
AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Require that users of system accounts (or roles) with access to organization-defined security functions or security-relevant information use non-privileged accounts or roles, when accessing nonsecurity functions.

>DoD Impact Level Requirements

FedRAMP Parameter Values

AC-6 (2) [all security functions]

Additional Requirements and Guidance

AC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

>Discussion

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

>Programmatic Queries


Related Services

IAM
AWS Organizations
IAM Identity Center

CLI Commands

List users without MFA (potential non-compliant privileged users). The report must first be generated with aws iam generate-credential-report; in the report CSV, mfa_active is the 8th column (the 4th is password_enabled), and the header row is skipped:
aws iam get-credential-report --query 'Content' --output text | base64 -d | awk -F, 'NR > 1 && $8 == "false" {print $1}'
List inline policies attached to a user (should be minimized)
aws iam list-user-policies --user-name USERNAME
Check whether a user is a member of both administrative and non-administrative groups (a sign the same account is used for security functions and nonsecurity work)
aws iam list-groups-for-user --user-name USERNAME --query 'Groups[].GroupName'
List all permission sets in IAM Identity Center; review each one to separate administrative permission sets from non-administrative ones
aws sso-admin list-permission-sets --instance-arn INSTANCE_ARN --query 'PermissionSets'
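As an added example (not part of this page or of any AWS tooling), a shell check that applies the group-membership query above across many users and flags any single account that sits in both an administrative group and a non-administrative group, which is exactly the mixing AC-6(2) wants separated. The membership list and the admin group names are constructed stand-ins for per-user output of aws iam list-groups-for-user.

```shell
#!/bin/sh
# Flag IAM users whose one account belongs to both an admin group and a
# non-admin group, i.e. the same identity is used for security functions
# and for nonsecurity work.

# Constructed sample: one "user group" pair per line, standing in for
#   aws iam list-groups-for-user --user-name <user> --query 'Groups[].GroupName'
# run once per user. Note the carol / carol-admin split: that is the
# separate-account pattern the control asks for.
MEMBERSHIPS='alice Administrators
alice Developers
bob Developers
carol SecurityAdmins
carol-admin SecurityAdmins
carol Developers
dave Administrators'

# Group names treated as privileged (assumption; use the organisation's own names).
ADMIN_GROUPS='Administrators SecurityAdmins'

# Prints each user that is in at least one admin group AND at least one
# non-admin group, one per line, in first-seen order. Users that are only
# privileged or only non-privileged are not printed.
flag_mixed_role_users() {
    printf '%s\n' "$MEMBERSHIPS" | awk -v admins="$ADMIN_GROUPS" '
        BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) isadmin[a[i]] = 1 }
        NF == 2 {
            if ($2 in isadmin) priv[$1] = 1; else nonpriv[$1] = 1
            if (!($1 in seen)) { seen[$1] = 1; order[++k] = $1 }
        }
        END {
            for (i = 1; i <= k; i++) {
                u = order[i]
                if ((u in priv) && (u in nonpriv)) print u
            }
        }'
}

flag_mixed_role_users
```

Against the sample data the check reports alice and carol; carol-admin, bob and dave each hold only one kind of group and pass.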

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-6(2) (Non-Privileged Access For Nonsecurity Functions)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-6(2)?
  • How frequently is the AC-6(2) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-6(2)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-6(2) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-6(2)?
  • How is AC-6(2) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-6(2) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-6(2)?
  • What audit logs, records, reports, or monitoring data validate AC-6(2) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-6(2) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-6(2) compliance?
