Description:
Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
Priority: High
Category: Centralized Controls Management
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS Identity and Access Management (IAM), AWS CloudFormation
- AWS Identity and Access Management (IAM), AWS CloudTrail, AWS Security Hub
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
- Technical: screenshot of groups and membership assignment
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Role Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Privileged Access Management (PAM)
What needs to be answered:
Do you only grant enough privileges to users to allow them to do their day to day duties?
- Verify Implementation of Least Privilege Principle
Description: This check ensures that the principle of least privilege is effectively applied, with user and process privileges no higher than necessary to accomplish required organizational missions or business functions. - Confirm Least Privilege in System Development and Operation
Description: This check confirms that the principle of least privilege is applied during the development, implementation, and operation of organizational systems. - Validate Privileges for Security Functions
Description: This check verifies that access privileges for security functions such as establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations are correctly set according to the least privilege principle. - Ensure Restriction of Privileged Accounts
Description: This check ensures that privileged accounts, including super user accounts, are restricted to specific personnel or roles, preventing day-to-day users from accessing privileged information or functions. - Confirm Differentiation in Privileges for Local and Domain Accounts
Description: This check confirms that the organization has effectively differentiated in the application of the least privilege principle between local accounts and domain accounts, while retaining control over key system configurations and mitigating risk.
More details: Company employees only have access to information needed to perform day to day functions.