Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).

Priority: High

Category: Identity & Access Management (IAM)

Services Associated with AWS:

  • AWS Identity and Access Management (IAM)
  • AWS CloudTrail
  • AWS Key Management Service (KMS)
  • Amazon S3
  • Amazon VPC

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screenshot of groups and membership assignment

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Role Based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Privileged Access Management (PAM)

What needs to be answered:

Do people from different departments have access to the same files, or is access limited based on their role?

  • Ensure Proper Configuration of Multi-Factor Authentication
    Description: This check ensures that Multi-Factor Authentication (MFA) is activated for all IAM users that have a console password. MFA provides an extra layer of protection to prevent unauthorized access to AWS services and resources.
  • Verify Logging Enabled in CloudTrail
    Description: This check confirms that AWS CloudTrail is enabled and properly configured across all regions, ensuring all activities across your AWS infrastructure are logged and can be audited.
  • Confirm Encryption Key Rotation
    Description: This check ensures that AWS Key Management Service (KMS) keys are rotated at least once every 365 days. Regular key rotation limits how long a compromised key can be used to gain access to the data.
  • Ensure Secure Access of S3 Buckets
    Description: This check verifies that the S3 buckets are not publicly accessible and proper access levels are configured, limiting the exposure of sensitive data stored in the buckets.
  • Confirm Enabled VPC Flow Logs
    Description: This check ensures that VPC Flow Logs are enabled and correctly configured to capture information about the IP traffic to and from network interfaces in your VPC, thus facilitating network monitoring and anomaly detection.
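The first two checks above (MFA for every IAM user with a console password, and an actively logging multi-region CloudTrail trail) as they would be evaluated in code. This is an added example, not code from the original page or from AWS; it assumes the column names of the IAM credential report (`password_enabled`, `mfa_active`) and the `IsMultiRegionTrail` / `IsLogging` field names from CloudTrail's describe-trails and get-trail-status, and every row and trail below is constructed.

```python
import csv
import io

# Constructed sample of an IAM credential report. The column names match the
# report returned by `aws iam get-credential-report`; the rows are invented.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T00:00:00+00:00,true,no_information,2024-02-01T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-04-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

# Constructed trail inventory. Field names follow `describe-trails`
# (IsMultiRegionTrail) and `get-trail-status` (IsLogging), merged per trail.
SAMPLE_TRAILS = [
    {"Name": "mgmt-events", "IsMultiRegionTrail": False, "IsLogging": True},
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": False},
]


def users_missing_mfa(report_csv: str) -> list:
    """IAM users that can log in to the console (password_enabled == true)
    but have no MFA device (mfa_active != true).

    Access-key-only users and the root row ("not_supported") are out of scope,
    exactly as the MFA check above is worded.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_login = row["password_enabled"].strip().lower() == "true"
        mfa_enabled = row["mfa_active"].strip().lower() == "true"
        if console_login and not mfa_enabled:
            findings.append(row["user"])
    return findings


def has_active_multi_region_trail(trails: list) -> bool:
    """True only if some trail is both multi-region and currently logging.
    A stopped multi-region trail, or a logging single-region trail, does not
    satisfy the CloudTrail check."""
    return any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails)


if __name__ == "__main__":
    print("console users without MFA:", users_missing_mfa(SAMPLE_CREDENTIAL_REPORT))
    print("multi-region trail logging:", has_active_multi_region_trail(SAMPLE_TRAILS))
```

Against the constructed data, only `bob` is flagged (console password, no MFA) and the CloudTrail check fails because the only multi-region trail is not logging.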

More details: Permissions to access CUI are restricted to privileged users only.