Level 2


Description:

This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. 


Priority: High


Domain: ACCESS CONTROL (AC)


Services Associated with AWS:

  • AWS Identity and Access Management (IAM)


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure RBAC (Role-Based Access Control)
  • Azure Policy
  • Azure Virtual Machines
  • Azure App Service
  • Azure Functions
  • Azure Logic Apps
  • Azure Data Lake Storage
  • Azure SQL Database
  • Azure Cosmos DB
  • Azure Cognitive Services
  • Azure Key Vault
  • Azure Event Grid
  • Azure Service Bus
  • Azure Notification Hubs


Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screen shot of groups and membership assignment


Possible Technology Considerations:

  • Privileged Access Management (PAM)


What needs to be answered:

Do users with admin access use a separate non-privileged account for regular, day-to-day use? Is this enforced by policy?


Checks for AWS

  • Verify Use of Non-privileged Accounts for Non-security Functions
    Description: This check ensures that non-privileged accounts or roles are used when accessing non-security functions, limiting exposure when operating from within privileged accounts or roles.
  • Confirm Role-based Access Control
    Description: This check verifies that role-based access control is correctly implemented, ensuring that a change of role provides the same degree of assurance in the change of access authorizations as a change between privileged and non-privileged accounts.
  • Validate Correct Use of Non-privileged Roles
    Description: This check confirms that non-privileged roles are correctly used in scenarios where access control policies such as role-based access control are implemented.
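The three AWS checks above can be evidenced from two sources: the IAM snapshot (who holds a privileged policy) and CloudTrail (what those principals actually did). The following Python is an added example, not part of the original control text or of any AWS tooling; it runs against a constructed IAM snapshot and a handful of constructed CloudTrail-style events. The principal names, the `-admin` naming convention used to pair an admin account with its daily-use account, the customer-managed policy ARN and the list of "security function" event sources are all assumptions to be tuned for the organization; `AdministratorAccess` and `ReadOnlyAccess` are real AWS managed policies.

```python
"""Evaluate a constructed IAM + CloudTrail snapshot for non-privileged account use.

Added example for the AWS checks on this control; not AWS's own code.
"""

# Constructed IAM snapshot: principal -> attached policy ARNs.
# The account id 123456789012 and the DeveloperReadWrite policy are made up.
IAM_PRINCIPALS = {
    "alice-admin": {"policies": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    "alice":       {"policies": ["arn:aws:iam::123456789012:policy/DeveloperReadWrite"]},
    "bob-admin":   {"policies": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    "carol":       {"policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
}

# Constructed CloudTrail-style events (only the fields the checks need).
CLOUDTRAIL_EVENTS = [
    {"userIdentity": {"userName": "alice-admin"}, "eventSource": "iam.amazonaws.com", "eventName": "CreateRole"},
    {"userIdentity": {"userName": "alice"},       "eventSource": "s3.amazonaws.com",  "eventName": "PutObject"},
    {"userIdentity": {"userName": "bob-admin"},   "eventSource": "s3.amazonaws.com",  "eventName": "GetObject"},
    {"userIdentity": {"userName": "bob-admin"},   "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"userIdentity": {"userName": "carol"},       "eventSource": "s3.amazonaws.com",  "eventName": "GetObject"},
]

# Policies that make a principal "privileged" for this control (assumption: extend as needed).
PRIVILEGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Event sources whose API calls count as security/administrative functions (assumption).
SECURITY_EVENT_SOURCES = {
    "iam.amazonaws.com", "sts.amazonaws.com", "kms.amazonaws.com",
    "cloudtrail.amazonaws.com", "organizations.amazonaws.com",
    "config.amazonaws.com", "guardduty.amazonaws.com",
}

# Assumed naming convention: "<user>-admin" is the privileged twin of "<user>".
ADMIN_SUFFIX = "-admin"


def privileged_principals(principals):
    """Names of principals holding at least one privileged policy."""
    return {name for name, p in principals.items()
            if PRIVILEGED_POLICIES & set(p["policies"])}


def non_security_use_by_privileged(events, privileged):
    """(principal, eventSource, eventName) for each non-security action taken
    by a privileged principal: the behaviour this control is meant to prevent."""
    findings = []
    for e in events:
        user = e["userIdentity"].get("userName")
        if user in privileged and e["eventSource"] not in SECURITY_EVENT_SOURCES:
            findings.append((user, e["eventSource"], e["eventName"]))
    return findings


def admins_without_daily_account(principals, privileged):
    """Privileged principals with no paired non-privileged account.

    A pair is valid only if the daily account exists and is itself non-privileged."""
    missing = []
    for name in sorted(privileged):
        base = name[:-len(ADMIN_SUFFIX)] if name.endswith(ADMIN_SUFFIX) else None
        if base is None or base not in principals or base in privileged:
            missing.append(name)
    return missing


if __name__ == "__main__":
    priv = privileged_principals(IAM_PRINCIPALS)
    print("privileged principals:", sorted(priv))
    for user, src, action in non_security_use_by_privileged(CLOUDTRAIL_EVENTS, priv):
        print(f"FINDING: {user} used privileged credentials for {src} {action}")
    for user in admins_without_daily_account(IAM_PRINCIPALS, priv):
        print(f"FINDING: {user} has no paired non-privileged account")
```

On the constructed data, `bob-admin` is flagged twice: once for reading S3 and describing EC2 instances with administrator credentials, and once because no plain `bob` account exists, so the only account Bob can do daily work from is the privileged one. In a real assessment the IAM snapshot would come from an export of users and attached policies and the events from a CloudTrail query over the assessment window, and the event-source allow-list would be agreed with the organization before the check is run.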

Checks for Azure

  • Ensure Use of Non-privileged Accounts for Regular Use
    Description: This policy check ensures that users with administrative access in Azure utilize non-privileged accounts for their regular day-to-day activities. It verifies that privileged accounts are not used for non-security functions, reducing the risk of potential exposure and unauthorized access.
  • Confirm Implementation of Role-Based Access Control (RBAC)
    Description: This policy check validates the proper implementation of Role-Based Access Control (RBAC) in Azure. It ensures that RBAC policies are in place, allowing users to assume roles that provide the same degree of assurance in access authorizations as a change between privileged and non-privileged accounts.
  • Validate Correct Usage of Non-privileged Roles
    Description: This policy check confirms that non-privileged roles are correctly utilized in Azure, particularly in scenarios where access control policies such as RBAC are implemented. It ensures that the assigned roles provide appropriate access authorizations and align with the principle of limiting exposure when operating from within privileged accounts or roles.
  • Enforce Policy for Use of Non-privileged Accounts
    Description: This policy check verifies that organizational policies are in place to enforce the use of non-privileged accounts for regular user activities. It ensures that policy guidelines are communicated and adhered to by users with administrative access, further mitigating risks associated with privileged account usage.

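Where the AWS example above looks at activity, the Azure checks are most directly evidenced from the role-assignment structure itself: which accounts hold privileged Azure RBAC or Azure AD roles, whether those grants are standing or Privileged Identity Management (PIM) eligible, and whether the privileged accounts also carry the workload roles that should live on a separate daily-use account. The following Python is an added example, not part of the original control text or of Microsoft's tooling; it evaluates a constructed role-assignment snapshot whose shape is loosely modelled on an `az role assignment list` export. The principals, the subscription id, the resource names and the `assignmentState` field are assumptions; `Owner`, `Contributor`, `User Access Administrator`, `Reader` and `Storage Blob Data Contributor` are real built-in Azure roles and `Global Administrator` is a real Azure AD role.

```python
"""Evaluate a constructed Azure role-assignment snapshot for non-privileged account use.

Added example for the Azure checks on this control; not Microsoft's code.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription id

# Constructed snapshot. assignmentState is an assumption: "Eligible" means a PIM-eligible
# grant that must be activated just-in-time, "Active" means a standing grant. A real export
# would also carry activation start/end times so that a JIT activation in progress is not
# mistaken for a permanent assignment; the constructed data omits them.
ROLE_ASSIGNMENTS = [
    {"principalName": "dana-admin@example.com", "roleDefinitionName": "Owner",
     "scope": SUB, "assignmentState": "Eligible"},
    {"principalName": "dana@example.com", "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-app", "assignmentState": "Active"},
    {"principalName": "eve-admin@example.com", "roleDefinitionName": "User Access Administrator",
     "scope": SUB, "assignmentState": "Active"},
    {"principalName": "eve-admin@example.com", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": f"{SUB}/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata",
     "assignmentState": "Active"},
    {"principalName": "frank@example.com", "roleDefinitionName": "Reader",
     "scope": SUB, "assignmentState": "Active"},
]

# Roles that make an account "privileged" for this control (assumption: extend per tenant).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator", "Global Administrator"}


def privileged_accounts(assignments):
    """Principals holding any privileged role at any scope, eligible or active."""
    return {a["principalName"] for a in assignments
            if a["roleDefinitionName"] in PRIVILEGED_ROLES}


def standing_privileged_assignments(assignments):
    """Privileged roles granted as standing (non-PIM) assignments.

    The control expects a change of role to carry the same assurance as switching
    accounts; a permanent Owner or User Access Administrator grant gives no such step."""
    return [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if a["roleDefinitionName"] in PRIVILEGED_ROLES and a["assignmentState"] == "Active"]


def workload_roles_on_privileged_accounts(assignments, privileged):
    """Non-privileged (day-to-day) roles held by privileged accounts.

    Such grants indicate the privileged account is being used for regular work
    instead of a separate non-privileged account."""
    return [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if a["principalName"] in privileged
            and a["roleDefinitionName"] not in PRIVILEGED_ROLES]


if __name__ == "__main__":
    priv = privileged_accounts(ROLE_ASSIGNMENTS)
    print("privileged accounts:", sorted(priv))
    for who, role, scope in standing_privileged_assignments(ROLE_ASSIGNMENTS):
        print(f"FINDING: standing {role} for {who} at {scope}")
    for who, role, scope in workload_roles_on_privileged_accounts(ROLE_ASSIGNMENTS, priv):
        print(f"FINDING: privileged account {who} holds workload role {role} at {scope}")
```

On the constructed data, `dana-admin` passes: her Owner grant is PIM-eligible and her day-to-day Contributor access sits on the separate `dana` account. `eve-admin` produces two findings: a standing User Access Administrator assignment on the subscription, and a Storage Blob Data Contributor grant that shows the privileged account being used for regular data work. Note that `dana@example.com` holds Contributor on a resource group; whether Contributor at resource-group scope counts as privileged is an organizational decision, which is why `PRIVILEGED_ROLES` is a parameter rather than a fixed rule.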

More Details: Administrative accounts are used only when executing administrative functions.