Ensure that uniform bucket-level access is enforced across all object storage buckets. This prevents the use of ad-hoc or inconsistent object-level permissions, ensuring centralized, consistent, and secure access management in accordance with the principle of least privilege.
Storage / Object / Controls / DEV
Enforce Uniform Bucket-level Access to Prevent Inconsistent Permissions
CCC.ObjStor.CN02 · Access
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. |
| CCC.Core.CP29 | Active Ingestion | While running, the service itself can fetch or reach out to some other service or external source to get data, inputs or commands for the service to process or operate on. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH01 | Access is Granted to Unauthorized Users | Logic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.ObjStor.CN02.AR01 | When a permission set is allowed for an object in a bucket, the service MUST allow the same permission set to access all objects in the same bucket. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.ObjStor.CN02.AR02 | When a permission set is denied for an object in a bucket, the service MUST deny the same permission set to access all objects in the same bucket. | tlp-clear, tlp-green, tlp-amber, tlp-red |
Guideline Mappings
| Framework | ID | Remarks |
|---|---|---|
| CCM | IAM-08 | User Access Review |