Object Storage
Object storage is a data storage architecture that manages data as objects, rather than as files or blocks. Each object contains the data itself, metadata, and a unique identifier, making it ideal for storing large amounts of unstructured data such as multimedia files, backups, and archives. It is highly scalable and often used in cloud environments due to its flexibility and accessibility.
Release Details
Contributors
- Sonali Mendis (smendis-scottlogic), Scott Logic
- Eddie Knight (eddie-knight), Sonatype
- Michael Lysaght (mlysaght2017), Citi
- Dave Ogle (dogle-scottlogic), Scott Logic
- Damien Burks (damienjburks), Citi
- Naseer Mohammad (nas-hub), Google
Change Log
- This initial release contains a variety of commits designed to capture all of the features, threats, and controls for this service category.
Features
ID | Title | Description |
---|---|---|
CCC.F01 | Encryption in Transit Enabled by Default | Provides default encryption of data in transit through SSL or TLS. |
CCC.F02 | Encryption at Rest Enabled by Default | Provides default encryption of data before storage, with the option for clients to maintain control over the encryption keys. |
CCC.F03 | Access/Activity Logs | Provides users with the ability to track all requests made to or activities performed on resources for audit purposes. |
CCC.F04 | Transaction Rate Limits | Allows the setting of a threshold where industry-standard throughput is achieved up to the specified rate limit. |
CCC.F05 | Signed URLs | Provides the ability to grant temporary or restricted access to a resource through a custom URL that contains authentication information. |
CCC.F06 | Identity Based Access Control | Provides the ability to determine access to resources based on attributes associated with a user identity. |
CCC.F07 | Event Notifications | Publishes events for creation, deletion, and modification of objects in a way that enables users to trigger actions in response. |
CCC.F08 | Multi-zone Deployment | Provides the ability for the service to be deployed in multiple availability zones or regions to increase availability and fault tolerance. |
CCC.F09 | Monitoring | Provides the ability to continuously observe, track, and analyze the performance, availability, and health of the service resources or applications. |
CCC.F10 | Logging | Provides the ability to transmit system events, application activities, and/or user interactions to a logging service. |
CCC.F11 | Backup | Provides the ability to create copies of associated data or configurations in the form of automated backups, snapshot-based backups, and/or incremental backups. |
CCC.F12 | Recovery | Provides the ability to restore data, a system, or an application to a functional state after an incident such as data loss, corruption or a disaster. |
CCC.F13 | Infrastructure as Code | Allows for managing and provisioning service resources through machine-readable configuration files, such as templates. |
CCC.F14 | API Access | Allows users to interact programmatically with the service and its resources using APIs, SDKs and CLI. |
CCC.F15 | Cost Management | Provides the ability to filter spending and to detect cost anomalies for the service. |
CCC.F16 | Budgeting | Provides the ability to trigger alerts when spending thresholds are approached or exceeded for the service. |
CCC.F17 | Alerting | Provides the ability to set an alarm based on performance metrics, logs, events or spending thresholds of the service. |
CCC.F18 | Versioning | Provides the ability to maintain multiple versions of the same resource. |
CCC.F19 | On-demand Scaling | Provides scaling of resources based on demand. |
CCC.F20 | Tagging | Provides the ability to tag a resource in order to manage it effectively and gain insights into it. |
CCC.F21 | Replication | Provides the ability to copy data or resources to multiple locations to ensure availability and durability. |
CCC.F22 | Location Lock-In | Provides the ability to control where resources are created. |
CCC.F23 | Network Access Rules | Provides the ability to control access to a resource by defining network access rules. |
CCC.ObjStor.F01 | Storage Buckets | Provides uniquely identifiable segmentations in which data elements may be stored. |
CCC.ObjStor.F02 | Storage Objects | Supports storing, accessing, and managing data elements which contain both data and metadata. |
CCC.ObjStor.F03 | Bucket Capacity Limit | Provides the ability to set a maximum total capacity for objects within a bucket. |
CCC.ObjStor.F04 | Object Size Limit | Supports setting a maximum object size for storing objects. |
CCC.ObjStor.F05 | Store New Objects | Supports storing a new object in the bucket. |
CCC.ObjStor.F06 | Replace Stored Objects | Supports replacing an object in the bucket with a new object under the same key. |
CCC.ObjStor.F07 | Delete Stored Objects | Supports deleting objects from the bucket given the object key. |
CCC.ObjStor.F08 | Lifecycle Policies | Supports defining policies to automate data management tasks. |
CCC.ObjStor.F09 | Object Modification Locks | Allows locking of objects to disable modification and/or deletion of an object for a defined period of time. |
CCC.ObjStor.F10 | Object Level Access Control | Supports controlling access to specific objects within the object store. |
CCC.ObjStor.F11 | Querying | Supports performing simple select queries to retrieve only a subset of objects from the bucket. |
CCC.ObjStor.F12 | Storage Classes | Provides different storage classes for frequently and infrequently accessed objects. |
Threats
ID | Title | Description | MITRE ATT&CK |
---|---|---|---|
CCC.TH01 | Access Control is Misconfigured | An attacker can exploit misconfigured access controls to grant excessive privileges or gain unauthorized access to sensitive resources. | |
CCC.TH02 | Data is Intercepted in Transit | In the event that encrypted communication is not properly in effect, an attacker can intercept traffic between clients and the service to read or modify the data during transmission. | |
CCC.TH03 | Deployment Region Network is Untrusted | If any part of the service is deployed in a hostile, unstable, or insecure location, an attacker may attempt to access the resource or intercept data by exploiting privileged network access or physical vulnerabilities. | |
CCC.TH04 | Data is Replicated to Untrusted or External Locations | An attacker could replicate data to untrusted or external locations if replication configurations are not properly restricted. This could result in data leakage or exposure to unauthorized entities outside the organization's trusted perimeter. | |
CCC.TH05 | Data is Corrupted During Replication | Malicious actors may attempt to corrupt, delay, or delete data during replication processes across multiple regions or availability zones, affecting the integrity and availability of data. | |
CCC.TH06 | Data is Lost or Corrupted | Data loss or corruption can occur due to accidental deletion, misconfiguration, or malicious activity. This can result in the loss of critical data, service disruption, or unauthorized access to sensitive information. | |
CCC.TH07 | Logs are Tampered With or Deleted | Attackers may tamper with or delete logs to cover their tracks and evade detection. This prevents security teams from identifying the full scope of an attack and may disrupt forensic investigations. | |
CCC.TH08 | Cost Management Data is Manipulated | Attackers may manipulate cost management data to hide excessive resource consumption or to deceive users about resource usage. This could be used to exhaust budgets, cause financial losses, or evade detection of other attacks. | |
CCC.TH09 | Logs or Monitoring Data are Read by Unauthorized Users | Unauthorized access to logs or monitoring data can provide attackers with valuable information about the system's configuration, operations, and security mechanisms. This can be used to identify vulnerabilities, plan attacks, or evade detection. | |
CCC.TH10 | Alerts are Intercepted | Malicious actors may exploit event notifications to monitor and intercept information about sensitive operations or access patterns. | |
CCC.TH11 | Event Notifications are Incorrectly Triggered | Malicious actors may exploit event notifications to trigger sensitive operations or access patterns. Alternately, attackers may flood the system with notifications to obfuscate another attack or overwhelm the service to disrupt legitimate operations. | |
CCC.TH12 | Resource Constraints are Exhausted | An attack or misconfiguration can consume all available resources, such as memory, CPU, or storage, to disrupt the service or deny access to legitimate users. This can be achieved through repeated requests, resource-intensive operations, or the lowering of rate/budget limits. Through auto-scaling, the attacker may also attempt to exhaust higher-level budget thresholds to impact other systems in the same scope. | |
CCC.TH13 | Resource Tags are Manipulated | Attackers may manipulate resource tags to alter organizational policies, disrupt billing, or evade detection. This can result in mismanaged resources, unauthorized access, or financial abuse. | |
CCC.TH14 | Older Resource Versions are Exploited | Attackers may exploit vulnerabilities in older versions of resources, taking advantage of deprecated or insecure configurations. Without proper version control and monitoring, outdated versions can be used to bypass security measures. | |
CCC.TH15 | Automated Enumeration and Reconnaissance by Non-human Entities | Attackers may deploy automated processes or bots to perform reconnaissance activities by enumerating resources such as APIs, file systems, or directories. These activities can help attackers identify vulnerabilities, misconfigurations, or unsecured resources, which can then be exploited for unauthorized access or data theft. | |
CCC.ObjStor.TH01 | Data Exfiltration via Insecure Lifecycle Policies | Misconfigured lifecycle policies may unintentionally allow data to be exfiltrated or destroyed prematurely, resulting in a loss of availability and potential exposure of sensitive data. | |
CCC.ObjStor.TH02 | Improper Enforcement of Object Modification Locks | Attackers may exploit vulnerabilities in object modification locks to delete or alter objects despite the lock being in place, leading to data loss or tampering. | |
Controls
ID | Title | Objective | Control Family |
---|---|---|---|
CCC.C01 | Prevent Unencrypted Requests | Ensure that all communications are encrypted in transit to protect data integrity and confidentiality. | Data |
CCC.C02 | Ensure Data Encryption at Rest for All Stored Data | Ensure that all data stored is encrypted at rest to maintain confidentiality and integrity. | Encryption |
CCC.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. This may include something you know, something you have, or something you are. In the case of programmatically accessible services, such as API endpoints, this includes a combination of API keys or tokens and network restrictions. | Identity and Access Management |
CCC.C04 | Log All Access and Changes | Ensure that all access and changes are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring |
CCC.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls prevent unauthorized access, mitigate risks of data exfiltration, and block misuse of services by adversaries. This includes restricting access based on trust criteria such as IP allowlists, domain restrictions, and tenant isolation. | Identity and Access Management |
CCC.C06 | Prevent Deployment in Restricted Regions | Ensure that resources are not provisioned or deployed in geographic regions or cloud availability zones that have been designated as restricted or prohibited, to comply with regulatory requirements and reduce exposure to geopolitical risks. | Data |
CCC.C07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Logging & Monitoring |
CCC.C08 | Enable Multi-zone or Multi-region Data Replication | Ensure that data is replicated across multiple zones or regions to protect against data loss due to hardware failures, natural disasters, or other catastrophic events. | Data |
CCC.C09 | Prevent Tampering, Deletion, or Unauthorized Access to Access Logs | Access logs should always be considered sensitive. Ensure that access logs are protected against unauthorized access, tampering, or deletion. | Data |
CCC.C10 | Prevent Data Replication to Destinations Outside of Defined Trust Perimeter | Prevent replication of data to untrusted destinations outside of defined trust perimeter. An untrusted destination is defined as a resource that exists outside of a specified trusted identity or network or data perimeter. | Data |
CCC.C11 | Enforce Key Management Policies | Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). | Encryption |
CCC.ObjStor.C01 | Prevent Requests to Buckets or Objects with Untrusted KMS Keys | Prevent any requests to object storage buckets or objects using untrusted KMS keys to protect against unauthorized data encryption that can impact data availability and integrity. | Data |
CCC.ObjStor.C02 | Enforce Uniform Bucket-level Access to Prevent Inconsistent Permissions | Ensure that uniform bucket-level access is enforced across all object storage buckets. This prevents the use of ad-hoc or inconsistent object-level permissions, ensuring centralized, consistent, and secure access management in accordance with the principle of least privilege. | Identity and Access Management |
CCC.ObjStor.C03 | Prevent Bucket Deletion Through Irrevocable Bucket Retention Policy | Ensure that an object storage bucket cannot be deleted after creation, and that this preventative measure cannot be unset. | Data |
CCC.ObjStor.C04 | Objects have an Effective Retention Policy by Default | Ensure that all objects stored in the object storage system have a retention policy applied by default, preventing premature deletion or modification of objects and ensuring compliance with data retention regulations. | Data |
CCC.ObjStor.C05 | Versioning is Enabled for All Objects in the Bucket | Ensure that versioning is enabled for all objects stored in the object storage bucket to enable recovery of previous versions of objects in case of loss or corruption. | Data |
CCC.ObjStor.C06 | Access Logs are Stored in a Separate Data Store | Ensure that access logs for object storage buckets are stored in a separate data store to protect against unauthorized access, tampering, or deletion of logs (log buckets are exempt from this requirement, but must be tlp_red). | Data |