Restrict administrative privileges - AWS Prescriptive Guidance

Restrict administrative privileges

| Essential Eight control | Implementation guidance | AWS resources | AWS Well-Architected guidance |
| --- | --- | --- | --- |
| Requests for privileged access to systems and applications are validated when first requested. | Theme 4: Manage identities: Implement identity federation | Require human users to federate with an identity provider to access AWS by using temporary credentials | SEC02-BP04 Rely on a centralized identity provider<br>SEC03-BP01 Define access requirements |
| Privileged access to systems and applications is automatically disabled after 12 months unless revalidated. | Theme 4: Manage identities: Implement identity federation<br>Theme 4: Manage identities: Rotate credentials | Require human users to federate with an identity provider to access AWS by using temporary credentials<br>Require workloads to use IAM roles to access AWS<br>Automate deletion of unused IAM roles<br>Rotate access keys regularly for use cases that require long-term credentials<br>AWS Summit ANZ 2023: Your journey to temporary credentials in the cloud (YouTube video) | SEC02-BP04 Rely on a centralized identity provider<br>SEC02-BP05 Audit and rotate credentials periodically |
| Privileged access to systems and applications is automatically disabled after 45 days of inactivity. | Theme 4: Manage identities: Implement identity federation<br>Theme 4: Manage identities: Rotate credentials | Require human users to federate with an identity provider to access AWS by using temporary credentials<br>Require workloads to use IAM roles to access AWS<br>Automate deletion of unused IAM roles<br>Rotate access keys regularly for use cases that require long-term credentials<br>AWS Summit ANZ 2023: Your journey to temporary credentials in the cloud (YouTube video) | SEC02-BP04 Rely on a centralized identity provider<br>SEC02-BP05 Audit and rotate credentials periodically |
| Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties. | Theme 4: Manage identities: Apply least privilege permissions | Safeguard your root user credentials and don't use them for everyday tasks<br>Use IAM Access Analyzer to generate least-privilege policies based on access activity<br>Verify public and cross-account access to resources with IAM Access Analyzer<br>Use IAM Access Analyzer to validate your IAM policies for secure and functional permissions<br>Establish permissions guardrails across multiple accounts<br>Use permissions boundaries to set the maximum permissions that an identity-based policy can grant<br>Use conditions in IAM policies to further restrict access<br>Regularly review and remove unused users, roles, permissions, policies, and credentials<br>Get started with AWS managed policies and move toward least-privilege permissions<br>Use the permission sets feature in IAM Identity Center | SEC01-BP02 Secure account root user and properties<br>SEC03-BP02 Grant least privilege access |
| Privileged accounts are prevented from accessing the internet, email and web services. | See Technical example: Restrict administrative privileges (ACSC website) | Consider implementing an SCP that prevents any VPC that doesn't already have internet access from getting it | Not applicable |
| Privileged users use separate privileged and unprivileged operating environments.<br>Privileged operating environments are not virtualised within unprivileged operating environments.<br>Unprivileged accounts cannot logon to privileged operating environments.<br>Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. | Theme 5: Establish a data perimeter | Establish a data perimeter. Consider implementing data perimeters between environments of different data classifications, such as OFFICIAL:SENSITIVE or PROTECTED, or different risk levels, such as development, test, or production. | SEC06-BP03 Reduce manual management and interactive access |
| Just-in-time administration is used for administering systems and applications. | Theme 4: Manage identities: Implement identity federation | Require human users to federate with an identity provider to access AWS by using temporary credentials<br>Implement temporary elevated access to your AWS environments (AWS blog post) | SEC02-BP04 Rely on a centralized identity provider |
| Administrative activities are conducted through jump servers. | Theme 1: Use managed services<br>Theme 3: Manage mutable infrastructure with automation: Use automation rather than manual processes | Use Session Manager or Run Command instead of direct SSH or RDP access | SEC01-BP05 Reduce security management scope<br>SEC06-BP03 Reduce manual management and interactive access |
| Credentials for local administrator accounts and service accounts are unique, unpredictable and managed.<br>Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled. | See Technical example: Restrict administrative privileges (ACSC website) | Not applicable | Not applicable |
| Use of privileged access is centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.<br>Changes to privileged accounts and groups are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected. | Theme 7: Centralise logging and monitoring: Enable logging<br>Theme 7: Centralise logging and monitoring: Centralise logs | Use CloudWatch Agent to publish OS-level logs to CloudWatch Logs<br>Enable CloudTrail for your organization<br>Centralise CloudWatch Logs in an account for auditing and analysis (AWS blog post)<br>Centralize management of Amazon Inspector<br>Centralise management of Security Hub<br>Create an organisation-wide aggregator in AWS Config (AWS blog post)<br>Centralise management of GuardDuty<br>Consider using Amazon Security Lake<br>Receive CloudTrail logs from multiple accounts<br>Send logs to a log archive account | SEC04-BP01 Configure service and application logging<br>SEC04-BP02 Capture logs, findings, and metrics in standardized locations |
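The table's row on preventing privileged accounts from reaching the internet suggests an SCP that stops VPCs without internet access from gaining it. The policy below is an added example of that idea, not from the AWS guidance or the ACSC technical example. It denies the EC2 API calls that create a new internet path (creating or attaching an internet gateway, creating an egress-only internet gateway, creating a NAT gateway) for every principal except one exempt network-administration role; the role name `PLACEHOLDER-NetworkAdminRole` is a placeholder and must be replaced with the account's own approved role. Because an SCP only evaluates new API calls, VPCs that already have an internet gateway attached keep it, which is what "doesn't already have internet access" requires.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNewInternetPathsForVpcs",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateNatGateway"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-NetworkAdminRole"
        }
      }
    }
  ]
}
```

Attach the SCP to the organizational unit that holds the accounts where privileged operating environments run. Two caveats a reviewer should check: an SCP does not affect the management account, so the guardrail must be paired with keeping privileged work out of that account; and the deny list covers only gateway-based egress, so indirect paths such as VPC peering or a transit gateway attachment to a VPC that does have internet access need their own review (for example, a data perimeter as the next row of the table suggests).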