Ensure Log Bucket is Not Publicly Accessible

CCC.Logging.C05: Ensure Log Bucket is Not Publicly Accessible

Control ID:CCC.Logging.C05

Title:Ensure Log Bucket is Not Publicly Accessible

Objective:Ensure that log storage buckets are not publicly accessible to prevent unauthorized access to sensitive log data. In addition, logs should be replicated to another cloud region to enhance availability, durability, and support disaster recovery requirements.

Control Family:

Identity and Access Management

Related Threats

ID	Title	Description	External Mappings	Capability Mappings	Control Mappings
CCC.Core.TH01	Access is Granted to Unauthorized Users	Logic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data.	1	1	0

Related Capabilities

ID	Title	Description
CCC.Core.F06	Access Control	The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes.

Guideline Mappings

Reference ID	Entry ID	Remarks
NIST-CSF	PR.AA-05	-
NIST_800_53	AC-3	-
NIST_800_53	SC-7	-

Assessment Requirements

ID	Description	Applicability
CCC.Logging.C05.TR01	When a log storage bucket is created, the bucket's access control settings MUST explicitly deny public read and write access.	tlp-red tlp-amber tlp-green
CCC.Logging.C05.TR02	When the URL of a log storage bucket's object is accessed publicly, the action MUST be denied by bucket policy.	tlp-red tlp-amber tlp-green