
MCSB_v1 - Privileged Access

Each control is described by the following fields (the columns of the benchmark spreadsheet): ID and Recommendation, Control Domain, CIS Controls v7.1 ID(s), CIS Controls v8 ID(s), NIST SP800-53 r4 ID(s), PCI-DSS v3.2.1 ID(s), Security Principle, Azure Guidance, Implementation and additional context (Azure), AWS Guidance, Implementation and additional context (AWS), and Customer Security Stakeholders.
PA-1: Separate and limit highly privileged/administrative users
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): 4.3 - Ensure the Use of Dedicated Administrative Accounts; 14.6 - Protect Information Through Access Control Lists
CIS Controls v8 ID(s): 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts; 6.8 - Define and Maintain Role-Based Access Control
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1

Security Principle: Ensure you identify all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane.

Azure Guidance: You must secure all roles with direct or indirect administrative access to Azure hosted resources.
Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment:
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD as well as services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level:
- Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
- Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
- User Access Administrator: Lets you manage user access to Azure resources.
Note: You may have other critical roles that need to be governed if you use custom roles at the Azure AD level or resource level with certain privileged permissions assigned.
In addition, users with the following three roles in the Azure Enterprise Agreement (EA) portal should also be restricted, as they can be used to directly or indirectly manage Azure subscriptions:
- Account Owner: Users with this role can manage subscriptions, including the creation and deletion of subscriptions.
- Enterprise Administrator: Users assigned this role can manage EA portal users.
- Department Administrator: Users assigned this role can change account owners within the department.
Lastly, ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

Implementation and additional context (Azure):
Administrator role permissions in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Use Azure Privileged Identity Management security alerts: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
Securing privileged access for hybrid and cloud deployments in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure

AWS Guidance: You must secure all roles with direct or indirect administrative access to AWS hosted resources.
The privileged/administrative identities that need to be secured include:
- Root user: The root user is the most privileged identity in an AWS account. Its use should be highly restricted and limited to emergency situations. Refer to the emergency access controls in PA-5 (Set up emergency access).
- IAM identities (users, groups, roles) with a privileged permission policy: IAM identities assigned a permission policy such as AdministratorAccess can have full access to AWS services and resources.
If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, refer to the Azure guidance for managing the privileged roles in Azure AD.
Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Amazon Cognito, security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets.

Implementation and additional context (AWS):
AWS Best Practices for Root User: https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html

Customer Security Stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
PA-2: Avoid standing access for user accounts and permissions
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): n/a
CIS Controls v8 ID(s): n/a
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT
PCI-DSS v3.2.1 ID(s): N/A

Security Principle: Instead of creating standing privileges, use a just-in-time (JIT) mechanism to assign privileged access to the different resource tiers.

Azure Guidance: Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.
Restrict inbound traffic to the management ports of your sensitive virtual machines (VMs) with Microsoft Defender for Cloud's just-in-time (JIT) VM access feature. This ensures privileged access to the VM is granted only when users need it.

Implementation and additional context (Azure):
Azure PIM just-in-time access deployment: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan
Understanding just-in-time (JIT) VM access: https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks

AWS Guidance: Use AWS Security Token Service (AWS STS) to create temporary security credentials to access resources through the AWS API. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences:
- Temporary security credentials have a short-term life, from minutes to hours.
- Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested.

Implementation and additional context (AWS):
IAM temporary credentials through AWS Security Token Service (AWS STS): https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

Customer Security Stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
PA-3: Manage lifecycle of identities and entitlements
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): 16.7 - Establish Process for Revoking Access
CIS Controls v8 ID(s): 6.1 - Establish an Access Granting Process; 6.2 - Establish an Access Revoking Process
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-5: SEPARATION OF DUTIES; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1

Security Principle: Use an automated process or technical control to manage the identity and access lifecycle, including request, review, approval, provisioning, and deprovisioning.

Azure Guidance: Use Azure AD entitlement management features to automate access request workflows (for Azure resource groups). This enables workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval.
Use Permissions Management to detect, automatically right-size, and continuously monitor unused and excessive permissions assigned to user and workload identities across multi-cloud infrastructures.

Implementation and additional context (Azure):
What are Azure AD access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
What is Azure AD entitlement management: https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview
Overview of Permissions Management: https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/overview

AWS Guidance: Use IAM Access Advisor to pull the service last-accessed information for user accounts and their entitlements to resources. Build a manual or automated workflow that integrates with AWS IAM to manage access assignments, reviews, and deletions.
Note: There are third-party solutions available on AWS Marketplace for managing the lifecycle of identities and entitlements.

Implementation and additional context (AWS):
IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
AWS Marketplace Identity and Access Management solutions: https://aws.amazon.com/marketplace/solutions/security/identity-access-management

Customer Security Stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
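The AWS guidance above says to pull Access Advisor data and build a workflow around it but does not show what the data looks like or how a right-sizing decision is derived from it. The following is an added example (it is not part of the benchmark or of any AWS tooling) that classifies a role's granted services as active, idle or never used from a report in the shape of iam:GetServiceLastAccessedDetails. The report, role ARN, account ID and the 90-day threshold are constructed assumptions; the live fetch in fetch_report() uses the real boto3 calls but is not exercised offline.

```python
"""Right-size an IAM entity's entitlements from Access Advisor data.

Added example, not MCSB code. SAMPLE_REPORT is constructed in the shape of an
iam:GetServiceLastAccessedDetails response; fetch_report() sketches the live
call and is not run here.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample for a hypothetical role. A service the role may call but has
# never used carries no LastAuthenticated field and TotalAuthenticatedEntities 0.
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": "2024-05-20T10:15:00+00:00",
         "LastAuthenticatedEntity": "arn:aws:iam::123456789012:role/DataPipeline",
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "AWS Identity and Access Management", "ServiceNamespace": "iam",
         "LastAuthenticated": "2023-11-02T08:00:00+00:00",
         "LastAuthenticatedEntity": "arn:aws:iam::123456789012:role/DataPipeline",
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "TotalAuthenticatedEntities": 0},
    ],
}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def classify_services(report, now=REFERENCE_TIME, max_idle_days=90):
    """Bucket each granted service as active, idle (unused for > max_idle_days) or never_used."""
    buckets = {"active": [], "idle": [], "never_used": []}
    cutoff = now - timedelta(days=max_idle_days)
    for svc in report["ServicesLastAccessed"]:
        namespace = svc["ServiceNamespace"]
        last = svc.get("LastAuthenticated")
        if isinstance(last, str):  # the CLI prints ISO strings; boto3 returns datetime objects
            last = datetime.fromisoformat(last)
        if last is None:
            buckets["never_used"].append(namespace)
        elif last < cutoff:
            buckets["idle"].append(namespace)
        else:
            buckets["active"].append(namespace)
    for bucket in buckets.values():
        bucket.sort()
    return buckets


def removal_candidates(report, now=REFERENCE_TIME, max_idle_days=90):
    """Service namespaces whose grants should be removed (or justified) in the next access review."""
    buckets = classify_services(report, now, max_idle_days)
    return sorted(buckets["idle"] + buckets["never_used"])


def fetch_report(entity_arn, poll_seconds=2):
    """Live version (needs boto3 and credentials; not run offline): generate and collect the report."""
    import time
    import boto3  # local import keeps the offline example importable without boto3
    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(Arn=entity_arn)["JobId"]
    while True:
        report = iam.get_service_last_accessed_details(JobId=job_id)
        if report["JobStatus"] != "IN_PROGRESS":
            return report
        time.sleep(poll_seconds)


if __name__ == "__main__":
    print(classify_services(SAMPLE_REPORT))
    print("remove:", removal_candidates(SAMPLE_REPORT))
```

Access Advisor reports at service granularity (action-level data exists only for some services), so the output is a list of services to strip from the policy, not a finished least-privilege policy; the remaining grants still need to be narrowed to the actions and resources actually required.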
PA-4: Review and reconcile user access regularly
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): 4.1 - Maintain Inventory of Administrative Accounts; 16.6 - Maintain an Inventory of Accounts; 16.8 - Disable Any Unassociated Accounts; 16.9 - Disable Dormant Accounts
CIS Controls v8 ID(s): 5.1 - Establish and Maintain an Inventory of Accounts; 5.3 - Disable Dormant Accounts; 5.5 - Establish and Maintain an Inventory of Service Accounts
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2, 8.1, A3.4

Security Principle: Conduct regular reviews of privileged account entitlements. Ensure the access granted to the accounts is valid for administration of the control plane, management plane, and workloads.

Azure Guidance: Review all privileged accounts and their access entitlements in Azure, including Azure tenants, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools.
Use Azure AD access reviews to review Azure AD roles, Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, or accounts which have not been used for a certain amount of time.
In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured.

Implementation and additional context (Azure):
Create an access review of Azure resource roles in Privileged Identity Management (PIM): https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review
How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview

AWS Guidance: Review all privileged accounts and their access entitlements in AWS, including AWS accounts, services, VM/IaaS, CI/CD processes, and enterprise management and security tools.
Use IAM Access Advisor, IAM Access Analyzer and the IAM credential report to review resource access roles, group memberships, and access to enterprise applications. The credential report and Access Analyzer findings can also help discover stale accounts, or accounts which have not been used for a certain amount of time.
If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, use Azure AD access reviews to review the privileged accounts and access entitlements periodically.

Implementation and additional context (AWS):
IAM Access Analyzer: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Credential report: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html

Customer Security Stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
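The credential report is the cheapest source for the stale-account review this control asks for, but the page does not show what to check in it. The following is an added example (not benchmark or AWS code) that parses a credential report and produces the findings a reviewer would act on: dormant users, console users without MFA, access keys not rotated within the window, active keys that have never been used, and any access keys on the root user. The report text, user names, account ID and the 90-day thresholds are constructed; the column layout and value markers (true/false, N/A, no_information, not_supported) follow the real report format. fetch_live_report() shows the real boto3 calls and is not exercised offline.

```python
"""Find dormant accounts, missing MFA and stale keys in an IAM credential report.

Added example, not MCSB code. CREDENTIAL_REPORT_CSV is constructed in the
column layout of the real credential report (22 columns).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,true,2024-05-28T14:00:00+00:00,2024-04-01T00:00:00+00:00,2024-06-30T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-29T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-07-15T00:00:00+00:00,true,2024-01-10T11:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-06-01T00:00:00+00:00,2024-05-31T02:00:00+00:00,eu-west-1,ecr,true,2024-05-15T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

REFERENCE_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for reproducibility
NOT_A_DATE = {"", "N/A", "no_information", "not_supported"}


def parse_time(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in NOT_A_DATE:
        return None
    return datetime.fromisoformat(value)


def load_report(text):
    """Parse the CSV text of a credential report (the Content of iam:GetCredentialReport) into rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_credentials(rows, now=REFERENCE_TIME, max_idle_days=90, max_key_age_days=90):
    """Return findings keyed by check; each value is a sorted list of 'user' or 'user/keyN' labels."""
    idle_cutoff = now - timedelta(days=max_idle_days)
    rotation_cutoff = now - timedelta(days=max_key_age_days)
    findings = {"dormant": [], "console_without_mfa": [], "stale_keys": [],
                "unused_active_keys": [], "root_access_keys": []}
    for row in rows:
        user = row["user"]
        is_root = user == "<root_account>"
        last_seen = [parse_time(row["password_last_used"])]
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            label = f"{user}/key{n}"
            if is_root:  # the root user should have no access keys at all
                findings["root_access_keys"].append(label)
            used = parse_time(row[f"access_key_{n}_last_used_date"])
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            last_seen.append(used)
            if used is None:
                findings["unused_active_keys"].append(label)
            if rotated is not None and rotated < rotation_cutoff:
                findings["stale_keys"].append(label)
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings["console_without_mfa"].append(user)
        seen = [t for t in last_seen if t is not None]
        # Dormant = no console sign-in and no active-key use inside the window.
        # Root is reviewed per event under PA-5, so it is not scored for dormancy here.
        if not is_root and (not seen or max(seen) < idle_cutoff):
            findings["dormant"].append(user)
    return {check: sorted(items) for check, items in findings.items()}


def fetch_live_report():
    """Live version (needs boto3 and credentials; not run offline)."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for check, items in review_credentials(load_report(CREDENTIAL_REPORT_CSV)).items():
        print(f"{check}: {items}")
```

A key that is active but has never been used (ci-deploy/key2 in the sample) is a common leftover of a rotation that was started and never finished; it carries the same risk as the old key and should be deleted rather than left for a later review.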
PA-5: Set up emergency access
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): n/a
CIS Controls v8 ID(s): n/a
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT
PCI-DSS v3.2.1 ID(s): n/a

Security Principle: Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such as your identity and access management system) in an emergency.

Azure Guidance: To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g., an account with the Global Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used.
Emergency access accounts should be rarely used and can be highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required. You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. You may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. You should also monitor the sign-in and audit logs to ensure that emergency access accounts are only used when authorized.

Implementation and additional context (Azure):
Manage emergency access accounts in Azure AD: https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-emergency-access

AWS Guidance: The AWS root user should not be used for regular administrative tasks. As the root user is highly privileged, it should not be assigned to specific individuals. Its use should be limited to emergency or "break glass" scenarios when normal administrative accounts can't be used. For daily administrative tasks, separate privileged user accounts should be used and assigned the appropriate permissions via IAM roles.
You should also ensure that the credentials (such as the password, MFA tokens and access keys) for the root user are kept secure and known only to individuals who are authorized to use them only in an emergency. Root access keys should not be created at all; if any exist, delete them. MFA should be enabled for the root user, and you may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process.
You should also monitor the sign-in and audit logs in CloudTrail or EventBridge to ensure that the root user is only used when authorized.

Implementation and additional context (AWS):
Best practices to protect your account's root user: https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html

Customer Security Stakeholders:
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations (SecOps): https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
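"Monitor CloudTrail or EventBridge to ensure the root user is only used when authorized" is the detection half of this control. The following added example (not benchmark or AWS code) shows both halves of that check: a triage function over CloudTrail records that flags every root event, records whether MFA was used, and compares the event time against the approved break-glass windows from the change record; and the EventBridge event pattern that would raise the alert in real time, with a small matcher implementing the subset of EventBridge semantics the pattern relies on. The records, account ID, IP addresses, access key ID and the approval window are constructed; the field names follow CloudTrail's record schema (additionalEventData.MFAUsed for console sign-ins, sessionContext.attributes.mfaAuthenticated for session-based API calls).

```python
"""Triage root-user activity in CloudTrail and match the EventBridge pattern that alerts on it.

Added example, not MCSB code. SAMPLE_RECORDS and AUTHORIZED_WINDOWS are constructed.
"""
from datetime import datetime, timezone

SAMPLE_RECORDS = [
    {   # Root console sign-in with MFA during an approved break-glass window
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "principalId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
        "eventTime": "2024-06-01T03:12:45Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # Root API call with a long-term access key (no session, hence no MFA), outside any window
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "principalId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "eventTime": "2024-06-02T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
    },
    {   # Ordinary IAM user activity: not root, ignored by the root check
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2024-06-02T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.8",
    },
]

# Approved break-glass windows (start, end) taken from the change record; constructed here.
AUTHORIZED_WINDOWS = [
    (datetime(2024, 6, 1, 3, 0, tzinfo=timezone.utc), datetime(2024, 6, 1, 4, 0, tzinfo=timezone.utc)),
]

# EventBridge patterns: console sign-ins and API calls arrive under different detail-types.
ROOT_SIGNIN_PATTERN = {"detail-type": ["AWS Console Sign In via CloudTrail"],
                       "detail": {"userIdentity": {"type": ["Root"]}}}
ROOT_API_PATTERN = {"detail-type": ["AWS API Call via CloudTrail"],
                    "detail": {"userIdentity": {"type": ["Root"]}}}


def parse_event_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_used(record):
    """Console sign-ins carry additionalEventData.MFAUsed; session-based API calls carry mfaAuthenticated."""
    if record.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return True
    attrs = record["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def root_findings(records, windows=AUTHORIZED_WINDOWS):
    """One finding per root event: MFA state, whether it fell in an approved window, and severity."""
    findings = []
    for rec in records:
        if rec["userIdentity"].get("type") != "Root":
            continue
        when = parse_event_time(rec["eventTime"])
        authorized = any(start <= when <= end for start, end in windows)
        mfa = mfa_used(rec)
        findings.append({
            "eventTime": rec["eventTime"],
            "eventName": rec["eventName"],
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "mfa": mfa,
            "authorized": authorized,
            # Any unapproved use, or any use without MFA, goes straight to the on-call queue.
            "severity": "review" if (authorized and mfa) else "high",
        })
    return findings


def matches_pattern(event, pattern):
    """Subset of EventBridge matching: every pattern key must exist; leaf lists are exact-value alternatives."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def as_eventbridge_event(record):
    """Wrap a CloudTrail record the way EventBridge delivers it (detail-type depends on the source)."""
    signin = record["eventSource"] == "signin.amazonaws.com"
    return {"detail-type": "AWS Console Sign In via CloudTrail" if signin else "AWS API Call via CloudTrail",
            "detail": record}


if __name__ == "__main__":
    for finding in root_findings(SAMPLE_RECORDS):
        print(finding)
```

Even the authorized, MFA-backed sign-in is emitted with severity "review": every root use is expected to be reconciled against a ticket, and the CreateAccessKey call is the case to page on, since it both falls outside any approved window and creates a long-term root credential that the best-practices page says should not exist.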
PA-6: Use privileged access workstations / channel for administrative tasks
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): 4.6 - Use Dedicated Workstations For All Administrative Tasks; 11.6 - Use Dedicated Machines For All Network Administrative Tasks; 12.12 - Manage All Devices Remotely Logging into Internal Network
CIS Controls v8 ID(s): 12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work; 13.5 - Manage Access Control for Remote Assets
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): n/a

Security Principle: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator.

Azure Guidance: Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAWs) on-premises or in Azure for privileged tasks. The PAW should be centrally managed to enforce a secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.
You may also use Azure Bastion, a fully platform-managed PaaS service that can be provisioned inside your virtual network. Azure Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using a web browser.

Implementation and additional context (Azure):
Understand privileged access workstations: https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview
Privileged access workstations deployment: https://docs.microsoft.com/security/compass/privileged-access-deployment

AWS Guidance: Use Session Manager in AWS Systems Manager to create an access path (a connection session) to an EC2 instance, or a browser session to AWS resources, for privileged tasks. Session Manager allows RDP, SSH, and HTTPS connectivity to your destination hosts through port forwarding.
You may also choose to deploy privileged access workstations (PAWs) centrally managed through Azure Active Directory, Microsoft Defender, and/or Microsoft Intune. The central management should enforce a secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access.

Implementation and additional context (AWS):
AWS Systems Manager Session Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

Customer Security Stakeholders:
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Operations (SecOps): https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
PA-7: Follow just enough administration (least privilege) principle
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): 14.6 - Protect Information Through Access Control Lists
CIS Controls v8 ID(s): 3.3 - Configure Data Access Control Lists; 6.8 - Define and Maintain Role-Based Access Control
NIST SP800-53 r4 ID(s): AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1 ID(s): 7.1, 7.2

Security Principle: Follow the just enough administration (least privilege) principle to manage permissions at a fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments.

Azure Guidance: Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal.
The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment, which is a condition in a role assignment where a user can only activate the role within the specified start and end dates.
Note: Use Azure built-in roles to allocate permissions and only create custom roles when required.

Implementation and additional context (Azure):
What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview
How to configure RBAC in Azure: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal
How to use Azure AD identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
Azure AD Privileged Identity Management - Time-bound assignment: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do

AWS Guidance: Use AWS IAM policies to manage AWS resource access. There are six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCPs), access control lists (ACLs), and session policies. You may use AWS managed policies for common permission use cases. However, you should be mindful that managed policies may carry excessive permissions that should not be assigned to users.
You may also use AWS ABAC (attribute-based access control) to assign permissions based on attributes (tags) attached to IAM resources, including IAM entities (users or roles) and AWS resources.

Implementation and additional context (AWS):
IAM access policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
AWS ABAC: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html

Customer Security Stakeholders:
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
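The AWS guidance names ABAC and warns that managed policies such as AdministratorAccess may grant more than a role needs, but shows neither what a tag-scoped statement looks like nor how it is decided. The following added example (not benchmark or AWS code; it is a deliberately small evaluator, not the IAM policy engine) implements the subset of IAM semantics needed to show both points: Allow/Deny statements with wildcard Action and Resource, StringEquals conditions with ${aws:PrincipalTag/...} substitution, implicit deny by default and explicit deny winning, plus a lint that flags Allow statements granting every action on every resource. The policy, tag values, account ID and instance ARN are constructed; NotAction, other condition operators and variables embedded inside longer strings are out of scope.

```python
"""Evaluate an ABAC-style IAM policy and flag over-broad grants.

Added example, not MCSB code and not the real IAM engine: it covers Allow/Deny,
wildcards in Action/Resource, and StringEquals with whole-value policy variables.
"""
import fnmatch
import re

# Constructed ABAC policy: a principal may start/stop only instances tagged with its own Project.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartStopOwnProject",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}
            },
        }
    ],
}

# The shape of AdministratorAccess: the managed-policy case the guidance warns about.
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

_VARIABLE = re.compile(r"^\$\{([^}]+)\}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, context):
    """Substitute a whole-value policy variable such as ${aws:PrincipalTag/Project}; None if unset."""
    match = _VARIABLE.match(value)
    return context.get(match.group(1)) if match else value


def _condition_holds(condition, context):
    """StringEquals only; a missing context key makes the condition false (no ...IfExists here)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in pairs.items():
            actual = context.get(key)
            wanted = [_resolve(v, context) for v in _as_list(allowed)]
            if actual is None or actual not in wanted:
                return False
    return True


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; ARNs are not.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request; context holds the aws:* condition keys."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"


def find_wildcard_grants(policy):
    """Indices of unconditional Allow statements granting every action on every resource."""
    hits = []
    for index, stmt in enumerate(policy["Statement"]):
        all_actions = "*" in _as_list(stmt["Action"])
        all_resources = "*" in _as_list(stmt["Resource"])
        if stmt["Effect"] == "Allow" and all_actions and all_resources and not stmt.get("Condition"):
            hits.append(index)
    return hits


if __name__ == "__main__":
    ctx = {"aws:PrincipalTag/Project": "blue", "aws:ResourceTag/Project": "blue"}
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print(evaluate(ABAC_POLICY, "ec2:StopInstances", instance, ctx))
    print(find_wildcard_grants(ADMIN_LIKE_POLICY))
```

The interesting failure mode is a principal with no Project tag: the variable resolves to nothing, the StringEquals comparison fails and the request is implicitly denied, which is why ABAC only works when tagging of principals and resources is itself enforced (for example with tag policies or a permissions boundary).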
PA-8: Determine access process for cloud provider support
Control Domain: Privileged Access
CIS Controls v7.1 ID(s): 16.7 - Establish Process for Revoking Access
CIS Controls v8 ID(s): 6.1 - Establish an Access Granting Process; 6.2 - Establish an Access Revoking Process
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT
PCI-DSS v3.2.1 ID(s): n/a

Security Principle: Establish an approval process and access path for requesting and approving vendor support requests and temporary access to your data through a secure channel.

Azure Guidance: In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and either approve or reject each data access request made by Microsoft.

Implementation and additional context (Azure):
Understand Customer Lockbox: https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview

AWS Guidance: In support scenarios where AWS Support teams need to access your data, open a support case in the AWS Support Center to request support. Review the available options, such as granting read-only data access or a screen-sharing session, for AWS Support to access your data.

Implementation and additional context (AWS):
Access permissions for AWS Support: https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html

Customer Security Stakeholders:
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys