# Restrict administrative privileges
<a name="restrict-administrative-privileges"></a>

- **Requests for privileged access to systems and applications are validated when first requested.**
  - **Implementation guidance:** [Theme 4: Manage identities](theme-4.md): Implement identity federation
  - **AWS resources:** [Require human users to federate with an identity provider to access AWS by using temporary credentials](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html)
  - **AWS Well-Architected guidance:** [SEC02-BP04 Rely on a centralized identity provider](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html)<br />[SEC03-BP01 Define access requirements](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_define.html)

- **Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.**
  - **Implementation guidance:** [Theme 4: Manage identities](theme-4.md): Implement identity federation<br />[Theme 4: Manage identities](theme-4.md): Rotate credentials
  - **AWS resources:** [Require human users to federate with an identity provider to access AWS by using temporary credentials](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html)<br />[Require workloads to use IAM roles to access AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)<br />[Automate deletion of unused IAM roles](https://aws.amazon.com/blogs/security/how-to-centralize-findings-and-automate-deletion-for-unused-iam-roles/)<br />[Rotate access keys regularly for use cases that require long-term credentials](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html)<br />[AWS Summit ANZ 2023: Your journey to temporary credentials in the cloud](https://www.youtube.com/watch?v=jZnh9U-TA6Q) (YouTube video)
  - **AWS Well-Architected guidance:** [SEC02-BP04 Rely on a centralized identity provider](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html)<br />[SEC02-BP05 Audit and rotate credentials periodically](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_audit.html)

- **Privileged access to systems and applications is automatically disabled after 45 days of inactivity.**
  - **Implementation guidance:** [Theme 4: Manage identities](theme-4.md): Implement identity federation<br />[Theme 4: Manage identities](theme-4.md): Rotate credentials
  - **AWS resources:** [Require human users to federate with an identity provider to access AWS by using temporary credentials](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html)<br />[Require workloads to use IAM roles to access AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)<br />[Automate deletion of unused IAM roles](https://aws.amazon.com/blogs/security/how-to-centralize-findings-and-automate-deletion-for-unused-iam-roles/)<br />[Rotate access keys regularly for use cases that require long-term credentials](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html)<br />[AWS Summit ANZ 2023: Your journey to temporary credentials in the cloud](https://www.youtube.com/watch?v=jZnh9U-TA6Q) (YouTube video)
  - **AWS Well-Architected guidance:** [SEC02-BP04 Rely on a centralized identity provider](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html)<br />[SEC02-BP05 Audit and rotate credentials periodically](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_audit.html)

- **Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.**
  - **Implementation guidance:** [Theme 4: Manage identities](theme-4.md): Apply least privilege permissions
  - **AWS resources:** [Safeguard your root user credentials and don't use them for everyday tasks](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html)<br />[Use IAM Access Analyzer to generate least-privilege policies based on access activity](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/dynamically-generate-an-iam-policy-with-iam-access-analyzer-by-using-step-functions.html)<br />[Verify public and cross-account access to resources with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html)<br />[Use IAM Access Analyzer to validate your IAM policies for secure and functional permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html)<br />[Establish permissions guardrails across multiple accounts](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/organizations.html)<br />[Use permissions boundaries to set the maximum permissions that an identity-based policy can grant](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)<br />[Use conditions in IAM policies to further restrict access](https://aws.amazon.com/blogs/apn/top-recommendations-for-working-with-iam-from-our-aws-heroes-part-3-permissions-boundaries-and-conditions/)<br />[Regularly review and remove unused users, roles, permissions, policies, and credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_last-accessed.html)<br />[Get started with AWS managed policies and move toward least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html)<br />[Use the permission sets feature in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html)
  - **AWS Well-Architected guidance:** [SEC01-BP02 Secure account root user and properties](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_aws_account.html)<br />[SEC03-BP02 Grant least privilege access](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_permissions_least_privileges.html)

- **Privileged accounts are prevented from accessing the internet, email and web services.**
  - **Implementation guidance:** See [Technical example: Restrict administrative privileges](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security/small-business-cloud-security-guide/technical-example-restrict-administrative-privileges) (ACSC website)
  - **AWS resources:** Consider implementing an SCP that [prevents any VPC that doesn't already have internet access from getting it](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_vpc.html#example_vpc_2)
  - **AWS Well-Architected guidance:** Not applicable

- **Privileged users use separate privileged and unprivileged operating environments.**
  - **Implementation guidance:** [Theme 5: Establish a data perimeter](theme-5.md)
  - **AWS resources:** [Establish a data perimeter](https://docs.aws.amazon.com/whitepapers/latest/building-a-data-perimeter-on-aws/building-a-data-perimeter-on-aws.html). Consider implementing data perimeters between environments of different data classifications, such as OFFICIAL:SENSITIVE or PROTECTED, or different risk levels, such as development, test, or production.
  - **AWS Well-Architected guidance:** [SEC06-BP03 Reduce manual management and interactive access](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_reduce_manual_management.html)

- **Privileged operating environments are not virtualised within unprivileged operating environments.**

- **Unprivileged accounts cannot logon to privileged operating environments.**

- **Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.**

- **Just-in-time administration is used for administering systems and applications.**
  - **Implementation guidance:** [Theme 4: Manage identities](theme-4.md): Implement identity federation
  - **AWS resources:** [Require human users to federate with an identity provider to access AWS by using temporary credentials](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html)<br />[Implement temporary elevated access to your AWS environments](https://aws.amazon.com/blogs/security/managing-temporary-elevated-access-to-your-aws-environment/) (AWS blog post)
  - **AWS Well-Architected guidance:** [SEC02-BP04 Rely on a centralized identity provider](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_identities_identity_provider.html)

- **Administrative activities are conducted through jump servers.**
  - **Implementation guidance:** [Theme 1: Use managed services](theme-1.md)<br />[Theme 3: Manage mutable infrastructure with automation](theme-3.md): Use automation rather than manual processes
  - **AWS resources:** Use [Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) or [Run Command](https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html) instead of direct SSH or RDP access
  - **AWS Well-Architected guidance:** [SEC01-BP05 Reduce security management scope](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_reduce_management_scope.html)<br />[SEC06-BP03 Reduce manual management and interactive access](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_reduce_manual_management.html)

- **Credentials for local administrator accounts and service accounts are unique, unpredictable and managed.**
  - **Implementation guidance:** See [Technical example: Restrict administrative privileges](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security/small-business-cloud-security-guide/technical-example-restrict-administrative-privileges) (ACSC website)
  - **AWS resources:** Not applicable
  - **AWS Well-Architected guidance:** Not applicable

- **Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.**

- **Use of privileged access is centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.**
  - **Implementation guidance:** [Theme 7: Centralise logging and monitoring](theme-7.md): Enable logging<br />[Theme 7: Centralise logging and monitoring](theme-7.md): Centralise logs
  - **AWS resources:** [Use CloudWatch Agent to publish OS-level logs to CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html)<br />[Enable CloudTrail for your organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)<br />[Centralise CloudWatch Logs in an account for auditing and analysis](https://aws.amazon.com/blogs/architecture/stream-amazon-cloudwatch-logs-to-a-centralized-account-for-audit-and-analysis/) (AWS blog post)<br />[Centralise management of Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/managing-multiple-accounts.html)<br />[Centralise management of Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html)<br />[Create an organisation-wide aggregator in AWS Config](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) (AWS blog post)<br />[Centralise management of GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html)<br />[Consider using Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html)<br />[Receive CloudTrail logs from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)<br />[Send logs to a log archive account](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/security-ou-and-accounts.html#log-archive-account)
  - **AWS Well-Architected guidance:** [SEC04-BP01 Configure service and application logging](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html)<br />[SEC04-BP02 Capture logs, findings, and metrics in standardized locations](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_logs.html)

- **Changes to privileged accounts and groups are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.**

