Description:   

Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.  [SP 800-63-3] provides guidance on digital identities.   


Priority: High   


Category: Identity & Access Management (IAM) 


Services Associated with AWS:   

  • AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (VPC), AWS Systems Manager, AWS CloudTrail 


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of AD settings, or other IAM interface 


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 


What needs to be answered:

Does the system make use of company-assigned accounts so that each individual has unique access? If service accounts are necessary, are they created and assigned through central account management? Are company and service accounts managed centrally and deleted automatically when an individual leaves the company?
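One way to turn the three questions above into a repeatable check, as an added example that is not part of this control text: it audits IAM-style user records against an HR roster of current staff. The records are constructed (in practice they would come from the IAM ListUsers and ListUserTags calls), and the tag keys Owner, AccountType and Provisioner with the value central-idp are assumed organizational conventions, not AWS-defined keys.

```python
# Added example: offline audit of IAM-style user records against the
# "unique account / central provisioning / offboarding" questions.
# Tag keys 'Owner', 'AccountType', 'Provisioner' are assumed conventions.

# Constructed sample: HR roster of current employees (employee IDs).
CURRENT_STAFF = {"e1001", "e1002"}

# Constructed IAM-like records; 'Tags' flattens ListUserTags output.
SAMPLE_USERS = [
    {"UserName": "alice",
     "Tags": {"Owner": "e1001", "AccountType": "individual", "Provisioner": "central-idp"}},
    {"UserName": "bob",  # owner e1003 is no longer on the roster
     "Tags": {"Owner": "e1003", "AccountType": "individual", "Provisioner": "central-idp"}},
    {"UserName": "svc-backup",
     "Tags": {"Owner": "e1002", "AccountType": "service", "Provisioner": "central-idp"}},
    {"UserName": "svc-legacy",  # no accountable owner, not centrally provisioned
     "Tags": {"AccountType": "service"}},
    {"UserName": "admin", "Tags": {}},  # generic name, nothing recorded about it
]


def audit_users(users, current_staff):
    """Return (user_name, finding) tuples. An empty list means every record
    answers all three questions with 'yes'."""
    findings = []
    for user in users:
        name, tags = user["UserName"], user.get("Tags", {})
        owner, kind = tags.get("Owner"), tags.get("AccountType")
        # Q1: each account is classified; unclassified ones may be shared accounts.
        if kind not in ("individual", "service"):
            findings.append((name, "not classified as individual or service (possible shared account)"))
        # Q3: an accountable individual is recorded and still employed.
        if owner is None:
            findings.append((name, "no accountable individual recorded"))
        elif owner not in current_staff:
            findings.append((name, f"owner {owner} has left; account should have been removed"))
        # Q2: service accounts were created through central account management.
        if kind == "service" and tags.get("Provisioner") != "central-idp":
            findings.append((name, "service account not created via central account management"))
    return findings


if __name__ == "__main__":
    for user_name, finding in audit_users(SAMPLE_USERS, CURRENT_STAFF):
        print(f"{user_name}: {finding}")
```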

 

  • Identify System Users, Processes, and Devices
    Description: This check ensures that organizations have mechanisms in place to identify and distinguish system users, processes acting on behalf of users, and devices within their systems. Common identifiers such as user names, Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers are used to uniquely identify and track the activities of system users and devices. While shared system accounts may not have individual identifiers, organizations may require unique identification for individuals within group accounts or for detailed accountability. This requirement also includes identifying individual identifiers that are not necessarily associated with system accounts. Organizational devices are also identified, either by type, specific device, or a combination of both.


More Details:   

All users have company-issued accounts with unique identification. All accounts are managed by IT administration.