NIST 800-53 r5 · Controls catalogue · Family AC
AC-3 Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (7)
| Implementation | Description | Resource type | Coverage |
|---|---|---|---|
| aws-config-s3-bucket-public-read-prohibited | S3 buckets prohibit public read access | AWS::S3::Bucket | partial |
| aws-config-s3-bucket-public-write-prohibited | S3 buckets prohibit public write access | AWS::S3::Bucket | partial |
| aws-config-rds-instance-public-access-check | RDS instances are not publicly accessible | AWS::RDS::DBInstance | partial |
| aws-config-rds-snapshots-public-prohibited | RDS snapshots are not publicly restorable | AWS::RDS::DBSnapshot | partial |
| aws-config-lambda-function-public-access-prohibited | Lambda function policies prohibit public invocation | AWS::Lambda::Function | partial |
| azure-mcsb-network-restrict-public-storage | Storage accounts deny public-blob access | Microsoft.Storage/storageAccounts | partial |
| gcp-cis-storage-bucket-public-access-prohibited | Cloud Storage buckets disallow allUsers / allAuthenticatedUsers | storage.googleapis.com/Bucket | partial |
ATT&CK techniques this control mitigates (279)
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1005 Data from Local System Collection
- T1020.001 Traffic Duplication Exfiltration
- T1021 Remote Services Lateral Movement
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1021.007 Cloud Services Lateral Movement
- T1021.008 Direct Cloud VM Connections Lateral Movement
- T1025 Data from Removable Media Collection
- T1027 Obfuscated Files or Information Stealth
- T1036 Masquerading Stealth
- T1036.003 Rename Legitimate Utilities Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.010 Masquerade Account Name Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.002 Login Hook Persistence, Privilege Escalation
- T1037.003 Network Logon Script Persistence, Privilege Escalation
- T1037.004 RC Scripts Persistence, Privilege Escalation
- T1037.005 Startup Items Persistence, Privilege Escalation
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1047 Windows Management Instrumentation Execution
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.003 Cron Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
- T1053.007 Container Orchestration Job Execution, Persistence, Privilege Escalation
- T1055 Process Injection Stealth, Privilege Escalation
- T1055.008 Ptrace System Calls Stealth, Privilege Escalation
- T1055.009 Proc Memory Stealth, Privilege Escalation
- T1056.003 Web Portal Capture Collection, Credential Access
- T1059 Command and Scripting Interpreter Execution
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Requiring enforcement of authorizations ensures checks are performed rather than omitted for resources. |
| CWE-284 | Improper Access Control | 4,832 | Enforcing approved authorizations directly implements access control policies to block unauthorized access. |
| CWE-863 | Incorrect Authorization | 3,234 | Mandating policy-based enforcement reduces the chance of incorrect authorization logic being used. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | 1,837 | Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective. |
| CWE-285 | Improper Authorization | 1,230 | The control requires checking and applying authorization decisions per policy, preventing improper authorization. |
| CWE-425 | Direct Request ('Forced Browsing') | 255 | Enforcing access for all logical requests prevents unauthorized direct access to protected resources. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-12480 KEV | 8.5 | 9.1 | 0.7832 | good |
| CVE-2025-6205 KEV | 8.5 | 9.1 | 0.7772 | good |
| CVE-2025-13315 | 6.9 | 9.8 | 0.8288 | good |
| CVE-2024-46310 | 6.8 | 9.1 | 0.8300 | good |
| CVE-2024-57968 KEV | 6.6 | 9.9 | 0.4366 | good |
| CVE-2015-10143 | 6.0 | 9.8 | 0.6745 | good |
| CVE-2024-12252 | 5.9 | 9.8 | 0.6649 | good |
| CVE-2012-10030 | 5.6 | 9.8 | 0.6098 | good |
| CVE-2025-24989 KEV | 5.5 | 8.2 | 0.3162 | good |
| CVE-2015-10140 | 5.2 | 8.8 | 0.5710 | good |
| CVE-2026-27180 | 4.9 | 9.8 | 0.4880 | good |
| CVE-2026-28515 | 4.4 | 8.8 | 0.4425 | good |
| CVE-2024-57049 | 4.0 | 9.8 | 0.3460 | good |
| CVE-2025-48572 KEV | 3.6 | 7.8 | 0.0021 | good |
| CVE-2024-12542 | 3.5 | 8.6 | 0.3039 | good |
| CVE-2024-55963 | 3.5 | 6.5 | 0.3723 | good |
| CVE-2025-66301 | 3.5 | 9.6 | 0.2622 | good |
| CVE-2026-20133 KEV | 3.4 | 6.5 | 0.0127 | good |
| CVE-2025-40602 KEV | 3.3 | 6.6 | 0.0041 | good |
| CVE-2026-2025 | 3.2 | 7.5 | 0.2799 | good |
| CVE-2025-29814 | 3.1 | 9.3 | 0.2086 | good |
| CVE-2023-47179 | 2.9 | 8.8 | 0.1915 | good |
| CVE-2025-11833 | 2.9 | 9.8 | 0.1525 | good |
| CVE-2026-31816 | 2.8 | 9.1 | 0.1586 | good |
| CVE-2024-12365 | 2.8 | 8.5 | 0.1826 | good |