Hi Team,

I have enabled the "NIST Special Publication 800-53 Revision 5" standard in Security Hub, and it covers the majority of the service controls.
But some service controls are not covered by Security Hub. I just want to know how to remediate them / what settings to apply in the AWS account.
Please provide remediation steps to fix the service controls below:
- Service control ID: AC-10
  Service Control Title: CONCURRENT SESSION CONTROL
  Control: Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
- Service control ID: AC-12
  Service Control Title:
  Control: Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
- Service control ID: IA-4 (6)
  Service Control Title: CROSS-ORGANIZATION MANAGEMENT
  Control: Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations].
  Discussion: Cross-organization identifier management provides the capability to identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.
- Service control ID: PM-31
  Service Control Title: CONTINUOUS MONITORING STRATEGY
  Control: Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
  a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics];
  b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
  c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
  d. Correlation and analysis of information generated by control assessments and monitoring;
  e. Response actions to address results of the analysis of control assessment and monitoring information; and
  f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].