AWS AWS Single Sign-On Capability Group

All Mappings

| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078 | Valid Accounts | |
| aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078.004 | Cloud Accounts | This control may protect against malicious use of valid accounts by implementing fine-grained and least-privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management. |
| aws_single_sign-on | AWS Single Sign-On | protect | partial | T1078.002 | Domain Accounts | This control may protect against malicious use of valid accounts by implementing fine-grained and least-privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management. |
| aws_single_sign-on | AWS Single Sign-On | protect | significant | T1133 | External Remote Services | This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts. |
| aws_single_sign-on | AWS Single Sign-On | protect | partial | T1110 | Brute Force | This control may not provide any mitigation against password cracking. |
| aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.001 | Password Guessing | This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement. |
| aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.003 | Password Spraying | This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement. |
| aws_single_sign-on | AWS Single Sign-On | protect | significant | T1110.004 | Credential Stuffing | This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replaced with single sign-on can benefit from a unified multi-factor authentication requirement. |

Capabilities

| Capability ID | Capability Name | Number of Mappings |
| --- | --- | --- |
| aws_single_sign-on | AWS Single Sign-On | 8 |