💼 AC-3(15) Access Enforcement | Discretionary and Mandatory Access Control

• ID: /frameworks/nist-sp-800-53-r5/ac/03/15

Description

(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.

Similar

• Sections
  • /frameworks/aws-fsbp-v1.0.0/appsync/05
  • /frameworks/aws-fsbp-v1.0.0/auto-scaling/03
  • /frameworks/aws-fsbp-v1.0.0/ec2/08
  • /frameworks/aws-fsbp-v1.0.0/ecs/01
  • /frameworks/aws-fsbp-v1.0.0/ecs/04
  • /frameworks/aws-fsbp-v1.0.0/ecs/05
  • /frameworks/aws-fsbp-v1.0.0/elasticache/06
  • /frameworks/aws-fsbp-v1.0.0/eventbridge/03
  • /frameworks/aws-fsbp-v1.0.0/iam/01
  • /frameworks/aws-fsbp-v1.0.0/iam/02
  • /frameworks/aws-fsbp-v1.0.0/iam/03
  • /frameworks/aws-fsbp-v1.0.0/iam/04
  • /frameworks/aws-fsbp-v1.0.0/iam/05
  • /frameworks/aws-fsbp-v1.0.0/iam/06
  • /frameworks/aws-fsbp-v1.0.0/iam/07
  • /frameworks/aws-fsbp-v1.0.0/iam/08
  • /frameworks/aws-fsbp-v1.0.0/iam/21
  • /frameworks/aws-fsbp-v1.0.0/kms/01
  • /frameworks/aws-fsbp-v1.0.0/kms/02
  • /frameworks/aws-fsbp-v1.0.0/neptune/07
  • /frameworks/aws-fsbp-v1.0.0/opensearch/07
  • /frameworks/aws-fsbp-v1.0.0/rds/10
  • /frameworks/aws-fsbp-v1.0.0/rds/12
  • /frameworks/aws-fsbp-v1.0.0/s3/12
  • /frameworks/aws-fsbp-v1.0.0/sagemaker/03
  • /frameworks/aws-fsbp-v1.0.0/secrets-manager/01
  • /frameworks/aws-fsbp-v1.0.0/secrets-manager/02
  • /frameworks/aws-fsbp-v1.0.0/secrets-manager/03
  • /frameworks/aws-fsbp-v1.0.0/secrets-manager/04
• Internal
  • ID: dec-c-4b04bf31

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)		1	1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)		1	1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions.			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.4] ECS containers should run as non-privileged			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges		1	1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.2] IAM users should not have IAM policies attached		1	1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.3] IAM users' access keys should be rotated every 90 days or less		1	1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.4] IAM root user access key should not exist		1	1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.5] MFA should be enabled for all IAM users that have a console password			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.6] Hardware MFA should be enabled for the root user			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.7] Password policies for IAM users should have strong configurations		1	3		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.8] Unused IAM user credentials should be removed			2		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.7] Neptune DB clusters should have IAM database authentication enabled					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.7] OpenSearch domains should have fine-grained access control enabled					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.10] IAM authentication should be configured for RDS instances			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.12] IAM authentication should be configured for RDS clusters			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.12] ACLs should not be used to manage user access to S3 general purpose buckets					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SageMaker.3] Users should not have root access to SageMaker AI notebook instances			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SecretsManager.3] Remove unused Secrets Manager secrets			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days					no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (22)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account does not have an IAM Password Policy🟢	1	🟢 x6	no data
🛡️ AWS Account IAM Password Policy minimum password length is 14 characters or less🟢	1	🟢 x6	no data
🛡️ AWS Account IAM Password Policy Number of passwords to remember is not set to 24🟢	1	🟢 x6	no data
🛡️ AWS Account Root User has active access keys🟢	1	🟢 x6	no data
🛡️ AWS Account Root User Hardware MFA is not enabled.🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ AWS Account Root User MFA is not enabled.🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance IMDSv2 is not enabled🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition runs as privileged🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition Readonly Root Filesystem is disabled🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition with Host Network Mode runs containers as root🟢	1	🟢 x6	no data
🛡️ AWS IAM Access Key is unused🟢	1	🟢 x6	no data
🛡️ AWS IAM Policy allows full administrative privileges🟢	1	🟢 x6	no data
🛡️ AWS IAM User Access Keys are not rotated every 90 days or less🟢	1	🟢 x6	no data
🛡️ AWS IAM User has inline or directly attached policies🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS IAM User MFA is not enabled for all users with console password🟢	1	🟢 x6	no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Cluster IAM Database Authentication is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance IAM Database Authentication is not enabled🟢	1	🟢 x6	no data
🛡️ AWS SageMaker Notebook Instance Root Access is not disabled🟢	1	🟢 x6	no data
🛡️ AWS Secrets Manager Secret Automatic Rotation is not enabled🟢	1	🟢 x6	no data
🛡️ AWS Secrets Manager Secret has not been accessed in over 90 days🟢	1	🟢 x6	no data