💼 AC-5 Separation of Duties

• ID: /frameworks/nist-sp-800-53-r5/ac/05

Stats

not available

Description

a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties.

Similar

• Sections
  • /frameworks/aws-fsbp-v1.0.0/ecs/04
  • /frameworks/aws-fsbp-v1.0.0/ecs/05
  • /frameworks/aws-fsbp-v1.0.0/eventbridge/03
  • /frameworks/aws-fsbp-v1.0.0/iam/01
  • /frameworks/aws-fsbp-v1.0.0/iam/21
  • /frameworks/aws-fsbp-v1.0.0/kms/01
  • /frameworks/aws-fsbp-v1.0.0/kms/02
  • /frameworks/aws-fsbp-v1.0.0/opensearch/07
• Internal
  • ID: dec-c-f475a8fd

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.4] ECS containers should run as non-privileged			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached					no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges		1	1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys			3		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.7] OpenSearch domains should have fine-grained access control enabled			1		no data

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			22		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			144		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (22)

Policy	Logic Count	Flags	Compliance
🛡️ AWS ECS Task Definition runs as privileged🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition Readonly Root Filesystem is disabled🟢	1	🟢 x6	no data
🛡️ AWS IAM Customer Managed Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM Group Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM Policy allows full administrative privileges🟢	1	🟢 x6	no data
🛡️ AWS IAM Role Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM User has inline or directly attached policies🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS IAM User Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS OpenSearch Domain fine-grained access control is not enabled🟢	1	🟢 x6	no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance has public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢	1	🟢 x6	no data
🛡️ Google GCE Instance has a public IP address🟢	1	🟢 x6	no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢	1	🟢 x6	no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪		🟠 x1, 🟢 x2, ⚪ x1	no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢	1	🟢 x6	no data
🛡️ Google Project with KMS keys has a principal with Owner role🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢	1	🟢 x6	no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢	1	🟢 x6	no data