This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization specifies the permitted actions for each [FedRAMP Selection (one or more): (H) information system process; role; user] associated with the review, analysis, and reporting of audit information.
NIST 800-53 (r4) Supplemental Guidance:
Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete.
NIST 800-53 (r5) Discussion:
Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete.
38North Guidance:
Meets Minimum Requirement:
The Cloud Service Provider (CSP) needs to define within their audit and accountability policy and procedures the permitted actions for users and roles with Cloud Service Offering (CSO) audit information.
The CSP is required to implement an automated account management solution (e.g., Windows Active Directory) to control and specify the permitted actions (read, write, execute, append, and delete) for users and roles with CSO audit information.
Best Practice:
CSO personnel should typically have read-only access to audit logs. Granting a user the ability to append to or delete audit records allows that user to conceal their own malicious activity within the CSO.
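One way to verify the read-only expectation on a Windows host, as an added example that is not part of the original page or any 38North tooling: the script reads the NTFS ACL on an audit-log directory and reports every principal, other than the designated log-writing account, that holds write, append, delete or permission-change rights. The log path and the allowed writer account are assumptions and should be replaced with the CSO's own values; the same output also serves as assessment evidence for the review described below.

```powershell
# Added example, not from the page. Flags principals on an audit-log directory
# that can modify, append to or delete records, contrary to read-only best practice.
param(
    [string]$LogPath = 'D:\AuditLogs',                    # assumed location of CSO audit logs
    [string[]]$AllowedWriters = @('NT SERVICE\EventLog')  # assumed account allowed to append
)

# Rights that let a principal alter or remove audit records, or change who can.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$acl = Get-Acl -Path $LogPath

# Walk every Allow rule and keep those that grant any bit of the write mask
# to a principal not on the allowed-writer list.
$findings = foreach ($rule in $acl.Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $principal = $rule.IdentityReference.Value
    if ($AllowedWriters -contains $principal) { continue }
    if (($rule.FileSystemRights -band $writeMask) -ne 0) {
        [pscustomobject]@{
            Principal = $principal
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Principals with modify/append/delete rights on $LogPath (expected read-only):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "OK: only $($AllowedWriters -join ', ') can write, append or delete under $LogPath"
}
```

Administrator groups that legitimately hold Full Control will appear in the output; the assessor's question is then whether each listed principal is documented in the audit and accountability policy as permitted to hold that right.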
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review the audit and accountability policy and procedures to determine the defined permitted actions for users and roles with CSO audit information.
Review an account management solution such as Windows Active Directory to determine the specified permitted actions per user and role for CSO audit information.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD