NIST 800-53 r5 · Controls catalogue · Family AU
AU-9 Protection of Audit Information
Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (5)
- aws-config-s3-bucket-server-side-encryption-enabled · S3 bucket has default server-side encryption · AWS::S3::Bucket · partial · protect · enforce
- aws-config-cloudtrail-enabled · CloudTrail is enabled in the account · AWS::CloudTrail::Trail · partial · detect · enforce
- aws-config-cloud-trail-log-file-validation-enabled · CloudTrail log file validation is enabled · AWS::CloudTrail::Trail · partial · detect · enforce · CIS §3.2 · Hub CloudTrail.4
- aws-config-cloud-trail-encryption-enabled · Cloud Trail Encryption Enabled · AWS::CloudTrail::Trail · partial · detect · enforce · CIS §3.5 · Hub CloudTrail.2
- aws-config-s3-default-encryption-kms · S3 Default Encryption Kms · AWS::S3::Bucket · partial · protect · enforce
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (3) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,259 | Protecting audit information prevents exposure of sensitive data contained within logs to unauthorized actors. |
| CWE-284 | Improper Access Control | 4,905 | The control directly enforces access controls to prevent unauthorized access, modification, or deletion of audit information and tools. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Audit logs and logging tools are critical resources whose protection requires correct permission assignments to block unauthorized actions. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-27682 | 2.0 | 9.8 | 0.0021 | good |
| CVE-2024-13513 | 2.0 | 9.8 | 0.0015 | good |
| CVE-2026-4788 | 1.7 | 8.4 | 0.0001 | good |
| CVE-2025-22960 | 1.6 | 8.0 | 0.0026 | good |
| CVE-2026-28261 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2026-0383 | 1.6 | 7.8 | 0.0001 | good |
| CVE-2024-57957 | 1.3 | 6.6 | 0.0010 | good |
| CVE-2025-13315 | 7.1 | 9.8 | 0.8499 | good |
| CVE-2024-48852 | 2.0 | 9.4 | 0.0270 | good |
| CVE-2025-30424 | 2.0 | 9.8 | 0.0022 | good |
| CVE-2025-11008 | 2.0 | 9.8 | 0.0021 | good |
| CVE-2026-0905 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2024-52975 | 1.8 | 9.0 | 0.0034 | good |
| CVE-2026-23493 | 1.7 | 8.6 | 0.0000 | good |
| CVE-2026-22038 | 1.6 | 8.1 | 0.0011 | good |
| CVE-2024-8474 | 1.6 | 7.5 | 0.0084 | partial |
| CVE-2026-23775 | 1.5 | 7.6 | 0.0002 | good |
| CVE-2025-67223 | 1.5 | 7.5 | 0.0015 | good |
| CVE-2026-4276 | 1.5 | 7.5 | 0.0007 | good |
| CVE-2025-1075 | 1.5 | 7.5 | 0.0021 | good |
| CVE-2025-26495 | 1.5 | 7.5 | 0.0012 | good |
| CVE-2026-34487 | 1.5 | 7.5 | 0.0009 | good |
| CVE-2026-34969 UPD | 1.5 | 7.5 | 0.0006 | partial |
| CVE-2025-24169 | 1.5 | 7.5 | 0.0004 | partial |
| CVE-2025-24556 UPD | 1.5 | 7.5 | 0.0006 | good |