Check: SRG-OS-000001-CLD-000010
Cloud Computing Mission Owner SRG:
SRG-OS-000001-CLD-000010
(in version v1 r0.1)
Title
The Mission Owner must configure the customer portal credentials and the Mission Owner application/system privileged accounts for least privilege. (Cat I impact)
Discussion
Specific individuals or entities must be appointed by the DoD Mission Owner's Authorizing Official (AO) to establish plans and policies for the control of privileged user access (to include root account credentials) used to establish, configure, and control a Mission Owner's Virtual Private Cloud (VPC) configuration once connected to the DISN. These individuals or entities establish and manage least-privilege Attribute-Based Access Control (ABAC) accounts and credentials used by privileged DoD users and systems to administer and control DoD cloud service offering configurations. This role is intended to operate at all DoD Information Impact Levels. However, it may not apply to some SaaS solutions where DoD account owners are not required to use the CSP's Identity and Access Management (IdAM) system to administer user accounts and service configurations.
Check Content
If the DoD account owners are required to use the CSP's IdAM system to administer user accounts and service configurations, this is not a finding. Review the site's approval documentation to ensure an individual or entity has been appointed to manage the cloud management service portal. This may be a group or a contracted service. Verify the cloud service offering has been configured to allow only these individuals to perform portal service and virtual instance configuration. If the cloud Mission Owner's Authorizing Official has not configured the cloud service offering for access using PKI, this is a finding.
Fix Text
Have the Mission Owner's AO appoint an individual or entity to manage portal services. Application and enclave administrators should also be appointed. Configure access for these individuals using PKI to access and configure services and virtual instances.
Additional Identifiers
Rule ID: SRG-OS-000001-CLD-000010_rule
Vulnerability ID: SRG-OS-000001-CLD-000010
Group Title:
CCIs
Number | Definition
---|---
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions.
Controls
Number | Title
---|---
AC-2 (1) | Automated System Account Management