Individuals with privileged access to a system who are also the subject of an audit by that system may affect the reliability of audit information by inhibiting audit logging activities or modifying audit records. This requirement specifies that privileged access be further divided between audit-related privileges and other privileges, thus limiting the set of users who hold audit-related privileges.

Priority: High  

Category: Baseline Security Configurations 

Services Associated with AWS:   

  • AWS Identity and Access Management (IAM)

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screenshot of SIEM settings
  • Technical: screenshot of groups and membership assignment

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Security Information & Event Management (SIEM)
  • Role Based Access Control (RBAC)
  • Privileged Access Management (PAM) 

What needs to be answered:

Is access to management of audit functionality authorized only to a limited subset of privileged users? 

  • Restrict Audit Management Privileges to Authorized Users
    Description: This check ensures that the management of audit logging functionality is limited to a subset of privileged users. Organizations define a distinct set of audit-related privileges separate from other privileged access privileges. Only authorized individuals with specific audit-related privileges are granted the ability to manage and configure the audit logging functionality. This segregation of duties reduces the risk of unauthorized modification or manipulation of audit records by privileged users who are the subject of the audit.
  • Implement Role-Based Access Control for Audit Management
    Description: This check verifies that organizations have implemented role-based access control (RBAC) mechanisms to restrict access to audit management functionality. RBAC ensures that only authorized users assigned to specific audit management roles can perform activities related to configuring, monitoring, and maintaining the audit logging functionality. By assigning roles based on job responsibilities, organizations can ensure that audit-related privileges are granted only to individuals who have a legitimate need for such access.
  • Regularly Review and Update Audit Management Privileges
    Description: This check emphasizes the importance of regularly reviewing and updating audit management privileges. Organizations periodically assess and validate the access privileges granted to individuals for audit management activities. This includes removing access privileges for individuals who no longer require them or adjusting privileges based on changes in job responsibilities. By conducting regular reviews, organizations can maintain an up-to-date and accurate list of authorized users with audit management privileges, reducing the risk of unauthorized access or misuse.
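As an added illustration of the three checks above on AWS IAM (this is example code written for this page, not part of the control text or any AWS tooling), the following script evaluates a set of role policy documents and reports every role outside an authorized list that can still manage audit logging. The role names and the sample policies are constructed for the example; the action names are real AWS IAM actions, but which ones count as "audit management" is an assumption you would adapt to your own baseline.

```python
import fnmatch

# Audit-management actions reserved for the audit-admin role.
# Real AWS action names; the grouping is this example's own choice.
AUDIT_MGMT_ACTIONS = [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors", "logs:DeleteLogGroup", "logs:DeleteLogStream",
    "logs:PutRetentionPolicy", "config:StopConfigurationRecorder",
]

# Roles whose audit-related privileges are authorized (assumed role names).
AUTHORIZED_AUDIT_ROLES = {"AuditAdminRole"}

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _stmt_actions(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else actions

def allowed_actions(policies, candidates=AUDIT_MGMT_ACTIONS):
    """Simplified IAM evaluation: an action is allowed if some statement allows
    it and no statement explicitly denies it. Resource and Condition elements
    are ignored here, so this is a first-pass check, not a full simulation."""
    allowed, denied = set(), set()
    for doc in policies:
        for stmt in doc.get("Statement", []):
            target = allowed if stmt.get("Effect") == "Allow" else denied
            for pat in _stmt_actions(stmt):
                target.update(a for a in candidates if _matches(pat, a))
    return sorted(allowed - denied)

def find_violations(role_policies):
    """Return {role: [audit actions it can perform]} for roles not on the
    authorized list that still hold audit-management privileges."""
    violations = {}
    for role, docs in role_policies.items():
        if role in AUTHORIZED_AUDIT_ROLES:
            continue
        acts = allowed_actions(docs)
        if acts:
            violations[role] = acts
    return violations

# Constructed sample policies, not taken from any real account.
SAMPLE_ROLES = {
    "AuditAdminRole": [{"Statement": [{"Effect": "Allow", "Action": ["cloudtrail:*", "logs:*"]}]}],
    "PlatformAdminRole": [{"Statement": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:*", "logs:Delete*", "logs:PutRetentionPolicy", "config:Stop*"]}]}],
    "DeveloperRole": [{"Statement": [{"Effect": "Allow", "Action": ["logs:*", "ec2:Describe*"]}]}],
}

if __name__ == "__main__":
    for role, acts in find_violations(SAMPLE_ROLES).items():
        print(f"{role} can manage audit logging: {', '.join(acts)}")
```

The PlatformAdminRole shows the segregation the control asks for: broad administrative access with an explicit Deny carving out the audit-management actions, so only AuditAdminRole retains them, while DeveloperRole's blanket `logs:*` is flagged for review.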

More Details:  

Management of monitoring systems is restricted to IT administrators.