Benchmark: Least Privilege (AC-6)
Description
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Usage
Browse dashboards and select Least Privilege (AC-6):
steampipe dashboard
Or run the benchmarks in your terminal:
steampipe check aws_compliance.benchmark.nist_800_53_rev_4_ac_6
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share aws_compliance.benchmark.nist_800_53_rev_4_ac_6
Benchmarks
Controls
- CodeBuild project plaintext environment variables should not contain sensitive AWS values
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should not have a public IP address
- EC2 instances should use IMDSv2
- EMR cluster Kerberos should be enabled
- IAM groups should have at least one user
- IAM groups, users, and roles should not have any inline policies
- IAM policy should not have statements with admin access
- IAM root user should not have access keys
- IAM users should be in at least one group
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account and bucket levels
- SageMaker notebook instances should not have direct internet access