Level 1
Description:
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged), are addressed in requirement 3.1.2.
Priority: High
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- Identity and Access Management (IAM)
- Multi-Factor Authentication (MFA)
- Service Control Policies (SCPs)
- Security Groups and Network Access Control Lists (NACLs)
- AWS Key Management Service (KMS)
- AWS Config
- AWS Secrets Manager
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Role-Based Access Control (RBAC)
- Azure Virtual Network (VNet) Service Endpoints
- Azure Security Center
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
- Technical: screenshot of groups and membership assignment
Possible Technology Considerations:
- Role Based Access Control (RBAC)
- Discretionary Access Control (DAC)
What needs to be answered:
Does everyone have their own username and password? Does the company maintain a list of authorized users defining their identity and role?
Checks for AWS
- Verify that all IAM users, roles, and policies are correctly set up and managed. Ensure that the principle of least privilege is followed when assigning roles and permissions.
Description: This check involves reviewing the configuration of IAM (Identity and Access Management) users, roles, and policies within the AWS environment. It aims to ensure that the setup is correct and well-managed. Specifically, it focuses on following the principle of least privilege, which means granting users and roles only the permissions necessary for them to perform their intended tasks and no more. By implementing the principle of least privilege, the risk of unauthorized access or accidental misuse of resources is minimized.
- Ensure MFA is enabled for all IAM users who have console access, and for the root user.
Description: Multi-Factor Authentication (MFA) adds an extra layer of security to the authentication process by requiring users to provide additional verification in addition to their username and password. This check involves verifying that MFA is enabled for all IAM users who have console access, which refers to accessing the AWS Management Console. Additionally, it ensures that MFA is also enabled for the root user, which is the initial administrative account created when setting up an AWS account. Enabling MFA helps protect against unauthorized access even if usernames and passwords are compromised.
- Review and validate the SCPs applied at the organization level and the individual account level.
Description: Service Control Policies (SCPs) are a set of policies that help manage permissions and access within an AWS Organization. This check involves reviewing and validating the SCPs applied at two levels: the organization level and the individual account level. SCPs define the maximum permissions that can be granted to accounts within the organization hierarchy. By reviewing and validating these policies, organizations can ensure that the desired restrictions and controls are in place to enforce security and compliance requirements.
- Validate that the security groups and NACLs are correctly configured to allow only the necessary traffic.
Description: Security Groups and Network Access Control Lists (NACLs) are used to control inbound and outbound traffic to AWS resources. This check involves validating the configuration of security groups and NACLs to ensure they are set up correctly. It focuses on allowing only the necessary network traffic and blocking any unauthorized or unnecessary access. By properly configuring security groups and NACLs, organizations can prevent unauthorized access to their resources and reduce the risk of network-related security incidents.
- Ensure encryption keys are properly managed and rotated.
Description: Encryption keys play a crucial role in securing data within AWS services. This check involves ensuring that encryption keys are properly managed and rotated. Proper management includes securely storing and managing the keys, defining key policies to control access, and regularly reviewing key usage and permissions. Additionally, encryption keys should be rotated periodically to minimize the impact of a compromised key. By ensuring proper key management and rotation, organizations can enhance the confidentiality and integrity of their data.
- Make sure that AWS Config is enabled and configured to track changes in the AWS environment.
Description: AWS Config is a service that provides a detailed inventory of AWS resources and tracks changes made to those resources over time. This check involves ensuring that AWS Config is enabled and properly configured to track changes in the AWS environment. By monitoring changes, organizations can gain visibility into resource configurations, detect any unauthorized modifications or deviations from desired configurations, and maintain an audit trail for compliance purposes.
- Validate that access to secrets is tightly controlled and rotated regularly.
Description: Secrets, such as passwords, API keys, and database credentials, are sensitive information that needs to be securely managed. This check involves validating that access to secrets is tightly controlled and that proper access controls and encryption measures are in place. Additionally, secrets should be regularly rotated, meaning that new credentials or keys are generated and the old ones are invalidated. Regular rotation helps mitigate the risk of compromised secrets being used maliciously. By tightly controlling and regularly rotating access to secrets, organizations can enhance the security of their sensitive information.
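The MFA check above can be run offline against the IAM credential report (downloaded with `aws iam generate-credential-report` and `aws iam get-credential-report`). The following is an added example, not part of the original checklist; the sample report rows, user names and account ID are constructed, and the report is trimmed to the columns the check reads.

```python
import csv
import io

# Constructed sample in the column layout of the IAM credential report,
# trimmed to the columns this check reads. Names and ARNs are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false
"""

ROOT = "<root_account>"  # name the credential report uses for the root row


def mfa_findings(report_csv):
    """Return (user, reason) for every identity that fails the MFA check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"].strip().lower() == "true"
        console = row["password_enabled"].strip().lower() == "true"
        if user == ROOT:
            # The root row can report password_enabled as "not_supported",
            # so root is judged on mfa_active alone.
            if not mfa:
                findings.append((user, "root user without MFA"))
        elif console and not mfa:
            findings.append((user, "console access without MFA"))
        # Users without a console password (API-only) are outside this check.
    return findings


if __name__ == "__main__":
    for user, reason in mfa_findings(SAMPLE_REPORT):
        print(f"FAIL {user}: {reason}")
```

The list of failing identities, saved with the report's generation date, can serve as technical objective evidence alongside the group membership screenshots.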
Checks for Azure
- Verify Azure Active Directory (AD) User and Role Management:
Description: Review the configuration of Azure AD users and roles to ensure that access is granted to authorized users only. Validate that user accounts are properly managed, including appropriate assignment and removal of roles based on job responsibilities. This check aims to enforce access control policies and prevent unauthorized access to information systems.
- Implement Role-Based Access Control (RBAC) in Azure:
Description: Ensure that RBAC is properly implemented in Azure to control access to resources and services. Review and validate the assignment of roles to users and groups based on their specific responsibilities. This check helps enforce identity- or role-based access control policies and prevents unauthorized access to sensitive information.
- Enable Multi-Factor Authentication (MFA) for Azure Accounts:
Description: Verify that MFA is enabled for Azure accounts to add an extra layer of security during authentication. This check ensures that access to Azure resources requires multiple factors, such as a password and a unique verification code. Enabling MFA helps mitigate the risk of unauthorized access and strengthens the access control mechanism.
- Regularly Review and Update Access Policies and Control Matrices:
Description: Conduct regular reviews of access policies and control matrices to ensure they are up to date and aligned with the organization's security requirements. Validate that access controls are properly defined, documented, and implemented. This check helps maintain effective access control policies and reduces the risk of unauthorized access.
More Details: Users must use unique credentials to access systems containing CUI.