (4)

Policy | Logic Count | Flags | Compliance
🛡️ AWS IAM Policy allows full administrative privileges | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM User has inline or directly attached policies | 🟢 1 | 🟠 x1, 🟢 x5 | no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled | 🟢 1 | 🟢 x6 | no data
🛡️ Google GCE Instance OS Login is not enabled | 🟢 1 | 🟢 x6 | no data