NIST 800-53 r5 · Controls catalogue · Family AC
AC-3 Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (32)
| Rule | What it checks | Resource type | Coverage | Function | Mode | Framework mappings |
|---|---|---|---|---|---|---|
| aws-config-s3-bucket-public-read-prohibited | S3 buckets prohibit public read access | AWS::S3::Bucket | partial | protect | enforce | |
| aws-config-s3-bucket-public-write-prohibited | S3 buckets prohibit public write access | AWS::S3::Bucket | partial | protect | enforce | CIS §2.1.4; Hub S3.8 |
| aws-config-rds-instance-public-access-check | RDS instances are not publicly accessible | AWS::RDS::DBInstance | partial | protect | enforce | CIS v5 §2.2.3; CIS v3 §2.3.3; Hub RDS.2 |
| aws-config-rds-snapshots-public-prohibited | RDS snapshots are not publicly restorable | AWS::RDS::DBSnapshot | partial | recover | enforce | |
| aws-config-ec2-imdsv2-check | EC2 instances require IMDSv2 | AWS::EC2::Instance | partial | protect | enforce | CIS v5 §5.7; CIS v3 §5.6; Hub EC2.8 |
| aws-config-iam-policy-no-statements-with-admin-access | No IAM policy has an Allow statement granting all actions on all resources (`*:*`) | AWS::IAM::Policy | partial | protect | enforce | |
| aws-config-iam-no-inline-policy-check | IAM identities have no inline policies | AWS::IAM::Role | partial | protect | enforce | |
| aws-config-lambda-function-public-access-prohibited | Lambda function resource policies prohibit public invocation | AWS::Lambda::Function | partial | protect | enforce | |
| azure-mcsb-network-restrict-public-storage | Storage accounts deny anonymous public blob access | Microsoft.Storage/storageAccounts | partial | protect | enforce | |
| gcp-cis-storage-bucket-public-access-prohibited | Cloud Storage buckets grant nothing to allUsers or allAuthenticatedUsers | storage.googleapis.com/Bucket | partial | protect | enforce | |
| aws-config-autoscaling-launch-config-public-ip-disabled | Auto Scaling launch configurations do not assign public IPs | AWS::AutoScaling::AutoScalingGroup | partial | protect | enforce | |
| aws-config-dms-replication-not-public | DMS replication instances are not publicly accessible | AWS::DMS::ReplicationInstance | partial | recover | enforce | |
| aws-config-ebs-snapshot-public-restorable-check | EBS snapshots are not publicly restorable | AWS::EC2::Volume | partial | recover | enforce | |
| aws-config-ec2-instance-no-public-ip | EC2 instances have no public IPv4 address | AWS::EC2::Instance | partial | protect | enforce | |
| aws-config-ec2-instance-profile-attached | EC2 instances have an IAM instance profile attached | AWS::EC2::Instance | partial | protect | enforce | |
| aws-config-ecs-containers-readonly-access | ECS container definitions use a read-only root filesystem | AWS::ECS::Service | partial | protect | enforce | |
| aws-config-ecs-task-definition-user-for-host-mode-check | ECS task definitions in host network mode do not run containers privileged or as root | AWS::ECS::Service | partial | protect | enforce | |
| aws-config-elasticsearch-in-vpc-only | Elasticsearch domains are deployed inside a VPC | AWS::OpenSearchService::Domain | partial | protect | enforce | |
| aws-config-emr-master-no-public-ip | EMR cluster master nodes have no public IP | AWS::EMR::Cluster | partial | protect | enforce | |
| aws-config-iam-customer-policy-blocked-kms-actions | Customer-managed IAM policies do not allow the blocked KMS actions | AWS::IAM::Policy | partial | protect | enforce | |
| aws-config-iam-inline-policy-blocked-kms-actions | Inline IAM policies do not allow the blocked KMS actions | AWS::IAM::Policy | partial | protect | enforce | |
| aws-config-iam-policy-no-statements-with-full-access | No IAM policy has an Allow statement granting all actions of a service (`service:*`) | AWS::IAM::Policy | partial | protect | enforce | |
| aws-config-iam-user-group-membership-check | IAM users belong to at least one group | AWS::IAM::User | partial | protect | enforce | |
| aws-config-iam-user-unused-credentials-check | IAM user passwords and access keys are not left unused beyond the configured period | AWS::IAM::User | partial | protect | enforce | CIS v5 §1.11; CIS v3 §1.12; Hub IAM.22 |
| aws-config-lambda-inside-vpc | Lambda functions are deployed inside a VPC | AWS::Lambda::Function | partial | protect | enforce | |
| aws-config-opensearch-in-vpc-only | OpenSearch domains are deployed inside a VPC | AWS::OpenSearchService::Domain | partial | protect | enforce | |
| aws-config-redshift-cluster-public-access-check | Redshift clusters are not publicly accessible | AWS::Redshift::Cluster | partial | protect | enforce | |
| aws-config-s3-account-level-public-access-blocks-periodic | Account-level S3 Block Public Access settings are enabled (periodic evaluation) | AWS::S3::Bucket | partial | protect | enforce | CIS §2.1.4; Hub S3.1 |
| aws-config-s3-bucket-level-public-access-prohibited | Bucket-level S3 Block Public Access settings are enabled | AWS::S3::Bucket | partial | protect | enforce | |
| aws-config-sagemaker-notebook-no-direct-internet-access | SageMaker notebook instances have direct internet access disabled | AWS::SageMaker::NotebookInstance | partial | protect | enforce | |
| aws-config-ssm-document-not-public | SSM documents owned by the account are not shared publicly | AWS::SSM::Document | partial | protect | enforce | |
| aws-config-subnet-auto-assign-public-ip-disabled | Subnets do not auto-assign public IPv4 addresses | AWS::EC2::Subnet | partial | protect | enforce | |
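Two of the IAM rules above, aws-config-iam-policy-no-statements-with-admin-access and aws-config-iam-policy-no-statements-with-full-access, are easy to misread as "look for the literal string `*`". The following is an added example, not code from this catalogue or from AWS Config, that shows what such a check actually has to handle in a policy document: string-or-list fields, case-insensitive action names, the single-statement shorthand, `NotAction` Allows, and Deny statements that must be ignored. The sample policies are constructed here; the function names and the finding format are this example's own assumptions, not the Config rules' output schema.

```python
"""Added example, not code from the catalogue page or from AWS Config: a local
policy-document check that mirrors the intent of two rules in the list above,
aws-config-iam-policy-no-statements-with-admin-access (Allow on all actions
over all resources) and aws-config-iam-policy-no-statements-with-full-access
(Allow on every action of one service, e.g. "s3:*"). The sample policies are
constructed here; the function names and the finding format are this
example's own assumptions, not the Config rules' output schema.
"""
import json
from typing import Dict, List, Union

Finding = Dict[str, str]


def _as_list(value: Union[None, str, List[str]]) -> List[str]:
    """IAM lets Action, NotAction and Resource be a string or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_overbroad_statements(policy_doc: str) -> List[Finding]:
    """Return one finding per Allow statement that grants too much.

    kind == "admin":        all actions ("*" or "*:*") on Resource "*"
    kind == "full_access":  all actions of one service ("<service>:*"),
                            or all actions on a narrower resource set
    A NotAction Allow over Resource "*" is treated as admin: it grants every
    action except the ones listed, which is almost always broader than intended.
    """
    policy = json.loads(policy_doc)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # single-statement shorthand
        statements = [statements]

    findings: List[Finding] = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                          # Deny statements never widen access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        all_resources = "*" in _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            if all_resources:
                findings.append({"sid": sid, "kind": "admin", "action": "NotAction"})
            continue

        for action in _as_list(stmt.get("Action")):
            a = action.lower()                # IAM action names are case-insensitive
            if a in ("*", "*:*"):
                kind = "admin" if all_resources else "full_access"
                findings.append({"sid": sid, "kind": kind, "action": action})
            elif a.endswith(":*") and a.count(":") == 1:
                findings.append({"sid": sid, "kind": "full_access", "action": action})
    return findings


def is_compliant(policy_doc: str) -> bool:
    """Config-style verdict: compliant only when no statement is over-broad."""
    return not find_overbroad_statements(policy_doc)


# Constructed sample policies (not taken from any real account).
SAMPLE_POLICIES = {
    "admin": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    "service_wide": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "S3Everything", "Effect": "Allow",
         "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"}]}),
    "not_action": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AllButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}),
    "scoped": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "DenyEverythingElse", "Effect": "Deny", "Action": "*", "Resource": "*"}]}),
}

if __name__ == "__main__":
    for name, doc in SAMPLE_POLICIES.items():
        verdict = "COMPLIANT" if is_compliant(doc) else "NON_COMPLIANT"
        print(f"{name:13s} {verdict:14s} {find_overbroad_statements(doc)}")
```

The check evaluates one policy document in isolation. Like the Config rules themselves, it says nothing about the effective permissions of a principal: permission boundaries, SCPs, resource policies and session policies can all narrow (or, for resource policies, widen) what a given statement actually permits, so a COMPLIANT verdict here is a necessary condition for AC-3, not a sufficient one.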
ATT&CK techniques this control mitigates (279)
| ID | Technique | Tactic(s) |
|---|---|---|
| T1003 | OS Credential Dumping | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1003.002 | Security Account Manager | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1003.004 | LSA Secrets | Credential Access |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1003.006 | DCSync | Credential Access |
| T1003.007 | Proc Filesystem | Credential Access |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1005 | Data from Local System | Collection |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1021 | Remote Services | Lateral Movement |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1021.004 | SSH | Lateral Movement |
| T1021.005 | VNC | Lateral Movement |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1021.007 | Cloud Services | Lateral Movement |
| T1021.008 | Direct Cloud VM Connections | Lateral Movement |
| T1025 | Data from Removable Media | Collection |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1036 | Masquerading | Defense Evasion |
| T1036.003 | Rename Legitimate Utilities | Defense Evasion |
| T1036.005 | Match Legitimate Resource Name or Location | Defense Evasion |
| T1036.010 | Masquerade Account Name | Defense Evasion |
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
| T1037.002 | Login Hook | Persistence, Privilege Escalation |
| T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
| T1037.004 | RC Scripts | Persistence, Privilege Escalation |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1047 | Windows Management Instrumentation | Execution |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1052.001 | Exfiltration over USB | Exfiltration |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1053.002 | At | Execution, Persistence, Privilege Escalation |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
| T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
| T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1056.003 | Web Portal Capture | Collection, Credential Access |
| T1059 | Command and Scripting Interpreter | Execution |
Weaknesses this control addresses (6) [AI]
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,796 | AC-3 requires an authorization check before every access to a protected resource, so a code path that reaches the resource without consulting policy is a control failure rather than an oversight. |
| CWE-284 | Improper Access Control | 4,905 | Enforcing approved authorizations against a defined policy is the direct implementation of access control; a deny-by-default enforcement point blocks the unauthorized reads and writes this class covers. |
| CWE-863 | Incorrect Authorization | 3,303 | A single policy-driven enforcement point replaces ad hoc checks scattered through individual handlers, which is where inconsistent or inverted authorization logic usually lives. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | 1,897 | When the check binds the requesting subject to the specific object (owner, explicit grant) rather than trusting a client-supplied identifier, swapping the key to another user's record still fails the policy check. |
| CWE-285 | Improper Authorization | 1,252 | Authorization decisions are made and applied per policy on each request, so a subject cannot act beyond its approved authorizations even where a check exists but is incomplete. |
| CWE-425 | Direct Request ('Forced Browsing') | 255 | Enforcement covers every logical request, including URLs requested directly rather than reached through the UI, so unlinked or hidden pages are not a bypass. |
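The three most common shapes in the table (CWE-862, CWE-639 and CWE-425) come from the same root cause: authorization is left to each handler, so one handler forgets it, another trusts a client-supplied id, and a third is reachable by a URL nobody linked. The following is an added example, not code from this catalogue or from any referenced product, showing a vulnerable document handler beside a hardened one that routes every access through a single deny-by-default enforcement point. Users, documents, roles and the grant model are constructed for illustration; the function and field names are this example's own assumptions.

```python
"""Added example, not code from the catalogue page: the weakness classes in the
table above (CWE-862 missing check, CWE-639 user-controlled key, CWE-425
forced browsing) shown as a vulnerable document handler beside a hardened one
that routes every access through a single deny-by-default enforcement point.
Users, documents, roles and the grant model are constructed for illustration;
the function and field names are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: Set[str] = field(default_factory=set)   # read-only shares


# Constructed store: bob's document is shared read-only with carol.
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's payroll", {"carol"}),
}


def fetch_document_vulnerable(user: User, doc_id: int) -> Optional[str]:
    """CWE-862 / CWE-639: the user is authenticated but never authorised; the
    client-supplied doc_id is trusted, so any user who guesses an id reads it."""
    doc = DOCUMENTS.get(doc_id)
    return doc.body if doc else None


def authorize_document(user: User, doc_id: int, action: str) -> Document:
    """Single enforcement point for document access (AC-3 in code).

    Deny by default; the subject must be the owner, hold the admin role, or
    (for reads only) appear in the document's share list. Raises rather than
    returning None so a caller cannot forget to check the result, and uses one
    error for 'missing' and 'forbidden' so the check is not an enumeration oracle.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise PermissionError("access denied")
    if "admin" in user.roles or doc.owner == user.name:
        return doc
    if action == "read" and user.name in doc.shared_with:
        return doc
    raise PermissionError("access denied")


def fetch_document(user: User, doc_id: int) -> str:
    return authorize_document(user, doc_id, "read").body


def update_document(user: User, doc_id: int, body: str) -> None:
    authorize_document(user, doc_id, "write").body = body


# Route table: the required role is declared next to the handler, so the
# dispatcher applies the check to every request instead of trusting each handler.
Handler = Callable[[User, Dict[str, str]], str]
ROUTES: Dict[str, Tuple[Optional[str], Handler]] = {
    "/docs/view":    (None,    lambda u, p: fetch_document(u, int(p["id"]))),
    "/admin/export": ("admin", lambda u, p: "export of all documents"),
}


def dispatch(user: User, path: str, params: Dict[str, str]) -> Tuple[int, str]:
    """CWE-425: a URL typed directly gets exactly the same checks as one reached
    through the UI, because authorisation lives in the dispatcher, not in links."""
    route = ROUTES.get(path)
    if route is None:
        return 404, ""
    required_role, handler = route
    if required_role is not None and required_role not in user.roles:
        return 403, ""
    try:
        return 200, handler(user, params)
    except PermissionError:
        return 403, ""
    except (KeyError, ValueError):              # missing or malformed parameter
        return 400, ""


if __name__ == "__main__":
    mallory, carol = User("mallory"), User("carol")
    print("vulnerable:", fetch_document_vulnerable(mallory, 2))   # leaks bob's payroll
    print("hardened:  ", dispatch(mallory, "/docs/view", {"id": "2"}))
    print("shared:    ", dispatch(carol, "/docs/view", {"id": "2"}))
    print("forced:    ", dispatch(mallory, "/admin/export", {}))
```

The two design choices worth copying are that `authorize_document` raises instead of returning a sentinel (a forgotten `if` cannot silently grant access) and that the same `PermissionError` is used for "does not exist" and "not yours", so an attacker iterating ids cannot learn which ones are valid.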
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-12480 (KEV) | 8.5 | 9.1 | 0.7832 | good |
| CVE-2025-6205 (KEV) | 8.0 | 9.1 | 0.6951 | good |
| CVE-2025-13315 | 7.1 | 9.8 | 0.8499 | good |
| CVE-2024-46310 | 6.8 | 9.1 | 0.8300 | good |
| CVE-2024-57968 (KEV) | 6.4 | 9.9 | 0.4106 | good |
| CVE-2015-10140 | 6.2 | 8.8 | 0.7387 | good |
| CVE-2015-10143 | 6.0 | 9.8 | 0.6745 | good |
| CVE-2024-12252 | 5.9 | 9.8 | 0.6649 | good |
| CVE-2012-10030 | 5.6 | 9.8 | 0.6098 | good |
| CVE-2025-24989 (KEV) | 5.5 | 8.2 | 0.3162 | good |
| CVE-2026-27180 | 4.9 | 9.8 | 0.4880 | good |
| CVE-2026-28515 | 4.4 | 8.8 | 0.4425 | good |
| CVE-2024-57049 | 4.0 | 9.8 | 0.3460 | good |
| CVE-2025-48572 (KEV) | 3.6 | 7.8 | 0.0021 | good |
| CVE-2024-12542 | 3.5 | 8.6 | 0.3039 | good |
| CVE-2024-55963 | 3.5 | 6.5 | 0.3723 | good |
| CVE-2025-66301 | 3.5 | 9.6 | 0.2622 | good |
| CVE-2026-20133 (KEV, UPD) | 3.4 | 6.5 | 0.0136 | good |
| CVE-2025-40602 (KEV) | 3.3 | 6.6 | 0.0015 | good |
| CVE-2026-2025 | 3.2 | 7.5 | 0.2881 | good |
| CVE-2026-39339 | 3.1 | 9.1 | 0.2127 | good |
| CVE-2023-47179 (UPD) | 2.9 | 8.8 | 0.1915 | good |
| CVE-2025-11833 | 2.9 | 9.8 | 0.1525 | good |
| CVE-2026-31816 | 2.8 | 9.1 | 0.1643 | good |
| CVE-2024-12365 | 2.8 | 8.5 | 0.1826 | good |