
💼 AC-2 Account Management

  • Contextual name: 💼 AC-2 Account Management
  • ID: /frameworks/nist-sp-800-53-r5/ac/02
  • Located in: 💼 AC Access Control

Description

a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
  1. Authorized users of the system;
  2. Group and role membership; and
  3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
  1. [Assignment: organization-defined time period] when accounts are no longer required;
  2. [Assignment: organization-defined time period] when users are terminated or transferred; and
  3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
  1. A valid access authorization;
  2. Intended system usage; and
  3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/dms/10
    • /frameworks/aws-fsbp-v1.0.0/eventbridge/03
    • /frameworks/aws-fsbp-v1.0.0/iam/01
    • /frameworks/aws-fsbp-v1.0.0/iam/02
    • /frameworks/aws-fsbp-v1.0.0/iam/08
    • /frameworks/aws-fsbp-v1.0.0/iam/21
    • /frameworks/aws-fsbp-v1.0.0/kms/01
    • /frameworks/aws-fsbp-v1.0.0/kms/02
  • Internal
    • ID: dec-c-edf2e320

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.2] IAM users should not have IAM policies attached 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.8] Unused IAM user credentials should be removed 1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H) 10931
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H) 3
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events 83
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events 59
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization 23
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties 58
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected 67

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 AC-2(1) Account Management _ Automated System Account Management 416
💼 AC-2(2) Account Management _ Automated Temporary and Emergency Account Management
💼 AC-2(3) Account Management _ Disable Accounts 14
💼 AC-2(4) Account Management _ Automated Audit Actions 1113
💼 AC-2(5) Account Management _ Inactivity Logout
💼 AC-2(6) Account Management _ Dynamic Privilege Management
💼 AC-2(7) Account Management _ Privileged User Accounts 11
💼 AC-2(8) Account Management _ Dynamic Account Management
💼 AC-2(9) Account Management _ Restrictions on Use of Shared and Group Accounts
💼 AC-2(10) Account Management _ Shared and Group Account Credential Change
💼 AC-2(11) Account Management _ Usage Conditions
💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage
💼 AC-2(13) Account Management _ Disable Accounts for High-risk Individuals

Policies (3)

Policy | Logic Count | Flags
📝 AWS IAM Policy allows full administrative privileges | 🟢 1 | 🟢 x6
📝 AWS IAM User has inline or directly attached policies | 🟢 1 | 🟠 x1, 🟢 x5
📝 AWS IAM User with credentials unused for 45 days or more is not disabled | 🟢 1 | 🟢 x6