
💼 AC-2 Account Management

  • Contextual name: 💼 AC-2 Account Management
  • ID: /frameworks/nist-sp-800-53-r5/ac/02
  • Located in: 💼 AC Access Control

Description

a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
  1. Authorized users of the system;
  2. Group and role membership; and
  3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
  1. [Assignment: organization-defined time period] when accounts are no longer required;
  2. [Assignment: organization-defined time period] when users are terminated or transferred; and
  3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
  1. A valid access authorization;
  2. Intended system usage; and
  3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/dms/10
    • /frameworks/aws-fsbp-v1.0.0/eventbridge/03
    • /frameworks/aws-fsbp-v1.0.0/iam/01
    • /frameworks/aws-fsbp-v1.0.0/iam/02
    • /frameworks/aws-fsbp-v1.0.0/iam/08
    • /frameworks/aws-fsbp-v1.0.0/iam/21
    • /frameworks/aws-fsbp-v1.0.0/kms/01
    • /frameworks/aws-fsbp-v1.0.0/kms/02
  • Internal
    • ID: dec-c-edf2e320

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.2] IAM users should not have IAM policies attached11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.8] Unused IAM user credentials should be removed1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)10835
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)4
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events118
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization38
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties91
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected111

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 AC-2(1) Account Management _ Automated System Account Management416
💼 AC-2(2) Account Management _ Automated Temporary and Emergency Account Management
💼 AC-2(3) Account Management _ Disable Accounts14
💼 AC-2(4) Account Management _ Automated Audit Actions1416
💼 AC-2(5) Account Management _ Inactivity Logout
💼 AC-2(6) Account Management _ Dynamic Privilege Management
💼 AC-2(7) Account Management _ Privileged User Accounts11
💼 AC-2(8) Account Management _ Dynamic Account Management
💼 AC-2(9) Account Management _ Restrictions on Use of Shared and Group Accounts
💼 AC-2(10) Account Management _ Shared and Group Account Credential Change
💼 AC-2(11) Account Management _ Usage Conditions
💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage
💼 AC-2(13) Account Management _ Disable Accounts for High-risk Individuals

Policies (4)

Policy | Logic Count | Flags
📝 AWS IAM Policy allows full administrative privileges | 🟢 1 | 🟢 x6
📝 AWS IAM User has inline or directly attached policies | 🟢 1 | 🟠 x1, 🟢 x5
📝 AWS IAM User with credentials unused for 45 days or more is not disabled | 🟢 1 | 🟢 x6
📝 Google GCE Instance OS Login is not enabled | 🟢 1 | 🟢 x6
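The three AWS policies above map to concrete checks that can be run offline against exported account data. The following is an added example (not code from this page or from the tool it documents) showing how the "full administrative privileges", "inline or directly attached policies" and "credentials unused for 45 days" checks can be implemented. The policy documents, user records and credential-report rows are constructed sample inputs; the column names follow the CSV returned by `aws iam get-credential-report` (which is base64-encoded on the wire and must be decoded first), and the 45-day threshold is taken from the policy name on this page rather than from any vendor default.

```python
"""Offline checks for the AWS account-management policies listed on this page (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 45  # threshold from the "credentials unused for 45 days or more" policy above


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows_full_admin(policy_doc: dict) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*" (the IAM.1 condition).
    Deny statements and scoped wildcards such as "s3:*" are deliberately not flagged here."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def user_has_direct_policies(user: dict) -> bool:
    """True if the user carries inline or directly attached policies (the IAM.2 condition);
    permissions should instead come through group membership. `user` is an assumed dict shape."""
    return bool(user.get("InlinePolicies")) or bool(user.get("AttachedPolicies"))


def _parse_ts(value: str):
    # The credential report uses ISO-8601 timestamps; these placeholders mean "no data".
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_credentials(report_csv: str, now: datetime, max_days: int = UNUSED_DAYS) -> list:
    """Return (user, credential) pairs for enabled credentials not used in `max_days` days.
    A credential that has never been used is aged from its creation/rotation date, so a
    fresh, never-used key is not reported while an old, never-used key is."""
    findings = []
    cutoff = now - timedelta(days=max_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is covered by other controls, not by per-user disablement
        if row["password_enabled"] == "true":
            last = _parse_ts(row["password_last_used"]) or _parse_ts(row["user_creation_time"])
            if last is not None and last <= cutoff:
                findings.append((row["user"], "password"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = (_parse_ts(row[f"access_key_{n}_last_used_date"])
                        or _parse_ts(row[f"access_key_{n}_last_rotated"]))
                if last is not None and last <= cutoff:
                    findings.append((row["user"], f"access_key_{n}"))
    return findings


# Constructed sample inputs (not real account data).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::example-bucket/*"},
                               {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
USERS = {
    "alice": {"Groups": ["developers"], "AttachedPolicies": [], "InlinePolicies": []},
    "bob": {"Groups": [], "AttachedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
            "InlinePolicies": []},
}
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,true,2024-04-01T00:00:00+00:00,2024-05-25T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-01-10T00:00:00+00:00,true,2024-02-01T08:00:00+00:00,true,2024-01-05T00:00:00+00:00,N/A,false,N/A,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2024-05-10T00:00:00+00:00,false,N/A,true,2024-05-10T00:00:00+00:00,N/A,false,N/A,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def run_checks() -> dict:
    """Evaluate the sample data and return findings keyed by policy."""
    return {
        "full_admin_policies": [name for name, doc in
                                (("ADMIN_POLICY", ADMIN_POLICY), ("SCOPED_POLICY", SCOPED_POLICY))
                                if policy_allows_full_admin(doc)],
        "users_with_direct_policies": [u for u, rec in USERS.items() if user_has_direct_policies(rec)],
        "stale_credentials": stale_credentials(SAMPLE_REPORT, NOW),
    }


if __name__ == "__main__":
    for policy, hits in run_checks().items():
        print(f"{policy}: {hits}")
```

On the sample data, `bob` is reported for both a stale console password and an access key that has never been used since it was created in January, while `svc-deploy`'s never-used key is not reported because it is only three weeks old. The scoped policy is not flagged even though it contains `"Action": "*"`, because that statement is a Deny; a check that ignores `Effect` would produce false positives on exactly the guard-rail statements a well-written policy contains.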