Limit Decrypt Permissions | CCC

Skip to main content

CCC.KeyMgmt.CN02: Limit Decrypt Permissions

Control ID:CCC.KeyMgmt.CN02

Title:Limit Decrypt Permissions

Objective:Restrict the Decrypt operation to authorised principals only, applying the principle of least privilege to protect sensitive data.

Control Family:

Identity and Access Management

Related Threats

ID	Title	Description	External Mappings	Capability Mappings	Control Mappings
CCC.KeyMgmt.TH02	Unrestricted Use of a KMS Key to Decrypt Data	Misconfigured permissions that allow broad invocation of the Decrypt API can expose plaintext data, enabling unintended disclosure or exfiltration of sensitive information.	1	1	0

Related Capabilities

ID	Title	Description
CCC.KeyMgmt.CP10	Decrypt data	Provides the ability to securely decrypt data using a managed key in the supported encryption algorithms.
CCC.KeyMgmt.CP17	Enable key	Supports the ability to re-enable a disabled managed key.

Guideline Mappings

Reference ID	Entry ID	Strength	Remarks
NIST-CSF	PR.AC-4	0	Access to assets is managed
NIST_800_53	AC-6	0	Least Privilege

Assessment Requirements

ID	Description	Applicability
CCC.KeyMgmt.CN02.AR01	When IAM roles and key policies are reviewed, Decrypt permission MUST be granted exclusively to documented authorised principals.	tlp-green