Level 2
Description:
Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
Priority: High
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- AWS Identity and Access Management (IAM), AWS Key Management Service (KMS)
- AWS CloudTrail, AWS Identity and Access Management (IAM)
- AWS Security Hub, AWS WAF, AWS Shield
- Amazon GuardDuty, Amazon Macie, AWS Security Hub
- AWS CloudTrail, AWS Identity and Access Management (IAM), Amazon GuardDuty
Services Associated with Azure:
- Azure RBAC (Role-Based Access Control)
- Azure Policy
- Azure Audit Logs
- Azure Active Directory (Azure AD)
- Azure Security Center
- Azure Sentinel
- Azure Monitor
- Azure Key Vault
- Azure Virtual Machines
- Azure App Service
- Azure Functions
- Azure Logic Apps
- Azure SQL Database
- Azure Cosmos DB
- Azure Event Grid
- Azure Service Bus
- Azure Notification Hubs
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how Role-Based Access Control (RBAC) is properly & securely implemented
- Technical: screenshot of groups and membership assignment
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Privileged Access Management (PAM)
What needs to be answered:
Are privilege escalations logged? Who knows the admin credentials?
Checks for AWS
- Ensure Non-privileged Users Cannot Execute Privileged Functions
Description: This check ensures that non-privileged users are prevented from executing privileged functions, such as establishing system accounts, performing system integrity checks, or administering cryptographic key management activities.
- Audit Execution of Privileged Functions
Description: This check verifies that the execution of privileged functions is properly captured in audit logs, aiding in the detection of misuse and helping to mitigate the risk from insider threats and advanced persistent threats.
- Validate Intrusion Detection and Prevention Mechanisms
Description: This check validates that intrusion detection and prevention mechanisms are properly configured and cannot be circumvented by non-privileged users.
- Confirm Proper Configuration of Malicious Code Protection Mechanisms
Description: This check confirms that malicious code protection mechanisms are correctly configured and cannot be bypassed by non-privileged users.
- Check for Unauthorized Use of Privileged Functions
Description: This check monitors for any unauthorized or inappropriate use of privileged functions, either intentionally or unintentionally, by authorized users or by unauthorized external entities.
Checks for Azure
- Ensure Non-privileged Users Cannot Execute Privileged Functions
Description: This policy check ensures that non-privileged users in Azure are restricted from executing privileged functions, such as establishing system accounts, conducting system integrity checks, performing patching operations, or administering cryptographic key management activities. It helps prevent unauthorized access and misuse of privileged functions by enforcing appropriate access controls.
- Audit Execution of Privileged Functions
Description: This policy check verifies that the execution of privileged functions in Azure is logged and captured in audit logs. It ensures that the use of privileged functions is properly recorded, allowing for detection and mitigation of misuse, insider threats, and advanced persistent threats through effective log analysis.
- Validate Intrusion Detection and Prevention Mechanisms
Description: This policy check validates that intrusion detection and prevention mechanisms in Azure are properly configured to prevent non-privileged users from circumventing or bypassing these security measures. It helps maintain the integrity and effectiveness of the security controls against unauthorized activities.
- Confirm Proper Configuration of Malicious Code Protection Mechanisms
Description: This policy check ensures that malicious code protection mechanisms in Azure are correctly configured and cannot be bypassed by non-privileged users. It helps protect the environment from potential malware or malicious code execution by enforcing effective security measures.
- Check for Unauthorized Use of Privileged Functions
Description: This policy check monitors Azure for any unauthorized or inappropriate use of privileged functions, whether intentional or unintentional, by authorized users or unauthorized external entities. It helps detect and mitigate risks associated with unauthorized access to privileged functions, reducing the potential impact on organizational security.
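Added example (not from the original page, and not AWS or Azure code): a small Python detector for the "Audit Execution of Privileged Functions" and "Check for Unauthorized Use of Privileged Functions" checks in both the AWS and Azure sections above, run over constructed CloudTrail-style records. The mapping of control functions to CloudTrail event names, the SecurityAdmin role ARN and the account id are assumptions; the same allowlist logic applies to Azure activity log records with their own field names.

```python
import json

# Privileged functions named in the control, keyed by the CloudTrail eventName that
# records them (assumed mapping; extend it for your environment).
PRIVILEGED_EVENTS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy",   # establishing system accounts
    "ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",    # cryptographic key management
    "DeleteDetector", "StopLogging", "DeleteTrail",         # circumventing detection/logging
}
# Principals authorized for those functions (assumed allowlist with a placeholder account
# id; in practice it is derived from the roles and groups defined under 3.1.2).
PRIVILEGED_PRINCIPALS = {"arn:aws:iam::123456789012:role/SecurityAdmin"}

def actor_of(record):
    """Principal ARN of the caller; for assumed roles, the role ARN rather than the session ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")

def find_privileged_misuse(records):
    """Return one finding per privileged event whose caller is outside the allowlist.
    Denied attempts (errorCode set) are reported too: they show a non-privileged user
    reaching for a privileged function, which is exactly what the check wants surfaced."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in PRIVILEGED_EVENTS:
            continue
        actor = actor_of(rec)
        if actor in PRIVILEGED_PRINCIPALS:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "actor": actor,
            "event": rec.get("eventSource", "") + ":" + rec["eventName"],
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return findings

def parse_records(text):
    """Parse newline-delimited JSON records (one CloudTrail event per line)."""
    return [json.loads(line) for line in text.strip().splitlines()]

# Constructed sample records, not real CloudTrail output, trimmed to the fields used above.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/SecurityAdmin/alice","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::123456789012:role/SecurityAdmin"}}}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T10:07:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
{"eventTime":"2024-05-01T10:09:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}}
"""
```

Running `find_privileged_misuse(parse_records(SAMPLE_LOG))` reports bob's denied KMS key-deletion attempt and his successful StopLogging call, while alice's CreateUser through the SecurityAdmin role and the unprivileged GetObject are not flagged.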
More Details: Non-privileged users are unable to perform auditing or administrative functions.