CCC Audit Logging
Provides the ability to transmit system events, application activities, and/or user interactions to a logging service.
Release Details
- Version: DEV
- Assurance Level:
- Release Manager: DB (Development Build)
Contributors
- DT (Development Team)
Change Log
- Development build - no formal changelog available
Capabilities
ID | Title | Description | Threat Mappings |
---|---|---|---|
CCC.AuditLog.F01 | Default Retention Period | Cloud providers support a default minimum retention of audit log data. | 0 |
CCC.AuditLog.F02 | Export | Support for manual "one off" exporting or downloading of raw log events. | 0 |
CCC.AuditLog.F03 | Sink | Ability to continually stream audit log data to a hosted storage bucket or data lake solution. | 2 |
CCC.AuditLog.F04 | Event Types | Audit events are generated with different data types to provide specific fields for the system which generated the event, such as Management Event, Data Event and Policy Event. | 0 |
CCC.AuditLog.F05 | Time Search | Ability to search for audit events across a specific time range. | 0 |
CCC.AuditLog.F06 | Filtering | Ability to filter audit events based on a specific attribute. | 0 |
CCC.AuditLog.F07 | Immutable Log Entries | Audit Log events are immutable and cannot be altered or deleted once generated. | 0 |
CCC.AuditLog.F08 | External Sink | Audit log events can be configured to be sent to an external SIEM or data analysis provider outside of the cloud platform. | 2 |
CCC.Core.F01 | Encryption in Transit Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to transmission via a network interface. | 0 |
CCC.Core.F02 | Encryption at Rest Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to being written to a storage medium. | 0 |
CCC.Core.F03 | Access Log Publication | The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors. | 7 |
CCC.Core.F06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. | 1 |
CCC.Core.F07 | Event Publication | The service automatically publishes a structured state-change record upon creation, deletion, or modification of data, configuration, components, or child resources. | 0 |
CCC.Core.F08 | Data Replication | The service automatically replicates data across multiple deployments simultaneously with parity, or may be configured to do so. | 0 |
CCC.Core.F09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. | 2 |
CCC.Core.F10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. | 7 |
CCC.Core.F14 | API Access | The service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE. | 0 |
CCC.Core.F17 | Alerting | The service may be configured to emit a notification based on a user-defined condition related to the data published by a child or networked resource. | 0 |
Threats
ID | Title | Description | External Mappings | Capability Mappings | Control Mappings |
---|---|---|---|---|---|
CCC.AUDITLOG.TH01 | Insufficient Audit Logs | If security-critical audit events are not logged, detecting threats and performing post-incident analysis becomes more difficult. | 2 | 1 | 0 |
CCC.AUDITLOG.TH02 | Log Ingestion Latency | Large spikes or sustained delays in log ingestion may degrade the timeliness and completeness of security telemetry. This can increase the time required to detect and investigate threats, potentially impacting incident response effectiveness. | 3 | 1 | 0 |
CCC.AUDITLOG.TH03 | Sensitive Data Logged | Sensitive information such as passwords, environment variables, or personally identifiable information (PII) may be included in audit logs for a number of reasons, such as end-user error, developers not sanitizing fields, or maliciously, by a threat actor attempting to exfiltrate data. This can lead to unauthorized disclosure if logs are accessed by unintended parties or forwarded to external systems. | 3 | 1 | 0 |
CCC.AUDITLOG.TH04 | Insufficient encoding of audit logs | User-supplied data such as scripts, control characters, escape sequences, or code fragments may be written to audit logs without proper encoding or sanitization. This can result in malformed or unexpected log entries that could disrupt or compromise systems that process or display these logs, including log viewers or downstream services. | 2 | 1 | 0 |
CCC.AUDITLOG.TH05 | Logging Evasion via Violating Size Constraints | An attacker can evade detection by intentionally crafting input that violates the size constraints of a cloud's audit logging mechanism. Many systems impose a maximum size limit on individual log entries. If an action is performed with oversized data, such as whitespace or Unicode padding, the resulting log event, which often includes the offending data, exceeds this limit and is then frequently truncated or redacted in the audit logs. | 2 | 1 | 0 |
CCC.Core.TH01 | Access is Granted to Unauthorized Users | Logic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data. | 1 | 1 | 6 |
CCC.Core.TH04 | Data is Replicated to Untrusted or External Locations | Systems are susceptible to unauthorized access or interception by actors with political or physical control over the network in which they are deployed. Confidentiality may be impacted if the data is replicated to a network where the geopolitical status is untrusted, unstable, or insecure. | 1 | 1 | 2 |
CCC.Core.TH06 | Data is Lost or Corrupted | Services that rely on accurate data are susceptible to disruption in the event of data loss or corruption. Any actions that lead to the unintended deletion, alteration, or limited access to data can impact the availability of the service and the system it is part of. | 1 | 1 | 5 |
CCC.Core.TH07 | Logs are Tampered With or Deleted | Tampering with or deleting service logs reduces the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails. | 1 | 1 | 8 |
CCC.Core.TH09 | Runtime Logs are Read by Unauthorized Entities | Unauthorized access to logs may expose valuable information about the system's configuration, operations, and security mechanisms. This could jeopardize system availability through the exposure of vulnerabilities and support the planning of attacks on the service, system, or network. If logs are not adequately sanitized, this may also directly impact the confidentiality of sensitive data. | 1 | 1 | 2 |
CCC.Core.TH16 | Publications are Disabled | Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management. | 1 | 1 | 1 |
Controls
ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
---|---|---|---|---|---|---|
CCC.AuditLog.C01 | Implement Digital Signatures With Hash Chaining | Digital signatures allow external verification that log data has not been tampered with, and hash chaining allows deleted log entries to be detected. | Integrity | 2 | 2 | 2 |
CCC.AuditLog.C02 | Enable And Validate All Audit Log Types | Review the audit log configuration and ensure that all audit log types are being generated and replicated to the configured sinks. | Integrity | 1 | 4 | 1 |
CCC.AuditLog.C03 | Alert On Audit Log Changes And Access | Ensure that specific alerts have been configured to detect changes in audit log configuration such as disabling exporting of logs. Alerts MUST also be created to detect changes in retention/object lock policies for exported data log sources/buckets. | Integrity | 1 | 3 | 2 |
CCC.AuditLog.C04 | Ensure Access Logging Is Enabled on the Audit Log Bucket | Ensure that access logging is enabled for the audit log storage bucket to capture all requests made to the bucket, providing an audit trail of data access. | Integrity | 2 | 3 | 1 |
CCC.AuditLog.C05 | Export Audit Logs To Bucket | Configure audit logs to be sent to an external bucket where they can be globally replicated and subjected to stricter access control and data retention policies. | Availability | 1 | 4 | 1 |
CCC.AuditLog.C06 | Enforce Retention Policy on Audit Log Bucket | Configure a custom retention policy on the designated audit log bucket to ensure that logs are retained for the correct number of days as defined by your organization's policy. | Availability | 2 | 3 | 1 |
CCC.AuditLog.C07 | Enforce MFA Delete on Audit Log Bucket | Enable Multi-Factor Authentication (MFA) delete on the audit log bucket to provide greater protection against accidental or malicious deletion of audit data. | Availability | 2 | 3 | 1 |
CCC.AuditLog.C08 | Enable Object Lock On Audit Log Bucket | Ensure that object lock is enabled globally on all objects within the bucket. The lock time MUST be configured to meet your organization's legal and compliance goals. Deletion attempts before the lock period expires MUST be denied. | Availability | 1 | 3 | 1 |
CCC.AuditLog.C09 | Restrict Field And Log Type Access | Configure access to audit logs to follow the principle of least privilege; in particular, where technically possible, limit the log fields users can access to prevent accidental exposure of sensitive information such as PII. | Confidentiality | 1 | 7 | 1 |
CCC.AuditLog.C10 | Ensure Audit Bucket is Not Publicly Accessible | Ensure that audit log storage buckets are not publicly accessible to prevent unauthorized exposure of sensitive log data. | Confidentiality | 1 | 3 | 2 |
CCC.Core.C01 | Encrypt Data for Transmission | Ensure that all communications are encrypted in transit to protect data integrity and confidentiality. | Data | 1 | 8 | 5 |
CCC.Core.C02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Data | 1 | 7 | 1 |
CCC.Core.C06 | Restrict Deployments to Trust Perimeter | Ensure that the service and its child resources are only deployed on infrastructure in locations that are explicitly included within a defined trust perimeter. | Data | 1 | 4 | 2 |
CCC.Core.C08 | Replicate Data to Multiple Locations | Ensure that data is replicated across multiple physical locations to protect against data loss due to hardware failures, natural disasters, or other catastrophic events. | Data | 1 | 6 | 2 |
CCC.Core.C09 | Ensure Integrity of Access Logs | Ensure that access logs are always recorded to an external location that cannot be manipulated from the context of the service(s) it contains logs for. | Data | 3 | 5 | 3 |
CCC.Core.C10 | Restrict Data Replication to Trust Perimeter | Ensure that data is only replicated on infrastructure in locations that are explicitly included within a defined trust perimeter. | Data | 1 | 4 | 1 |
CCC.Core.C11 | Protect Encryption Keys | Ensure that encryption keys are managed securely by enforcing the use of approved algorithms, regular key rotation, and customer-managed encryption keys (CMEKs). | Data | 1 | 7 | 6 |
CCC.Core.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Identity and Access Management | 1 | 6 | 4 |
CCC.Core.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Identity and Access Management | 1 | 8 | 6 |
CCC.Core.C04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring | 1 | 5 | 3 |
CCC.Core.C07 | Alert on Unusual Enumeration Activity | Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities. | Logging & Monitoring | 1 | 4 | 2 |