💼 AC-3 Access Enforcement

• Contextual name: 💼 AC-3 Access Enforcement
• ID: /frameworks/nist-sp-800-53-r5/ac/03
• Located in: 💼 AC Access Control

Description

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Similar

• Sections
  • /frameworks/aws-fsbp-v1.0.0/api-gateway/08
  • /frameworks/aws-fsbp-v1.0.0/appsync/05
  • /frameworks/aws-fsbp-v1.0.0/auto-scaling/03
  • /frameworks/aws-fsbp-v1.0.0/auto-scaling/05
  • /frameworks/aws-fsbp-v1.0.0/data-firehouse/01
  • /frameworks/aws-fsbp-v1.0.0/dms/01
  • /frameworks/aws-fsbp-v1.0.0/dms/10
  • /frameworks/aws-fsbp-v1.0.0/dms/11
  • /frameworks/aws-fsbp-v1.0.0/documentdb/03
  • /frameworks/aws-fsbp-v1.0.0/ec2/01
  • /frameworks/aws-fsbp-v1.0.0/ec2/08
  • /frameworks/aws-fsbp-v1.0.0/ec2/09
  • /frameworks/aws-fsbp-v1.0.0/ec2/10
  • /frameworks/aws-fsbp-v1.0.0/ec2/15
  • /frameworks/aws-fsbp-v1.0.0/ec2/25
  • /frameworks/aws-fsbp-v1.0.0/ec2/55
  • /frameworks/aws-fsbp-v1.0.0/ec2/56
  • /frameworks/aws-fsbp-v1.0.0/ec2/57
  • /frameworks/aws-fsbp-v1.0.0/ec2/58
  • /frameworks/aws-fsbp-v1.0.0/ec2/60
  • /frameworks/aws-fsbp-v1.0.0/ecs/01
  • /frameworks/aws-fsbp-v1.0.0/ecs/02
  • /frameworks/aws-fsbp-v1.0.0/ecs/04
  • /frameworks/aws-fsbp-v1.0.0/ecs/05
  • /frameworks/aws-fsbp-v1.0.0/eks/01
  • /frameworks/aws-fsbp-v1.0.0/elasticache/06
  • /frameworks/aws-fsbp-v1.0.0/emr/01
  • /frameworks/aws-fsbp-v1.0.0/emr/02
  • /frameworks/aws-fsbp-v1.0.0/es/02
  • /frameworks/aws-fsbp-v1.0.0/eventbridge/03
  • /frameworks/aws-fsbp-v1.0.0/iam/01
  • /frameworks/aws-fsbp-v1.0.0/iam/02
  • /frameworks/aws-fsbp-v1.0.0/iam/08
  • /frameworks/aws-fsbp-v1.0.0/iam/21
  • /frameworks/aws-fsbp-v1.0.0/kms/01
  • /frameworks/aws-fsbp-v1.0.0/kms/02
  • /frameworks/aws-fsbp-v1.0.0/lambda/01
  • /frameworks/aws-fsbp-v1.0.0/neptune/03
  • /frameworks/aws-fsbp-v1.0.0/neptune/07
  • /frameworks/aws-fsbp-v1.0.0/opensearch/02
  • /frameworks/aws-fsbp-v1.0.0/opensearch/07
  • /frameworks/aws-fsbp-v1.0.0/rds/01
  • /frameworks/aws-fsbp-v1.0.0/rds/10
  • /frameworks/aws-fsbp-v1.0.0/rds/12
  • /frameworks/aws-fsbp-v1.0.0/redshift/01
  • /frameworks/aws-fsbp-v1.0.0/s3/01
  • /frameworks/aws-fsbp-v1.0.0/s3/02
  • /frameworks/aws-fsbp-v1.0.0/s3/03
  • /frameworks/aws-fsbp-v1.0.0/s3/12
  • /frameworks/aws-fsbp-v1.0.0/s3/19
  • /frameworks/aws-fsbp-v1.0.0/sagemaker/01
  • /frameworks/aws-fsbp-v1.0.0/sagemaker/02
  • /frameworks/aws-fsbp-v1.0.0/service-catalog/01
  • /frameworks/aws-fsbp-v1.0.0/ssm/04
• Internal
  • ID: dec-c-d4b55a4e

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.8] API Gateway routes should specify an authorization type		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DataFirehose.1] Firehose delivery streams should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.1] Database Migration Service replication instances should not be public		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.1] Amazon EBS snapshots should not be publicly restorable			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.9] Amazon EC2 instances should not have a public IPv4 address			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.55] VPCs should be configured with an interface endpoint for ECR API
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.56] VPCs should be configured with an interface endpoint for Docker Registry
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.57] VPCs should be configured with an interface endpoint for Systems Manager
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.2] ECS services should not have public IP addresses assigned to them automatically
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.4] ECS containers should run as non-privileged
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.1] EKS cluster endpoints should not be publicly accessible
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.2] Amazon EMR block public access setting should be enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.2] Elasticsearch domains should not be publicly accessible
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.2] IAM users should not have IAM policies attached		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.8] Unused IAM user credentials should be removed			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.1] Lambda function policies should prohibit public access
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.3] Neptune DB cluster snapshots should not be public
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.7] Neptune DB clusters should have IAM database authentication enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.2] OpenSearch domains should not be publicly accessible
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.7] OpenSearch domains should have fine-grained access control enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.1] RDS snapshot should be private		1	1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.10] IAM authentication should be configured for RDS instances
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.12] IAM authentication should be configured for RDS clusters
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.1] Amazon Redshift clusters should prohibit public access
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.1] S3 general purpose buckets should have block public access settings enabled			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.2] S3 general purpose buckets should block public read access
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.3] S3 general purpose buckets should block public write access
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.12] ACLs should not be used to manage user access to S3 general purpose buckets
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.19] S3 access points should have block public access settings enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SageMaker.2] SageMaker AI notebook instances should be launched in a custom VPC
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.4] SSM documents should not be public

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	67
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			67
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			91
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			111
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			69

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AC-3(1) Access Enforcement _ Restricted Access to Privileged Functions
💼 AC-3(2) Access Enforcement _ Dual Authorization
💼 AC-3(3) Access Enforcement _ Mandatory Access Control
💼 AC-3(4) Access Enforcement _ Discretionary Access Control
💼 AC-3(5) Access Enforcement _ Security-relevant Information
💼 AC-3(6) Access Enforcement _ Protection of User and System Information
💼 AC-3(7) Access Enforcement _ Role-based Access Control			14
💼 AC-3(8) Access Enforcement _ Revocation of Access Authorizations
💼 AC-3(9) Access Enforcement _ Controlled Release
💼 AC-3(10) Access Enforcement _ Audited Override of Access Control Mechanisms
💼 AC-3(11) Access Enforcement _ Restrict Access to Specific Information Types
💼 AC-3(12) Access Enforcement _ Assert and Enforce Application Access
💼 AC-3(13) Access Enforcement _ Attribute-based Access Control
💼 AC-3(14) Access Enforcement _ Individual Access
💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			11

Policies (31)

Policy	Logic Count	Flags
📝 AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS API Gateway API Route Authorization Type is not configured 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Default Root Object is not configured 🟢	1	🟢 x6
📝 AWS DMS Replication Instance is publicly accessible 🟢	1	🟢 x6
📝 AWS EBS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 🟢	1	🟢 x6
📝 AWS EC2 Instance IMDSv2 is not enabled 🟢	1	🟢 x6
📝 AWS EC2 Instance with an auto-assigned public IP address is in a default subnet 🟢	1	🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢	1	🟠 x1, 🟢 x5
📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢	1	🟢 x6
📝 AWS RDS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢	1	🟢 x6
📝 AWS S3 Bucket Object Lock is not enabled 🟠🟢	1	🟠 x1, 🟢 x6
📝 AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service 🟢	1	🟢 x6
📝 AWS VPC Subnet Map Public IP On Launch is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Cross Tenant Replication is enabled 🟢	1	🟢 x6
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Instance has public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟢	1	🟢 x6
📝 Google GCE Instance has a public IP address 🟢	1	🟢 x6
📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢	1	🟢 x6
📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢		🟠 x1, 🟢 x3
📝 Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟢	1	🟢 x6
📝 Google Storage Bucket is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟢	1	🟢 x6
📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢	1	🟢 x6

Internal Rules

Rule	Policies	Flags
✉️ dec-x-4f944d13	1
✉️ dec-x-157aa4b9	1
✉️ dec-x-397dd59e	1
✉️ dec-x-b443805a	3
✉️ dec-x-b3342905	1