Description: 

Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges).  Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. 


Priority: High 


Category:  Centralized Controls Management 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)
  • AWS Identity and Access Management (IAM), AWS CloudFormation
  • AWS Identity and Access Management (IAM), AWS CloudTrail, AWS Security Hub


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screenshot of groups and membership assignment 


Possible Technology Considerations: 

  • Secure Baseline Configurations (SBC)
  • Role Based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Privileged Access Management (PAM) 


What needs to be answered: 
Do you only grant enough privileges to users to allow them to do their day to day duties?


  • Verify Implementation of Least Privilege Principle
    Description: This check ensures that the principle of least privilege is effectively applied, with user and process privileges no higher than necessary to accomplish required organizational missions or business functions.
  • Confirm Least Privilege in System Development and Operation
    Description: This check confirms that the principle of least privilege is applied during the development, implementation, and operation of organizational systems.
  • Validate Privileges for Security Functions
    Description: This check verifies that access privileges for security functions such as establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations are correctly set according to the least privilege principle.
  • Ensure Restriction of Privileged Accounts
    Description: This check ensures that privileged accounts, including super user accounts, are restricted to specific personnel or roles, preventing day-to-day users from accessing privileged information or functions.
  • Confirm Differentiation in Privileges for Local and Domain Accounts
    Description: This check confirms that the organization has effectively differentiated in the application of the least privilege principle between local accounts and domain accounts, while retaining control over key system configurations and mitigating risk.
     


More details: Company employees only have access to information needed to perform day to day functions.