
RA-5(5) Vulnerability Monitoring and Scanning | Privileged Access

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Implement privileged access authorization to organization-defined system components for organization-defined vulnerability scanning activities.

>DoD Impact Level Requirements

FedRAMP Parameter Values

RA-5 (5)-1: [all components that support authentication]
RA-5 (5)-2: [all scans]

>Discussion

In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

>Programmatic Queries


Related Services

AWS Systems Manager Session Manager
AWS CloudTrail
AWS Access Analyzer

CLI Commands

Enable Session Manager for privileged scanning (Session Manager only applies the preferences document if it is named exactly SSM-SessionManagerRunShell)
aws ssm create-document --content file://session-manager-config.json --name SSM-SessionManagerRunShell --document-type Session
Review privileged access audit logs (replace admin-role with the name of the role the scanner assumes)
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=admin-role --max-results 50
Analyze IAM role trust relationships (a role trust policy is a resource policy, so it is validated with RESOURCE_POLICY rather than IDENTITY_POLICY)
aws accessanalyzer validate-policy --policy-document file://iam-policy.json --policy-type RESOURCE_POLICY
List privileged users with scanning permissions (text output is needed so the user names can be iterated; the default JSON output would feed brackets and quotes into the loop)
for u in $(aws iam list-users --query 'Users[].UserName' --output text); do echo "$u: $(aws iam list-attached-user-policies --user-name "$u" --query 'AttachedPolicies[].PolicyName' --output text)"; done
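As an added example (not code from this control page or from any AWS tool), the following Python reviews the JSON that aws cloudtrail lookup-events returns for the privileged scanning role and flags every assumption of that role by a principal not on the approved scanner list or outside the approved scan window, which is the evidence an assessor asks for under RA-5(5). The role name vuln-scan-privileged, the approved principal ARN, the scan window and the sample events are all constructed assumptions.

```python
"""Review CloudTrail lookup-events output for a privileged vulnerability-scanning role.

Added example; not code from the control page or from AWS. Assumed setup:
the scanner assumes an IAM role named "vuln-scan-privileged", only the
principals in AUTHORIZED_SCANNERS may do so, and only during SCAN_WINDOW_UTC.
"""
import json
from datetime import datetime, timezone

SCAN_ROLE = "vuln-scan-privileged"  # hypothetical role name
AUTHORIZED_SCANNERS = {              # hypothetical approved principal ARNs
    "arn:aws:iam::123456789012:user/scanner-svc",
}
SCAN_WINDOW_UTC = (1, 5)             # approved window: 01:00 <= hour < 05:00 UTC


def _event(event_id, name, when, principal_arn, source_ip):
    """Build one record in the shape `aws cloudtrail lookup-events` returns (constructed)."""
    return {
        "EventId": event_id,
        "EventName": name,
        "EventTime": when,
        "Username": principal_arn.rsplit("/", 1)[-1],
        "Resources": [{"ResourceType": "AWS::IAM::Role",
                       "ResourceName": f"arn:aws:iam::123456789012:role/{SCAN_ROLE}"}],
        # CloudTrailEvent carries the full record serialised as a JSON string
        "CloudTrailEvent": json.dumps({
            "eventName": name,
            "userIdentity": {"arn": principal_arn},
            "sourceIPAddress": source_ip,
        }),
    }


# Constructed sample output of:
#   aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vuln-scan-privileged
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    _event("evt-1", "AssumeRole", "2024-05-01T02:15:00+00:00",
           "arn:aws:iam::123456789012:user/scanner-svc", "10.0.1.20"),   # approved
    _event("evt-2", "AssumeRole", "2024-05-01T14:40:00+00:00",
           "arn:aws:iam::123456789012:user/alice", "203.0.113.7"),       # wrong principal, wrong time
    _event("evt-3", "GetRole", "2024-05-01T09:00:00+00:00",
           "arn:aws:iam::123456789012:user/alice", "203.0.113.7"),       # read-only call, not an assumption
    _event("evt-4", "AssumeRole", "2024-05-01T23:05:00+00:00",
           "arn:aws:iam::123456789012:user/scanner-svc", "10.0.1.20"),   # right principal, wrong time
]})


def review_scan_role_events(lookup_output, role=SCAN_ROLE,
                            authorized=AUTHORIZED_SCANNERS, window=SCAN_WINDOW_UTC):
    """Return findings for AssumeRole events on `role` that fall outside the authorization.

    Each finding records the event id, the principal, the UTC time, the source
    address and the reasons it was flagged. An empty list means every use of
    the privileged scanning role was by an approved principal inside the window.
    """
    findings = []
    for ev in json.loads(lookup_output)["Events"]:
        if ev.get("EventName") != "AssumeRole":
            continue
        names = [r.get("ResourceName", "") for r in ev.get("Resources", [])]
        # ResourceName may be the bare role name or the full role ARN
        if not any(n == role or n.endswith("/" + role) for n in names):
            continue
        detail = json.loads(ev["CloudTrailEvent"])
        principal = detail.get("userIdentity", {}).get("arn", "<unknown>")
        # The CLI emits ISO 8601 with an offset; normalise a trailing "Z" just in case
        when = datetime.fromisoformat(ev["EventTime"].replace("Z", "+00:00")).astimezone(timezone.utc)
        reasons = []
        if principal not in authorized:
            reasons.append("principal not on approved scanner list")
        if not (window[0] <= when.hour < window[1]):
            reasons.append("outside approved scan window")
        if reasons:
            findings.append({
                "event_id": ev["EventId"],
                "principal": principal,
                "time": when.isoformat(),
                "source_ip": detail.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_scan_role_events(SAMPLE_LOOKUP_OUTPUT):
        print(f"{f['event_id']} {f['time']} {f['principal']} from {f['source_ip']}: "
              + "; ".join(f["reasons"]))
```

To run it against real data, pipe the output of the lookup-events command on this page into the script in place of SAMPLE_LOOKUP_OUTPUT and keep the findings list with the scan report; an empty list for the scan period is the positive evidence that privileged access was limited to the authorized scanning activity.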

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your organization's documented risk assessment policy and how does it address the requirements of RA-5(5)?
  • Who has been designated as responsible for conducting and maintaining risk assessments?
  • How frequently are risk assessments conducted and what triggers an update to the risk assessment?

Technical Implementation:

  • What methodology or framework do you use to conduct risk assessments?
  • How do you identify and categorize threats and vulnerabilities during the risk assessment process?
  • What tools or systems support your risk assessment activities?
  • What vulnerability scanning tools are used and how often are scans performed?

Evidence & Documentation:

  • Can you provide the most recent risk assessment report?
  • What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
  • Where are risk assessment results documented and how long are they retained?
  • Can you provide recent vulnerability scan reports and evidence of remediation?
