CCC Virtual Private Cloud
This document specifies the minimal set of features that a virtual private cloud service should provide to be considered for use in financial services ecosystems.
Release Details
Contributors
- Michael Lysaght (mlysaght2017), Citi
- Sonali Mendis (smendis-scottlogic), Scott Logic
- Eddie Knight (eddie-knight), Sonatype
- Dave Ogle (dogle-scottlogic), Scott Logic
- kazmik23 (kazmik23), Google
Change Log
- This initial release contains a variety of commits designed to capture all of the features, threats, and controls for this service category.
Features
ID | Title | Description |
---|---|---|
CCC.F01 | Encryption in Transit Enabled by Default | Provides default encryption of data in transit through SSL or TLS. |
CCC.F02 | Encryption at Rest Enabled by Default | Provides default encryption of data before storage, with the option for clients to maintain control over the encryption keys. |
CCC.F03 | Access/Activity Logs | Provides users with the ability to track all requests made to or activities performed on resources for audit purposes. |
CCC.F04 | Transaction Rate Limits | Allows the setting of a threshold where industry-standard throughput is achieved up to the specified rate limit. |
CCC.F05 | Signed URLs | Provides the ability to grant temporary or restricted access to a resource through a custom URL that contains authentication information. |
CCC.F06 | Identity Based Access Control | Provides the ability to determine access to resources based on attributes associated with a user identity. |
CCC.F07 | Event Notifications | Publishes events for creation, deletion, and modification of objects in a way that enables users to trigger actions in response. |
CCC.F08 | Multi-zone Deployment | Provides the ability for the service to be deployed in multiple availability zones or regions to increase availability and fault tolerance. |
CCC.F09 | Monitoring | Provides the ability to continuously observe, track, and analyze the performance, availability, and health of the service resources or applications. |
CCC.F10 | Logging | Provides the ability to transmit system events, application activities, and/or user interactions to a logging service. |
CCC.F11 | Backup | Provides the ability to create copies of associated data or configurations in the form of automated backups, snapshot-based backups, and/or incremental backups. |
CCC.F12 | Recovery | Provides the ability to restore data, a system, or an application to a functional state after an incident such as data loss, corruption or a disaster. |
CCC.F13 | Infrastructure as Code | Allows for managing and provisioning service resources through machine-readable configuration files, such as templates. |
CCC.F14 | API Access | Allows users to interact programmatically with the service and its resources using APIs, SDKs and CLI. |
CCC.F15 | Cost Management | Provides the ability to filter spending and to detect cost anomalies for the service. |
CCC.F16 | Budgeting | Provides the ability to trigger alerts when spending thresholds are approached or exceeded for the service. |
CCC.F17 | Alerting | Provides the ability to set an alarm based on performance metrics, logs, events or spending thresholds of the service. |
CCC.F18 | Versioning | Provides the ability to maintain multiple versions of the same resource. |
CCC.F19 | On-demand Scaling | Provides scaling of resources based on demand. |
CCC.F20 | Tagging | Provides the ability to tag a resource in order to manage it effectively and gain insight into its usage. |
CCC.F21 | Replication | Provides the ability to copy data or resources to multiple locations to ensure availability and durability. |
CCC.F22 | Location Lock-In | Provides the ability to control where the resources are created. |
CCC.F23 | Network Access Rules | Ability to control access to the resource by defining network access rules. |
CCC.VPC.F01 | Isolated Custom Network Creation | Ability to create a virtual network that is isolated from other users of the same public cloud. |
CCC.VPC.F02 | IPv4 CIDR Block | Ability to assign an IPv4 CIDR block to the virtual network. |
CCC.VPC.F03 | IPv6 CIDR Block | Ability to assign an IPv6 CIDR block to the virtual network. |
CCC.VPC.F04 | Public Subnet Creation | Ability to create a subnet that allows resources within the subnet to communicate with the public internet. |
CCC.VPC.F05 | Private Subnet Creation | Ability to create a subnet whose resources cannot directly access the public internet. |
CCC.VPC.F06 | Multiple Availability Zones for Subnets | Ability to spread subnets across more than one availability zone. |
CCC.VPC.F07 | Routing Control | Ability to control traffic within the VPC and between the VPC and the internet or on-premises networks using customizable route tables. |
CCC.VPC.F08 | Connectivity Options - Internet Gateway | Enables direct internet access for resources within a VPC. |
CCC.VPC.F09 | Connectivity Options - NAT Gateways | Allows instances in private subnets to access the internet without exposing them to inbound internet traffic. |
CCC.VPC.F10 | Connectivity Options - Private Connection | Provides dedicated, private, high-speed connections between on-premises networks and the cloud VPC. |
CCC.VPC.F11 | Connectivity Options - VPC Peering | Establishes a private connection between two VPCs so that they can communicate directly. |
CCC.VPC.F12 | Connectivity Options - Transit Gateways | Provides a hub-and-spoke model for connecting multiple VPCs and on-premises networks. |
CCC.VPC.F13 | Connectivity Options - Site-to-site VPN | Provides an encrypted connection over the internet between a VPC and an on-premises network. |
CCC.VPC.F14 | Built-in DNS Resolution | Resolves hostnames to IP addresses for instances within the VPC allowing instances to communicate using hostnames instead of IP addresses. |
CCC.VPC.F15 | Built-in DHCP Resolution | Automatically assigns IP addresses, subnet masks, default gateways, and other network configuration to instances within the VPC. |
CCC.VPC.F16 | Flow Logs | Ability to capture information about the IP traffic going through the VPC. |
CCC.VPC.F17 | VPC Endpoints | Ability to provide secure, private connectivity between resources within a VPC and other services without traversing the public internet. |
Threats
ID | Title | Description | MITRE ATT&CK |
---|---|---|---|
CCC.TH01 | Access Control is Misconfigured | An attacker can exploit misconfigured access controls to grant excessive privileges or gain unauthorized access to sensitive resources. | |
CCC.TH02 | Data is Intercepted in Transit | In the event that encrypted communication is not properly in effect, an attacker can intercept traffic between clients and the service to read or modify the data during transmission. | |
CCC.TH03 | Deployment Region Network is Untrusted | If any part of the service is deployed in a hostile, unstable, or insecure location, an attacker may attempt to access the resource or intercept data by exploiting privileged network access or physical vulnerabilities. | |
CCC.TH04 | Data is Replicated to Untrusted or External Locations | An attacker could replicate data to untrusted or external locations if replication configurations are not properly restricted. This could result in data leakage or exposure to unauthorized entities outside the organization's trusted perimeter. | |
CCC.TH05 | Data is Corrupted During Replication | Malicious actors may attempt to corrupt, delay, or delete data during replication processes across multiple regions or availability zones, affecting the integrity and availability of data. | |
CCC.TH06 | Data is Lost or Corrupted | Data loss or corruption can occur due to accidental deletion, misconfiguration, or malicious activity. This can result in the loss of critical data, service disruption, or unauthorized access to sensitive information. | |
CCC.TH07 | Logs are Tampered With or Deleted | Attackers may tamper with or delete logs to cover their tracks and evade detection. This prevents security teams from identifying the full scope of an attack and may disrupt forensic investigations. | |
CCC.TH08 | Cost Management Data is Manipulated | Attackers may manipulate cost management data to hide excessive resource consumption or to deceive users about resource usage. This could be used to exhaust budgets, cause financial losses, or evade detection of other attacks. | |
CCC.TH09 | Logs or Monitoring Data are Read by Unauthorized Users | Unauthorized access to logs or monitoring data can provide attackers with valuable information about the system's configuration, operations, and security mechanisms. This can be used to identify vulnerabilities, plan attacks, or evade detection. | |
CCC.TH10 | Alerts are Intercepted | Malicious actors may exploit event notifications to monitor and intercept information about sensitive operations or access patterns. | |
CCC.TH11 | Event Notifications are Incorrectly Triggered | Malicious actors may exploit event notifications to trigger sensitive operations or access patterns. Alternately, attackers may flood the system with notifications to obfuscate another attack or overwhelm the service to disrupt legitimate operations. | |
CCC.TH12 | Resource Constraints are Exhausted | An attack or misconfiguration can consume all available resources, such as memory, CPU, or storage, to disrupt the service or deny access to legitimate users. This can be achieved through repeated requests, resource-intensive operations, or the lowering of rate/budget limits. Through auto-scaling, the attacker may also attempt to exhaust higher-level budget thresholds to impact other systems in the same scope. | |
CCC.TH13 | Resource Tags are Manipulated | Attackers may manipulate resource tags to alter organizational policies, disrupt billing, or evade detection. This can result in mismanaged resources, unauthorized access, or financial abuse. | |
CCC.TH14 | Older Resource Versions are Exploited | Attackers may exploit vulnerabilities in older versions of resources, taking advantage of deprecated or insecure configurations. Without proper version control and monitoring, outdated versions can be used to bypass security measures. | |
CCC.TH15 | Automated Enumeration and Reconnaissance by Non-human Entities | Attackers may deploy automated processes or bots to perform reconnaissance activities by enumerating resources such as APIs, file systems, or directories. These activities can help attackers identify vulnerabilities, misconfigurations, or unsecured resources, which can then be exploited for unauthorized access or data theft. | |
CCC.VPC.TH01 | Unauthorized Access via Insecure Default Networks | Default network configurations may include insecure settings and open firewall rules, leading to unauthorized access and potential data breaches. | |
CCC.VPC.TH02 | Exposure of Resources to Public Internet | Assignment of external IP addresses to resources exposes resources to the public internet, increasing the risk of attacks such as brute force, exploitation of vulnerabilities, or unauthorized access. | |
CCC.VPC.TH03 | Unauthorized Network Access Through VPC Peering | Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved subscriptions, leading to potential data exposure or exfiltration. | |
CCC.VPC.TH04 | Lack of Network Visibility due to Disabled VPC Flow Logs | VPC subnets with disabled flow logs lack critical network traffic visibility, which can lead to undetected unauthorized access, data exfiltration, and network misconfigurations. This lack of visibility increases the risk of undetected security incidents. | |
CCC.VPC.TH05 | Overly Permissive VPC Endpoint Policies | VPC Endpoint policies that are overly permissive may inadvertently expose resources within the VPC to unintended principals or external threats. | |
Controls
ID | Title | Objective | Control Family |
---|---|---|---|
CCC.C01 | Prevent Unencrypted Requests | Ensure that all communications are encrypted in transit to protect data integrity and confidentiality. | Data |
CCC.C02 | Ensure Data Encryption at Rest for All Stored Data | Ensure that all data stored is encrypted at rest to maintain confidentiality and integrity. | Encryption |
CCC.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. This may include something you know, something you have, or something you are. In the case of programmatically accessible services, such as API endpoints, this includes a combination of API keys or tokens and network restrictions. | Identity and Access Management |
CCC.C04 | Log All Access and Changes | Ensure that all access and changes are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring |
CCC.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls prevent unauthorized access, mitigate risks of data exfiltration, and block misuse of services by adversaries. This includes restricting access based on trust criteria such as IP allowlists, domain restrictions, and tenant isolation. | Identity and Access Management |
CCC.C06 | Prevent Deployment in Restricted Regions | Ensure that resources are not provisioned or deployed in geographic regions or cloud availability zones that have been designated as restricted or prohibited, to comply with regulatory requirements and reduce exposure to geopolitical risks. | Data |
CCC.C07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Logging & Monitoring |
CCC.C08 | Enable Multi-zone or Multi-region Data Replication | Ensure that data is replicated across multiple zones or regions to protect against data loss due to hardware failures, natural disasters, or other catastrophic events. | Data |
CCC.C09 | Prevent Tampering, Deletion, or Unauthorized Access to Access Logs | Access logs should always be considered sensitive. Ensure that access logs are protected against unauthorized access, tampering, or deletion. | Data |
CCC.C10 | Prevent Data Replication to Destinations Outside of Defined Trust Perimeter | Prevent replication of data to untrusted destinations outside of a defined trust perimeter. An untrusted destination is defined as a resource that exists outside of a specified trusted identity, network, or data perimeter. | Data |
CCC.C11 | Enforce Key Management Policies | Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). | Encryption |
CCC.VPC.C01 | Restrict Default Network Creation | Restrict the automatic creation of default virtual networks and related resources during subscription initialization to avoid insecure default configurations and enforce custom network policies. | Network Security |
CCC.VPC.C02 | Limit Resource Creation in Public Subnet | Restrict the creation of resources in the public subnet with direct access to the internet to minimize attack surfaces. | Network Security |
CCC.VPC.C03 | Restrict VPC Peering to Authorized Accounts | Ensure VPC peering connections are only established with explicitly authorized destinations to limit network exposure and enforce boundary controls. | Network Security |
CCC.VPC.C04 | Enforce VPC Flow Logs on VPCs | Ensure VPCs are configured with flow logs enabled to capture traffic information. | Network Security |