>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

AC-6(9)Least Privilege | Log Use of Privileged Functions

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Log the execution of privileged functions.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.

>Programmatic Queries

Beta

Related Services

AWS CloudTrail
Amazon CloudWatch Logs
AWS Config

CLI Commands

Search CloudTrail for privileged IAM actions
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AttachRolePolicy --max-results 20
Search for role assumption events
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole --max-results 20
Create CloudWatch metric filter for privileged actions
aws logs put-metric-filter --log-group-name CloudTrail/logs --filter-name privileged-actions --filter-pattern '{($.eventName=AttachRolePolicy)||($.eventName=CreateUser)||($.eventName=DeleteUser)}' --metric-transformations metricName=PrivilegedActions,metricNamespace=Security,metricValue=1
Check CloudTrail logging status
aws cloudtrail get-trail-status --name TRAIL_NAME
Open AWS ConsoleDocumentation

>Related Controls

AU-2
AU-3
AU-12

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-6(9) (Log Use Of Privileged Functions)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-6(9)?
  • How frequently is the AC-6(9) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-6(9)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-6(9) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-6(9)?
  • How is AC-6(9) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-6(9) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-6(9)?
  • What audit logs, records, reports, or monitoring data validate AC-6(9) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-6(9) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-6(9) compliance?

Ask AI

Configure your API key to use AI features.