AC-7—Unsuccessful Logon Attempts
>Control Description
Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during an [Assignment: organization-defined time period]; and
Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.
>DoD Impact Level Requirements
DoD FedRAMP+ Parameters
For privileged users, DOD limits to three unsuccessful attempts and requires an administrator to unlock. For nonprivileged users, if rate limiting is used, DOD will allow 10 attempts with the account automatically unlocked after 30 minutes. If rate limiting is not used, normal DSPAV will be required.
Additional Requirements and Guidance
AC-7 Requirement: In alignment with NIST SP 800-63B
>Discussion
The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components.
Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks.
In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
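The discussion above names two lockout responses (a temporary lockout that auto-releases after an organization-defined period, or a lockout held until an administrator releases it) plus an optional delay algorithm, and the DoD parameters fix the counts at 3 attempts with administrator unlock for privileged users and 10 attempts with a 30-minute auto-release for nonprivileged users. The following is an added example, not code from the page or from NIST/FedRAMP, showing one way to implement those rules as a small lockout tracker. The 15-minute counting window, the 1-second backoff base and the 60-second cap are assumptions; time is passed in explicitly so the behaviour is deterministic.

```python
"""Added example (not from the AC-7 page): a lockout tracker for the two AC-7
lockout responses plus an exponential-backoff delay algorithm."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int                 # organization-defined consecutive invalid attempts
    window_seconds: float             # organization-defined period in which they are counted
    lockout_seconds: Optional[float]  # auto-release delay; None = administrator must unlock


# Counts and release behaviour from the page's DoD FedRAMP+ parameters; the
# 15-minute counting window is an assumption (the page leaves it organization-defined).
PRIVILEGED = LockoutPolicy(max_attempts=3, window_seconds=15 * 60, lockout_seconds=None)
NONPRIVILEGED = LockoutPolicy(max_attempts=10, window_seconds=15 * 60, lockout_seconds=30 * 60)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_at: Optional[float] = None
    admin_unlock_required: bool = False


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _recent_failures(self, st: AccountState, now: float) -> List[float]:
        # Failures older than the counting window no longer count as "consecutive".
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        return st.failures

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if st.admin_unlock_required:
            return True  # never auto-releases; see admin_unlock()
        if now - st.locked_at >= self.policy.lockout_seconds:
            # Temporary lockout expired: release the account and reset the counter.
            st.locked_at = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> str:
        """Return 'locked' if the account is locked after this attempt, else 'failed'."""
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        recent = self._recent_failures(st, now)
        recent.append(now)
        # Implementation choice: the Nth consecutive failure within the window locks.
        if len(recent) >= self.policy.max_attempts:
            st.locked_at = now
            st.admin_unlock_required = self.policy.lockout_seconds is None
            return "locked"
        return "failed"

    def record_success(self, user: str, now: float) -> bool:
        """A valid credential is still rejected while locked; otherwise it resets the counter."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def admin_unlock(self, user: str) -> None:
        st = self._state(user)
        st.locked_at = None
        st.admin_unlock_required = False
        st.failures.clear()

    def delay_seconds(self, user: str, now: float) -> float:
        """Delay-algorithm alternative: exponential backoff on recent failures
        (assumed 1 s base doubling per failure, capped at 60 s)."""
        n = len(self._recent_failures(self._state(user), now))
        return 0.0 if n == 0 else float(min(2 ** (n - 1), 60))
```

A success clears the counter so that only consecutive failures count, and the window filter means an old failure does not keep an account one attempt from lockout indefinitely. A production system would also emit the "notify system administrator" action from `record_failure` and persist `AccountState` so the counter survives restarts and is shared across nodes.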
>Programmatic Queries
Related Services
CLI Commands
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --query 'Events[?contains(CloudTrailEvent, `"responseElements":{"ConsoleLogin":"Failure"}`)]'
aws cloudwatch describe-alarms --alarm-name-prefix 'FailedLogin'
aws iam generate-credential-report && aws iam get-credential-report
aws logs filter-log-events --log-group-name CloudTrail/logs --filter-pattern '{ $.errorCode = "*UnauthorizedAccess*" }'
>Related Controls
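The first CLI command above selects ConsoleLogin events whose serialized record contains `"responseElements":{"ConsoleLogin":"Failure"}`. That gives a raw list of failures but not the per-user, per-window count AC-7 actually asks about. The following added example (not part of the page or of any AWS tooling) takes events in the shape `aws cloudtrail lookup-events` returns, applies the same substring match for comparison, then parses each record and reports users whose failures within a sliding window reach the configured limit. The event records are constructed sample data; user names, IPs and timestamps are made up.

```python
"""Added example (not from the AC-7 page): count CloudTrail ConsoleLogin failures
per user within a sliding window, the way an AC-7 alarm would."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Tuple

# Same literal the page's `aws cloudtrail lookup-events --query` filter relies on.
FAILURE_MARKER = '"responseElements":{"ConsoleLogin":"Failure"}'


def make_event(user: str, event_time: str, outcome: str, ip: str = "203.0.113.10") -> dict:
    """Build one lookup-events style item; the CloudTrailEvent field is a JSON string."""
    record = {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    }
    if outcome == "Failure":
        record["errorMessage"] = "Failed authentication"
    # Compact separators so the substring FAILURE_MARKER matches, as in real records.
    return {"EventName": "ConsoleLogin",
            "CloudTrailEvent": json.dumps(record, separators=(",", ":"))}


# Constructed sample: alice fails four times in 70 s then succeeds; bob fails twice an
# hour apart; carol logs in cleanly.
SAMPLE_EVENTS: List[dict] = [
    make_event("alice", "2024-01-15T10:00:00Z", "Failure"),
    make_event("alice", "2024-01-15T10:00:20Z", "Failure"),
    make_event("alice", "2024-01-15T10:00:45Z", "Failure"),
    make_event("alice", "2024-01-15T10:01:10Z", "Failure"),
    make_event("alice", "2024-01-15T10:02:00Z", "Success"),
    make_event("bob", "2024-01-15T09:00:00Z", "Failure", ip="198.51.100.7"),
    make_event("bob", "2024-01-15T10:00:00Z", "Failure", ip="198.51.100.7"),
    make_event("carol", "2024-01-15T10:05:00Z", "Success"),
]


def raw_failure_count(events: List[dict]) -> int:
    """What the CLI's contains() filter would return: a substring match on the raw JSON."""
    return sum(1 for e in events if FAILURE_MARKER in e["CloudTrailEvent"])


def failed_console_logins(events: List[dict]) -> Iterator[Tuple[str, datetime, Optional[str]]]:
    """Parse records properly and yield (user, time, source IP) for each failure."""
    for e in events:
        rec = json.loads(e["CloudTrailEvent"])
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield user, when, rec.get("sourceIPAddress")


def users_over_threshold(events: List[dict], max_attempts: int, window_seconds: float) -> Dict[str, int]:
    """Return {user: peak failures in any window} for users reaching max_attempts."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for user, when, _ip in failed_console_logins(events):
        by_user[user].append(when)
    flagged: Dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_attempts:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print("raw failures:", raw_failure_count(SAMPLE_EVENTS))
    print("over threshold (3 in 15 min):", users_over_threshold(SAMPLE_EVENTS, 3, 15 * 60))
```

The substring match and the parsed count agree on the total number of failures, but only the parsed, windowed version distinguishes alice's burst from bob's two isolated failures, which is the difference between a noisy alarm and one that tracks the control's "consecutive attempts within a time period" parameters.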
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of AC-7 (Unsuccessful Logon Attempts)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring AC-7?
- How frequently is the AC-7 policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to AC-7?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce AC-7 requirements.
- What automated tools, systems, or technologies are deployed to implement AC-7?
- How is AC-7 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce AC-7 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of AC-7?
- What audit logs, records, reports, or monitoring data validate AC-7 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of AC-7 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate AC-7 compliance?