Level 2
Description:
Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
Priority: High
Domain: IDENTIFICATION AND AUTHENTICATION (IA)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Identity Protection
- Azure Key Vault
- Azure Active Directory B2C
- Azure Multi-Factor Authentication
- Azure Conditional Access
- Azure Active Directory Domain Services
- Azure AD Privileged Identity Management
- Azure Information Protection
- Azure Sentinel
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
What needs to be answered:
Are user accounts or identifiers monitored for inactivity? Are user or device identifiers disabled after a period of inactivity (30 days)?
Checks for AWS
- Disable Inactive Identifiers
Description: This check ensures that identifiers (e.g., user accounts, service accounts, device identifiers) are disabled after a defined period of inactivity. Inactive identifiers refer to accounts or identifiers that have not been used for a specified period of time. Disabling inactive identifiers helps mitigate the risk of unauthorized access and potential misuse of dormant accounts. Organizations should establish policies and procedures to identify and monitor inactive identifiers and implement controls to automatically disable these identifiers after a defined period of inactivity. The defined period of inactivity should be based on the organization's risk tolerance and security requirements. By disabling inactive identifiers, organizations can reduce the attack surface and enhance the overall security posture of their systems.
Checks for Azure
- Monitor User Account Inactivity
Description: This check verifies that user accounts are monitored for inactivity in Azure. Monitoring user account inactivity helps identify accounts that have not been used for a specified period of time. By monitoring inactivity, organizations can identify potentially dormant accounts and take appropriate actions to mitigate the risk of unauthorized access. This can include disabling or deleting inactive user accounts, depending on the organization's policies and security requirements.
- Disable Inactive User or Device Identifiers
Description: This check ensures that inactive user or device identifiers are disabled after a defined period of inactivity in Azure. Inactive identifiers refer to user accounts or device identifiers that have not been used for a specified period of time. Disabling inactive identifiers helps mitigate the risk of unauthorized access and potential misuse of dormant accounts or devices. Organizations should establish policies and procedures to identify and monitor inactive identifiers and implement controls to automatically disable these identifiers after a defined period of inactivity. The defined period of inactivity should be based on the organization's risk tolerance and security requirements.
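The AWS and Azure checks above both reduce to the same logic: take the newest observed use of every credential an identifier owns, fall back to the creation date when it has never been used, and flag anything older than the threshold (30 days, as in the question above). The script below is an added example written for this page, not tooling from AWS, Microsoft or the control framework. It runs the logic over two constructed samples: an IAM credential report in the CSV layout returned by `aws iam get-credential-report`, and a Microsoft Graph `users` response selected with `signInActivity`. The account ID, user names and UPNs are fictional, and "now" is pinned so the results are reproducible offline.

```python
"""Flag user identifiers that have been inactive for more than a threshold.

Added example for the 'Disable Inactive Identifiers' checks; sample data is
constructed and the account ID / UPNs are fictional.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_DAYS = 30
# Pinned so the constructed samples evaluate the same way every run.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """ISO-8601 -> aware datetime. The credential report marks 'never' with
    N/A / no_information / not_supported; Graph uses null or omits the field."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_inactive(last_seen, created, now=NOW, days=INACTIVITY_DAYS) -> bool:
    """Inactive = newest activity (or creation, if never used) older than `days`.
    Falling back to creation catches credentials issued but never exercised."""
    ref = last_seen or created
    return ref is not None and (now - ref) > timedelta(days=days)


# --- AWS: IAM credential report (constructed sample in the real column layout) ---
AWS_CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-06-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T10:00:00+00:00,true,2024-06-25T08:12:00+00:00,2024-01-10T08:00:00+00:00,N/A,true,true,2024-01-10T08:00:00+00:00,2024-06-29T17:45:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T10:00:00+00:00,true,2024-03-01T08:12:00+00:00,2023-11-10T08:00:00+00:00,N/A,false,true,2023-11-10T08:00:00+00:00,2024-04-02T11:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2024-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def aws_inactive_users(report_csv: str, now=NOW, days=INACTIVITY_DAYS) -> dict:
    """{user: last_seen_iso_or_None} for IAM users whose console password and
    every *active* access key have all gone unused for more than `days`."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root cannot be disabled this way; it has its own controls
        used = []
        if row["password_enabled"] == "true":
            used.append(parse_ts(row["password_last_used"]))
        for n in ("1", "2"):  # only keys that are still active can grant access
            if row[f"access_key_{n}_active"] == "true":
                used.append(parse_ts(row[f"access_key_{n}_last_used_date"]))
        seen = [t for t in used if t]
        last_seen = max(seen) if seen else None
        if is_inactive(last_seen, parse_ts(row["user_creation_time"]), now, days):
            findings[row["user"]] = last_seen.isoformat() if last_seen else None
    return findings


# --- Azure: Graph users with signInActivity (constructed sample) ---
# Real query: GET /v1.0/users?$select=userPrincipalName,accountEnabled,createdDateTime,signInActivity
GRAPH_USERS = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "createdDateTime": "2021-03-04T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-06-28T07:30:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-06-29T23:10:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "createdDateTime": "2021-03-04T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-04-15T07:30:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"userPrincipalName": "contractor@contoso.example", "accountEnabled": True,
     "createdDateTime": "2024-01-15T00:00:00Z"},  # never signed in: no signInActivity
    {"userPrincipalName": "old@contoso.example", "accountEnabled": False,
     "createdDateTime": "2019-01-15T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},
]})


def azure_inactive_users(users_json: str, now=NOW, days=INACTIVITY_DAYS) -> dict:
    """{upn: last_seen_iso_or_None} for enabled accounts with neither an
    interactive nor a non-interactive sign-in within `days`."""
    findings = {}
    for u in json.loads(users_json)["value"]:
        if not u.get("accountEnabled"):
            continue  # already disabled; nothing left to do for this control
        act = u.get("signInActivity") or {}
        seen = [t for t in (parse_ts(act.get("lastSignInDateTime")),
                            parse_ts(act.get("lastNonInteractiveSignInDateTime"))) if t]
        last_seen = max(seen) if seen else None
        if is_inactive(last_seen, parse_ts(u["createdDateTime"]), now, days):
            findings[u["userPrincipalName"]] = last_seen.isoformat() if last_seen else None
    return findings


if __name__ == "__main__":
    print("AWS inactive:", aws_inactive_users(AWS_CREDENTIAL_REPORT))
    print("Azure inactive:", azure_inactive_users(GRAPH_USERS))
```

Against live data, run `aws iam generate-credential-report` and then `aws iam get-credential-report --query Content --output text | base64 -d` for the AWS input, and the Graph query shown in the comment (reading `signInActivity` requires a Microsoft Entra ID P1/P2 licence and the `AuditLog.Read.All` permission) for the Azure input. Two design points matter for the control: a service account that authenticates only with access keys has no password activity, so the check has to look at key last-used dates and, for keys never used, the creation date (the `svc-backup` case above); and non-interactive sign-ins count as activity in Entra, otherwise headless accounts that are genuinely in use get flagged. The findings are what you act on with `aws iam update-access-key --status Inactive` / `aws iam delete-login-profile`, or by setting `accountEnabled` to false on the Entra user; the script deliberately only reports.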
More Details: User accounts are monitored for inactivity and reviewed for deactivation or removal after a significant idle period.