NIST 800-53 r5 · Controls catalogue · Family AC

AC-5Separation of Duties

Identify and document {{ insert: param, ac-05_odp }} ; and Define system access authorizations to support separation of duties.

Last updated: 19 May 2026 14:18 UTC

Implementations targeting this control (6)

aws-config-iam-policy-no-statements-with-admin-access No IAM policy grants full admin (*:*) AWS::IAM::Policy partial protect enforce
aws-config-ecs-containers-readonly-access Ecs Containers Readonly Access AWS::ECS::Service partial protect enforce
aws-config-ecs-task-definition-user-for-host-mode-check Ecs Task Definition User For Host Mode Check AWS::ECS::Service partial protect enforce
aws-config-iam-customer-policy-blocked-kms-actions Iam Customer Policy Blocked Kms Actions AWS::IAM::Policy partial protect enforce
aws-config-iam-inline-policy-blocked-kms-actions Iam Inline Policy Blocked Kms Actions AWS::IAM::Policy partial protect enforce
aws-config-iam-policy-no-statements-with-full-access Iam Policy No Statements With Full Access AWS::IAM::Policy partial protect enforce

ATT&CK techniques this control mitigates (165)

T1003 OS Credential Dumping Credential Access
T1003.001 LSASS Memory Credential Access
T1003.002 Security Account Manager Credential Access
T1003.003 NTDS Credential Access
T1003.004 LSA Secrets Credential Access
T1003.005 Cached Domain Credentials Credential Access
T1003.006 DCSync Credential Access
T1003.007 Proc Filesystem Credential Access
T1003.008 /etc/passwd and /etc/shadow Credential Access
T1021 Remote Services Lateral Movement
T1021.001 Remote Desktop Protocol Lateral Movement
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1021.003 Distributed Component Object Model Lateral Movement
T1021.004 SSH Lateral Movement
T1021.006 Windows Remote Management Lateral Movement
T1021.007 Cloud Services Lateral Movement
T1047 Windows Management Instrumentation Execution
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1053.002 At Execution, Persistence, Privilege Escalation
T1053.003 Cron Execution, Persistence, Privilege Escalation
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
T1053.007 Container Orchestration Job Execution, Persistence, Privilege Escalation
T1055 Process Injection Stealth, Privilege Escalation
T1055.008 Ptrace System Calls Stealth, Privilege Escalation
T1056.003 Web Portal Capture Collection, Credential Access
T1059 Command and Scripting Interpreter Execution
T1059.001 PowerShell Execution
T1059.008 Network Device CLI Execution
T1070 Indicator Removal Stealth
T1070.003 Clear Command History Stealth
T1070.007 Clear Network Connection History and Configurations Stealth
T1070.008 Clear Mailbox Data Stealth
T1070.009 Clear Persistence Stealth
T1072 Software Deployment Tools Execution, Lateral Movement
T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.001 Default Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.002 Domain Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1087.004 Cloud Account Discovery
T1098 Account Manipulation Persistence, Privilege Escalation
T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
T1098.002 Additional Email Delegate Permissions Persistence, Privilege Escalation
T1098.003 Additional Cloud Roles Persistence, Privilege Escalation
T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
T1098.005 Device Registration Persistence, Privilege Escalation
T1098.007 Additional Local or Domain Groups Persistence, Privilege Escalation
T1110 Brute Force Credential Access
T1110.001 Password Guessing Credential Access

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-284`	Improper Access Control	4,905	Defining authorizations to support separation of duties strengthens overall access control by preventing unauthorized combinations of actions within a single account.
`CWE-269`	Improper Privilege Management	2,936	By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
`CWE-285`	Improper Authorization	1,252	The control requires authorizations to be structured around separated duties, mitigating improper authorization that would otherwise allow one user to perform conflicting operations.
`CWE-266`	Incorrect Privilege Assignment	836	The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
`CWE-250`	Execution with Unnecessary Privileges	311	Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges.
`CWE-272`	Least Privilege Violation	26	Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2026-29789`	2.0	9.9	0.0007	partial
`CVE-2026-27668`	1.8	8.8	0.0005	good
`CVE-2026-29073`	1.8	8.8	0.0007	partial
`CVE-2026-30944`	1.8	8.8	0.0006	partial
`CVE-2026-26416`	1.8	8.8	0.0005	good
`CVE-2026-25859`	1.8	8.8	0.0002	partial
`CVE-2026-34587`	1.6	8.1	0.0003	partial
`CVE-2026-40591`	1.4	7.1	0.0003	partial
`CVE-2025-0849`	1.3	6.3	0.0003	partial
`CVE-2025-25616`	0.9	4.3	0.0057	partial

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-6 AC-7 AC-8 AC-9