Level 1


Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). 

Priority: High 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)
  • AWS CloudTrail
  • AWS Key Management Service (KMS)
  • Amazon S3
  • Amazon VPC 

Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure RBAC (Role-Based Access Control)
  • Azure Policy
  • Azure Firewall
  • Azure Security Center
  • Azure Sentinel
  • Azure Compliance Manager
  • Azure Audit Logs

Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screen shot of groups and membership assignment

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Role Based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Privileged Access Management (PAM)

What needs to be answered:

Do people from different departments have access to the same files or is access limited based on their role?  

Checks for AWS

  • Ensure Proper Configuration of Multi-Factor Authentication
    Description: This check ensures that Multi-Factor Authentication (MFA) is activated for all IAM users that have a console password. MFA provides an extra layer of protection to prevent unauthorized access to AWS services and resources.
  • Verify Logging Enabled in CloudTrail
    Description: This check confirms that AWS CloudTrail is enabled and properly configured across all regions, ensuring all activities across your AWS infrastructure are logged and can be audited.
  • Confirm Encryption Keys Rotation
    Description: This check ensures that AWS Key Management Service (KMS) keys are rotated for each 365-day period. Regular key rotation makes it harder for unauthorized entities to use the key to gain access to the data.
  • Ensure Secure Access of S3 Buckets
    Description: This check verifies that the S3 buckets are not publicly accessible and proper access levels are configured, limiting the exposure of sensitive data stored in the buckets.
  • Confirm Enabled VPC Flow Logs
    Description: This check ensures that VPC Flow Logs are enabled and correctly configured to capture information about the IP traffic to and from network interfaces in your VPC, thus facilitating network monitoring and anomaly detection.

Checks for Azure

  • Ensure Azure AD Multi-Factor Authentication is Enabled for Users
    Description: This policy check ensures that Azure Active Directory (Azure AD) multi-factor authentication (MFA) is enabled for users. MFA adds an extra layer of security by requiring users to provide additional verification factors, such as a phone app or a text message code, in addition to their password.
  •  Enforce Azure RBAC for Resource Management
    Description: This policy check validates that Azure RBAC (Role-Based Access Control) is enforced for managing Azure resources. RBAC allows organizations to grant appropriate access permissions to users based on their roles and responsibilities, limiting access to authorized actions within Azure resources.
  • Implement Azure Policy for Resource Compliance
    Description: This policy check ensures that Azure Policy is implemented to enforce compliance with organizational standards. Azure Policy allows you to define rules and restrictions on resource configurations, including access controls, to maintain compliance with security and governance requirements.
  • Enable Azure Firewall for Network Security
    Description: This policy check confirms that Azure Firewall is enabled to provide network security for Azure resources. Azure Firewall allows organizations to define network rules and access policies to control inbound and outbound traffic, ensuring secure communication and access to resources.
  • Enable Azure Security Center for Threat Detection
    Description: This policy check validates that Azure Security Center is enabled to detect and respond to potential security threats. Azure Security Center provides intelligent security analytics and threat intelligence to identify security vulnerabilities and suspicious activities related to access controls.
  • Enable Azure Sentinel for Security Monitoring
    Description: This policy check ensures that Azure Sentinel, a cloud-native security information and event management (SIEM) service, is enabled. Azure Sentinel helps organizations monitor and analyze access logs, detect anomalies, and respond to potential security incidents related to access privileges.
  • Implement Azure Compliance Manager for Regulatory Compliance
    Description: This policy check verifies that Azure Compliance Manager is implemented to assess and manage compliance with regulatory standards. Azure Compliance Manager provides a centralized dashboard to track compliance progress and generate reports for standards such as ISO 27001, NIST SP 800-53, and GDPR.
  • Enable Azure Audit Logs for Activity Monitoring
    Description: This policy check confirms that Azure Audit Logs are enabled to capture detailed information about operations performed on Azure resources. Azure Audit Logs enable organizations to monitor access activities, detect unauthorized access attempts, and ensure compliance with access privilege requirements.

More details : Permissions to access CUI restricted to only privileged users.