💼 AC-6 Least Privilege

  • ID: /frameworks/nist-sp-800-53-r5/ac/06

Stats

not available

Description

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/appsync/05
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/03
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/05
    • /frameworks/aws-fsbp-v1.0.0/dms/01
    • /frameworks/aws-fsbp-v1.0.0/dms/10
    • /frameworks/aws-fsbp-v1.0.0/dms/11
    • /frameworks/aws-fsbp-v1.0.0/documentdb/03
    • /frameworks/aws-fsbp-v1.0.0/ec2/01
    • /frameworks/aws-fsbp-v1.0.0/ec2/08
    • /frameworks/aws-fsbp-v1.0.0/ec2/09
    • /frameworks/aws-fsbp-v1.0.0/ec2/10
    • /frameworks/aws-fsbp-v1.0.0/ec2/15
    • /frameworks/aws-fsbp-v1.0.0/ec2/25
    • /frameworks/aws-fsbp-v1.0.0/ec2/55
    • /frameworks/aws-fsbp-v1.0.0/ec2/56
    • /frameworks/aws-fsbp-v1.0.0/ec2/57
    • /frameworks/aws-fsbp-v1.0.0/ec2/58
    • /frameworks/aws-fsbp-v1.0.0/ec2/60
    • /frameworks/aws-fsbp-v1.0.0/ecs/02
    • /frameworks/aws-fsbp-v1.0.0/ecs/04
    • /frameworks/aws-fsbp-v1.0.0/ecs/05
    • /frameworks/aws-fsbp-v1.0.0/eks/01
    • /frameworks/aws-fsbp-v1.0.0/elasticache/06
    • /frameworks/aws-fsbp-v1.0.0/emr/01
    • /frameworks/aws-fsbp-v1.0.0/emr/02
    • /frameworks/aws-fsbp-v1.0.0/es/02
    • /frameworks/aws-fsbp-v1.0.0/eventbridge/03
    • /frameworks/aws-fsbp-v1.0.0/iam/01
    • /frameworks/aws-fsbp-v1.0.0/iam/02
    • /frameworks/aws-fsbp-v1.0.0/iam/04
    • /frameworks/aws-fsbp-v1.0.0/iam/08
    • /frameworks/aws-fsbp-v1.0.0/iam/21
    • /frameworks/aws-fsbp-v1.0.0/kms/01
    • /frameworks/aws-fsbp-v1.0.0/kms/02
    • /frameworks/aws-fsbp-v1.0.0/lambda/01
    • /frameworks/aws-fsbp-v1.0.0/neptune/03
    • /frameworks/aws-fsbp-v1.0.0/neptune/07
    • /frameworks/aws-fsbp-v1.0.0/opensearch/02
    • /frameworks/aws-fsbp-v1.0.0/opensearch/07
    • /frameworks/aws-fsbp-v1.0.0/rds/01
    • /frameworks/aws-fsbp-v1.0.0/rds/10
    • /frameworks/aws-fsbp-v1.0.0/rds/12
    • /frameworks/aws-fsbp-v1.0.0/redshift/01
    • /frameworks/aws-fsbp-v1.0.0/s3/01
    • /frameworks/aws-fsbp-v1.0.0/s3/02
    • /frameworks/aws-fsbp-v1.0.0/s3/03
    • /frameworks/aws-fsbp-v1.0.0/s3/12
    • /frameworks/aws-fsbp-v1.0.0/s3/19
    • /frameworks/aws-fsbp-v1.0.0/sagemaker/01
    • /frameworks/aws-fsbp-v1.0.0/sagemaker/02
    • /frameworks/aws-fsbp-v1.0.0/sagemaker/03
    • /frameworks/aws-fsbp-v1.0.0/service-catalog/01
    • /frameworks/aws-fsbp-v1.0.0/ssm/04
  • Internal
    • ID: dec-c-20404502

Similar Sections (Take Policies From)

All rows in this table are sections of 💼 AWS Foundational Security Best Practices v1.0.0.

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 [AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys | | | | | no data
💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) | | 1 | 1 | | no data
💼 [AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses | | 1 | 1 | | no data
💼 [DMS.1] Database Migration Service replication instances should not be public | | 1 | 1 | | no data
💼 [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled | | | | | no data
💼 [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled | | | | | no data
💼 [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public | | | | | no data
💼 [EC2.1] Amazon EBS snapshots should not be publicly restorable | | | 1 | | no data
💼 [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | | 1 | 1 | | no data
💼 [EC2.9] Amazon EC2 instances should not have a public IPv4 address | | | 1 | | no data
💼 [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | | | 1 | | no data
💼 [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses | | | 1 | | no data
💼 [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces | | | | | no data
💼 [EC2.55] VPCs should be configured with an interface endpoint for ECR API | | | | | no data
💼 [EC2.56] VPCs should be configured with an interface endpoint for Docker Registry | | | | | no data
💼 [EC2.57] VPCs should be configured with an interface endpoint for Systems Manager | | | | | no data
💼 [EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts | | | | | no data
💼 [EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager | | | | | no data
💼 [ECS.2] ECS services should not have public IP addresses assigned to them automatically | | | 1 | | no data
💼 [ECS.4] ECS containers should run as non-privileged | | | 1 | | no data
💼 [ECS.5] ECS containers should be limited to read-only access to root filesystems | | | 1 | | no data
💼 [EKS.1] EKS cluster endpoints should not be publicly accessible | | | 1 | | no data
💼 [ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled | | | | | no data
💼 [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses | | | | | no data
💼 [EMR.2] Amazon EMR block public access setting should be enabled | | | | | no data
💼 [ES.2] Elasticsearch domains should not be publicly accessible | | | 1 | | no data
💼 [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached | | | | | no data
💼 [IAM.1] IAM policies should not allow full "*" administrative privileges | | 1 | 1 | | no data
💼 [IAM.2] IAM users should not have IAM policies attached | | 1 | 1 | | no data
💼 [IAM.4] IAM root user access key should not exist | | 1 | 1 | | no data
💼 [IAM.8] Unused IAM user credentials should be removed | | | 2 | | no data
💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services | | | 1 | | no data
💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys | | | 1 | | no data
💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys | | | 3 | | no data
💼 [Lambda.1] Lambda function policies should prohibit public access | | | 1 | | no data
💼 [Neptune.3] Neptune DB cluster snapshots should not be public | | | | | no data
💼 [Neptune.7] Neptune DB clusters should have IAM database authentication enabled | | | 1 | | no data
💼 [Opensearch.2] OpenSearch domains should not be publicly accessible | | | 1 | | no data
💼 [Opensearch.7] OpenSearch domains should have fine-grained access control enabled | | | 1 | | no data
💼 [RDS.1] RDS snapshot should be private | | 1 | 1 | | no data
💼 [RDS.10] IAM authentication should be configured for RDS instances | | | 1 | | no data
💼 [RDS.12] IAM authentication should be configured for RDS clusters | | | 1 | | no data
💼 [Redshift.1] Amazon Redshift clusters should prohibit public access | | | 1 | | no data
💼 [S3.1] S3 general purpose buckets should have block public access settings enabled | | | 1 | | no data
💼 [S3.2] S3 general purpose buckets should block public read access | | | 2 | | no data
💼 [S3.3] S3 general purpose buckets should block public write access | | | 2 | | no data
💼 [S3.12] ACLs should not be used to manage user access to S3 general purpose buckets | | | | | no data
💼 [S3.19] S3 access points should have block public access settings enabled | | | 1 | | no data
💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access | | | 1 | | no data
💼 [SageMaker.2] SageMaker AI notebook instances should be launched in a custom VPC | | | 1 | | no data
💼 [SageMaker.3] Users should not have root access to SageMaker AI notebook instances | | | 1 | | no data
💼 [ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only | | | | | no data
💼 [SSM.4] SSM documents should not be public | | | | | no data

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H) | 8 | 12 | 85 | | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | | 1 | 44 | | no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AC-6(1) Least Privilege: Authorize Access to Security Functions | | 2 | 2 | | no data
💼 AC-6(2) Least Privilege: Non-privileged Access for Nonsecurity Functions | | 4 | 6 | | no data
💼 AC-6(3) Least Privilege: Network Access to Privileged Commands | | | 6 | | no data
💼 AC-6(4) Least Privilege: Separate Processing Domains | | | | | no data
💼 AC-6(5) Least Privilege: Privileged Accounts | | 3 | 3 | | no data
💼 AC-6(6) Least Privilege: Privileged Access by Non-organizational Users | | | | | no data
💼 AC-6(7) Least Privilege: Review of User Privileges | | | | | no data
💼 AC-6(8) Least Privilege: Privilege Levels for Code Execution | | | | | no data
💼 AC-6(9) Least Privilege: Log Use of Privileged Functions | | 17 | 25 | | no data
💼 AC-6(10) Least Privilege: Prohibit Non-privileged Users from Executing Privileged Functions | | | 4 | | no data

Policies (50)

Policy | Logic Count | Flags | Compliance
🛡️ AWS Account Root User has active access keys | 🟢 1 | 🟢 x6 | no data
🛡️ AWS DMS Replication Instance is publicly accessible | 🟢 1 | 🟢 x6 | no data
🛡️ AWS EBS Snapshot is publicly accessible | 🟢 1 | 🟢 x6 | no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances | 🟢 1 | 🟢 x6 | no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 | 🟢 1 | 🟢 x6 | no data
🛡️ AWS EC2 Instance IMDSv2 is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet | 🟢 1 | 🟢 x6 | no data
🛡️ AWS ECS Service automatically assigns public IP addresses | 🟢 1 | 🟢 x6 | no data
🛡️ AWS ECS Task Definition runs as privileged | 🟢 1 | 🟢 x6 | no data
🛡️ AWS ECS Task Definition Readonly Root Filesystem is disabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS EKS Cluster allows unrestricted public traffic | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM Access Key is unused | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM Customer Managed Policy allows KMS decryption actions on all KMS keys | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM Group Inline Policy allows KMS decryption actions on all KMS keys | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM Policy allows full administrative privileges | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM Role Inline Policy allows KMS decryption actions on all KMS keys | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM User has inline or directly attached policies | 🟢 1 | 🟠 x1, 🟢 x5 | no data
🛡️ AWS IAM User Inline Policy allows KMS decryption actions on all KMS keys | 🟢 1 | 🟢 x6 | no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS Lambda Function allows public access | 🟢 1 | 🟠 x1, 🟢 x5 | no data
🛡️ AWS Lambda Function is not in a VPC | 🟢 1 | 🟢 x6 | no data
🛡️ AWS OpenSearch Domain fine-grained access control is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS OpenSearch Domain has a public endpoint | 🟢 1 | 🟢 x6 | no data
🛡️ AWS RDS Cluster IAM Database Authentication is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS RDS Instance IAM Database Authentication is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS RDS Snapshot is publicly accessible | 🟢 1 | 🟢 x6 | no data
🛡️ AWS Redshift Cluster is publicly accessible | 🟢 1 | 🟢 x6 | no data
🛡️ AWS S3 Access Point is not configured to block public access | 🟢 1 | 🟢 x6 | no data
🛡️ AWS S3 Bucket ACL allows public read or write access | 🟢 1 | 🟢 x6 | no data
🛡️ AWS S3 Bucket is not configured to block public access | 🟢 1 | 🟢 x6 | no data
🛡️ AWS S3 Bucket Policy allows public read or write access | 🟢 1 | 🟢 x6 | no data
🛡️ AWS SageMaker Notebook Instance Direct Internet Access is not disabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS SageMaker Notebook Instance is not in a VPC | 🟢 1 | 🟢 x6 | no data
🛡️ AWS SageMaker Notebook Instance Root Access is not disabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service | 🟢 1 | 🟢 x6 | no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled | 🟢 1 | 🟢 x6 | no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible | 🟢 1 | 🟢 x6 | no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on | 🟢 1 | 🟢 x6 | no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses | 🟢 1 | 🟢 x6 | no data
🛡️ Google Cloud SQL Instance has public IP addresses | 🟢 1 | 🟢 x6 | no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off | 🟢 1 | 🟢 x6 | no data
🛡️ Google GCE Instance has a public IP address | 🟢 1 | 🟢 x6 | no data
🛡️ Google IAM Service Account has admin privileges | 🟢 1 | 🟢 x6 | no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level | 🟢 1 | 🟢 x6 | no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible | 🟠🟢⚪ | 🟠 x1, 🟢 x2, ⚪ x1 | no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock | 🟢 1 | 🟢 x6 | no data
🛡️ Google Project with KMS keys has a principal with Owner role | 🟢 1 | 🟢 x6 | no data
🛡️ Google Storage Bucket is anonymously or publicly accessible | 🟢 1 | 🟢 x6 | no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned | 🟢 1 | 🟢 x6 | no data
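Several of the AWS policies listed above (IAM.1 full administrative privileges, IAM.21 service wildcard actions, and the KMS.1/KMS.2 decryption-on-all-keys checks) reduce to the same task: walk the Allow statements of an IAM policy document and look for action and resource wildcards that exceed what a task needs. The Python below is an added example written for this page; it is not the page's own check logic or code from the tool that produces these mappings. It evaluates policy documents held in memory, and the two sample policies are constructed for the demonstration. The set of "decryption actions" it looks for (kms:Decrypt and kms:ReEncryptFrom) is an assumption taken from the Security Hub control description rather than from this page, and action patterns are matched with IAM's case-insensitive glob semantics.

```python
"""Least-privilege checks over IAM policy documents.

Added example, not code from the page or the project it describes. Implements
the intent of the IAM.1, IAM.21 and KMS.1/KMS.2 checks listed above against
policy documents held in memory. Sample policies below are constructed.
"""
from fnmatch import fnmatchcase
import json

# Assumption: these are the "decryption actions" the KMS.1/KMS.2 checks refer to
# (taken from the Security Hub control description, not from this page).
KMS_DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    """IAM allows a single string/object or a list in Statement, Action and Resource."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _action_matches(pattern, action):
    """IAM action names are matched case-insensitively, with * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def check_full_admin(policy):
    """IAM.1: an Allow statement granting Action "*" on Resource "*"."""
    for s in _allow_statements(policy):
        if "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource")):
            return True
    return False


def check_service_wildcards(policy):
    """IAM.21: Allow statements using "service:*", i.e. every action of one service."""
    found = set()
    for s in _allow_statements(policy):
        for action in _as_list(s.get("Action")):
            if action != "*" and action.endswith(":*"):
                found.add(action)
    return sorted(found)


def check_kms_decrypt_all_keys(policy):
    """KMS.1/KMS.2: a decryption action allowed on every key (Resource "*")."""
    for s in _allow_statements(policy):
        if "*" not in _as_list(s.get("Resource")):
            continue  # scoped to specific key ARNs; not this finding
        for pattern in _as_list(s.get("Action")):
            # "kms:*" and "*" also match, since they include the decrypt actions
            if any(_action_matches(pattern, a) for a in KMS_DECRYPT_ACTIONS):
                return True
    return False


def evaluate(policy):
    """Run all three checks; a truthy value means a finding."""
    return {
        "IAM.1 full admin": check_full_admin(policy),
        "IAM.21 service wildcards": check_service_wildcards(policy),
        "KMS.1 decrypt on all keys": check_kms_decrypt_all_keys(policy),
    }


# Constructed sample policies (not taken from any real account).
OVERLY_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"}
  ]
}""")

LEAST_PRIVILEGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(name, json.dumps(evaluate(policy)))
```

Running the file scores both policies: the first trips all three checks, the second none. A statement that carries a Condition block is still reported, because these checks do not evaluate conditions; review such findings by hand rather than suppressing them, and treat the scoped second policy as the shape AC-6 asks for: named actions on named resources.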