Skip to main content

CCC Logging

Logging is the process of collecting, storing and analyzing event data generated by your cloud infrastructure. Logs can cover detailed timestamped records of activities in your infrastructure or application layer.

Release Details

Version:
DEV
Assurance Level:
Release Manager:
DB
Development Build

Contributors

DT
Development Team

Change Log

  • Development build - no formal changelog available

Capabilities

IDTitleDescriptionThreat Mappings
CCC.Logging.F01Service Log CaptureAbility to capture logs from all relevant cloud services at varying levels of verbosity.
2
CCC.Logging.F02Application Log IngestionSupport for ingesting logs from custom applications deployed within the cloud environment.
2
CCC.Logging.F03Real-Time Log IngestionLogs should be ingested in near real-time to enable timely detection and response.
1
CCC.Logging.F04Centralised Log CollectionAbility to centralise logs from different resources within a signle logging solution or platform.
1
CCC.Logging.F05Custom Log Format SupportAbility to ingest custom log formats or data from on-premises systems or other cloud environments via agents.
1
CCC.Logging.F06Log Filtering & TransformationAbility to to filter, normalise, and transform raw log data at ingestion to optimise storage and enhance usability.
3
CCC.Logging.F07Immutable StorageAbility to prevent unauthorized alteration or deletion of logs, ensuring their integrity for auditing and forensic purposes.
1
CCC.Logging.F08Retention PoliciesAbility to define and enforce granular retention periods for different log types based on regulatory requirements and internal policies.
2
CCC.Logging.F09Internal SinkAbility to continuously stream log data to a hosted storage bucket or data lake solution within the cloud service provider.
0
CCC.Logging.F10External SinkLog events can be configured to be sent to a external SIEM or data analysis provider outside of the cloud platform.
0
CCC.Logging.F11Log-based MetricsAbility to extract quantitative metrics from log data for performance monitoring and operational analysis.
1
CCC.Logging.F12Log ArchivingAbility to archive logs that are no longer needed but must be retained.
1
CCC.Logging.F13Field IndexingSupports field-based indexing to improve log query performace.
0
CCC.Core.F01Encryption in Transit Enabled by DefaultThe service automatically encrypts all data using industry-standard cryptographic protocols prior to transmission via a network interface.
0
CCC.Core.F02Encryption at Rest Enabled by DefaultThe service automatically encrypts all data using industry-standard cryptographic protocols prior to being written to a storage medium.
0
CCC.Core.F03Access Log PublicationThe service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors.
3
CCC.Core.F06Access ControlThe service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes.
2
CCC.Core.F10Log PublicationThe service automatically publishes structured, verbose records of activities, operations, or events that occur within the service.
4
CCC.Core.F11BackupThe service can generate copies of its data or configurations in the form of automated backups, snapshot-based backups, or incremental backups.
1
CCC.Core.F12RecoveryThe service can be reverted to a previous state by providing a compatible backup or snapshot identifier.
1
CCC.Core.F14API AccessThe service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE.
2
CCC.Core.F17AlertingThe service may be configured to emit a notification based on a user-defined condition related to the data published by a child or networked resource.
2
CCC.Core.F18Resource VersioningThe service automatically assigns versions to child resources which can be used to preserve, retrieve, and restore past iterations.
2
CCC.Core.F20Resource TaggingThe service provides users with the ability to tag a child resource with metadata that can be reviewed or queried.
1
CCC.Core.F22Location Lock-InThe service may be configured to restrict the deployment of child resources to specific geographic locations.
2

Threats

IDTitleDescriptionExternal MappingsCapability MappingsControl Mappings
CCC.Logging.TH01Log Ingestion Performance DegradationThe logging service's ingestion pipeline experiences performance degradation due to overwhelming log volumes, network bottlenecks, or inefficient processing, leading to delayed availability of log data for analysis and potential log loss if buffers overflow.
1
1
0
CCC.Logging.TH02Unauthorized Data Transfer Out of a Trusted BoundarySensitive log data, including PII, financial transaction details, or system vulnerabilities, is exfiltrated directly from the logging service's query or API interfaces by authorized but malicious insiders or compromised accounts exploiting legitimate access.
1
2
1
CCC.Logging.TH03Log Schema or Format DriftChanges in source application or cloud service log formats, schemas, or underlying data structures lead to parsing failures, incomplete log ingestion, or render existing queries and dashboards ineffective, hindering comprehensive analysis.
1
1
0
CCC.Logging.TH04Inadequate Log Anonymization/MaskingSensitive data (e.g., PII, secrets, authentication tokens) is ingested into logs without proper anonymization, masking, or redaction at source or during ingestion. This creates a significant data exposure risk, particularly for data not intended for broad log access.
1
1
1
CCC.Logging.TH05Log Retention Policy Evasion or MisconfigurationLog data is deleted prematurely or retained longer than legally required due to misconfigured retention policies, manual overrides, or evasion tactics. This can lead to non-compliance with regulatory requirements or loss of critical forensic evidence.
1
1
1
CCC.Logging.TH06Log InjectionUser-supplied data such as scripts, control characters, escape sequences, or code fragments may be written to logs without proper encoding or sanitization. This can result in malformed or unexpected log entries that could disrupt or compromise systems that process or display these logs, including log viewers or downstream services.
2
1
0
CCC.Logging.TH07Insufficient LoggingIf security-critical actions are not logged, it becomes more difficult to detect threats and conduct post-incident analysis.
2
1
1
CCC.Core.TH01Access is Granted to Unauthorized UsersLogic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data.
1
1
5
CCC.Core.TH02Data is Intercepted in TransitData transmitted by the service is susceptible to collection by any entity with access to any part of the transmission path. Packet observations can be used to support the planning of attacks by profiling origin points, destinations, and usage patterns. The data may also be vulnerable to interception or modification in transit if not properly encrypted, impacting the confidentiality or integrity of the transmitted data.
1
1
1
CCC.Core.TH03Deployment Region Network is UntrustedSystems are susceptible to unauthorized access or interception by actors with social or physical control over the network in which they are deployed. If the geopolitical status of the deployment network is untrusted, unstable, or insecure, this could result in a loss of confidentiality, integrity, or availability of the service and its data.
1
1
1
CCC.Core.TH04Data is Replicated to Untrusted or External LocationsSystems are susceptible to unauthorized access or interception by actors with political or physical control over the network in which they are deployed. Confidentiality may be impacted if the data is replicated to a network where the geopolitical status is untrusted, unstable, or insecure.
1
1
2
CCC.Core.TH05Interference with Replication ProcessesMisconfigured or manipulated replication processes may lead to data being copied to unintended locations, delayed, modified, or not being copied at all. This could lead to compromised data confidentiality and integrity, potentially also affecting recovery processes and data availability.
1
1
0
CCC.Core.TH06Data is Lost or CorruptedServices that rely on accurate data are susceptible to disruption in the event of data loss or corruption. Any actions that lead to the unintended deletion, alteration, or limited access to data can impact the availability of the service and the system it is part of.
1
1
1
CCC.Core.TH07Logs are Tampered With or DeletedTampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails.
1
1
2
CCC.Core.TH09Runtime Logs are Read by Unauthorized EntitiesUnauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data.
1
1
1
CCC.Core.TH10State-change Events are Read by Unauthorized EntitiesUnauthorized access to state-change events can reveal information about the system's design and usage patterns. This opens the system up to attacks of opportunity and support the planning of attacks on the service, system, or network.
1
1
0
CCC.Core.TH11Publications are Incorrectly TriggeredIncorrectly triggered publications may disseminate inaccurate or misleading information, creating a data integrity risk. Such misinformation can cause unintended operations to be initiated, conceal legitimate issues, and disrupt the availability or reliability of systems and their data.
1
1
0
CCC.Core.TH12Resource Constraints are ExhaustedExceeding the resource constraints through excessive consumption, resource-intensive operations, or lowering of rate-limit thresholds can impact the availability of elements such as memory, CPU, or storage. This may disrupt availability of the service or child resources by denying the associated functionality to users. If the impacted system is not designed to expect such a failure, the effect could also cascade to other services and resources.
1
1
0
CCC.Core.TH13Resource Tags are ManipulatedWhen resource tags are altered, it can lead to misclassification or mismanagement of resources. This can reduce the efficacy of organizational policies, billing rules, or network access rules. Such changes could cause compromised confidentiality, integrity, or availability of the system and its data.
1
1
0
CCC.Core.TH14Older Resource Versions are UsedRunning older versions of child resources can expose the system to known vulnerabilities that have been addressed in more recent versions. If the version identifier is detected by an attacker, it may be possible to exploit these vulnerabilities to compromise the confidentiality, integrity, or availability of the system and its data.
1
1
0
CCC.Core.TH15Automated Enumeration and Reconnaissance by Non-human EntitiesAutomated processes may be used to gather details about service and child resource elements such as APIs, file systems, or directories. This information can reveal vulnerabilities, misconfigurations, and the network topology, which can be used to plan an attack against the system, the service, or its child resources.
1
1
1
CCC.Core.TH16Publications are DisabledPublication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management.
1
1
2
CCC.Core.TH17Responses are Generated for Unauthorized RequestsThe service may generate responses to requests from unauthorized entities. This could lead to the exposure of system details, which may be used to plan an attack against the service, system, or network. Additionally, allocating resources to service the request could lead to a denial of service for legitimate users, leading to a loss of availability anywhere in the system.
1
1
0

Controls

IDTitleObjectiveControl FamilyThreat MappingsGuideline MappingsAssessment Requirements
CCC.Logging.C01Centralized and Comprehensive Log AggregationEnsure all operational and security logs from across the cloud environment, including applications, operating systems, network traffic, and cloud service activity, are captured automatically and streamed to a central, secure log management service. Data
1
3
2
CCC.Logging.C02Enforce Data Retention Policy for LogsEnsure that the retention period configured for logs aligns with the organization's data retention policy. Data
1
2
2
CCC.Logging.C03Enable Object Lock On Log BucketEnsure log immutability by enabling Write Once, Read Many (WORM) protection using object lock on log storage buckets. This prevents logs from being modified or deleted during the defined retention period, supporting compliance and forensic integrity. Data
1
3
1
CCC.Core.C01Encrypt Data for TransmissionEnsure that all communications are encrypted in transit to protect data integrity and confidentiality. Data
1
8
5
CCC.Core.C02Encrypt Data for StorageEnsure that all data stored is encrypted at rest using strong encryption algorithms. Data
1
7
1
CCC.Core.C06Restrict Deployments to Trust PerimeterEnsure that the service and its child resources are only deployed on infrastructure in locations that are explicitly included within a defined trust perimeter. Data
1
4
2
CCC.Core.C08Replicate Data to Multiple LocationsEnsure that data is replicated across multiple physical locations to protect against data loss due to hardware failures, natural disasters, or other catastrophic events. Data
1
6
2
CCC.Core.C09Ensure Integrity of Access LogsEnsure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. Data
3
5
3
CCC.Core.C10Restrict Data Replication to Trust PerimeterEnsure that data is only replicated on infrastructure in locations that are explicitly included within a defined trust perimeter. Data
1
4
1
CCC.Core.C11Protect Encryption KeysEnsure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). Data
1
7
6
CCC.Logging.C04Restrict Field And Log Type AccessConfigure access to logs to follow the principle of least privilege in particular where technically possible limit the log fields users have access to to prevent accidental exposure to sensitive information such as PII. Identity and Access Management
1
7
1
CCC.Logging.C05Ensure Log Bucket is Not Publicly AccessibleEnsure that log storage buckets are not publicly accessible to prevent unauthorized access to sensitive log data. In addition, logs should be replicated to another cloud region to enhance availability, durability, and support disaster recovery requirements. Identity and Access Management
1
3
2
CCC.Core.C03Implement Multi-factor Authentication (MFA) for AccessEnsure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. Identity and Access Management
1
6
4
CCC.Core.C05Prevent Access from Untrusted EntitiesEnsure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. Identity and Access Management
1
8
6
CCC.Logging.C06Detect and Alert on Potential Log ExfiltrationIdentify and alert on anomalous data access patterns that may indicate an attempt to exfiltrate log data. Logging and Monitoring
1
5
1
CCC.Logging.C07Detect and Alert on Log Service TamperingAlert when any component of the critical logging infrastructure is disabled, modified, or deleted, indicating a defense evasion attempt. Logging and Monitoring
1
5
1
CCC.Core.C04Log All Access and ChangesEnsure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. Logging & Monitoring
1
5
3
CCC.Core.C07Alert on Unusual Enumeration ActivityEnsure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. Logging & Monitoring
1
4
2