NIST 800-53 r5 · Controls catalogue · Family AC

AC-6Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (4)

aws-config-iam-root-access-key-check Root account has no active access keys AWS::IAM::AccountSummary partial
aws-config-iam-policy-no-statements-with-admin-access No IAM policy grants full admin (*:*) AWS::IAM::Policy mostly
aws-config-iam-no-inline-policy-check IAM identities have no inline policies AWS::IAM::Role partial
gcp-cis-iam-no-primitive-roles No primitive roles granted at the project level cloudresourcemanager.googleapis.com/Project mostly

ATT&CK techniques this control mitigates (268)

T1003 OS Credential Dumping Credential Access
T1003.001 LSASS Memory Credential Access
T1003.002 Security Account Manager Credential Access
T1003.003 NTDS Credential Access
T1003.004 LSA Secrets Credential Access
T1003.005 Cached Domain Credentials Credential Access
T1003.006 DCSync Credential Access
T1003.007 Proc Filesystem Credential Access
T1003.008 /etc/passwd and /etc/shadow Credential Access
T1005 Data from Local System Collection
T1020.001 Traffic Duplication Exfiltration
T1021 Remote Services Lateral Movement
T1021.001 Remote Desktop Protocol Lateral Movement
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1021.003 Distributed Component Object Model Lateral Movement
T1021.004 SSH Lateral Movement
T1021.005 VNC Lateral Movement
T1021.006 Windows Remote Management Lateral Movement
T1021.007 Cloud Services Lateral Movement
T1021.008 Direct Cloud VM Connections Lateral Movement
T1025 Data from Removable Media Collection
T1036 Masquerading Stealth
T1036.003 Rename Legitimate Utilities Stealth
T1036.005 Match Legitimate Resource Name or Location Stealth
T1041 Exfiltration Over C2 Channel Exfiltration
T1047 Windows Management Instrumentation Execution
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1052 Exfiltration Over Physical Medium Exfiltration
T1052.001 Exfiltration over USB Exfiltration
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1053.002 At Execution, Persistence, Privilege Escalation
T1053.003 Cron Execution, Persistence, Privilege Escalation
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
T1053.007 Container Orchestration Job Execution, Persistence, Privilege Escalation
T1055 Process Injection Stealth, Privilege Escalation
T1055.001 Dynamic-link Library Injection Stealth, Privilege Escalation
T1055.002 Portable Executable Injection Stealth, Privilege Escalation
T1055.003 Thread Execution Hijacking Stealth, Privilege Escalation
T1055.004 Asynchronous Procedure Call Stealth, Privilege Escalation
T1055.005 Thread Local Storage Stealth, Privilege Escalation
T1055.008 Ptrace System Calls Stealth, Privilege Escalation
T1055.009 Proc Memory Stealth, Privilege Escalation
T1055.011 Extra Window Memory Injection Stealth, Privilege Escalation
T1055.012 Process Hollowing Stealth, Privilege Escalation
T1055.013 Process Doppelgänging Stealth, Privilege Escalation
T1055.014 VDSO Hijacking Stealth, Privilege Escalation
T1056.003 Web Portal Capture Collection, Credential Access

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-284`	Improper Access Control	4,832	Supports proper access control through restriction to only authorized necessary accesses.
`CWE-269`	Improper Privilege Management	2,907	Implements core proper privilege management by restricting to only required rights.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,824	Prevents overly permissive assignments to critical resources by limiting to task needs.
`CWE-276`	Incorrect Default Permissions	1,757	Guides setting of default permissions to the minimum required level.
`CWE-285`	Improper Authorization	1,230	Requires authorization to grant only the minimal privileges needed for tasks.
`CWE-266`	Incorrect Privilege Assignment	826	Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
`CWE-250`	Execution with Unnecessary Privileges	305	Directly prevents execution with more privileges than needed for assigned tasks.
`CWE-272`	Least Privilege Violation	25	Enforces the least privilege principle to avoid violations of minimal necessary access.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2024-57726` KEV	6.9	9.9	0.4916	good
`CVE-2015-10139`	4.7	8.8	0.4855	good
`CVE-2026-33825` KEV	3.9	7.8	0.0485	good
`CVE-2024-57778`	2.4	8.8	0.1138	good
`CVE-2026-31852`	2.0	10.0	0.0012	good
`CVE-2026-26725`	2.0	9.8	0.0023	good
`CVE-2025-13563`	2.0	9.8	0.0004	good
`CVE-2024-12284`	2.0	8.8	0.0424	good
`CVE-2025-34274`	2.0	9.8	0.0082	good
`CVE-2026-32922`	2.0	9.9	0.0028	good
`CVE-2025-62645`	2.0	9.9	0.0021	good
`CVE-2025-31194`	2.0	9.8	0.0048	good
`CVE-2026-25212`	2.0	9.9	0.0006	good
`CVE-2024-36046`	2.0	9.8	0.0026	good
`CVE-2022-41572`	2.0	9.8	0.0024	good
`CVE-2025-13619`	2.0	9.8	0.0019	good
`CVE-2025-8900`	2.0	9.8	0.0018	good
`CVE-2025-34515`	2.0	9.8	0.0016	good
`CVE-2025-11533`	2.0	9.8	0.0021	good
`CVE-2025-0180`	2.0	9.8	0.0033	good
`CVE-2025-33223`	2.0	9.8	0.0017	good
`CVE-2025-13538`	2.0	9.8	0.0018	good
`CVE-2026-4880`	2.0	9.8	0.0014	good
`CVE-2025-13542`	2.0	9.8	0.0015	good
`CVE-2025-13540`	2.0	9.8	0.0018	good

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-7 AC-8 AC-9