Compliance Frameworks

NIST 800 53 Revision 4

nist_800_53_revision_4_aws

64 Requirements

76 Checks

Description

NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.

Check your compliance status

prowler aws --compliance nist_800_53_revision_4_aws

Run in Prowler Cloud

Compliance Frameworks

NIST 800 53 Revision 4

Description

Compliance MetadataEdit

Check your compliance status

Requirements

The information system automatically disables inactive accounts after 90 days for user accounts.2 Checks

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].11 Checks

Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.2 Checks

Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.18 Checks

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.14 Checks

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.17 Checks

Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.3 Checks

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.1 Checks

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.18 Checks

The information system monitors and controls remote access methods.2 Checks

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.3 Checks

The information system routes all remote accesses through organization-defined managed network access control points.0 Checks

Facilitate information sharing. Enable authorized users to grant access to partners.11 Checks

Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events.12 Checks

The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities.7 Checks

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.7 Checks

The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].5 Checks

The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.0 Checks

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.2 Checks

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.1 Checks

Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.12 Checks

Continuously monitor configuration management processes. Determine security impact, environment and operational risks.9 Checks

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.6 Checks

The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.2 Checks

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.7 Checks

The information system implements multi-factor authentication for network access to privileged accounts.4 Checks

The information system implements multifactor authentication for network access to non-privileged accounts.2 Checks

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).1 Checks

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].1 Checks

The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.0 Checks

The organization employs automated mechanisms to support the incident handling process.5 Checks

The organization employs automated mechanisms to assist in the reporting of security incidents.1 Checks

The organization employs automated mechanisms to increase the availability of incident response-related information and support.1 Checks

Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.2 Checks

The information system separates user functionality (including user interface services) from information system management functionality.3 Checks

The information system prevents unauthorized and unintended information transfer via shared system resources.0 Checks

The organization limits the number of external network connections to the information system.16 Checks

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].3 Checks

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.3 Checks

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].2 Checks

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.1 Checks

The information system protects the authenticity of communications sessions.0 Checks

The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].12 Checks

The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.3 Checks

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.1 Checks

The organization employs automated tools to support near real-time analysis of events.8 Checks

The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.7 Checks

The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].7 Checks

The organization correlates information from monitoring tools employed throughout the information system.2 Checks

The information system performs an integrity check of security relevant events at least monthly.3 Checks

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].1 Checks

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.6 Checks