Description: 

Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2.  Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat. 


Priority: High 


Category: Centralized Controls Management 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM), AWS Key Management Service (KMS)
  • AWS CloudTrail, AWS Identity and Access Management (IAM)
  • AWS Security Hub, AWS WAF, AWS Shield
  • Amazon GuardDuty, Amazon Macie, AWS Security Hub
  • AWS CloudTrail, AWS Identity and Access Management (IAM), Amazon GuardDuty


Objective Evidence:

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation to demonstrate how Role-Based Access Control (RBAC) is properly and securely implemented
  • Technical: screenshot of groups and membership assignments


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Privileged Access Management (PAM)


What needs to be answered: 

Are privilege escalations logged? Who knows the admin credentials?


  • Ensure Non-privileged Users Cannot Execute Privileged Functions
    Description: This check ensures that non-privileged users are prevented from executing privileged functions, such as establishing system accounts, performing system integrity checks, or administering cryptographic key management activities.
  • Audit Execution of Privileged Functions
    Description: This check verifies that the execution of privileged functions is properly captured in audit logs, aiding in the detection of misuse and helping to mitigate the risk from insider threats and advanced persistent threats.
  • Validate Intrusion Detection and Prevention Mechanisms
    Description: This check validates that intrusion detection and prevention mechanisms are properly configured and cannot be circumvented by non-privileged users.
  • Confirm Proper Configuration of Malicious Code Protection Mechanisms
    Description: This check confirms that malicious code protection mechanisms are correctly configured and cannot be bypassed by non-privileged users.
  • Check for Unauthorized Use of Privileged Functions
    Description: This check monitors for any unauthorized or inappropriate use of privileged functions, either intentionally or unintentionally, by authorized users or by unauthorized external entities.
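The last two checks come down to one question: which privileged API calls in the audit trail were made by principals who are not on the approved administrator list? The following is an added example (not part of this control page or any AWS tooling) that answers it over CloudTrail records. The mapping of privileged functions to API names, the `SecurityAdmin` role ARN and the sample events are all constructed for illustration.

```python
# Privileged functions named in the control, keyed by CloudTrail
# "eventSource:eventName" (illustrative mapping, not an AWS-published list).
PRIVILEGED_ACTIONS = {
    "iam.amazonaws.com:CreateUser": "establishing system accounts",
    "kms.amazonaws.com:ScheduleKeyDeletion": "cryptographic key management",
    "cloudtrail.amazonaws.com:StopLogging": "circumventing audit logging",
    "guardduty.amazonaws.com:DeleteDetector": "circumventing intrusion detection",
}
# Principals authorised for privileged functions (constructed example ARN).
PRIVILEGED_PRINCIPALS = {"arn:aws:iam::111122223333:role/SecurityAdmin"}

def principal_of(event):
    """Stable principal ARN: role sessions carry the role under
    sessionContext.sessionIssuer; IAM users are identified by userIdentity.arn."""
    ident = event["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")

def find_violations(records):
    """One finding per privileged action by a non-privileged principal. A call with
    errorCode set was denied (the preventive control held) but is still reported."""
    findings = []
    for ev in records:
        category = PRIVILEGED_ACTIONS.get(f"{ev['eventSource']}:{ev['eventName']}")
        actor = principal_of(ev)
        if category is None or actor in PRIVILEGED_PRINCIPALS:
            continue
        findings.append({"time": ev["eventTime"], "principal": actor,
                         "action": ev["eventName"], "category": category,
                         "outcome": "denied" if ev.get("errorCode") else "succeeded"})
    return findings

# Constructed CloudTrail records, not real log data.
DEV = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-user"}
ADMIN = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/SecurityAdmin/ops",
         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/SecurityAdmin"}}}
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "userIdentity": ADMIN},
    {"eventTime": "2024-03-01T10:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": DEV},
    {"eventTime": "2024-03-01T10:06Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "errorCode": "AccessDenied", "userIdentity": DEV},
    {"eventTime": "2024-03-01T10:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": DEV},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS):
        print(finding)
```

A "succeeded" finding means the preventive side of the control (IAM policy) failed and needs fixing; a "denied" finding means it held, but the attempt itself is the evidence the audit side of the control exists to capture.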
     


More details: Non-privileged users are unable to perform auditing or administrative functions.