Overview
Policy Statement
This policy provides a framework for how user accounts and privileges are created, managed, and deleted.
Access control helps your organization implement security best practices for logical security, account management, and remote access.
It includes details on how new users are authorized and granted appropriate privileges, how those privileges are reviewed and revoked when necessary, and the controls that prevent users from obtaining unauthorized privileges or access.
Purpose
This policy is intended to:
- Protect the confidentiality and integrity of data for which your organization is responsible. A limited number of exceptions may be made for specific business needs; each exception must be risk assessed, approved, and signed off by the Security Director.
- Mitigate loss of confidentiality, integrity, or availability due to:
  - Misuse of privileges
  - Introduction of viruses and malware to the network
Scope
This policy applies to:
- All employees and suppliers who have access to your organization's information and information systems.
- Information systems and services in program, project, and operational business areas.
- Your organization's boundary domain.
- Systems outside your organization's boundary that fall under your organization's responsibility because employees are granted access to them.
Some access roles require implementing stronger controls than those intended for standard users.
Objectives
- Access to all computing resources, including servers, end-user computing devices, network equipment, services, and applications, must be protected by strong authentication, authorization, and auditing.
- Interactive user access must be associated with an account or login unique to each user.
- All credentials, including user passwords, service accounts, and access keys must meet the length, complexity, age, and rotation requirements defined in your organization security standards.
- Use a strong password and multi-factor authentication (MFA) whenever possible to authenticate to all computing resources (including both devices and applications).
- MFA is required to access any critical system or resource, including but not limited to resources in your organization production environments.
- Unused accounts, passwords, and access keys must be removed within 30 days. See the Systems Audit Policy for details.
- A separate access key or service account must be used for each application or user; credentials are never shared between applications.
- Authenticated sessions must time out after a defined period of inactivity.
Procedures
Procedures and mapped controls
User Identity
Each organization selects a standard for how user identities are defined and managed. your organization has selected:
- [email protected] as the user identity. Aliases for the user identity may be created only with prior approval and a justified business need, for example simplifying an email address for ease of communication ([email protected]).
- Access to your organization systems requires at least the user identity and password.
- Users must set strong passwords based on the your organization Password Policy.
- Passwords must not be displayed anywhere, transmitted unencrypted, or stored in plain text.
- Users are grouped by department (Sales, Marketing, Business, Security and Development). Each user identity is added to one or more groups in the IdP, depending on the user's roles.
Mapped controls
Ensure IAM password policy requires a minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure there are no weak password policies
Single Sign-On (SSO)
- It is the responsibility of the Security Team to manage access to applications and systems
- your organization is using an IdP to manage access to systems and applications
- Authentication through SSO is preferred over local authentication on individual applications.
Multi-factor Authentication (MFA)
The purpose of Multi-Factor Authentication (MFA) is to provide strong authentication for users who access sensitive information or information system resources, or who hold privileged system support access, while keeping enrollment and day-to-day use simple. MFA reduces the likelihood of unauthorized access, demonstrates compliance with federal and industry mandates, and sets the requirements used to solicit, assess, and select MFA solutions.
Users will use the MFA self-enrollment process to register their authentication device(s) and install an MFA application (such as Google Authenticator, Microsoft Authenticator, or similar). The process guide for registration is located in the IdP documentation page.
MFA methods
- Hardware MFA token, for the Executives and IT Operations on Production Environments
- One-Time Password (time-based) using Google Authenticator, Microsoft Authenticator, or similar
- IdP mobile app for authentication
Access Provisioning
The your organization Security team adheres to a formal access control procedure that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Because "complexity is the enemy of security", authorization must be configured using attribute-based access control (ABAC) or role-based access control (RBAC) mechanisms rather than ad hoc per-user grants.
- Access to your organization systems is granted as part of the user onboarding process, initiated by HR:
  - A new ticket is created in the onboarding project
  - The HR Team must attach the New Joiner Request Form, which states the role and any additional systems the new joiner needs access to
  - The Security Team picks up the ticket and evaluates the access request
- The Security Team must:
  - Configure IT and Cloud Services to enforce strong passwords based on the your organization Password Policy
  - Establish conditions for group membership
  - Review accounts periodically, at least annually
  - Provide clear classification for data and systems
  - Not grant access to any Production environment by default
- Once approved, accounts are created with temporary passwords and users are forced to change their password at first login.
- For local accounts on laptops/workstations, your organization uses Azure AD and users must be added to designated groups.
- Online accounts are provisioned in the IdP.
- Accounts are created by default for the following services:
  - Productivity solution account for email, office suite, collaboration, etc.
  - VPN access for developers to the internal your organization infrastructure
  - CI/CD
  - VCS
  - Ticket management
  - Company Wiki
  - HR solution for paperwork, payroll, expense reporting, etc.
  - Time management solution for timesheets and logging work
  Additional access can be requested in a separate ticket and must include a justification.
- Access control for Mobile Devices is defined in the Mobile Device Management Policy.
- Guest access to your organization IT and Cloud Systems is permitted only if approved by the Security Team.
For each New Joiner, there is a master checklist in the ticketing solution that must be filled out by the Security Team after access has been granted.
Mapped controls
Ensure management ports are restricted from the internet
Ensure access keys are rotated every 90 days or less
Ensure no "root" user account access key exists
Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Eliminate use of the "root" user for administrative and daily tasks
Do not setup access keys during initial user setup for all IAM users that have a console password
Ensure there is only one active access key available for any single IAM user
Ensure IAM Users receive permissions only through Groups
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Enable Role-Based Access Control (RBAC) within Azure Kubernetes Services
Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Ensure No Custom Subscription Administrator Roles Exist
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
Ensure default Service account is not used for Project access in Kubernetes Clusters
Ensure Kubernetes Clusters are created with limited service account Access scopes for Project access
Ensure instances are not configured to use the default service account
Ensure Compute instances are launched with Shielded VM enabled
Ensure Compute instances do not have public IP addresses
Ensure Cloud Storage buckets have uniform bucket-level access enabled
Ensure application assignments are configured through groups
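Several of the AWS controls above (MFA for console users, access keys created at setup but never used, more than one active key, 90-day key rotation, credentials unused for 45 days, access keys on the root account) can all be evaluated from one artifact, the IAM credential report. The script below is an added example, not one of the page's stored queries; the report it evaluates is constructed in the column layout of `aws iam get-credential-report`, and the "now" timestamp is pinned so the results are reproducible.

```python
"""Offline evaluation of an AWS IAM credential report against the credential
controls mapped above: console users without MFA, access keys created but never
used, more than one active key, keys older than 90 days, credentials unused for
45 days or more, and access keys on the root account.

Added example. SAMPLE_REPORT is a constructed report in the column layout of
`aws iam get-credential-report`; the thresholds mirror the policy text."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,true,2021-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-30T09:00:00+00:00,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-01-10T00:00:00+00:00,true,2024-05-30T09:00:00+00:00,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,false,true,2023-01-10T00:00:00+00:00,N/A,N/A,N/A,true,2024-05-01T00:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,s3,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-15T00:00:00+00:00,2024-05-30T11:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-01-10T00:00:00+00:00,true,2024-02-01T09:00:00+00:00,2023-12-01T00:00:00+00:00,2024-02-29T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned so the sample evaluates deterministically
MAX_KEY_AGE = timedelta(days=90)                 # "access keys are rotated every 90 days or less"
UNUSED_LIMIT = timedelta(days=45)                # "credentials unused for 45 days or greater are disabled"
ROOT = "<root_account>"


def parse_ts(value):
    """Aware datetime for an ISO-8601 report field; None for N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_user(row, now=NOW):
    """Return the list of control violations for one credential-report row."""
    findings = []
    password_enabled = row["password_enabled"] == "true"
    mfa_active = row["mfa_active"] == "true"
    active_keys = [
        (n, parse_ts(row[f"access_key_{n}_last_rotated"]), parse_ts(row[f"access_key_{n}_last_used_date"]))
        for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"
    ]
    if row["user"] == ROOT:
        # Root is checked only against the root-specific controls.
        if active_keys:
            findings.append("root-access-key")
        if not mfa_active:
            findings.append("root-no-mfa")
        return findings
    if password_enabled and not mfa_active:
        findings.append("console-user-without-mfa")
    if len(active_keys) > 1:
        findings.append("multiple-active-keys")
    for n, rotated, last_used in active_keys:
        if password_enabled and last_used is None:
            findings.append(f"key{n}-never-used")  # key created at setup alongside a console password
        if rotated is not None and now - rotated > MAX_KEY_AGE:
            findings.append(f"key{n}-older-than-90d")
        # A key that was never used counts as unused since its creation (rotation) date.
        reference = last_used or rotated
        if reference is not None and now - reference >= UNUSED_LIMIT:
            findings.append(f"key{n}-unused-45d")
    if password_enabled:
        # A password that was never used counts as unused since the user was created.
        last = parse_ts(row["password_last_used"]) or parse_ts(row["user_creation_time"])
        if last is not None and now - last >= UNUSED_LIMIT:
            findings.append("password-unused-45d")
    return findings


def evaluate_report(report_csv, now=NOW):
    """Map every user in the report to its findings (an empty list means compliant)."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {row["user"]: evaluate_user(row, now) for row in rows}


if __name__ == "__main__":
    for user, findings in evaluate_report(SAMPLE_REPORT).items():
        print(f"{user:16} {'OK' if not findings else ', '.join(findings)}")
```

Note that `ci-deploy`, a user with an access key but no console password, is not flagged for missing MFA: the MFA control applies to console users, and a key-only service user is caught instead by the rotation and unused-credential checks. Against a real account, replace `SAMPLE_REPORT` with the decoded output of `aws iam get-credential-report` and drop the pinned `NOW`.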
Access Termination
Access termination is received as a ticket assigned to the Security Team. Access termination can result from:
- Access no longer being required for the user to perform a specific function on a protected system
- Access not having been used for more than 90 days, in which case the your organization Security Team assumes it is no longer required
- An access review based on the Systems Audit Policy, which may terminate access rights
- An employee/contractor leaving or terminating the relationship with your organization
Tasks for the Security Team:
- Passwords must be changed to strong random values following the Password Policy
- For security and auditing reasons, accounts are disabled once access is revoked and are deleted only 1 year after the person has left your organization.
- For each Leaver, there is a master checklist in the ticketing solution that must be filled out by the Security Team after access to all systems has been revoked.
Least Privilege
A privileged user or account is one that, by function and/or seniority, has been allocated powers within the computer system significantly greater than those available to the majority of users: root accounts on Linux systems, administrator accounts on Windows, or highly privileged users in the Cloud Service Providers.
In defining access control for groups and individuals, your organization adopts the principle of least privilege: users (and processes acting on behalf of users) are allowed only the access necessary to accomplish their assigned tasks in line with organizational missions and business functions. Where privileged access is needed, the system is accessed with the employee's or contractor's own user identity, which then switches to the privileged user, so that privileged actions remain attributable to an individual rather than to a shared root or administrator login.
Mapped controls
Ensure management ports are restricted from the internet
Ensure the default security group of every VPC restricts all traffic
Eliminate use of the "root" user for administrative and daily tasks
Ensure IAM Users receive permissions only through Groups
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Ensure IAM instance roles are used for AWS resource access from instances
Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure instances are not configured to use the default service account
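The three '"*:*" administrative privileges' controls above share one condition: an Allow statement whose Action contains "*" and whose Resource contains "*", whether the policy is attached to a user, a group or a role. The function below is an added example of evaluating that condition over policy documents, not the page's stored query; the attachments and documents are constructed and stand in for what `aws iam list-attached-user-policies` (and the group/role equivalents) plus `aws iam get-policy-version` would return.

```python
"""Find IAM policy attachments that grant full administrative privileges:
an Allow statement whose Action contains "*" and whose Resource contains "*",
the condition behind the '"*:*" administrative privileges' controls above for
users, groups and roles alike.

Added example; the policy documents below are constructed."""
import json


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def is_full_admin(policy_document):
    """True when any Allow statement grants Action "*" on Resource "*".

    Deny statements never grant. Statements built on NotAction/NotResource are
    not "*:*" grants in this sense even though they can be nearly as broad, so
    review them separately."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


# Constructed (principal ARN, policy name, policy document) attachments.
SAMPLE_ATTACHMENTS = [
    ("arn:aws:iam::111122223333:user/alice", "AdministratorAccess",
     {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    ("arn:aws:iam::111122223333:group/developers", "DevS3Access",
     {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-bucket/*"}}),
    ("arn:aws:iam::111122223333:role/ci", "ScopedStar",  # any action, but only on one bucket
     {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*",
      "Resource": "arn:aws:s3:::ci-artifacts/*"}]}),
    ("arn:aws:iam::111122223333:role/legacy", "MixedList",  # "*" hidden in a list, after a Deny
     json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Deny", "Action": "*", "Resource": "*",
          "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
         {"Effect": "Allow", "Action": ["ec2:Describe*", "*"], "Resource": ["*"]}]})),
    ("arn:aws:iam::111122223333:user/bob", "DenyAll",
     {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
]


def find_full_admin(attachments):
    """Return [(principal, policy_name)] for every attachment that is full admin."""
    return [(principal, name) for principal, name, doc in attachments if is_full_admin(doc)]


if __name__ == "__main__":
    for principal, name in find_full_admin(SAMPLE_ATTACHMENTS):
        print(f"FINDING {principal} has {name} with Allow */*")
```

Two caveats a reviewer should keep in mind: a policy such as `"Action": "iam:*"` on `"Resource": "*"` is not matched by this literal check yet lets the holder grant themselves anything, and a `Deny` statement elsewhere in the same document (as in `MixedList`) does not cancel the finding, because the Allow still exists and the deny may be conditional.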
Endpoints Access
your organization is using Device Management tools (Microsoft Intune, Jamf Pro, VMWare AirWatch, or similar) for company-owned devices. Guidelines are encouraged (and sometimes enforced) to ensure that these devices have been kept up to date and that they have the proper access configured:
- Endpoints must have antivirus/endpoint security agents installed and configured to avoid malware infiltration
- Firewall is a requirement which is pushed and audited by the device management tool
- Hard drives and other removable media will be encrypted - see Data Protection Policy
- Engaging in any illegal or prohibited activity on company devices is strictly prohibited (unauthorized hacking, crypto mining, racism, discrimination, harassment, etc.)
- Periodic assessments, as defined in the Systems Audit Policy, are performed and may result in access being suspended or terminated in case of non-compliance with your organization's Mobile Device Management Policy
Session Lock
Access to your organization information systems should be locked after periods of inactivity or upon receiving a request from a user. The session lock must be retained until the user re-establishes access using established identification and authentication procedures.
Mapped controls
Ensure credentials unused for 45 days or greater are disabled
Ensure access keys are rotated every 90 days or less
Ensure IAM password policy expires passwords within 90 days or less
Ensure user-managed/external keys for service accounts are rotated every 90 days or less
Ensure KMS encryption keys are rotated within a period of 90 days
VPN Access for Remote Working
- your organization follows the principle of Zero Trust Software-Defined Perimeter (SDP) and has implemented an SDP solution that helps with micro-segmentation of the access to network and cloud resources
- Developers receive VPN Access for access to the internal your organization infrastructure
- VPN access to Production environments is restricted and can be proxied only using a Bastion Service
WiFi Wireless Access
your organization manages and grants access to wireless networks as follows:
- Access to wireless networks is managed and pushed automatically to devices using MDM; see the Mobile Device Management Policy
- Wireless connections are encrypted using WPA2 or stronger
- Connecting company-owned devices to insecure networks (unsecured wireless hotspots) is not allowed unless the device tunnels all of its traffic through a VPN connection
- Wireless guest access is separated from your organization's main network
Query logic
These are the stored checks tied to this policy. Each check is a query over the asset inventory; the expected result "eq []" means the query must return no assets, so every asset it does return is a finding against the control. Shorthand names such as AWSIAM4 or GCPVM1 are references to prebuilt checks whose query text is not shown on this page.

IAM password policy requires a minimum length of 14 or greater
Expected check: eq []
iamPasswordPolicies(where:{minimumPasswordLength_LT:14}){...AssetFragment}

IAM password policy requires at least one lowercase letter
Expected check: eq []
iamPasswordPolicies(where:{requireLowercaseCharacters:false}){...AssetFragment}

IAM password policy requires at least one number
Expected check: eq []
iamPasswordPolicies(where:{requireNumbers:false}){...AssetFragment}

IAM password policy requires at least one symbol
Expected check: eq []
iamPasswordPolicies(where:{requireSymbols:false}){...AssetFragment}

IAM password policy requires at least one uppercase letter
Expected check: eq []
iamPasswordPolicies(where:{requireUppercaseCharacters:false}){...AssetFragment}

There are no weak password policies
Expected check: eq []
passwordPolicies(where: { OR:[{minLength_LT: 14}, {minLowerCase_LT: 1}, {minUpperCase_LT: 1}, {minNumber_LT: 1}, {minSymbol_LT: 1}, {reuseCount_LT: 1}]}) {...AssetFragment}

Multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{passwordEnabled:true,mfaActive:false}}){...AssetFragment}

Google Cloud IAMUsers Without MFA
Expected check: eq []
{
  iamUsers(where: { NOT: { user: { isEnrolledIn2Sv: true } } }) {
    ...AssetFragment
  }
}

Entra Users Without MFA With Access to Azure
Expected check: eq []
{
  users(where: { mfaActive: false, NOT: { iamRoleAssignments_SOME: null } }) {
    ...AssetFragment
  }
}

Multi-factor authentication is enabled for all RAM users that have a console password
Expected check: eq []
iamUsers(where:{hasIAMUserLoginProfile_SOME:{mfaBindRequired:false}}){...AssetFragment}

Entra users without MFA
Expected check: eq []
{
  users(where: { mfaActive: false }) {
    ...AssetFragment
  }
}

MFA is enabled for the "root" account
Expected check: eq []
AWSIAM13{...AssetFragment}

Hardware MFA is enabled for the "root" account
Expected check: eq []
AWSIAM14{...AssetFragment}

MFA is configured with strong factors (phone, security question and email factors are not allowed for enrollment)
Expected check: eq []
oktaPolicies(where: { type: "MFA_ENROLL", OR:[{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}]}) {...AssetFragment}

Security Groups with management ports not restricted from the internet
Expected check: eq []
{
  securityGroups(
    where: {
      rules_SOME: {
        direction: "Inbound"
        action: "Allow"
        AND: [
          {
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
              { sources_INCLUDES: "tag:Internet" }
              { sources: [] }
            ]
          }
          {
            OR: [
              { destFromPort_LTE: 22, destToPort_GTE: 22 }
              { destFromPort_LTE: 3389, destToPort_GTE: 3389 }
            ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}

Firewalls with management ports not restricted from the internet
Expected check: eq []
{
  firewalls(
    where: {
      rules_SOME: {
        direction: "Inbound"
        AND: [
          {
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
              { sources: [] }
            ]
          }
          {
            OR: [
              { destFromPort_LTE: 22, destToPort_GTE: 22 }
              { destFromPort_LTE: 3389, destToPort_GTE: 3389 }
            ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}

Access keys are rotated every 90 days or less
Expected check: eq []
AWSIAM4{...AssetFragment}

AWS Root users with access key
Expected check: eq []
{
  rootUsers(
    where: {
      hasIAMUserCredentials: {
        OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
      }
    }
  ) {
    connector {...AssetFragment}
  }
}

The S3 bucket used to store CloudTrail logs is not publicly accessible
Expected check: eq []
{
  buckets(
    where: {
      trails_NOT: null
      publicAccessBlocked: false
      OR: [
        { hasBucketACLGrant_SOME: { OR: [
          { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
          { granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" }
        ] } }
        { AND: [
          { policyDocument_MATCHES: ".+\"Effect\":\"Allow\".+" }
          { policyDocument_MATCHES: ".+\"Principal\":\"*\".+" }
        ] }
      ]
    }
  ) {...AssetFragment}
}

S3 bucket access logging is enabled on the CloudTrail S3 bucket
Expected check: eq []
{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}

A log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Expected check: eq []
AWSMonitoring(filterPattern:".*\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?CreateNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAcl[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?DeleteNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclEntry[\"]?\\s*\\)\\s*\\|\\|\\s*\\(\\s*\\$\\.eventName\\s*=\\s*[\"]?ReplaceNetworkAclAssociation[\"]?\\s*\\)\\s*.*"){...AssetFragment}

Eliminate use of the "root" user for administrative and daily tasks
Expected check: eq []
AWSIAM1 {...AssetFragment}

Do not set up access keys during initial user setup for all IAM users that have a console password (an active key that has never been used)
Expected check: eq []
iamUsers(where:{hasIAMUserCredentials:{OR:[{accessKey1Active:true,accessKey1LastUsedDate:null}{accessKey2Active:true,accessKey2LastUsedDate: null }]}}){...AssetFragment}

There is only one active access key available for any single IAM user
Expected check: eq []
AWS130IAM13 {...AssetFragment}

IAM Users receive permissions only through Groups (no policy attached directly to a user)
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}

IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Expected check: eq []
{iamRoles(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}}

IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Expected check: eq []
iamUsers(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}

IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Expected check: eq []
iamGroups(where:{iamPolicies_SOME: {iamPolicyStatements_SOME: {effect:"Allow",actions_INCLUDES: "*", resources_INCLUDES: "*"}}}){...AssetFragment}

S3 Buckets are configured with 'Block public access (bucket settings)'
Expected check: eq []
buckets(where: { publicAccessBlocked: false }) {...AssetFragment}

No Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
Expected check: eq []
networkAcls(where:{rules_SOME:{AND:[
  {direction:"Inbound"},
  {action:"Allow"},
  {OR:[{sources_INCLUDES:"cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]},
  {OR:[{destFromPort_LTE: 22, destToPort_GTE: 22}, {destFromPort_LTE: 3389, destToPort_GTE: 3389}]}
]}}){...AssetFragment}

Enable role-based access control (RBAC) within Azure Kubernetes Services
Expected check: eq []
{aksClusters(where:{enableRBAC_NOT:true}){...AssetFragment}}

Azure IAM Custom roles with lock permission
Expected check: eq []
{
  AzureConnectorsWithoutCustomLockRoles{
    ...AssetFragment
  }
}

Azure Custom Subscription Administrator Roles
Expected check: eq []
query ($subscriptionResourceId: String!) {
  iamRoles(
    where: {
      type: "CustomRole"
      permissions_INCLUDES: "*"
      assignableScopes_INCLUDES: $subscriptionResourceId
    }
  ) {
    ...AssetFragment
  }
}

Instances are not configured to use the default service account with full access to all Cloud APIs
Expected check: eq []
GCPVM1{...AssetFragment}

Private Google Access is set on Kubernetes Engine Cluster Subnets
Expected check: eq []
gkeClusters(where:{subnetworks_SOME:{privateIpGoogleAccess:false}}){...AssetFragment}

Default Service account is not used for Project access in Kubernetes Clusters
Expected check: eq []
{gkeClusters(where:{nodePools_SOME:{nodeConfig:{serviceAccount:"default"}}}){...AssetFragment}}

Kubernetes Clusters are created with limited service account Access scopes for Project access
Expected check: eq []
{gkeClusters(where: {nodePools_SOME: {nodeConfig: { oauthScopes_INCLUDES:"https://www.googleapis.com/auth/cloud-platform"}}}) {...AssetFragment}}

Instances are not configured to use the default service account
Expected check: eq []
vms(where: {serviceAccountEmail_CONTAINS: "[email protected]"}) {...AssetFragment}

GCP VMs with security features disabled (Shielded VM: vTPM, Secure Boot, integrity monitoring)
Expected check: eq []
{
  vms(
    where: {
      OR: [
        { shieldedInstanceConfigEnableVtpm: false }
        { shieldedInstanceConfigEnableSecureBoot: false }
        { shieldedInstanceConfigEnableIntegrityMonitoring: false }
      ]
    }
  ) {
    ...AssetFragment
  }
}

Compute instances do not have public IP addresses (GKE node VMs are excluded by name prefix)
Expected check: eq []
{
  vms(
    where: {
      networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
      NOT: { name_STARTS_WITH: "gke-" }
    }
  ) {
    ...AssetFragment
  }
}

Cloud Storage buckets have uniform bucket-level access enabled
Expected check: eq []
buckets(where:{iamConfigurationUniformBucketLevelAccessEnabled:false}){...AssetFragment}

Application assignments are configured through groups
Expected check: eq []
users(where: { applicationsConnection_SOME: {edge: {scope_NOT: "GROUP"}}}) {...AssetFragment}

The default security group of every VPC restricts all traffic
Expected check: eq []
{
  securityGroups(where: { groupName: "default", NOT: { rules_SOME: null } }) {
    ...AssetFragment
  }
}

IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Expected check: eq []
GCP110IAM6{...AssetFragment}

Credentials unused for 45 days or greater are disabled
Expected check: eq []
AWSIAM3(days: 45){...AssetFragment}

IAM password policy expires passwords within 90 days or less (a maxPasswordAge of 0 means passwords never expire)
Expected check: eq []
{ iamPasswordPolicies( where: { OR: [{ maxPasswordAge: 0 }, { maxPasswordAge_GT: 90 }] } ) {...AssetFragment} }

User-managed/external keys for service accounts are rotated every 90 days or less
Expected check: eq []
GCPIAM5{...AssetFragment}

KMS encryption keys are rotated within a period of 90 days
Expected check: eq []
GCP110IAM10{...AssetFragment}
Connectors covered by these checks: Alibaba Cloud, AWS, Google Cloud, Microsoft Azure, Okta
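The securityGroups, firewalls and networkAcls checks above all encode the same test: an inbound rule whose source is 0.0.0.0/0 or ::/0 (or an empty source list) and whose port range covers 22 or 3389. The script below is an added example of evaluating that test over rule data exported from the cloud provider, not one of the stored queries; all rules are constructed. It goes one step beyond the networkAcls query by evaluating NACL rules in rule-number order, so a lower-numbered deny shields a port that a later allow-all rule would otherwise expose.

```python
"""Inbound exposure of management ports (SSH 22, RDP 3389) to the internet for
security groups and network ACLs, the condition behind the securityGroups and
networkAcls checks above. A rule counts as internet-facing when its source is
0.0.0.0/0 or ::/0 (or the source list is empty); "all traffic" rules carry no
port range and cover every port. NACL rules are evaluated in rule-number order,
so a lower-numbered deny shields a port that a later allow would expose.

Added example, not the page's stored queries; every rule below is constructed."""
import ipaddress

MGMT_PORTS = (22, 3389)


def is_any_network(source):
    """True for 0.0.0.0/0 and ::/0; False for narrower CIDRs and for non-CIDR
    sources such as security-group references or prefix lists."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def internet_facing(rule):
    # An empty source list is treated as unrestricted, as the stored query's `sources: []` branch does.
    sources = rule.get("sources") or []
    return not sources or any(is_any_network(s) for s in sources)


def covers_port(rule, port):
    lo, hi = rule.get("from_port"), rule.get("to_port")
    if lo is None or hi is None or lo == -1:  # protocol "-1" / all-traffic rules have no port range
        return True
    return lo <= port <= hi


def sg_exposed_ports(rules, ports=MGMT_PORTS):
    """Security-group rules are allow-only, so any matching inbound rule exposes the port."""
    return sorted(p for p in ports if any(
        r["direction"] == "inbound" and internet_facing(r) and covers_port(r, p) for r in rules))


def nacl_exposed_ports(rules, ports=MGMT_PORTS):
    """The first inbound rule (by number) that applies to any-source traffic on the port decides;
    narrower-CIDR rules cannot decide for an arbitrary internet source and are skipped.
    No matching rule means the implicit deny applies."""
    exposed = []
    for port in ports:
        for rule in sorted(rules, key=lambda r: r["rule_number"]):
            if rule["direction"] != "inbound" or not covers_port(rule, port) or not internet_facing(rule):
                continue
            if rule["action"] == "allow":
                exposed.append(port)
            break
    return sorted(exposed)


# Constructed rule sets keyed by resource id.
SECURITY_GROUPS = {
    "sg-bastion": [{"direction": "inbound", "sources": ["203.0.113.0/24"], "from_port": 22, "to_port": 22}],
    "sg-web": [{"direction": "inbound", "sources": ["0.0.0.0/0"], "from_port": 443, "to_port": 443},
               {"direction": "inbound", "sources": ["::/0"], "from_port": 3389, "to_port": 3389}],
    "sg-legacy": [{"direction": "inbound", "sources": ["0.0.0.0/0"], "from_port": None, "to_port": None}],
    "sg-orphan": [{"direction": "inbound", "sources": [], "from_port": 20, "to_port": 25}],
    "sg-egress": [{"direction": "outbound", "sources": ["0.0.0.0/0"], "from_port": 22, "to_port": 22}],
    "sg-peer": [{"direction": "inbound", "sources": ["sg-0a1b2c3d4e5f67890"], "from_port": 22, "to_port": 22}],
}
NETWORK_ACLS = {
    "acl-main": [
        {"rule_number": 50, "direction": "inbound", "action": "deny", "sources": ["0.0.0.0/0"], "from_port": 22, "to_port": 22},
        {"rule_number": 100, "direction": "inbound", "action": "allow", "sources": ["0.0.0.0/0"], "from_port": None, "to_port": None},
    ],
    "acl-open": [{"rule_number": 100, "direction": "inbound", "action": "allow", "sources": ["0.0.0.0/0"], "from_port": 0, "to_port": 65535}],
    "acl-private": [{"rule_number": 100, "direction": "inbound", "action": "allow", "sources": ["10.0.0.0/8"], "from_port": 0, "to_port": 65535}],
}


def findings(security_groups=SECURITY_GROUPS, network_acls=NETWORK_ACLS):
    """{resource id: exposed ports} for every resource with at least one finding."""
    out = {name: sg_exposed_ports(rules) for name, rules in security_groups.items()}
    out.update({name: nacl_exposed_ports(rules) for name, rules in network_acls.items()})
    return {name: ports for name, ports in out.items() if ports}


if __name__ == "__main__":
    for name, ports in findings().items():
        print(f"FINDING {name}: management ports {ports} reachable from the internet")
```

`sg-bastion` (SSH from a single corporate range) and `sg-peer` (SSH from another security group) produce no finding, while `sg-legacy` is flagged on both ports because an all-traffic rule has no port range at all. The stored networkAcls query flags any allow rule with an internet source; the ordered evaluation here additionally honours `acl-main`'s rule 50, so only 3389 is reported for it.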