Added C6 & C7 to yaml

Signed-off-by: Eddie Knight <[email protected]>
finos · Aug 15, 2024 · 90817d8 · 90817d8
1 parent 80c770b
commit 90817d8
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 183 deletions.
diff --git a/services/storage/object/controls.md b/services/storage/object/controls.md
diff --git a/services/storage/object/controls.yaml b/services/storage/object/controls.yaml
@@ -93,3 +93,45 @@ controls:
       01: Verify that all access attempts to the object storage bucket are logged.
       02: Ensure that all changes to the object storage bucket configurations are logged.
       03: Confirm that logs are protected against unauthorized access and tampering.
+  - id: CCC.OS.C6
+    feature_id: CCC.OS.F19
+    title: Prevent access to object storage from untrusted cloud tenants and services
+    objective: Ensure secure management of access to object storage resources, preventing unauthorized data access, exfiltration, and misuse of legitimate services by adversaries.
+    nist_csf: 
+      - PR.PT-3
+      - PR.PT-4
+    mitre_attack: 
+      - T1021
+    control_mappings:
+      CCM: 
+        - DS-5
+      ISO_27001: 
+        - 2013 A.13.1.3
+      NIST_800_53: 
+        - AC-3
+    test_requirements:
+      01: Verify that object storage endpoint can be blocked from public access.
+      02: Verify that object storage can be blocked from cloud services deployed on the same cloud tenant.
+      03: Confirm that it's possible to prevent access to object storage from other cloud tenants, even if those tenants have network connectivity to the cloud tenant hosting the object storage.
+  - id: CCC.OS.C7
+    feature_id: CCC.OS.F20
+    title: Prevent deploying object storage in restricted regions
+    objective: Ensure that object storage resources are not provisioned or deployed in geographic regions or cloud availability zones that have been designated as restricted or prohibited, to comply with regulatory requirements and reduce exposure to geopolitical risks.
+    nist_csf: 
+      - PR.AC-3
+      - PR.DS-5
+      - RS.AN-3
+    mitre_attack: 
+      - T1583
+    control_mappings:
+      CCM: 
+        - DSI-06
+        - DSI-08
+      ISO_27001: 
+        - 2013 A.11.1.1
+      NIST_800_53: 
+        - AC-6
+    test_requirements:
+      01: Verify that object storage resources are not deployed in any of the restricted regions or cloud availability zones.
+      02: Ensure that the cloud provider's configuration management tools are used to enforce restrictions on provisioning in prohibited regions.
+      03: Confirm that object storage backups and copies are not allowed to be stored in restricted regions or cloud availability zones.