ssc-spc-ccoe-cei / azure-guardrails-solution-accelerator

This implementation automates reporting to verify compliance with GC Cloud Guardrails. SSC and TBS review the results.

GR1 | Validation 3 | MFA and Count for Global Administrator Accounts (M) #134

Open MathesonSho opened 3 months ago

MathesonSho commented 3 months ago

ItemName ENG: "MFA and Count for Global Administrator Accounts (M)"

ItemName FR: "AMF et compte pour des comptes d'administrateur général (M)"

Description: This is an existing control, "Global Administrators Accounts MFA check"; however, the logic has added a count and the check can be improved.

Ideal Control check would follow the following flow…

  1. Getting a list of Azure Cloud Native Accounts automatically (MS Entra ID)

     a. OR using the current attestation logic and,

  2. then determine which users have the Global Administrator role (Indirect and Direct).

  3. If all identified accounts (excl. BG Accounts) have 2+ methods of authentication then the department is compliant.

     Note: This check excludes the breakglass accounts provided by the department in the config.json.

  4. If any of the identified accounts (excl. BG Accounts) do not have MFA then the department is non-compliant

  5. If the identified accounts are less than 2 or more than 6 the department is non-compliant.

New French Comment to add: globalAdminAccntsSurplus = Il doit y avoir six comptes d’administrateur général ou moins.

globalAdminAccntsSurplus = There must be six or fewer global administrator accounts.
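
The flow requested in the issue above, written out in PowerShell as an added example (it is not the project's code or the issue author's). The function names, the data shapes and the sample accounts are hypothetical and constructed. Two assumptions go beyond the issue text: "has MFA" is read as two or more registered methods (step 3), and the 2-to-6 count is applied after break-glass accounts are excluded.

```powershell
# Constructed sample data (not from a real tenant); names and shapes are assumptions.
$roleMembers = @(   # direct assignees of the Global Administrator role
    [pscustomobject]@{ Type = 'user';  Id = 'alice@contoso.example' }
    [pscustomobject]@{ Type = 'user';  Id = 'bg1@contoso.example' }
    [pscustomobject]@{ Type = 'group'; Id = 'grp-ga' }
)
$groupMembers = @{  # group id -> members; groups may nest, and here they form a cycle
    'grp-ga'  = @([pscustomobject]@{ Type = 'user';  Id = 'bob@contoso.example' },
                  [pscustomobject]@{ Type = 'group'; Id = 'grp-ops' })
    'grp-ops' = @([pscustomobject]@{ Type = 'user';  Id = 'Alice@contoso.example' },
                  [pscustomobject]@{ Type = 'group'; Id = 'grp-ga' })
}
$authMethodCount = @{ 'alice@contoso.example' = 2; 'bob@contoso.example' = 1 }
$breakGlass      = @('BG1@contoso.example')   # as listed in config.json

function Resolve-GlobalAdmin {
    # Step 2: expand direct and indirect (group-based) assignments into unique users.
    param($Members, [hashtable]$Groups)
    $users = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $seen  = [System.Collections.Generic.HashSet[string]]::new()   # groups already expanded
    $queue = [System.Collections.Generic.Queue[object]]::new()
    foreach ($m in $Members) { $queue.Enqueue($m) }
    while ($queue.Count -gt 0) {
        $m = $queue.Dequeue()
        if ($m.Type -eq 'user') { [void]$users.Add($m.Id) }
        elseif ($seen.Add($m.Id)) { foreach ($c in $Groups[$m.Id]) { $queue.Enqueue($c) } }
    }
    ,@($users)
}

function Test-GlobalAdminMfa {
    # Steps 3-5: exclude break-glass accounts, require 2+ methods each, enforce the count.
    param([string[]]$Admins, [string[]]$BreakGlass, [hashtable]$MethodCount)
    $checked = @($Admins | Where-Object { $_ -notin $BreakGlass })   # -notin ignores case
    $noMfa   = @($checked | Where-Object { [int]$MethodCount[$_] -lt 2 })   # unknown user = 0
    $countOk = $checked.Count -ge 2 -and $checked.Count -le 6
    [pscustomobject]@{
        Checked    = $checked; WithoutMfa = $noMfa; CountInRange = $countOk
        Comment    = $(if ($checked.Count -gt 6) { 'globalAdminAccntsSurplus' })
        Compliant  = ($noMfa.Count -eq 0) -and $countOk
    }
}

$admins = Resolve-GlobalAdmin -Members $roleMembers -Groups $groupMembers
Test-GlobalAdminMfa -Admins $admins -BreakGlass $breakGlass -MethodCount $authMethodCount | Format-List
```

The sample is built so that an account reachable both directly and through a nested group is counted once, and so that a break-glass entry written in different letter case is still excluded.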