Skip to main content

CCC.AuditLog.C10: Ensure Audit Bucket is Not Publicly Accessible

Control ID:CCC.AuditLog.C10
Title:Ensure Audit Bucket is Not Publicly Accessible
Objective:Ensure that audit log storage buckets are not publicly accessible to prevent unauthorized exposure of sensitive log data.
Control Family:
Confidentiality

Related Threats

IDTitleDescriptionExternal MappingsCapability MappingsControl Mappings
CCC.Core.TH01Access is Granted to Unauthorized UsersLogic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data.
1
1
0

Related Capabilities

IDTitleDescription
CCC.Core.F06Access ControlThe service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes.

Guideline Mappings

Reference IDEntry IDStrengthRemarks
NIST-CSF
PR.AA-05
0
-
NIST_800_53
AC-3
0
-
NIST_800_53
SC-7
0
-

Assessment Requirements

IDDescriptionApplicability
CCC.AuditLog.C10.TR01When audit log storage bucket's are created then, bucket's access control settings MUST explicitly deny public read and write access.
tlp-red
tlp-amber
tlp-green
CCC.AuditLog.C10.TR02When the URL of a audit log storage bucket's object is accessed publicly then, it should be denied by bucket policy.
tlp-red
tlp-amber
tlp-green