From cf393c9bc38dd59d9a5bf53ed339d5b7a50d0bc7 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Fri, 30 Aug 2024 06:21:14 -0700 Subject: [PATCH] Convert Object Storage development files from MD to YAML (#325) Signed-off-by: Eddie Knight --- services/storage/object/controls.md | 229 ------------------ services/storage/object/controls.yaml | 181 ++++++++++++++ .../storage/object/tests/ccc-os-c1.feature | 20 +- .../storage/object/tests/ccc-os-c3.feature | 12 +- services/storage/object/threats.md | 11 - services/storage/object/threats.yaml | 24 ++ 6 files changed, 221 insertions(+), 256 deletions(-) delete mode 100644 services/storage/object/controls.md create mode 100644 services/storage/object/controls.yaml delete mode 100644 services/storage/object/threats.md create mode 100644 services/storage/object/threats.yaml diff --git a/services/storage/object/controls.md b/services/storage/object/controls.md deleted file mode 100644 index 458f4ec2..00000000 --- a/services/storage/object/controls.md +++ /dev/null 
@@ -1,229 +0,0 @@ -# CCC.OS: Object Storage - -| Control Id | Service Taxonomy Id | Control | -| ---------- | ------------------- | ------------------------------------------------------------------------------ | -| CCC.OS.C1 | CCC-020115 | Prevent unencrypted requests to object storage bucket | -| CCC.OS.C2 | CCC-020114 | Ensure data encryption at rest | -| CCC.OS.C3 | CCC-020116 | Implement multi-factor authentication (MFA) for access | -| CCC.OS.C4 | CCC-020112 | Maintain immutable backups of data | -| CCC.OS.C5 | CCC-020118 | Log all access and changes to object storage bucket | -| CCC.OS.C6 | CCC-020118 | Prevent access to object storage from trusted cloud tenants and cloud services | -| CCC.OS.C7 | CCC-020118 | Prevent deploying object storage in restricted regions | -| CCC.OS.C8 | CCC-020114 | Prevent requests to object storage that use untrusted encryption keys | -| CCC.OS.C9 | CCC-020106 | Prevent object storage replication of data to untrusted destinations | - ---- - -## CCC.OS.C1: Prevent unencrypted requests to object storage bucket - -- Corresponding Feature: CCC-020115 (Encryption in Transit) -- NIST CSF: Protect (PR.DS-2) -- MITRE ATT&CK TTP: T1573 - Encrypted Channels - -### Objective - -Prevent any unencrypted requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality. - -### Control Mappings - -- CCM: IVS-09, DSI-03 -- ISO/IEC 27001:2013 A.13.1.1 -- NIST SP 800-53: SC-8, SC-13 - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. [**CCC.OS.C1.TR01**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR01): All supported network data protocols must be running on secure channels. -2. [**CCC.OS.C1.TR02**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR02): All clear text channels should be disabled. -3. 
[**CCC.OS.C1.TR03**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR03): The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. [NIST proposed latest standard cipher suites](https://csrc.nist.gov/pubs/sp/800/52/r2/final). - ---- - -## CCC.OS.C2: Ensure data encryption at rest - -- Corresponding Feature: CCC-020114 (Encryption at Rest) -- NIST CSF: Protect (PR.DS-1) -- MITRE ATT&CK TTP: [T1486 - Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/) - -### Objective - -Ensure that all data stored within the object storage service is encrypted at rest to maintain confidentiality and integrity. - -### Control Mappings - -- CCM: DSI-01, DSI-02 -- ISO/IEC 27001:2013 A.10.1.1 -- NIST SP 800-53: SC-28 - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. **CCC.OS.C2.TR.01** {#CCC.OS.C2.TR.01}: Verify that data stored in the object storage bucket is encrypted using industry-standard algorithms. -2. **CCC.OS.C2.TR.02** {#CCC.OS.C2.TR.02}: Ensure that encryption keys are managed securely and rotated periodically. -3. **CCC.OS.C2.TR.03** {#CCC.OS.C2.TR.03}: Confirm that decryption is only possible through authorized access mechanisms. - ---- - -## CCC.OS.C3: Implement multi-factor authentication (MFA) for access - -- Corresponding Feature: CCC-020116 (Identity Based Access Control) -- NIST CSF: Protect (PR.AC-7) -- MITRE ATT&CK TTP: [T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078/) - -### Objective - -Ensure that all human user access to object storage buckets requires multi-factor authentication (MFA), minimizing the risk of unauthorized access by enforcing strong authentication mechanisms. 
- -### Control Mappings - -- CCM: IAM-03, IAM-08 -- ISO/IEC 27001:2013 A.9.4.2 -- NIST SP 800-53: IA-2 - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. [**CCC.OS.C3.TR01**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR01): Verify that MFA is enforced for all access attempts to the object storage bucket. -2. [**CCC.OS.C3.TR02**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR02): Ensure that MFA is required for all administrative access to the storage management interface. -3. [**CCC.OS.C3.TR03**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR03): Confirm that users are unable to access the object storage bucket without completing MFA. - ---- - -## CCC.OS.C4: Maintain immutable backups of data - -- Corresponding Feature: CCC-020112 (Compliance and Governance) -- NIST CSF: Protect (PR.DS-1) -- MITRE ATT&CK TTP: [T1485 - Data Destruction](https://attack.mitre.org/techniques/T1485/) - -### Objective - -Ensure that data stored in the object storage bucket is immutable for a defined period, preventing unauthorized modifications or deletions and thereby mitigating data destruction. - -### Control Mappings - -- CCM: DSI-05, DSI-07 -- ISO/IEC 27001:2013 A.12.3.1 -- NIST SP 800-53: CP-9 - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. **CCC.OS.C4.TR.01** {#CCC.OS.C4.TR.01}: Verify that data in the object storage bucket is protected by immutability settings. -2. **CCC.OS.C4.TR.02** {#CCC.OS.C4.TR.02}: Ensure that attempts to modify or delete data within the immutability period are denied. -3. **CCC.OS.C4.TR.03** {#CCC.OS.C4.TR.03}: Confirm that immutable data remains unchanged throughout the defined retention period. 
- ---- - -## CCC.OS.C5: Log all access and changes to object storage - -- Corresponding Feature: CCC-020118 (Logging) -- NIST CSF: Detect (DE.AE-3) -- MITRE ATT&CK TTP: [T1530: Data from Cloud Storage Object](https://attack.mitre.org/techniques/T1530) - -### Objective - -Ensure that all access and changes to the object storage bucket are logged to maintain a detailed audit trail for security and compliance purposes. - -### Control Mappings - -- CCM: DSI-06, STA-04 -- ISO/IEC 27001:2013 A.12.4.1 -- NIST SP 800-53: AU-2, AU-3 - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. **CCC.OS.C5.TR.01** {#CCC.OS.C5.TR.01}: Verify that all access attempts to the object storage bucket are logged. -2. **CCC.OS.C5.TR.02** {#CCC.OS.C5.TR.02}: Ensure that all changes to the object storage bucket configurations are logged. -3. **CCC.OS.C5.TR.03** {#CCC.OS.C5.TR.03}: Confirm that logs are protected against unauthorized access and tampering. - -## CCC.OS.C6: Prevent access to object storage from trusted cloud tenants and cloud services - -### Objective - -Ensure secure management of access to object storage resources, preventing unauthorized data access, exfiltration, and misuse of legitimate services by adversaries. - -### Control Mappings - -- NIST CSF: PR.PT-3: Remote access is managed. -- NIST CSF: PR.PT-4: Communications and control networks are protected. -- MITRE ATT&CK Remote Services (T1021) -- CSA-CCM DS-5: Data Loss Prevention - Implement controls to prevent the unauthorized exfiltration of sensitive data. - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. **CCC.OS.C6.TR.01** {#CCC.OS.C6.TR.01}: Verify that object storage endpoint can be blocked from public access. -2. 
**CCC.OS.C6.TR.02** {#CCC.OS.C6.TR.02}: Verify that object storage can be blocked from cloud services deployed on the same cloud tenant. -3. **CCC.OS.C6.TR.03** {#CCC.OS.C6.TR.03}: Confirm that it's possible to prevent access to object storage from other cloud tenants, even if those tenants have network connectivity to the cloud tenant hosting the object storage. - -## CCC.OS.C7: Prevent deploying object storage in restricted regions - -### Objective - -Ensure that object storage resources are not provisioned or deployed in geographic regions or cloud availability zones that have been designated as restricted or prohibited - -### Control Mappings - -- NIST CSF: PR.AC-3 Access Control Policy -- NIST CSF: PR.DS-5 Data Location and Protection -- NIST CSF: RS.AN-3 Security Analysis -- MITRE ATT&CK Cloud Accounts (T1583) - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. **CCC.OS.C7.TR.01** {#CCC.OS.C7.TR.01}: Verify that object storage are not deployed in any of the restricted regions and zones. -2. **CCC.OS.C7.TR.02** {#CCC.OS.C7.TR.02}: Verify that object storage cannot be deployed in any of the restricted regions and zones. -3. **CCC.OS.C7.TR.03** {#CCC.OS.C7.TR.03}: Verify that object storage cannot be backedup or copied to any of the restriced regions and zones. - -## CCC.OS.C8: Prevent Requests to Object Storage Buckets or Objects with Untrusted KMS Keys - -- Corresponding Feature: CCC-020116 (Access Control) -- NIST CSF: Protect (PR.DS-4) -- MITRE ATT&CK TTP: T1486 - Data Encrypted for Impact - -### Objective - -Prevent any requests to object storage buckets or objects using untrusted KMS keys to protect against unauthorized data encryption that can impact data availability and integrity. 
- -### Control Mappings - -- CCM: DSI-04, DSI-05 -- ISO/IEC 27001:2013 A.12.3.1 -- NIST SP 800-53: CP-6, CP-9 - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. [**CCC.OS.C8.TR01**]{#CCC.OS.C8.TR.01}: Verify that access policies for cloud storage buckets and objects prevent requests with untrusted KMS keys. In this case, an untrusted KMS key is one that is not specified as trusted by the cloud storage bucket owner. - -## CCC.OS.C9: Prevent Replication to Untrusted Destinations - -- Corresponding Feature: CCC-020106 (Availability) -- NIST CSF: Protect (PR.DS-4) -- MITRE ATT&CK TTP: T1537 - Transfer Data to Cloud Account - -### Objective - -Prevent object storage replication feature from replicating data to untrusted destinations. In this case, an untrusted destination is a resource that exists outside of a specified trusted identity or network perimeter (i.e. a data perimeter). - -### Control Mappings - -- CCM: DSI-04, DSI-05 -- ISO/IEC 27001:2013 A.12.3.1 -- NIST SP 800-53: CP-6, CP-9 - -### Testing Requirements - -The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: - -1. [**CCC.OS.C9.TR01**]{#CCC.OS.C9.TR.01}: Verify that object storage replication configurations are prevented from replicating to untrusted destinations. diff --git a/services/storage/object/controls.yaml b/services/storage/object/controls.yaml new file mode 100644 index 00000000..77f90a94 --- /dev/null +++ b/services/storage/object/controls.yaml 
@@ -0,0 +1,181 @@ +title: CCC Object Storage Security Controls +category_id: CCC.ObjStor +controls: + - id: CCC.ObjStor.C01 + feature_id: CCC.ObjStor.F15 + title: Prevent unencrypted requests to object storage bucket + objective: Prevent any unencrypted requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality. + control_family: Data + nist_csf: PR.DS-2 + mitre_attack: T1573 + control_mappings: + CCM: + - IVS-09 + - DSI-03 + ISO_27001: + - 2013 A.13.1.1 + NIST_800_53: + - SC-8 + - SC-13 + test_requirements: + 01: All supported network data protocols must be running on secure channels. + 02: All clear text channels should be disabled. + 03: The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. [NIST proposed latest standard cipher suites](<[#](https://csrc.nist.gov/pubs/sp/800/52/r2/final)>). + - id: CCC.ObjStor.C02 + feature_id: CCC.ObjStor.F14 + title: Ensure data encryption at rest + objective: Ensure that all data stored within the object storage service is encrypted at rest to maintain confidentiality and integrity. + control_family: Encryption + nist_csf: PR.DS-1 + mitre_attack: T1486 + control_mappings: + CCM: + - DSI-01 + - DSI-02 + ISO_27001: + - 2013 A.10.1.1 + NIST_800_53: + - SC-28 + test_requirements: + 01: Verify that data stored in the object storage bucket is encrypted using industry-standard algorithms. + 02: Ensure that encryption keys are managed securely and rotated periodically. + 03: Confirm that decryption is only possible through authorized access mechanisms. 
+ - id: CCC.ObjStor.C03 + feature_id: CCC.ObjStor.F16 + title: Implement multi-factor authentication (MFA) for access + objective: Ensure that all human user access to object storage buckets requires multi-factor authentication (MFA), minimizing the risk of unauthorized access by enforcing strong authentication mechanisms. + control_family: Identity and Access Management + nist_csf: PR.AC-7 + mitre_attack: T1078 + control_mappings: + CCM: + - IAM-03 + - IAM-08 + ISO_27001: + - 2013 A.9.4.2 + NIST_800_53: + - IA-2 + test_requirements: + 01: Verify that MFA is enforced for all access attempts to the object storage bucket. + 02: Ensure that MFA is required for all administrative access to the storage management interface. + 03: Confirm that users are unable to access the object storage bucket without completing MFA. + - id: CCC.ObjStor.C04 + feature_id: CCC.ObjStor.F12 + title: Maintain immutable backups of data + objective: Ensure that data stored in the object storage bucket is immutable for a defined period, preventing unauthorized modifications or deletions and thereby mitigating data destruction. + control_family: Data + nist_csf: PR.DS-1 + mitre_attack: T1485 + control_mappings: + CCM: + - DSI-05 + - DSI-07 + ISO_27001: + - 2013 A.12.3.1 + NIST_800_53: + - CP-9 + test_requirements: + 01: Verify that data in the object storage bucket is protected by immutability settings. + 02: Ensure that attempts to modify or delete data within the immutability period are denied. + 03: Confirm that immutable data remains unchanged throughout the defined retention period. + - id: CCC.ObjStor.C05 + feature_id: CCC.ObjStor.F18 + title: Log all access and changes to object storage + objective: Ensure that all access and changes to the object storage bucket are logged to maintain a detailed audit trail for security and compliance purposes. 
+ control_family: Logging & Monitoring + nist_csf: DE.AE-3 + mitre_attack: T1530 + control_mappings: + CCM: + - DSI-06 + - STA-04 + ISO_27001: + - 2013 A.12.4.1 + NIST_800_53: + - AU-2 + - AU-3 + test_requirements: + 01: Verify that all access attempts to the object storage bucket are logged. + 02: Ensure that all changes to the object storage bucket configurations are logged. + 03: Confirm that logs are protected against unauthorized access and tampering. + - id: CCC.ObjStor.C06 + feature_id: CCC.ObjStor.F19 + title: Prevent access to object storage from untrusted cloud tenants and services + objective: Ensure secure management of access to object storage resources, preventing unauthorized data access, exfiltration, and misuse of legitimate services by adversaries. + control_family: Identity and Access Management + nist_csf: + - PR.PT-3 + - PR.PT-4 + mitre_attack: + - T1021 + control_mappings: + CCM: + - DS-5 + ISO_27001: + - 2013 A.13.1.3 + NIST_800_53: + - AC-3 + test_requirements: + 01: Verify that object storage endpoint can be blocked from public access. + 02: Verify that object storage can be blocked from cloud services deployed on the same cloud tenant. + 03: Confirm that it's possible to prevent access to object storage from other cloud tenants, even if those tenants have network connectivity to the cloud tenant hosting the object storage. + - id: CCC.ObjStor.C07 + feature_id: CCC.ObjStor.F20 + title: Prevent deploying object storage in restricted regions + objective: Ensure that object storage resources are not provisioned or deployed in geographic regions or cloud availability zones that have been designated as restricted or prohibited, to comply with regulatory requirements and reduce exposure to geopolitical risks. 
+ control_family: Data + nist_csf: + - PR.AC-3 + - PR.DS-5 + - RS.AN-3 + mitre_attack: + - T1583 + control_mappings: + CCM: + - DSI-06 + - DSI-08 + ISO_27001: + - 2013 A.11.1.1 + NIST_800_53: + - AC-6 + test_requirements: + 01: Verify that object storage resources are not deployed in any of the restricted regions or cloud availability zones. + 02: Ensure that the cloud provider's configuration management tools are used to enforce restrictions on provisioning in prohibited regions. + 03: Confirm that object storage backups and copies are not allowed to be stored in restricted regions or cloud availability zones. + - id: CCC.ObjStor.C08 + feature_id: CCC.ObjStor.F15 + title: Prevent Requests to Object Storage Buckets or Objects with Untrusted KMS Keys + objective: Prevent any requests to object storage buckets or objects using untrusted KMS keys to protect against unauthorized data encryption that can impact data availability and integrity. + control_family: Data + nist_csf: PR.DS-4 + mitre_attack: T1486 + control_mappings: + CCM: + - DSI-04 + - DSI-05 + ISO_27001: + - 2013 A.12.3.1 + NIST_800_53: + - CP-6 + - CP-9 + test_requirements: + 01: Verify that access policies for cloud storage buckets and objects prevent requests with untrusted KMS keys. In this case, an untrusted KMS key is one that is not specified as trusted by the cloud storage bucket owner. + - id: CCC.ObjStor.C09 + feature_id: CCC.ObjStor.F07 + title: Prevent Replication to Untrusted Destinations + objective: Prevent object storage replication feature from replicating data to untrusted destinations. In this case, an untrusted destination is a resource that exists outside of a specified trusted identity or network perimeter (i.e. a data perimeter). 
+ control_family: Data + nist_csf: PR.DS-4 + mitre_attack: T1537 + control_mappings: + CCM: + - DSI-04 + - DSI-05 + ISO_27001: + - 2013 A.12.3.1 + NIST_800_53: + - CP-6 + - CP-9 + test_requirements: + 01: Verify that object storage replication configurations are prevented from replicating to untrusted destinations. + diff --git a/services/storage/object/tests/ccc-os-c1.feature b/services/storage/object/tests/ccc-os-c1.feature index 7aaccf15..008e8111 100644 --- a/services/storage/object/tests/ccc-os-c1.feature +++ b/services/storage/object/tests/ccc-os-c1.feature @@ -1,23 +1,23 @@ -@CCC.OS.C1.TR01 +@CCC.ObjStor.C01.TR01 Feature: All supported network data protocols must be running on secure channels """ This feature ensures that all supported network data protocols are running on secure channels to protect data in transit. """ -@CCC.OS.C1.TR01.T01 +@CCC.ObjStor.C01.TR01.TE01 Scenario: Ensure HTTPS succeeds Given you own the object storage bucket When an encrypted HTTPS request is made to the bucket Then the request is allowed -@CCC.OS.C1.TR01.T02 +@CCC.ObjStor.C01.TR01.TE02 Scenario: Ensure SFTP succeeds Given you own the object storage bucket When an encrypted SFTP request is made to the bucket Then the request is allowed -@CCC.OS.C1.TR01.T03 +@CCC.ObjStor.C01.TR01.TE03 Scenario: Ensure gRPC over TLS succeeds Given you own the object storage bucket When an encrypted gRPC request is made to the bucket 
@@ -25,26 +25,26 @@ Scenario: Ensure gRPC over TLS succeeds --- -@CCC.OS.C1.TR02 +@CCC.ObjStor.C01.TR02 Feature: All clear text channels should be disabled """ This feature ensures that all clear text channels are disabled to prevent unencrypted data transmission. """ -@CCC.OS.C1.TR02.T01 +@CCC.ObjStor.C01.TR02.TE01 Scenario: Ensure HTTP fails Given you own the object storage bucket When an HTTP request is made to the bucket Then the request is denied -@CCC.OS.C1.TR02.T02 +@CCC.ObjStor.C01.TR02.TE02 Scenario: Ensure FTP fails Given you own the object storage bucket When an FTP request is made to the bucket Then the request is denied -@CCC.OS.C1.TR02.T03 +@CCC.ObjStor.C01.TR02.TE03 Scenario: Ensure unencrypted gRPC fails Given you own the object storage bucket When an unencrypted gRPC request is made to the bucket @@ -52,14 +52,14 @@ Scenario: Ensure unencrypted gRPC fails --- -@CCC.OS.C1.TR03 +@CCC.ObjStor.C01.TR03 Feature: The cipher suite implemented should conform with the latest suggested cipher suites """ This feature ensures that the cipher suite implemented for data encryption conforms with the latest suggested standards. """ -@CCC.OS.C1.TR03.T01 +@CCC.ObjStor.C01.TR03.TE01 Scenario: Ensure all known weak cipher suites are not supported Given you own the object storage bucket When a request with a weak cipher suite is made to the bucket diff --git a/services/storage/object/tests/ccc-os-c3.feature b/services/storage/object/tests/ccc-os-c3.feature index f42bdaeb..74cad808 100644 --- a/services/storage/object/tests/ccc-os-c3.feature +++ b/services/storage/object/tests/ccc-os-c3.feature 
@@ -1,11 +1,11 @@ -@CCC.OS.C3.TR01 +@CCC.ObjStor.C03.TR01 Feature: Verify that MFA is enforced for all access attempts to the object storage bucket """ This feature ensures that multi-factor authentication (MFA) is enforced for all access attempts to the object storage bucket. """ -@CCC.OS.C3.TR01.T01 +@CCC.ObjStor.C03.TR01.TE01 Scenario: Enforce MFA for access Given you own the object storage bucket When an access attempt is made to the bucket @@ -13,14 +13,14 @@ Scenario: Enforce MFA for access --- -@CCC.OS.C3.TR02 +@CCC.ObjStor.C03.TR02 Feature: Verify that MFA is enforced for all access attempts to the object storage bucket """ This feature ensures that multi-factor authentication (MFA) is required for all administrative access to the object storage bucket. """ -@CCC.OS.C3.TR02.T01 +@CCC.ObjStor.C03.TR02.TE01 Scenario: Require MFA for administrative access Given you own the object storage bucket When administrative access is attempted @@ -28,14 +28,14 @@ Scenario: Require MFA for administrative access --- -@CCC.OS.C3.TR03 +@CCC.ObjStor.C03.TR03 Feature: Verify that MFA is enforced for all access attempts to the object storage bucket """ This feature ensures that access to the object storage bucket is blocked if multi-factor authentication (MFA) is not used. """ -@CCC.OS.C3.TR03.T01 +@CCC.ObjStor.C03.TR03.TE01 Scenario: Block access without MFA Given you own the object storage bucket When an access attempt is made without MFA diff --git a/services/storage/object/threats.md b/services/storage/object/threats.md deleted file mode 100644 index e4e51e8f..00000000 --- a/services/storage/object/threats.md +++ /dev/null 
@@ -1,11 +0,0 @@ -# Object Storage Threats Catalog - -This service-level threats documents the most common list of threats that impacts Object Storage. The scope of these threats expand across various cloud service providers. - -## Threats - -| Threat Id | Name | Description | Service Taxonomy Id | MITRE ATT&CK TTPs | -| --------- | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | ------------------------------------------------------------------------------------------------------ | -| CCC.OS.T1 | Attacker intercepts data in transit to a bucket | The object storage service allows communication over HTTP. An attacker can intercept the traffic you send to bucket, in order to read or modify the data. | CCC-020115 | [TA009](https://attack.mitre.org/tactics/TA0009/) [T1557](https://attack.mitre.org/techniques/T1557/) | -| CCC.OS.T2 | Attacker encrypts objects for ransomware | The object storage service provides several types of encryption where the key is not operated by the CSP. An attacker can encrypt all the data stored in the bucket to ransom the data owner to get the decryption key. Alternatively, an attacker can change the default encryption key, for a similar effect on any new data uploaded. | CCC-020114 | [TA0040](https://attack.mitre.org/tactics/TA0040/) [T1486](https://attack.mitre.org/techniques/T1486/) | -| CCC.OS.T3 | Attacker grants bucket access to untrusted principals | The bucket access controls (e.g. ACLs, bucket policies) can enable access to objects owned by the bucket. 
An attacker (or someone by negligence) can change (i.e., impair) the bucket access controls and make the content accessible to untrusted principals (via public endpoints, cross-account VPC endpoints, or cross-account access point). | CCC-020116 | [TA0005](https://attack.mitre.org/tactics/TA0005/) [T1562](https://attack.mitre.org/techniques/T1562/) | diff --git a/services/storage/object/threats.yaml b/services/storage/object/threats.yaml new file mode 100644 index 00000000..5e37fe25 --- /dev/null +++ b/services/storage/object/threats.yaml @@ -0,0 +1,24 @@ +title: CCC Object Storage Security Threats +category-id: CCC.ObjStor +threats: + - id: CCC.ObjStor.TH01 + title: Attacker intercepts data in transit to a bucket + description: The object storage service allows communication over HTTP. An attacker can intercept the traffic you send to bucket, in order to read or modify the data. + feature_id: CCC.ObjStor.F15 + mitre_attack: + - TA009 + - T1557 + - id: CCC.ObjStor.TH02 + title: Attacker encrypts objects for ransomware + description: The object storage service provides several types of encryption where the key is not operated by the CSP. An attacker can encrypt all the data stored in the bucket to ransom the data owner to get the decryption key. Alternatively, an attacker can change the default encryption key, for a similar effect on any new data uploaded. + feature_id: CCC.ObjStor.F14 + mitre_attack: + - TA0040 + - T1486 + - id: CCC.ObjStor.TH03 + title: Attacker grants bucket access to untrusted principals + description: The bucket access controls (e.g. ACLs, bucket policies) can enable access to objects owned by the bucket. An attacker (or someone by negligence) can change (i.e., impair) the bucket access controls and make the content accessible to untrusted principals (via public endpoints, cross-account VPC endpoints, or cross-account access point). + feature_id: CCC.ObjStor.F16 + mitre_attack: + - TA0005 + - T1562 \ No newline at end of file
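Review bot: In the controls.yaml hunk the `test_requirements` map keys are bare `01:`, `02:`, `03:`, which YAML parsers resolve to the integers 1, 2, 3 (and under YAML 1.1 an `08:` or `09:` would come back as a string instead), so any consumer that joins these keys to the `TR01`/`TE01` tags in the feature files has to special-case the type; quote them (`"01":`) so they stay strings. In the same hunk, CCC.ObjStor.C01 requirement 03 carries a nested, angle-bracketed link `[NIST proposed latest standard cipher suites](<[#](https://csrc.nist.gov/pubs/sp/800/52/r2/final)>)` that will not render; the removed controls.md had the plain `(https://csrc.nist.gov/pubs/sp/800/52/r2/final)` form and that should be restored. Two `feature_id` values also disagree with the removed markdown: C08 gets `CCC.ObjStor.F15`, while controls.md listed it as CCC-020114 in the summary table and CCC-020116 in its own section (neither of which gives F15 by the CCC-0201xx to Fxx pattern the other controls follow), and C09 gets `CCC.ObjStor.F07` where controls.md had CCC-020106. Finally, this is not a pure format conversion: C06 and C07 gain ISO 27001 and NIST 800-53 mappings that the markdown did not have, C07's objective and TR02 are rewritten, and C06's title flips from "trusted" to "untrusted"; the commit message should call these content changes out so they are reviewed as such rather than as a mechanical migration.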
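Review bot: The first ccc-os-c1.feature hunk changes the scenario tag suffix from `T01` to `TE01` along with the prefix (`-@CCC.OS.C1.TR01.T01` / `+@CCC.ObjStor.C01.TR01.TE01`), but nothing in the patch documents the new `TE` convention or ties the YAML `test_requirements` entries (keyed `01`, `02`, `03`) back to the `TR01`..`TR03` feature tags the way the removed markdown's `./tests/ccc-os-c1.feature#CCC.OS.C1.TR01` anchors did; add a short note on the id scheme (control id, TR number, TE number) next to the YAML so the mapping is explicit rather than inferred from naming.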
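Review bot: In the second and third ccc-os-c3.feature hunks the unchanged `Feature:` lines for TR02 and TR03 both still read `Verify that MFA is enforced for all access attempts to the object storage bucket`, which is TR01's title, while their docstrings describe administrative access and blocking access without MFA; since this patch already retags these blocks, rename them to match the YAML test_requirements 02 and 03 (`Ensure that MFA is required for all administrative access to the storage management interface` and `Confirm that users are unable to access the object storage bucket without completing MFA`).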
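Review bot: In the threats.yaml hunk the top-level key is `category-id` while controls.yaml in the same patch uses `category_id`, so a loader expecting one form will silently miss the other; use the underscore form to match `feature_id` and `mitre_attack`. The CCC.ObjStor.TH01 `mitre_attack` entry `TA009` is not a valid tactic id; the removed threats.md linked to `https://attack.mitre.org/tactics/TA0009/`, so it should be `TA0009`. The file also ends without a trailing newline (`\ No newline at end of file`), which the other YAML file in this patch does have.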