CCC.Core.TH01: Access Control is Misconfigured
Threat ID: CCC.Core.TH01
Title: Access Control is Misconfigured
Description:
Misconfigured access controls may grant excessive privileges, or fail to restrict unauthorized access, to the service and its child resources. The result can be a loss of data confidentiality, or unauthorized actions that are tolerated rather than blocked and so compromise the integrity and availability of resources and data.
Related Capabilities
ID | Title | Description |
---|---|---|
CCC.Core.F06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. |
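The capability above describes enforcement based on identities, roles, groups and attributes. The following added example (not code from the CCC catalog) shows how such an enforcement point is misconfigured in practice: the same rule set is evaluated once by a fail-open evaluator, which only honours explicit denies and therefore "fails to restrict" anything the rules do not mention, and once by a default-deny evaluator in which a matching deny always wins and an explicit allow is required. The rules, principals, resource names and the `mfa` attribute are constructed sample data.

```python
"""Added example, not part of the CCC catalog: a minimal access-control
evaluator for CCC.Core.F06-style enforcement (identity, role, group and
attribute based), contrasting a fail-open evaluator with a default-deny one.
All rules, principals and resource names below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    user: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)   # e.g. {"mfa": True}


@dataclass
class Rule:
    effect: str                  # "allow" or "deny"
    actions: frozenset           # "*" matches any action
    resource_prefix: str         # applies to resources starting with this prefix
    # Selectors; an empty selector places no restriction on who the rule covers.
    users: frozenset = frozenset()
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    require_attrs: dict = field(default_factory=dict)

    def matches(self, p: Principal, action: str, resource: str) -> bool:
        if not resource.startswith(self.resource_prefix):
            return False
        if "*" not in self.actions and action not in self.actions:
            return False
        if self.users and p.user not in self.users:
            return False
        if self.roles and not (self.roles & p.roles):
            return False
        if self.groups and not (self.groups & p.groups):
            return False
        return all(p.attributes.get(k) == v for k, v in self.require_attrs.items())


def evaluate_fail_open(rules, p, action, resource) -> bool:
    """Misconfigured: only explicit denies are honoured, so any request that no
    rule mentions is allowed. This is the "fails to restrict" case of TH01."""
    return not any(r.effect == "deny" and r.matches(p, action, resource) for r in rules)


def evaluate_default_deny(rules, p, action, resource) -> bool:
    """Hardened: a matching deny always wins; otherwise an explicit allow is required."""
    allowed = False
    for r in rules:
        if r.matches(p, action, resource):
            if r.effect == "deny":
                return False
            allowed = True
    return allowed


def excess_grants(rules, p, requests):
    """Requests the fail-open evaluator permits but default-deny refuses:
    the excessive privileges the misconfiguration hands this principal."""
    return [(a, res) for a, res in requests
            if evaluate_fail_open(rules, p, a, res)
            and not evaluate_default_deny(rules, p, a, res)]


# Constructed sample policy: analysts may read reports, storage admins may do
# anything but only with MFA, and nobody may delete the audit prefix.
RULES = [
    Rule("allow", frozenset({"read"}), "bucket:reports/", groups=frozenset({"analysts"})),
    Rule("allow", frozenset({"*"}), "bucket:", roles=frozenset({"storage-admin"}),
         require_attrs={"mfa": True}),
    Rule("deny", frozenset({"delete"}), "bucket:reports/audit/"),
]
ANALYST = Principal("alice", groups=frozenset({"analysts"}), attributes={"mfa": True})
ADMIN_NO_MFA = Principal("bob", roles=frozenset({"storage-admin"}), attributes={"mfa": False})
ADMIN_MFA = Principal("bob", roles=frozenset({"storage-admin"}), attributes={"mfa": True})
CONTRACTOR = Principal("eve")   # no roles, groups or attributes at all
REQUESTS = [("read", "bucket:reports/q1.csv"), ("write", "bucket:reports/q1.csv"),
            ("delete", "bucket:reports/audit/2024.log"), ("write", "bucket:staging/tmp")]

if __name__ == "__main__":
    for who in (ANALYST, ADMIN_NO_MFA, ADMIN_MFA, CONTRACTOR):
        print(who.user, "excess grants under fail-open:", excess_grants(RULES, who, REQUESTS))
```

Under the fail-open evaluator the unprivileged contractor can read and write reports, and the admin without MFA keeps full write access, even though no rule grants either of them anything; the explicit deny on the audit prefix is the only thing still enforced. Under default-deny only the MFA-authenticated admin and the analyst's read succeed. Checking `excess_grants` for each principal is a quick way to see what a fail-open enforcement point is actually handing out.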
External Mappings
Reference ID | Entry ID | Strength | Remarks |
---|---|---|---|
MITRE-ATT&CK | T1078 | 0 | Valid Accounts |
MITRE-ATT&CK | T1548 | 0 | Abuse Elevation Control Mechanism |
MITRE-ATT&CK | T1203 | 0 | Exploitation for Client Execution |
MITRE-ATT&CK | T1098 | 0 | Account Manipulation |
MITRE-ATT&CK | T1484 | 0 | Domain or Tenant Policy Modification |
MITRE-ATT&CK | T1546 | 0 | Event Triggered Execution |
MITRE-ATT&CK | T1537 | 0 | Transfer Data to Cloud Account |
MITRE-ATT&CK | T1567 | 0 | Exfiltration Over Web Services |
MITRE-ATT&CK | T1048 | 0 | Exfiltration Over Alternative Protocol |
MITRE-ATT&CK | T1485 | 0 | Data Destruction |
MITRE-ATT&CK | T1565 | 0 | Data Manipulation |
MITRE-ATT&CK | T1027 | 0 | Obfuscated Files or Information |
Controls
ID | Title | Objective | Control Family | Threat Mappings (count) | Guideline Mappings (count) | Assessment Requirements (count) |
---|---|---|---|---|---|---|
CCC.ObjStor.C01 | Prevent Requests to Buckets or Objects with Untrusted KMS Keys | Prevent any requests to object storage buckets or objects using untrusted KMS keys to protect against unauthorized data encryption that can impact data availability and integrity. | Data | 2 | 5 | 4 |
CCC.Core.C02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Data | 1 | 4 | 1 |
CCC.ObjStor.C02 | Enforce Uniform Bucket-level Access to Prevent Inconsistent Permissions | Ensure that uniform bucket-level access is enforced across all object storage buckets. This prevents the use of ad-hoc or inconsistent object-level permissions, ensuring centralized, consistent, and secure access management in accordance with the principle of least privilege. | Identity and Access Management | 1 | 5 | 2 |
CCC.Core.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Identity and Access Management | 1 | 5 | 4 |
CCC.Core.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Identity and Access Management | 1 | 4 | 6 |
CCC.Core.C04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring | 1 | 5 | 3 |
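Several of the controls above (CCC.Core.C05, CCC.Core.C03 and CCC.ObjStor.C01) can be checked statically against a resource policy before it is deployed. The following added example is not code from the CCC catalog or any assessment tool; it assumes AWS-style JSON policy documents and the AWS condition keys `aws:SourceIp`, `aws:SourceVpce`, `aws:SourceVpc`, `aws:PrincipalOrgID`, `aws:PrincipalAccount`, `aws:MultiFactorAuthPresent` and `s3:x-amz-server-side-encryption-aws-kms-key-id`. The two policies, the account ID, role names, VPC endpoint ID, KMS key ARN and the set of actions treated as "sensitive" are constructed for the example. A compensating Deny statement (for instance one that refuses deletes without MFA) is accepted in place of a condition on the Allow itself, since that is how such guards are usually written.

```python
"""Added example, not part of the CCC catalog: a static lint of AWS-style
policy documents against CCC.Core.C05, CCC.Core.C03 and CCC.ObjStor.C01.
Condition-key names are AWS's; all policies and identifiers are constructed."""

# Condition keys that scope an Allow to a trusted network, endpoint, account or org.
SOURCE_SCOPING_KEYS = {"aws:SourceIp", "aws:SourceVpce", "aws:SourceVpc",
                       "aws:PrincipalOrgID", "aws:PrincipalAccount"}
MFA_KEY = "aws:MultiFactorAuthPresent"
KMS_KEY_COND = "s3:x-amz-server-side-encryption-aws-kms-key-id"
# Actions treated as sensitive for the MFA check (an assumption made for this example).
SENSITIVE_ACTIONS = {"s3:DeleteObject", "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl"}


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):   # {"AWS": [...]} / {"Service": ...}
        return [x for v in p.values() for x in _as_list(v)]
    return _as_list(p)


def _condition_keys(stmt):
    return {k for block in stmt.get("Condition", {}).values() for k in block}


def _action_matches(pattern, action):
    """IAM-style trailing wildcard: "*", "s3:*", "s3:Put*" (case-insensitive)."""
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def _guarded_by_deny(statements, action, key):
    """True if some Deny statement carrying condition `key` covers `action`."""
    return any(st.get("Effect") == "Deny" and key in _condition_keys(st)
               and any(_action_matches(a, action) for a in _as_list(st.get("Action")))
               for st in statements)


def lint_policy(policy):
    """Return findings for every Allow statement, each tagged with the CCC control it relates to."""
    statements = _as_list(policy.get("Statement"))
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement{i}")
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        cond = _condition_keys(st)
        if "*" in _principals(st) and not (cond & SOURCE_SCOPING_KEYS):
            findings.append(f"{sid}: CCC.Core.C05 any principal allowed with no source restriction")
        if any(a in ("*", "s3:*") for a in actions) and "*" in resources:
            findings.append(f"{sid}: CCC.Core.C05 wildcard action on wildcard resource (not least privilege)")
        unguarded = sorted(s for s in SENSITIVE_ACTIONS
                           if any(_action_matches(a, s) for a in actions)
                           and MFA_KEY not in cond and not _guarded_by_deny(statements, s, MFA_KEY))
        if unguarded:
            findings.append(f"{sid}: CCC.Core.C03 sensitive actions allowed without MFA: {unguarded}")
        if (any(_action_matches(a, "s3:PutObject") for a in actions)
                and KMS_KEY_COND not in cond
                and not _guarded_by_deny(statements, "s3:PutObject", KMS_KEY_COND)):
            findings.append(f"{sid}: CCC.ObjStor.C01 PutObject allowed with no trusted-KMS-key condition")
    return findings


# Constructed sample policies; account ID, role names, endpoint ID and key ARN are placeholders.
ACCT = "arn:aws:iam::123456789012:role/"
MISCONFIGURED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminsAll", "Effect": "Allow", "Principal": {"AWS": ACCT + "storage-admin"},
     "Action": "s3:*", "Resource": "*"},
]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadViaEndpoint", "Effect": "Allow", "Principal": {"AWS": ACCT + "report-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "WriteWithTrustedKey", "Effect": "Allow", "Principal": {"AWS": ACCT + "report-writer"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/reports/*",
     "Condition": {"StringEquals": {KMS_KEY_COND: "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}}},
    {"Sid": "AdminDelete", "Effect": "Allow", "Principal": {"AWS": ACCT + "storage-admin"},
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyDeleteWithoutMfa", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"BoolIfExists": {MFA_KEY: "false"}}},
]}

if __name__ == "__main__":
    for name, pol in (("MISCONFIGURED", MISCONFIGURED), ("HARDENED", HARDENED)):
        print(name, lint_policy(pol) or "no findings")
```

The misconfigured policy yields four findings: the anonymous read (C05), the admin's `s3:*` on `*` (least privilege, C05), sensitive actions without an MFA requirement (C03) and writes without a trusted-key condition (ObjStor.C01). The hardened policy yields none, because the admin's unconditional `AdminDelete` is covered by the `DenyDeleteWithoutMfa` guard. CCC.ObjStor.C02 (uniform bucket-level access) and CCC.Core.C04 (logging) are bucket or service settings rather than policy statements, so a policy lint of this kind cannot assess them; they need a separate configuration check.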