diff --git a/services/storage/object/controls.md b/services/storage/object/controls.md index 5d79ad20..97f21048 100644 --- a/services/storage/object/controls.md +++ b/services/storage/object/controls.md @@ -30,9 +30,9 @@ Prevent any unencrypted requests to the object storage bucket, ensuring that all The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: -1. **CCC.OS.C1.TR.01** {#CCC.OS.C1.TR.01}: All supported network data protocols must be running on secure channels. -2. **CCC.OS.C1.TR.02** {#CCC.OS.C1.TR.02}: All clear text channels should be disabled. -3. **CCC.OS.C1.TR.03** {#CCC.OS.C1.TR.03}: The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. [NIST/MITRE proposed latest standard cipher suites](#). +1. [**CCC.OS.C1.TR01**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR01): All supported network data protocols must be running on secure channels. +2. [**CCC.OS.C1.TR02**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR02): All clear text channels should be disabled. +3. [**CCC.OS.C1.TR03**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR03): The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. [NIST/MITRE proposed latest standard cipher suites](#). --- 
@@ -82,9 +82,9 @@ Ensure that all human user access to object storage buckets requires multi-facto The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: -1. **CCC.OS.C3.TR.01** {#CCC.OS.C3.TR.01}: Verify that MFA is enforced for all access attempts to the object storage bucket. -2. **CCC.OS.C3.TR.02** {#CCC.OS.C3.TR.02}: Ensure that MFA is required for all administrative access to the storage management interface. -3. **CCC.OS.C3.TR.03** {#CCC.OS.C3.TR.03}: Confirm that users are unable to access the object storage bucket without completing MFA. +1. [**CCC.OS.C3.TR01**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR01): Verify that MFA is enforced for all access attempts to the object storage bucket. +2. [**CCC.OS.C3.TR02**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR02): Ensure that MFA is required for all administrative access to the storage management interface. +3. [**CCC.OS.C3.TR03**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR03): Confirm that users are unable to access the object storage bucket without completing MFA. --- diff --git a/services/storage/object/tests/ccc-os-c1.feature b/services/storage/object/tests/ccc-os-c1.feature new file mode 100644 index 00000000..7aaccf15 --- /dev/null +++ b/services/storage/object/tests/ccc-os-c1.feature 
@@ -0,0 +1,66 @@ +@CCC.OS.C1.TR01 +Feature: All supported network data protocols must be running on secure channels + +""" +This feature ensures that all supported network data protocols are running on secure channels to protect data in transit. +""" + +@CCC.OS.C1.TR01.T01 +Scenario: Ensure HTTPS succeeds + Given you own the object storage bucket + When an encrypted HTTPS request is made to the bucket + Then the request is allowed + +@CCC.OS.C1.TR01.T02 +Scenario: Ensure SFTP succeeds + Given you own the object storage bucket + When an encrypted SFTP request is made to the bucket + Then the request is allowed + +@CCC.OS.C1.TR01.T03 +Scenario: Ensure gRPC over TLS succeeds + Given you own the object storage bucket + When an encrypted gRPC request is made to the bucket + Then the request is allowed + +--- + +@CCC.OS.C1.TR02 +Feature: All clear text channels should be disabled + +""" +This feature ensures that all clear text channels are disabled to prevent unencrypted data transmission. +""" + +@CCC.OS.C1.TR02.T01 +Scenario: Ensure HTTP fails + Given you own the object storage bucket + When an HTTP request is made to the bucket + Then the request is denied + +@CCC.OS.C1.TR02.T02 +Scenario: Ensure FTP fails + Given you own the object storage bucket + When an FTP request is made to the bucket + Then the request is denied + +@CCC.OS.C1.TR02.T03 +Scenario: Ensure unencrypted gRPC fails + Given you own the object storage bucket + When an unencrypted gRPC request is made to the bucket + Then the request is denied + +--- + +@CCC.OS.C1.TR03 +Feature: The cipher suite implemented should conform with the latest suggested cipher suites + +""" +This feature ensures that the cipher suite implemented for data encryption conforms with the latest suggested standards. 
+""" + +@CCC.OS.C1.TR03.T01 +Scenario: Ensure all known weak cipher suites are not supported + Given you own the object storage bucket + When a request with a weak cipher suite is made to the bucket + Then the request must fail diff --git a/services/storage/object/tests/ccc-os-c3.feature b/services/storage/object/tests/ccc-os-c3.feature new file mode 100644 index 00000000..f42bdaeb --- /dev/null +++ b/services/storage/object/tests/ccc-os-c3.feature @@ -0,0 +1,42 @@ +@CCC.OS.C3.TR01 +Feature: Verify that MFA is enforced for all access attempts to the object storage bucket + +""" +This feature ensures that multi-factor authentication (MFA) is enforced for all access attempts to the object storage bucket. +""" + +@CCC.OS.C3.TR01.T01 +Scenario: Enforce MFA for access + Given you own the object storage bucket + When an access attempt is made to the bucket + Then MFA is enforced + +--- + +@CCC.OS.C3.TR02 +Feature: Verify that MFA is enforced for all access attempts to the object storage bucket + +""" +This feature ensures that multi-factor authentication (MFA) is required for all administrative access to the object storage bucket. +""" + +@CCC.OS.C3.TR02.T01 +Scenario: Require MFA for administrative access + Given you own the object storage bucket + When administrative access is attempted + Then MFA is required + +--- + +@CCC.OS.C3.TR03 +Feature: Verify that MFA is enforced for all access attempts to the object storage bucket + +""" +This feature ensures that access to the object storage bucket is blocked if multi-factor authentication (MFA) is not used. +""" + +@CCC.OS.C3.TR03.T01 +Scenario: Block access without MFA + Given you own the object storage bucket + When an access attempt is made without MFA + Then access is denied \ No newline at end of file
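Review bot: in the controls.md hunk at @@ -30, the TR03 bullet still ends in a dead placeholder link, `[NIST/MITRE proposed latest standard cipher suites](#)`; since this hunk rewrites that line anyway, either point it at the actual reference or drop the bracketed link until one exists. The new targets such as `./tests/ccc-os-c1.feature#CCC.OS.C1.TR01` also rely on a fragment anchor inside a `.feature` file: a Gherkin tag like `@CCC.OS.C1.TR01` is not rendered as an HTML anchor, so the fragment will not resolve and the link only reaches the file. Consider linking to the file alone, or keep the `{#CCC.OS.C1.TR.01}` ids the removed lines carried so in-document cross-references keep working.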
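Review bot: in the controls.md hunk at @@ -82, TR01 ("all access attempts") is broader than the control objective shown in the hunk header ("all human user access to object storage buckets requires multi-factor"). Workload and service identities generally cannot complete MFA, so as written the validation would fail any compliant bucket that a pipeline reads from. Scope TR01 and TR03 to human or interactive identities to match the objective. TR03 ("users are unable to access the object storage bucket without completing MFA") also restates TR01 rather than adding a distinct validation; if the intent is a negative test (an attempt without MFA is denied) alongside a positive one (an attempt with MFA succeeds), say so in the wording of each.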
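Review bot: the new `ccc-os-c1.feature` is not valid Gherkin as written: a `.feature` file holds a single `Feature:` block, `---` is not a Gherkin separator, and `"""` doc strings are only legal beneath a step, not beneath `Feature:`. Either split TR01, TR02 and TR03 into one file each, or keep one `Feature:` with the explanatory text as the plain description under it and make each TR a tagged `Rule` or group of scenarios. Two content points as well. The TR01 scenarios assume every bucket serves SFTP and gRPC; most object stores expose only HTTPS, so `Scenario: Ensure SFTP succeeds` would fail on a compliant bucket. Guard them with a precondition such as `Given the bucket exposes an SFTP endpoint`, or phrase the rule as "every protocol the bucket does expose runs over an encrypted channel". In TR03, "a weak cipher suite" is undefined, and the outcome `Then the request must fail` differs from the `Then the request is denied` wording used everywhere else; name the suite list the step enumerates (the controls.md reference for TR03 is still a placeholder), use one outcome phrase, and add the positive case that an approved suite is accepted.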
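Review bot: in the new `ccc-os-c3.feature`, the `Feature:` titles for TR02 and TR03 are copied from TR01 ("Verify that MFA is enforced for all access attempts to the object storage bucket") and contradict their own doc strings and the controls.md text (administrative access to the management interface; blocking access without MFA). Rename them to match. The outcomes `Then MFA is enforced` and `Then MFA is required` are not observable results an automated step can assert; state what the tester sees, e.g. `Then the request is denied until a second factor is presented`, which also separates TR01.T01 from TR03.T01 (at present both test the same thing from opposite sides). The shared precondition `Given you own the object storage bucket` says nothing about the identity under test; the MFA scenarios need a setup such as `Given a human user identity without an MFA session`. Finally, add the missing trailing newline at end of file.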