CCC.Core.TH01: Access is Granted to Unauthorized Users
Threat ID:CCC.Core.TH01
Title:Access is Granted to Unauthorized Users
Description:
Logic designed to give different permissions to different entities may be misconfigured or manipulated, allowing unauthorized entities to access restricted parts of the service, its data, or its child resources. This could result in a loss of data confidentiality or tolerance of unauthorized actions which impact the integrity and availability of resources and data.
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.F06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. |
External Mappings
| Reference ID | Entry ID | Strength | Remarks |
|---|---|---|---|
MITRE-ATT&CK | T1078 | 0 | Valid Accounts |
MITRE-ATT&CK | T1548 | 0 | Abuse Elevation Control Mechanism |
MITRE-ATT&CK | T1203 | 0 | Exploitation for Credential Access |
MITRE-ATT&CK | T1098 | 0 | Account Manipulation |
MITRE-ATT&CK | T1484 | 0 | Domain or Tenant Policy Modification |
MITRE-ATT&CK | T1546 | 0 | Event Triggered Execution |
MITRE-ATT&CK | T1537 | 0 | Transfer Data to Cloud Account |
MITRE-ATT&CK | T1567 | 0 | Exfiltration Over Web Services |
MITRE-ATT&CK | T1048 | 0 | Exfiltration Over Alternative Protocol |
MITRE-ATT&CK | T1485 | 0 | Data Destruction |
MITRE-ATT&CK | T1565 | 0 | Data Manipulation |
MITRE-ATT&CK | T1027 | 0 | Obfuscated Files or Information |
Controls
| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.ObjStor.C01 | Prevent Requests to Buckets or Objects with Untrusted KMS Keys | Prevent any requests to object storage buckets or objects using untrusted KMS keys to protect against unauthorized data encryption that can impact data availability and integrity. | Data | 2 | 5 | 4 |
| CCC.Core.C02 | Encrypt Data for Storage | Ensure that all data stored is encrypted at rest using strong encryption algorithms. | Data | 1 | 7 | 1 |
| CCC.ObjStor.C02 | Enforce Uniform Bucket-level Access to Prevent Inconsistent Permissions | Ensure that uniform bucket-level access is enforced across all object storage buckets. This prevents the use of ad-hoc or inconsistent object-level permissions, ensuring centralized, consistent, and secure access management in accordance with the principle of least privilege. | Identity and Access Management | 1 | 5 | 2 |
| CCC.Core.C03 | Implement Multi-factor Authentication (MFA) for Access | Ensure that all sensitive activities require two or more identity factors during authentication to prevent unauthorized access. | Identity and Access Management | 1 | 6 | 4 |
| CCC.Core.C05 | Prevent Access from Untrusted Entities | Ensure that secure access controls enforce the principle of least privilege to restrict access to authorized entities from explicitly trusted sources only. | Identity and Access Management | 1 | 8 | 6 |
| CCC.Core.C04 | Log All Access and Changes | Ensure that all access attempts are logged to maintain a detailed audit trail for security and compliance purposes. | Logging & Monitoring | 1 | 5 | 3 |