Establish access control policies and procedures for management of all accounts.
Applicable Service Models
IaaS, PaaS, SaaS
Mandatory Requirements
Activity: Implement a mechanism to enforce access authorizations for all user accounts, based on criteria in the Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations, and in section 3 of the Account Management Configuration Requirements.
Validation: Demonstrate that access configurations and policies are implemented for different classes of users (non-privileged and privileged users). Confirm that the access authorization mechanisms have been implemented to:
- uniquely identify and authenticate users to the cloud service
- validate that the least-privilege role is assigned
- validate that role-based access is implemented
- terminate role assignment upon job change or termination
- perform periodic reviews of role assignment (minimum yearly)
- disable default and dormant accounts
- avoid the use of generic user accounts
Verify that a review of role assignment for root or global administrator accounts is performed at least every 12 months.

Activity: Leverage role-based access and configure for least privilege; this can include built-in roles or custom roles that have been established with only the minimum number of privileges required to perform the job function.
Validation: Demonstrate that built-in roles on cloud platforms are configured for least privilege. Custom roles can be used, but a rationale should be documented and approved.

Activity: Change default passwords in accordance with the GC Password Guidance.
Validation: Confirm that the default passwords have been changed for all built-in accounts for the cloud service.

Activity: Configure the default password policy in accordance with the GC Password Guidance.
Validation: Demonstrate that the password policy for the cloud platform has been configured according to the Password Guidance by:
- requiring passwords that are at least 12 characters long, with no maximum length limit
- countering online guessing or brute-force attacks using throttling, account lockout policies, monitoring and multi-factor authentication
- protecting against offline attacks using effective hashing, salting and keyed hashing

Activity: Implement password protection mechanisms to protect against password brute-force attacks.
Validation: Confirm that mechanisms, such as throttling, account lockout policies, monitoring and risk-based authentication, have been implemented to protect against password brute-force attacks.
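The two password rows above name three distinct controls: a minimum length with no maximum, salted and keyed hashing against offline attacks, and throttling or lockout (with monitoring) against online guessing. The following Python module is an added example, not part of the guardrail or of any GC-provided tooling, showing what a service that passes those validations looks like in code. The 12-character minimum is the value from the guardrail; the lockout threshold (5 attempts), the lockout window (15 minutes), the PBKDF2 iteration count and the pepper value are assumptions for the example, and the usernames and passwords are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Policy values. The 12-character minimum is from the GC Password Guidance cited
# by the guardrail; the lockout numbers and iteration count are assumptions.
MIN_LENGTH = 12
LOCKOUT_THRESHOLD = 5      # failed attempts before a temporary lockout
LOCKOUT_SECONDS = 15 * 60  # how long the lockout lasts
PBKDF2_ITERATIONS = 600_000

# Server-side key for keyed hashing (a "pepper"). Constructed for this example;
# in a real service it lives in a secrets manager or HSM, never in source code.
PEPPER = b"example-only-pepper-key"


def password_meets_policy(password: str) -> bool:
    """Minimum length only: the guidance sets no maximum length."""
    return len(password) >= MIN_LENGTH


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted, stretched and keyed hash. A fresh random salt is generated when
    none is supplied; the PBKDF2 output is then HMAC'd with the server pepper,
    so a copy of the database alone does not allow offline guessing."""
    salt = salt or secrets.token_bytes(16)
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    keyed = hmac.new(PEPPER, stretched, hashlib.sha256).digest()
    return salt, keyed


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Password store with lockout-based throttling and an audit trail."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.accounts: Dict[str, AccountState] = {}
        self.clock = clock
        self.events: List[str] = []  # what a monitoring pipeline would ingest

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        salt, digest = hash_password(password)
        self.accounts[username] = AccountState(salt, digest)

    def login(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        now = self.clock()
        state = self.accounts.get(username)
        if state is None:
            # Same answer as a wrong password, and a hash computation anyway,
            # so neither the response nor its timing reveals valid usernames.
            hash_password(password, b"\x00" * 16)
            self.events.append(f"denied user={username} reason=unknown")
            return "denied"
        if now < state.locked_until:
            self.events.append(f"locked user={username}")
            return "locked"
        if verify_password(password, state.salt, state.digest):
            state.failed_attempts = 0
            self.events.append(f"ok user={username}")
            return "ok"
        state.failed_attempts += 1
        self.events.append(f"denied user={username} attempt={state.failed_attempts}")
        if state.failed_attempts >= LOCKOUT_THRESHOLD:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failed_attempts = 0
            self.events.append(f"lockout user={username} seconds={LOCKOUT_SECONDS}")
        return "denied"


def demo() -> dict:
    """Exercise the controls with a fake clock so lockout expiry is observable."""
    now = {"t": 1_000.0}
    auth = Authenticator(clock=lambda: now["t"])
    good = "salt-lamp-winter-latitude"  # 25 characters, constructed
    results = {"short_rejected": not password_meets_policy("Tr0ub4dor&3")}  # 11 characters
    auth.register("alice", good)
    results["good_login"] = auth.login("alice", good)
    results["failed_attempts"] = [auth.login("alice", f"wrong-guess-{i}") for i in range(LOCKOUT_THRESHOLD)]
    results["while_locked"] = auth.login("alice", good)
    now["t"] += LOCKOUT_SECONDS + 1
    results["after_lockout"] = auth.login("alice", good)
    results["unknown_user"] = auth.login("mallory", good)
    results["lockout_logged"] = any(e.startswith("lockout") for e in auth.events)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The clock is injected so the lockout window can be advanced in a test without sleeping; in production the default monotonic clock is used. Note that even the correct password is refused while the account is locked, which is what stops a guessing campaign from succeeding on its fifth-plus attempt, and that the lockout event is written to the audit trail so the "monitoring" part of the control can be evidenced.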
Activity: Establish a guest user access policy and procedures that minimize the number of guest users and that manage the life cycle of such accounts so that they are terminated when they are no longer needed.
Note: a guest is someone who is not an employee, student or member of your organization (a guest does not have an existing account with the organization's cloud tenant).
Validation: Confirm that only required guest user accounts are enabled (according to the business requirements of the service). Provide a list of non-organizational users with elevated privileges. Verify that reviews of guest access are performed periodically. Confirm that the access control procedure for management of administrative accounts has been documented for the cloud service. The access control procedure:
- should include provision for any guest accounts and custom accounts
- must refer to the emergency break-glass procedure

Activity: Enforce just-in-time access for privileged user accounts to provide time-based and approval-based role activation, mitigating the risks of excessive, unnecessary or misused access permissions.
Validation: Confirm that just-in-time access is enforced for all privileged user accounts, providing time-based and approval-based role activation.

Activity: Enforce attribute-based access control to restrict access based on a combination of authentication factors, such as devices issued and managed by the GC, device compliance, sign-in and user risks, and location.
Validation: Provide evidence that attribute-based access control mechanisms are in place to restrict access based on attributes or signals, such as authentication factors, devices issued and managed by the GC, device compliance, sign-in and user risks, and location.

Activity: Leverage tools, such as privileged access management systems, to enforce access control to privileged functions by configuring roles that require approval for activation. Choose one or multiple users or groups as delegated approvers.
Validation: Provide evidence that all role activations for privileged user accounts require approval, and that privilege elevation is temporary (time-bound).
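Several of the validations in this table ask for the same kind of evidence: that default, dormant and generic accounts are disabled, that privileged role assignments are reviewed at least every 12 months and are time-bound rather than standing, and a list of non-organizational (guest) users holding elevated privileges. The audit script below is an added example, not part of the guardrail or of any GC-provided tooling, that runs those checks over a snapshot of tenant accounts and returns one finding per failed control. The account records are constructed, and the privileged role names and the 90-day dormancy threshold are assumptions; the 365-day review interval is the guardrail's own 12-month requirement.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Role names and the dormancy threshold are assumptions for this example; the
# 12-month (365-day) review interval is the one the guardrail states.
PRIVILEGED_ROLES = {"Global Administrator", "Owner", "root"}
DORMANT_DAYS = 90
REVIEW_INTERVAL_DAYS = 365
DEMO_TODAY = date(2024, 6, 1)  # fixed "today" for the constructed snapshot


@dataclass
class RoleAssignment:
    role: str
    permanent: bool          # True = standing access; False = JIT, time-bound activation
    last_reviewed: date


@dataclass
class Account:
    name: str
    kind: str                # "member", "guest", "builtin" (default account) or "generic" (shared)
    enabled: bool
    last_sign_in: Optional[date]
    roles: List[RoleAssignment] = field(default_factory=list)


Finding = Tuple[str, str, str]   # (account, check, detail)


def audit_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per control that an enabled account fails."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account already satisfies the "disable" controls
        if acct.kind == "builtin":
            findings.append((acct.name, "default-account-enabled", "disable built-in accounts"))
        if acct.kind == "generic":
            findings.append((acct.name, "generic-account", "replace with individually identifiable accounts"))
        if acct.last_sign_in is None or (today - acct.last_sign_in).days > DORMANT_DAYS:
            findings.append((acct.name, "dormant", f"no sign-in for more than {DORMANT_DAYS} days"))
        for assignment in acct.roles:
            if assignment.role not in PRIVILEGED_ROLES:
                continue
            if acct.kind == "guest":
                findings.append((acct.name, "guest-with-privilege", assignment.role))
            if assignment.permanent:
                findings.append((acct.name, "standing-privilege", f"{assignment.role} is not time-bound"))
            if (today - assignment.last_reviewed).days > REVIEW_INTERVAL_DAYS:
                findings.append((acct.name, "review-overdue",
                                 f"{assignment.role} last reviewed {assignment.last_reviewed}"))
    return findings


def non_org_privileged_users(accounts: List[Account]) -> List[str]:
    """The list of non-organizational users with elevated privileges that the validation asks for."""
    return sorted(
        a.name for a in accounts
        if a.enabled and a.kind == "guest" and any(r.role in PRIVILEGED_ROLES for r in a.roles)
    )


def sample_accounts(today: date) -> List[Account]:
    """Constructed tenant snapshot; not real data."""
    def days_ago(n: int) -> date:
        return today - timedelta(days=n)

    return [
        Account("admin", "builtin", True, days_ago(10), [RoleAssignment("root", True, days_ago(400))]),
        Account("alice", "member", True, days_ago(3), [RoleAssignment("Global Administrator", False, days_ago(30))]),
        Account("bob", "member", True, days_ago(200)),
        Account("ext-consultant", "guest", True, days_ago(5), [RoleAssignment("Owner", True, days_ago(20))]),
        Account("shared-ops", "generic", True, days_ago(1)),
        Account("carol", "member", False, None, [RoleAssignment("Owner", True, days_ago(500))]),
    ]


def demo(today: date = DEMO_TODAY) -> List[Finding]:
    return audit_accounts(sample_accounts(today), today)


if __name__ == "__main__":
    for name, check, detail in demo():
        print(f"{name:15} {check:25} {detail}")
    print("guests with elevated privileges:", non_org_privileged_users(sample_accounts(DEMO_TODAY)))
```

In the constructed snapshot, "alice" holds a global administrator role that is JIT-activated and was reviewed recently, so she produces no findings; "admin" is an enabled built-in account with standing root access whose review is overdue, and "ext-consultant" is a guest with a permanent Owner assignment, which is exactly the population the "non-organizational users with elevated privileges" validation wants listed. The same checks run unchanged over an export from a real tenant once the records are mapped into the Account structure.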