💼 AC-6(9) Least Privilege | Log Use of Privileged Functions

• Contextual name: 💼 AC-6(9) Least Privilege | Log Use of Privileged Functions
• ID: /frameworks/nist-sp-800-53-r5/ac/06/09
• Located in: 💼 AC-6 Least Privilege

Description

Log the execution of privileged functions.

Similar

• Sections
  • /frameworks/aws-fsbp-v1.0.0/cloudfront/05
  • /frameworks/aws-fsbp-v1.0.0/cloudtrail/01
  • /frameworks/aws-fsbp-v1.0.0/cloudtrail/05
  • /frameworks/aws-fsbp-v1.0.0/codebuild/04
  • /frameworks/aws-fsbp-v1.0.0/dms/07
  • /frameworks/aws-fsbp-v1.0.0/dms/08
  • /frameworks/aws-fsbp-v1.0.0/documentdb/04
  • /frameworks/aws-fsbp-v1.0.0/ec2/51
  • /frameworks/aws-fsbp-v1.0.0/eks/08
  • /frameworks/aws-fsbp-v1.0.0/es/04
  • /frameworks/aws-fsbp-v1.0.0/es/05
  • /frameworks/aws-fsbp-v1.0.0/neptune/02
  • /frameworks/aws-fsbp-v1.0.0/network-firewall/02
  • /frameworks/aws-fsbp-v1.0.0/opensearch/04
  • /frameworks/aws-fsbp-v1.0.0/opensearch/05
  • /frameworks/aws-fsbp-v1.0.0/route-53/02
  • /frameworks/aws-fsbp-v1.0.0/rds/09
  • /frameworks/aws-fsbp-v1.0.0/rds/34
  • /frameworks/aws-fsbp-v1.0.0/rds/40
  • /frameworks/aws-fsbp-v1.0.0/redshift/04
  • /frameworks/aws-fsbp-v1.0.0/s3/09
  • /frameworks/aws-fsbp-v1.0.0/transfer-family/03
• Internal
  • ID: dec-c-0fd8b0e9

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.5] CloudFront distributions should have logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.7] DMS replication tasks for the target database should have logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.8] DMS replication tasks for the source database should have logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.8] EKS clusters should have audit logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.5] Elasticsearch domains should have audit logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.2] Network Firewall logging should be enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.5] OpenSearch domains should have audit logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.4] Amazon Redshift clusters should have audit logging enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Route53.2] Route 53 public hosted zones should log DNS queries
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.9] S3 general purpose buckets should have server access logging enabled		1	2
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Transfer.3] Transfer Family connectors should have logging enabled

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	23

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (16)

Policy	Logic Count	Flags
📝 AWS Account Multi-Region CloudTrail is not enabled 🟢	1	🟢 x6
📝 AWS API Gateway API Access Logging in CloudWatch is not enabled 🟢	1	🟠 x1, 🟢 x5
📝 AWS CloudTrail S3 Bucket Access Logging is not enabled. 🟢	1	🟢 x6
📝 AWS S3 Bucket Server Access Logging is not enabled 🟢	1	🟢 x6
📝 AWS VPC Flow Logs are not enabled 🟢	1	🟠 x1, 🟢 x5
📝 Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories 🟢	1	🟢 x6
📝 Azure Diagnostic Setting for Azure Key Vault is not enabled 🟢		🟢 x3
📝 Azure Network Security Group Flow Logs retention period is less than 90 days 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server log_connections Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure SQL Server Auditing is not enabled 🟢	1	🟢 x6
📝 Azure SQL Server Auditing Retention is less than 90 days 🟢	1	🟢 x6
📝 Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests 🟢	1	🟢 x6
📝 Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests 🟢	1	🟢 x6

Internal Rules

Rule	Policies	Flags
✉️ dec-x-0c82d775	1
✉️ dec-x-9b79d91f	1
✉️ dec-x-9c041667	1
✉️ dec-x-24bba483	1
✉️ dec-x-36ced3d1	1
✉️ dec-x-89d5ed7a	1
✉️ dec-x-611eaa35	1
✉️ dec-x-1518c16e	1
✉️ dec-x-a193b20f	1
✉️ dec-x-b2ce0ca1	1
✉️ dec-x-d75f6d86	1
✉️ dec-x-db1b7a1b	1
✉️ dec-x-e5c05d3e	1
✉️ dec-x-e0014333	2
✉️ dec-z-3f480eb5	1