Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs).
Core / Ccc / Controls / v2025.10
Protect Encryption Keys
CCC.Core.CN11 · Encryption
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. |
| CCC.Core.CP09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH16 | Publications are Disabled | Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.Core.CN11.AR01 | When encryption keys are used, the service MUST verify that all encryption keys use the latest industry-standard cryptographic algorithms. | tlp-amber, tlp-red |
| CCC.Core.CN11.AR02 | When encryption keys are used, the service MUST rotate active keys within 180 days of issuance. | tlp-amber |
| CCC.Core.CN11.AR03 | When encrypting data, the service MUST verify that customer-managed encryption keys (CMEKs) are used. | tlp-amber, tlp-red |
| CCC.Core.CN11.AR04 | When encryption keys are accessed, the service MUST verify that access to encryption keys is restricted to authorized personnel and services, following the principle of least privilege. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.Core.CN11.AR05 | When encryption keys are used, the service MUST rotate active keys within 365 days of issuance. | tlp-clear, tlp-green |
| CCC.Core.CN11.AR06 | When encryption keys are used, the service MUST rotate active keys within 90 days of issuance. | tlp-red |