Description: 

This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. 


Priority: High 


Category:  Identity & Access Management (IAM) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  •  Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented 
  • Technical: screen shot of groups and membership assignment


Possible Technology Considerations: 

  • Privileged Access Management (PAM 


What needs to be answered:

Do users with admin access use a non-privileged account for regular use? Is this enforced by policy? 


  • Verify Use of Non-privileged Accounts for Non-security Functions
    Description: This check ensures that non-privileged accounts or roles are used when accessing non-security functions, limiting exposure when operating from within privileged accounts or roles.
  • Confirm Role-based Access Control
    Description: This check verifies that role-based access control is correctly implemented, ensuring that a change of role provides the same degree of assurance in the change of access authorizations as a change between privileged and non-privileged accounts.
  • Validate Correct Use of Non-privileged Roles
    Description: This check confirms that non-privileged roles are correctly used in scenarios where access control policies such as role-based access control are implemented.

     

More details: Administrative accounts only used when executing administrative functions.