| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.ObjStor.CN01 | Prevent Requests to Buckets or Objects with Untrusted KMS Keys | Prevent any requests to object storage buckets or objects using untrusted KMS keys to protect against unauthorized data encryption or sensitive data decryption. | Encryption | 2 | 3 | 4 |
| CCC.ObjStor.CN02 | Enforce Uniform Bucket-level Access to Prevent Inconsistent Permissions | Ensure that uniform bucket-level access is enforced across all object storage buckets. This prevents the use of ad-hoc or inconsistent object-level permissions, ensuring centralized, consistent, and secure access management in accordance with the principle of least privilege. | Access | 1 | 1 | 2 |
| CCC.ObjStor.CN03 | Prevent Bucket Deletion Through Irrevocable Bucket Retention Policy | Ensure that an object storage bucket is not deleted after creation, and that the preventative measure cannot be unset. | Data | 1 | 2 | 2 |
| CCC.ObjStor.CN04 | Objects have an Effective Retention Policy by Default | Ensure that all objects stored in the object storage system have a retention policy applied by default, preventing premature deletion or modification of objects. | Data | 2 | 2 | 2 |
| CCC.ObjStor.CN05 | Versioning is Enabled for All Objects in the Bucket | Ensure that versioning is enabled for all objects stored in the object storage bucket to enable recovery of previous versions of objects in case of loss or corruption. | Data | 1 | 2 | 4 |
| CCC.ObjStor.CN07 | Multi-Factor Authentication Is Required for Object Deletion | Ensure that deletion of objects stored in the object storage system is protected by multi-factor authentication (MFA), reducing the risk of accidental, unauthorized, or compromised-credential–based data destruction. | Access | 3 | 2 | 3 |
FINOS CCC Object Storage Controls
Version: DEV