Level 2


Description:

Individuals with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of audit information by inhibiting audit logging activities or modifying audit records. This requirement specifies that privileged access be further divided between audit-related privileges and other privileges, thus limiting the number of users holding audit-related privileges.


Priority: High 


Domain: AUDIT AND ACCOUNTABILITY (AU) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure RBAC (Role-Based Access Control)
  • Azure Policy
  • Azure Sentinel
  • Azure Log Analytics
  • Azure Monitor
  • Azure Security Center


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screen shot of SIEM settings
  • Technical: screen shot of groups and membership assignment


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Security Information & Event Management (SIEM)
  • Role Based Access Control (RBAC)
  • Privileged Access Management (PAM) 


What needs to be answered:

Is access to management of audit functionality authorized only to a limited subset of privileged users?  


Checks for AWS

  • Restrict Audit Management Privileges to Authorized Users
    Description: This check ensures that the management of audit logging functionality is limited to a subset of privileged users. Organizations define a distinct set of audit-related privileges separate from other privileged access privileges. Only authorized individuals with specific audit-related privileges are granted the ability to manage and configure the audit logging functionality. This segregation of duties reduces the risk of unauthorized modification or manipulation of audit records by privileged users who are the subject of the audit.
  • Implement Role-Based Access Control for Audit Management
    Description: This check verifies that organizations have implemented role-based access control (RBAC) mechanisms to restrict access to audit management functionality. RBAC ensures that only authorized users assigned to specific audit management roles can perform activities related to configuring, monitoring, and maintaining the audit logging functionality. By assigning roles based on job responsibilities, organizations can ensure that audit-related privileges are granted only to individuals who have a legitimate need for such access.
  • Regularly Review and Update Audit Management Privileges
    Description: This check emphasizes the importance of regularly reviewing and updating audit management privileges. Organizations periodically assess and validate the access privileges granted to individuals for audit management activities. This includes removing access privileges for individuals who no longer require them or adjusting privileges based on changes in job responsibilities. By conducting regular reviews, organizations can maintain an up-to-date and accurate list of authorized users with audit management privileges, reducing the risk of unauthorized access or misuse.
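The three AWS checks above come down to one question that can be tested offline: given the policy documents attached to each IAM principal, which principals can actually stop, delete or reconfigure the audit trail, and are those principals the designated audit administrators? The following script is an added example and is not code from the original page. It assumes AWS CloudTrail is the audit logging service in scope and that a principal's effective permissions are the union of its attached policy documents; the policy documents, principal names and allow-list are constructed for the example. The evaluator is deliberately simplified (explicit Deny wins, then any Allow, else implicit deny; Resource and Condition elements are ignored), so a conditional or resource-scoped Allow is still reported as a capability, which is the conservative direction for a reviewer.

```python
"""Offline check: which IAM principals can manage audit logging?
Added example, not from the original page. Assumes CloudTrail is the audit
logging service and that permissions are the union of attached policies.
All policy documents and principal names are constructed."""
import fnmatch

# CloudTrail API actions that disable or reconfigure the audit trail. The
# action names are real; treating exactly this set as "audit management"
# is an assumption made for this example.
AUDIT_MANAGEMENT_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
]

# Constructed policy documents.
AUDIT_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}],
}
PLATFORM_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Guardrail for administrators who are NOT audit administrators: an explicit
# Deny on the audit-management actions, so broad admin rights exclude them.
AUDIT_GUARDRAIL_DENY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": AUDIT_MANAGEMENT_ACTIONS, "Resource": "*"}],
}
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "cloudtrail:LookupEvents", "cloudtrail:DescribeTrails"],
                   "Resource": "*"}],
}

# Principal name -> policy documents attached to it (constructed).
PRINCIPALS = {
    "AuditAdministrator": [AUDIT_ADMIN_POLICY],
    "PlatformAdministrator": [PLATFORM_ADMIN_POLICY, AUDIT_GUARDRAIL_DENY],
    "LegacyAdministrator": [PLATFORM_ADMIN_POLICY],  # guardrail never applied
    "Developer": [DEVELOPER_POLICY],
}


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_applies(statement, action):
    if "Action" in statement:
        return _matches(_as_list(statement["Action"]), action)
    if "NotAction" in statement:
        return not _matches(_as_list(statement["NotAction"]), action)
    return False


def is_allowed(policies, action):
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else
    implicit deny. Resource and Condition are ignored on purpose."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_applies(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def audit_management_capabilities(principals):
    """Principal name -> audit-management actions that principal can perform."""
    return {
        name: [a for a in AUDIT_MANAGEMENT_ACTIONS if is_allowed(policies, a)]
        for name, policies in principals.items()
    }


def principals_outside_allowlist(principals, audit_admins):
    """Principals that can manage audit logging but are not designated audit admins."""
    caps = audit_management_capabilities(principals)
    return sorted(name for name, acts in caps.items() if acts and name not in audit_admins)


if __name__ == "__main__":
    for name, acts in audit_management_capabilities(PRINCIPALS).items():
        print(f"{name}: {', '.join(acts) or 'no audit-management capability'}")
    print("outside allow-list:", principals_outside_allowlist(PRINCIPALS, {"AuditAdministrator"}))
```

In this constructed set the PlatformAdministrator loses audit-management capability through the explicit Deny while keeping everything else, the LegacyAdministrator surfaces as a finding because the guardrail was never attached, and the Developer's read-only CloudTrail actions are correctly not counted as audit management. Running the same evaluation over exported policies on a schedule gives the "regular review" check a concrete, repeatable artefact.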
     


Checks for Azure

  • Restrict Audit Management Privileges to Authorized Users in Azure:
    Description: This check ensures that access to the management of audit functionality in Azure is authorized only for a limited subset of privileged users. Organizations define a distinct set of audit-related privileges separate from other privileged access privileges. Only authorized individuals with specific audit-related privileges are granted the ability to manage and configure the audit logging functionality. By limiting access to audit management privileges, the risk of unauthorized modification or manipulation of audit records by privileged users who are the subject of the audit is reduced.
  • Implement Role-Based Access Control for Audit Management in Azure:
    Description: This check verifies that organizations have implemented RBAC mechanisms in Azure to control access to audit management functionality. RBAC ensures that only authorized users assigned to specific audit management roles can perform activities related to configuring, monitoring, and maintaining the audit logging functionality. By assigning roles based on job responsibilities, organizations can ensure that audit-related privileges are granted only to individuals who have a legitimate need for such access.
  • Regularly Review and Update Audit Management Privileges in Azure:
    Description: This check emphasizes the importance of regularly reviewing and updating audit management privileges in Azure. Organizations should conduct periodic assessments to validate the access privileges granted to individuals for audit management activities. This includes removing access privileges for individuals who no longer require them or adjusting privileges based on changes in job responsibilities. By regularly reviewing and updating audit management privileges, organizations can maintain an up-to-date and accurate list of authorized users with audit management privileges, reducing the risk of unauthorized access or misuse.
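For the Azure checks, the periodic review can be expressed as a reconciliation between live role assignments and the documented list of approved audit administrators. The script below is an added example and is not code from the original page. Its input records are constructed and follow the field names of `az role assignment list` JSON output (principalName, principalType, roleDefinitionName, scope); the set of built-in roles treated as "audit management" (those that can change diagnostic settings, Log Analytics workspaces or Sentinel) and the broad roles that include that capability (Owner, Contributor) are assumptions for the example and should be replaced with the organization's own definition. The subscription id and user names are placeholders.

```python
"""Access review for Azure audit-management role assignments.
Added example, not from the original page. Records are constructed and
shaped like `az role assignment list` output; the role sets are assumed."""
from collections import defaultdict

# Built-in roles that can reconfigure audit/diagnostic logging (assumed set).
AUDIT_MANAGEMENT_ROLES = {
    "Monitoring Contributor",
    "Log Analytics Contributor",
    "Microsoft Sentinel Contributor",
}
# Broad roles that include audit-management capability as a side effect.
BROAD_ROLES = {"Owner", "Contributor"}

# Constructed scopes (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_LOG = SUB + "/resourceGroups/rg-logging"
RG_APP = SUB + "/resourceGroups/rg-app"

# Constructed role assignment records.
ASSIGNMENTS = [
    {"principalName": "sec-audit-admins", "principalType": "Group",
     "roleDefinitionName": "Monitoring Contributor", "scope": SUB},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Log Analytics Contributor", "scope": RG_LOG},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Microsoft Sentinel Contributor", "scope": RG_LOG},
    {"principalName": "dave@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ci-deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": RG_APP},
]

# Documented list of approved audit administrators (constructed).
APPROVED_AUDIT_ADMINS = {"sec-audit-admins", "alice@example.com", "erin@example.com"}


def _is_audit_management(role):
    return role in AUDIT_MANAGEMENT_ROLES or role in BROAD_ROLES


def audit_management_holders(assignments):
    """Principal name -> list of (role, scope) that confer audit-management capability."""
    holders = defaultdict(list)
    for a in assignments:
        if _is_audit_management(a["roleDefinitionName"]):
            holders[a["principalName"]].append((a["roleDefinitionName"], a["scope"]))
    return dict(holders)


def review(assignments, approved):
    """Findings as (kind, principal, role, scope) tuples:
       unapproved               audit-management role held by a principal not on the list
       broad-role               Owner/Contributor held by a principal not on the list
       group-membership-review  a group holds the role; its membership needs its own review
       missing                  approved administrator with no audit-management assignment"""
    findings = []
    seen = set()
    ordered = sorted(assignments, key=lambda a: (a["principalName"], a["roleDefinitionName"]))
    for a in ordered:
        role = a["roleDefinitionName"]
        if not _is_audit_management(role):
            continue
        principal = a["principalName"]
        seen.add(principal)
        if principal not in approved:
            kind = "broad-role" if role in BROAD_ROLES else "unapproved"
            findings.append((kind, principal, role, a["scope"]))
        if a["principalType"] == "Group":
            findings.append(("group-membership-review", principal, role, a["scope"]))
    for principal in sorted(approved - seen):
        findings.append(("missing", principal, None, None))
    return findings


if __name__ == "__main__":
    for kind, principal, role, scope in review(ASSIGNMENTS, APPROVED_AUDIT_ADMINS):
        print(f"{kind:24} {principal:22} {role or '-':32} {scope or '-'}")
```

The output separates three different remediation paths: an unapproved holder of a dedicated audit role is a direct violation of the first check, a Contributor or Owner outside the list shows that general privileged access still implies audit-management capability (the separation the Description calls for has not been achieved), and a "missing" entry means the documented list has drifted from reality and needs updating rather than the assignments.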


More Details: Management of monitoring systems restricted to IT administrators.