Level 2


Description:

Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges).  Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.  


Priority: High 


Domain: ACCESS CONTROL (AC) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)
  • AWS Identity and Access Management (IAM), AWS CloudFormation
  • AWS Identity and Access Management (IAM), AWS CloudTrail, AWS Security Hub


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure RBAC (Role-Based Access Control)
  • Azure Policy
  • Azure Security Center
  • Azure Privileged Identity Management (PIM)
  • Azure Audit Logs
  • Azure Virtual Machines
  • Azure Key Vault
  • Azure Sentinel
  • Azure Monitor
  • Azure Functions
  • Azure Logic Apps
  • Azure Data Lake Storage
  • Azure SQL Database
  • Azure DevOps


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screenshot of groups and membership assignment 


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Role Based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Privileged Access Management (PAM) 


What needs to be answered:

Do you only grant enough privileges to users to allow them to do their day to day duties? 


Checks for AWS

  • Verify Implementation of Least Privilege Principle
    Description: This check ensures that the principle of least privilege is effectively applied, with user and process privileges no higher than necessary to accomplish required organizational missions or business functions.
  • Confirm Least Privilege in System Development and Operation
    Description: This check confirms that the principle of least privilege is applied during the development, implementation, and operation of organizational systems.
  • Validate Privileges for Security Functions
    Description: This check verifies that access privileges for security functions such as establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations are correctly set according to the least privilege principle.
  • Ensure Restriction of Privileged Accounts
    Description: This check ensures that privileged accounts, including super user accounts, are restricted to specific personnel or roles, preventing day-to-day users from accessing privileged information or functions.
  • Confirm Differentiation in Privileges for Local and Domain Accounts
    Description: This check confirms that the organization has effectively differentiated in the application of the least privilege principle between local accounts and domain accounts, while retaining control over key system configurations and mitigating risk.
     


Checks for Azure

  • Verify Implementation of Least Privilege Principle
    Description: This policy check ensures that the principle of least privilege is implemented effectively in Azure. It validates that user and process privileges are granted at the minimum necessary level to accomplish required organizational missions or business functions, reducing the risk of unauthorized access or actions.
  • Confirm Least Privilege in System Development and Operation
    Description: This policy check confirms that the principle of least privilege is applied during the development, implementation, and operation of Azure systems. It ensures that the necessary measures are taken to restrict privileges and access rights to only what is essential for system functionality and security.
  • Validate Privileges for Security Functions
    Description: This policy check verifies that access privileges for security functions within Azure, such as establishing system accounts, setting event logging, configuring intrusion detection parameters, and managing access authorizations, are appropriately set based on the principle of least privilege. It ensures that only necessary privileges are granted to perform these security functions.
  • Ensure Restriction of Privileged Accounts
    Description: This policy check ensures that privileged accounts, including super user accounts, are restricted to specific personnel or roles within Azure. It verifies that day-to-day users do not have access to privileged information or functions and that privileged accounts are controlled and managed according to the least privilege principle.
  • Confirm Differentiation in Privileges for Local and Domain Accounts
    Description: This policy check confirms that the organization has effectively differentiated the privileges granted to local accounts and domain accounts within Azure. It ensures that while retaining control over system configurations, access permissions are appropriately restricted based on the principle of least privilege.


More Details: Company employees only have access to information needed to perform day to day functions.