
AC-6(2) Non-Privileged Access For Nonsecurity Functions

Baselines: MODERATE, HIGH

>Control Description

Require that users of system accounts (or roles) with access to organization-defined security functions or security-relevant information use non-privileged accounts or roles, when accessing nonsecurity functions.

>Programmatic Queries

Related Services

IAM
AWS Organizations
IAM Identity Center

CLI Commands

List users without MFA (supporting check: a privileged identity without MFA is a finding on its own, but MFA does not by itself satisfy AC-6(2)). The report must be generated before it can be fetched, the first line is a header, and mfa_active is the eighth column of the credential report CSV (the fourth is password_enabled):
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | awk -F, 'NR > 1 && $8 == "false" {print $1}'
List inline policies attached to a user (a daily-use account should carry no standing security-function permissions; these should be minimized and moved to an assumable role)
aws iam list-user-policies --user-name USERNAME
List the groups a user belongs to (a user who sits in an administrative group and also uses that same account for routine work is operating privileged for nonsecurity functions)
aws iam list-groups-for-user --user-name USERNAME --query 'Groups[].GroupName'
List permission sets in IAM Identity Center (this returns ARNs only; describe each one and its attached policies to tell the privileged sets from the non-privileged ones)
aws sso-admin list-permission-sets --instance-arn INSTANCE_ARN --query 'PermissionSets'
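The CLI commands above only enumerate identities and entitlements; deciding whether a daily-use account actually holds standing access to security functions still needs the policy documents joined against the organization's list of security-relevant actions. The script below is an added example of that join, not code from the original page or an AWS tool. It runs offline on a constructed credential report and constructed policy documents (shaped like `aws iam get-credential-report` output and `aws iam get-user-policy` / `aws iam get-policy-version` documents, but not real account data), and the SECURITY_FUNCTIONS list is an assumed stand-in for the organization-defined set. It deliberately over-approximates: Deny statements, NotAction, Resource and Condition are ignored, so a hit means "review this identity", not a confirmed exposure.

```python
"""Offline AC-6(2) check: which console-enabled (daily-use) IAM users hold
standing access to security functions through their own policies?
Added example; all inputs below are constructed, not real account data."""
import csv
import fnmatch
import io

# Assumption: an organization-defined list of security functions, written as
# IAM action patterns. Replace with the list from the organization's AC-6 definition.
SECURITY_FUNCTIONS = [
    "iam:*",
    "kms:PutKeyPolicy",
    "kms:ScheduleKeyDeletion",
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "guardduty:DeleteDetector",
    "config:StopConfigurationRecorder",
]

# Constructed credential report, decoded, with the real report's column names.
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
alice,arn:aws:iam::123456789012:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-01T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2023-01-01T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,false,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

# Constructed policy documents per user (inline plus attached, already fetched).
POLICIES = {
    "alice": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"}]}],
    "bob": [{"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"}}],
    "svc-deploy": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _actions_overlap(policy_action, security_function):
    """True when two (possibly wildcarded) action patterns can name the same action.
    IAM action names are case-insensitive, so compare lowercased."""
    a, b = policy_action.lower(), security_function.lower()
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)


def security_functions_granted(policy_docs):
    """Security functions reachable through Allow statements in policy_docs.
    Simplification: Deny, NotAction, Resource and Condition are ignored (over-approximation)."""
    granted = set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action")):
                for sf in SECURITY_FUNCTIONS:
                    if _actions_overlap(action, sf):
                        granted.add(sf)
    return granted


def standing_security_access(policies):
    """Map each user to the security functions its own entitlements reach."""
    return {user: security_functions_granted(docs) for user, docs in policies.items()}


def _report_rows(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def ac6_2_findings(report_csv, policies):
    """Console-enabled users (daily-use identities) whose own entitlements include
    security functions: these are the accounts that should be split into a
    non-privileged daily account plus an assumable privileged role."""
    granted = standing_security_access(policies)
    return sorted(row["user"] for row in _report_rows(report_csv)
                  if row["password_enabled"] == "true" and granted.get(row["user"]))


def users_without_mfa(report_csv):
    """Select mfa_active by column name instead of position, so the check survives
    any change in column order."""
    return sorted(row["user"] for row in _report_rows(report_csv)
                  if row["mfa_active"] != "true")


if __name__ == "__main__":
    for user, funcs in standing_security_access(POLICIES).items():
        print(f"{user}: {sorted(funcs) or 'no standing security functions'}")
    print("AC-6(2) findings:", ac6_2_findings(CREDENTIAL_REPORT, POLICIES))
    print("Users without MFA:", users_without_mfa(CREDENTIAL_REPORT))
```

In the constructed data, alice is the AC-6(2) finding: a console account used daily that also carries `iam:*`. svc-deploy reaches KMS security functions too, but it has no console password, so it is a service identity to review under a different control rather than a human using a privileged account for routine work. The overlap check is deliberately bidirectional (`iam:Get*` against `iam:*` counts), because a narrower wildcard in the policy still lands inside the security-function set.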

>Supplemental Guidance

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-6(2) (Non-Privileged Access For Nonsecurity Functions)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-6(2)?
  • How frequently is the AC-6(2) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-6(2)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-6(2) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-6(2)?
  • How is AC-6(2) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-6(2) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-6(2)?
  • What audit logs, records, reports, or monitoring data validate AC-6(2) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-6(2) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-6(2) compliance?
