
AC-22 Publicly Accessible Content

IL4 Mod
IL4 High
IL5
IL6

Control Description

a. Designate individuals authorized to make information publicly accessible;

b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and

d. Review the content on the publicly accessible system for nonpublic information [organization-defined frequency] and remove such information, if discovered.

DoD Impact Level Requirements

FedRAMP Parameter Values

AC-22 (d) [at least quarterly]

Discussion

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the Privacy Act (PRIVACT) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy.

While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

Programmatic Queries

Related Services

S3
CloudFront
API Gateway

CLI Commands

Find public S3 buckets (list every bucket name as text, then print only the ACL grants made to the anonymous AllUsers group; the default JSON output of list-buckets cannot be fed straight into a per-bucket loop):
for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do echo "== $b"; aws s3api get-bucket-acl --bucket "$b" --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]'; done

Check S3 Block Public Access at the account level (ACCOUNT_ID is a placeholder for the AWS account number):
aws s3control get-public-access-block --account-id ACCOUNT_ID

List CloudFront distributions together with their origin domain names:
aws cloudfront list-distributions --query 'DistributionList.Items[*].{Id:Id,Domain:DomainName,Origins:Origins.Items[*].DomainName}'

Check public API Gateway endpoints (every REST API whose endpoint type is not PRIVATE, i.e. REGIONAL or EDGE, is reachable from the internet):
aws apigateway get-rest-apis --query 'items[?endpointConfiguration.types[0]!=`PRIVATE`].{Id:id,Name:name,Type:endpointConfiguration.types[0]}'
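The CLI queries above only collect raw ACL, policy-status and Block Public Access output; deciding whether a bucket is actually exposed requires combining the account-level and bucket-level settings with the ACL grants and policy status. The following script is an added example, not part of this page or of any AWS tooling: it applies that decision to constructed sample evidence shaped like the real CLI JSON responses, and the bucket names and data are made up.

```python
# Added example (not from the page): classify S3 buckets for the AC-22(d) periodic review
# from captured AWS CLI JSON (get-public-access-block, get-bucket-acl,
# get-bucket-policy-status response shapes). All sample data below is constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def bpa_fully_on(cfg):
    """True only when all four Block Public Access settings are enabled (None = not set)."""
    return bool(cfg) and all(cfg.get(f) is True for f in BPA_FLAGS)

def public_acl_grants(acl):
    """Permissions the ACL grants to the anonymous (AllUsers) or any-AWS-account groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES)

def assess_bucket(name, account_bpa, bucket_bpa, acl, policy_status):
    """'blocked': full BPA (account or bucket level) shields the bucket even if a public
    ACL/policy exists; 'public': reachable without authentication; otherwise 'private'.
    A partially enabled BPA is conservatively treated as no protection."""
    grants = public_acl_grants(acl)
    policy_public = bool(policy_status and
                         policy_status.get("PolicyStatus", {}).get("IsPublic"))
    if bpa_fully_on(account_bpa) or bpa_fully_on(bucket_bpa):
        status = "blocked"      # stray public grant to clean up, but not exposed
    elif grants or policy_public:
        status = "public"       # content here must be reviewed for nonpublic information
    else:
        status = "private"
    return {"bucket": name, "status": status, "acl_grants": grants, "policy_public": policy_public}

# Constructed sample evidence: account-level BPA off, four buckets in different states.
ACCOUNT_BPA = {f: False for f in BPA_FLAGS}
ALL_USERS_READ = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                              "Permission": "READ"}]}
SAMPLE = {
    "press-kits":     {"bpa": None, "acl": ALL_USERS_READ, "policy": None},
    "hr-exports":     {"bpa": None, "acl": {"Grants": []},
                       "policy": {"PolicyStatus": {"IsPublic": True}}},
    "finance-backup": {"bpa": {f: True for f in BPA_FLAGS}, "acl": ALL_USERS_READ, "policy": None},
    "app-logs":       {"bpa": None, "acl": {"Grants": []}, "policy": None},
}

def review(account_bpa=ACCOUNT_BPA, buckets=SAMPLE):
    """The periodic AC-22(d) report: one finding per bucket."""
    return [assess_bucket(n, account_bpa, b["bpa"], b["acl"], b["policy"]) for n, b in buckets.items()]

if __name__ == "__main__":
    for r in review():
        print(f"{r['bucket']:15} {r['status']:8} acl={r['acl_grants']} policy_public={r['policy_public']}")
```

Buckets reported as "public" are the ones whose content falls under the AC-22(d) review; "blocked" buckets still carry a stray public grant worth removing.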

Related Controls

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-22 (Publicly Accessible Content)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-22?
  • How frequently is the AC-22 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-22?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-22 requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-22?
  • How is AC-22 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-22 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-22?
  • What audit logs, records, reports, or monitoring data validate AC-22 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-22 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-22 compliance?
