Description:
System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.
Priority: High
Category: Baseline Security Configurations
Services Associated with AWS:
- AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (VPC), Amazon EC2, Amazon RDS, Amazon WorkSpaces
- AWS Identity and Access Management (IAM), AWS Cognito, AWS SSO
- AWS Identity and Access Management (IAM), AWS WAF, AWS Shield, Amazon Route 53
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Identity & Access Management (IAM)
- Privileged Access Management (PAM)
What needs to be answered:
Are there controls to ensure that administration privileges are not available to general users? Is user functionality separated from system management functionality?
- Separation of User and System Management Functionality
  Description: This check ensures that user functionality is separated from system management functionality. This includes using different computers, different central processing units, different instances of operating systems, different network addresses, or virtualization techniques.
- Separate Authentication for User and System Resources
  Description: This check verifies that separate authentication methods are used for users of system resources and those accessing web administrative interfaces. This helps maintain the separation between user and system management functionality.
- Isolation of Administrative Interfaces
  Description: This check ensures that administrative interfaces are isolated on different domains and with additional access controls, thus maintaining the separation between system and user functionality.
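The first check above (separation by different network addresses) can be evidenced with an audit rather than a screenshot. The script below is an added example, not part of the original control text and not an AWS tool: it walks security-group records in the shape boto3's `ec2.describe_security_groups()` returns and flags management ports (SSH, RDP, database listeners, an admin HTTPS port) that are reachable from any source outside a dedicated administrative network. The sample groups, the management-port list and the admin CIDR are constructed assumptions so the audit runs offline; in practice the `SAMPLE_GROUPS` list would be replaced by the live API response.

```python
"""Audit EC2 security groups for management ports reachable from outside
an administrative network, as evidence for network-level separation of
system management functionality from user functionality.

Added example, not from the original page. Security-group records are
constructed inline in the shape boto3's describe_security_groups() returns,
so the audit runs offline. The port list and the admin CIDR are assumptions.
"""
import ipaddress

# Ports that commonly carry system management traffic (assumption for this example).
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5432: "postgres", 3306: "mysql", 8443: "admin-https"}

# Network reserved for administrative access (constructed value).
ADMIN_CIDR = ipaddress.ip_network("10.10.0.0/24")


def _management_ports_in(perm):
    """Return the management ports covered by one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all protocols and ports
        return set(MANAGEMENT_PORTS)
    if perm.get("IpProtocol") != "tcp":
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def _non_admin_sources(perm):
    """Return the IPv4 sources of a rule that are not wholly inside ADMIN_CIDR."""
    offending = []
    for rng in perm.get("IpRanges", []):
        net = ipaddress.ip_network(rng["CidrIp"], strict=False)
        if not net.subnet_of(ADMIN_CIDR):
            offending.append(str(net))
    return offending


def audit_security_groups(groups):
    """Return findings as (group id, port, service name, offending sources) tuples.

    A finding means a management port is reachable from an address range that
    is not part of the administrative network, i.e. user and system
    management functionality share a network path.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = _management_ports_in(perm)
            if not ports:
                continue
            sources = _non_admin_sources(perm)
            if not sources:
                continue
            for port in sorted(ports):
                findings.append((sg["GroupId"], port, MANAGEMENT_PORTS[port], sources))
    return findings


# Constructed sample, shaped like describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {   # user-facing web tier: HTTPS to the world, SSH only from the admin network (compliant)
        "GroupId": "sg-web-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.10.0.0/24"}]},
        ],
    },
    {   # violates separation: SSH from the internet, RDP from a general user subnet
        "GroupId": "sg-bastion-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        ],
    },
    {   # violates separation: all traffic from anywhere, so every management port is exposed
        "GroupId": "sg-db-example",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
]


def main():
    for gid, port, name, sources in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: management port {port} ({name}) reachable from {', '.join(sources)}")


if __name__ == "__main__":
    main()
```

Rules whose source is another security group (`UserIdGroupPairs`) and IPv6 ranges are deliberately not evaluated here; they need the referenced group or range resolved before the same "inside the admin network or not" test can be applied, and would be the next refinement of the audit.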
More Details:
User functionality separate from system management functionality.