From 8d262fc047300fa5aa8a08750c5b263aad6154d4 Mon Sep 17 00:00:00 2001 From: mlysaght Date: Mon, 11 Nov 2024 13:23:29 +0100 Subject: [PATCH 01/12] Add in to do on testing requirments for VPC --- services/networking/vpc/controls.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index e6266086..ca69de56 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -24,6 +24,7 @@ controls: - SC-7 test_requirements: - id: CCC.VPC.C01.TR01 + # TO DO: When a new project/account/subscription is created, then default networks are not automatically created. text: | Verify that default networks are not automatically created upon project initialization. tlp_levels: From 31808ecf386296dc5df7bce00bad1cf44ca411fa Mon Sep 17 00:00:00 2001 From: mlysaght Date: Mon, 11 Nov 2024 13:40:49 +0100 Subject: [PATCH 02/12] Update testing requirments for VPC --- services/networking/vpc/controls.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index ca69de56..eb410b88 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -54,9 +54,10 @@ controls: test_requirements: - id: CCC.VPC.C02.TR01 text: | - Verify that policies are in place to prevent unauthorized assignment of external IPs to virtual machines containing sensitive data. + When assigning IP addresses within VPCs, then IP ranges MUST be private. tlp_levels: - tlp_red + # TO DO: Remove CCC.VPC.C02.TR02? - id: CCC.VPC.C02.TR02 text: | Ensure that external IP assignments are approved and monitored for virtual machines without sensitive data. 
@@ -81,25 +82,27 @@ controls: test_requirements: - id: CCC.VPC.C03.TR01 text: | - Verify that IP forwarding is disabled on all virtual machines containing sensitive data. + When a virtual machine is created, then IP forwarding MUST be disabled by default. tlp_levels: - tlp_red - id: CCC.VPC.C03.TR02 text: | - Attempt to enable IP forwarding on a sensitive VM and confirm that it is denied. + When an attempt is made to enable IP forwarding on a VM, then the attempt MUST be denied. tlp_levels: - tlp_red - id: CCC.VPC.C03.TR03 + # TO DO: Remove? Is this testable? text: | Confirm that IP forwarding is only enabled on virtual machines without sensitive data and with a justified operational need. tlp_levels: - tlp_green + # TO DO: Remove? Is this testable? - id: CCC.VPC.C03.TR04 text: | Review and document the instances where IP forwarding is enabled under TLP Green classification. tlp_levels: - tlp_green - + # TO DO: Remove? This is written is a way that it is specific to ML. - id: CCC.VPC.C04 title: Restrict Public IP Access to ML Development Environments objective: | @@ -131,7 +134,7 @@ controls: Ensure that any ML development environments without sensitive data requiring public access are approved and have appropriate security controls. tlp_levels: - tlp_green - + # TO DO: Remove? This is written is a way that it is specific to ML. - id: CCC.VPC.C05 title: Restrict Virtual Networks for ML Development Environments objective: | @@ -164,7 +167,7 @@ controls: Ensure that ML development environments without sensitive data are deployed in networks that meet organizational security standards. tlp_levels: - tlp_green - + # TO DO: Remove? Nested virtualization is not a feature of VPCs. - id: CCC.VPC.C06 title: Disable Nested Virtualization on Virtual Machines objective: | From cdf2562d3d1c56140d5eb01f7b70f291d8d4a808 Mon Sep 17 00:00:00 2001 
From: mlysaght Date: Mon, 11 Nov 2024 14:01:54 +0100 Subject: [PATCH 03/12] Add in VPC peering control --- services/networking/vpc/controls.yaml | 23 +++++++++++++++++++++++ services/networking/vpc/threats.yaml | 10 ++++++++++ 2 files changed, 33 insertions(+) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index eb410b88..d31e71a3 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -200,3 +200,26 @@ controls: For virtual machines without sensitive data, ensure that nested virtualization is only enabled when necessary and with appropriate security measures. tlp_levels: - tlp_green + + - id: CCC.VPC.C07 + title: Restrict VPC Peering to Authorized Accounts + objective: | + Ensure VPC peering connections are only established with explicitly authorized destinations to limit network exposure and enforce boundary controls. + control_family: Network Security + threats: + - CCC.VPC.TH02 + nist_csf: PR.AC-3 + control_mappings: + CCM: + - IVS-01 + ISO_27001: + - 2013 A.13.1.3 + NIST_800_53: + - AC-4 + test_requirements: + - id: CCC.VPC.C07.TR01 + text: | + When a VPC peering connection request is made, then it MUST be prevented if the target destination is not on an approved authorized list. + tlp_levels: + - tlp_red + diff --git a/services/networking/vpc/threats.yaml b/services/networking/vpc/threats.yaml index feef1b42..6df253cb 100644 --- a/services/networking/vpc/threats.yaml +++ b/services/networking/vpc/threats.yaml 
@@ -69,3 +69,13 @@ threats: mitre_technique: - T1497 # Virtualization/Sandbox Evasion - T1059 # Command and Scripting Interpreter + + - id: CCC.VPC.TH07 + title: Unauthorized Network Access through VPC Peering + description: | + Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved accounts/projects, leading to potential data exposure or exfiltration. + features: + - CCC.VPC.FXX # TO DO: VPC Peering + mitre_technique: + - T1071 # Application Layer Protocol + From 4abd7758a27a321234febd13f69ad6312e07cb0f Mon Sep 17 00:00:00 2001 From: mlysaght Date: Mon, 11 Nov 2024 18:05:46 +0100 Subject: [PATCH 04/12] Add in VPC peering control --- services/networking/vpc/controls.yaml | 57 ++++++++++++++++++++++++++- services/networking/vpc/threats.yaml | 45 +++++++++++---------- 2 files changed, 78 insertions(+), 24 deletions(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index d31e71a3..fb9312c4 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -207,7 +207,7 @@ controls: Ensure VPC peering connections are only established with explicitly authorized destinations to limit network exposure and enforce boundary controls. control_family: Network Security threats: - - CCC.VPC.TH02 + - CCC.VPC.TH07 nist_csf: PR.AC-3 control_mappings: CCM: 
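Review bot: The new TH07 entry points at a placeholder feature id, `- CCC.VPC.FXX # TO DO: VPC Peering`, so the threat cannot be resolved against the feature catalogue that the other entries reference (`CCC.VPC.F04`, `CCC.F06`). The threats hunk in patch 04 adds two more placeholders, `CCC.VPC.FXX # VPC Flow Logs` and `CCC.VPC.XX # Route Table`, and no later hunk in the series shows them being replaced, so the final threats.yaml presumably still carries three unresolved ids, two of which collide on the same string. Either define the feature entries before merging, or use distinct, consistently formed placeholders and keep a `TO DO` marker on each so they are easy to find.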
@@ -222,4 +222,59 @@ controls: When a VPC peering connection request is made, then it MUST be prevented if the target destination is not on an approved authorized list. tlp_levels: - tlp_red + + - id: CCC.VPC.C08 + title: Enforce VPC Flow Logs on VPCs. + objective: | + Ensure VPCs are configured with flow logs enabled to capture traffic information, support auditing, and enhance network visibility and security. + control_family: Network Security + threats: + - CCC.VPC.TH08 + nist_csf: PR.PT-1 + control_mappings: + CCM: + - IVS-06 + ISO_27001: + - 2013 A.12.4.1 + NIST_800_53: + - AU-2 + test_requirements: + - id: CCC.VPC.C08.TR01 + text: | + When a VPC is created or updated, then VPC flow logs MUST be enabled to capture and log all network traffic within the VPC. + tlp_levels: + - tlp_red + - id: CCC.VPC.C08.TR02 + text: | + When VPC flow logs are disabled, then an alert MUST trigger. + tlp_levels: + - tlp_red + + - id: CCC.VPC.C09 + title: Restrict Route Table Entries from Internet Gateway Access + objective: | + Ensure that route tables do not contain routes to an Internet Gateway. + control_family: Network Security + threats: + - CCC.VPC.TH09 + nist_csf: PR.AC-5 + control_mappings: + CCM: + - DSI-04 + ISO_27001: + - 2013 A.13.1.3 + NIST_800_53: + - SC-7 + test_requirements: + - id: CCC.VPC.C09.TR01 + text: | + When a route table is created or updated, then it MUST NOT include a route to an Internet Gateway unless explicitly required and approved for specific use cases. + tlp_levels: + - tlp_red + - id: CCC.VPC.C09.TR02 + text: | + When an unauthorized route to an Internet Gateway is detected in any route table, then an alert MUST trigger. + tlp_levels: + - tlp_red + diff --git a/services/networking/vpc/threats.yaml b/services/networking/vpc/threats.yaml index 6df253cb..3e08f649 100644 --- a/services/networking/vpc/threats.yaml +++ b/services/networking/vpc/threats.yaml 
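Review bot: The new control title `title: Enforce VPC Flow Logs on VPCs.` ends with a period, unlike every other title in the file, and the context of the last hunk in patch 12 shows it unchanged at the end of the series; drop it: `title: Enforce VPC Flow Logs on VPCs`. In the same hunk the C09 objective states an unconditional ban on Internet Gateway routes, so the objective and the test requirements of one control should be read together when the wording of either is changed.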
@@ -38,27 +38,6 @@ threats: - T1590 # Gather Victim Network Information - T1021 # Remote Services - - id: CCC.VPC.TH04 - title: Unauthorized Access to ML Development Environments via Public IP - description: | - Public IP access to ML development environments can lead to unauthorized access if proper security controls are not in place, increasing the risk of compromise and data breaches. - features: - - CCC.VPC.F04 # Public IP Access Control - - CCC.F06 # Identity Based Access Control (common feature) - mitre_technique: - - T1133 # External Remote Services - - T1078 # Valid Accounts - - - id: CCC.VPC.TH05 - title: Deployment of ML Development Environments in Unapproved Networks - description: | - Deploying ML development environments in unapproved or less secure networks can expose them to vulnerabilities and unauthorized access, compromising sensitive data and security policies. - features: - - CCC.VPC.F05 # Virtual Network Selection - - CCC.F06 # Identity Based Access Control (common feature) - mitre_technique: - - T1578 # Modify Cloud Compute Infrastructure - - id: CCC.VPC.TH06 title: Security Risks from Nested Virtualization description: | 
@@ -73,9 +52,29 @@ threats: - id: CCC.VPC.TH07 title: Unauthorized Network Access through VPC Peering description: | - Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved accounts/projects, leading to potential data exposure or exfiltration. + Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved accounts/projects/subscriptions, leading to potential data exposure or exfiltration. features: - CCC.VPC.FXX # TO DO: VPC Peering mitre_technique: - - T1071 # Application Layer Protocol + - T1599 # Network Boundary Bridging + + - id: CCC.VPC.TH08 + title: Lack of Network Visibility Due to Disabled VPC Flow Logs + description: | + VPC subnets with disabled flow logs lack critical network traffic visibility, which can lead to undetected unauthorized access, data exfiltration, and network misconfigurations. This lack of visibility increases the risk of undetected security incidents. + features: + - CCC.VPC.FXX # VPC Flow Logs + mitre_technique: + - T1580 # Cloud Infrastructure Discovery + + - id: CCC.VPC.TH09 + title: Unauthorized Exposure to the Internet via Internet Gateway Routes + description: | + Route tables configured with routes to an Internet Gateway allow direct exposure of network resources to the public internet. + features: + - CCC.VPC.XX # Route Table + mitre_technique: + - T1011 # Exfiltration Over Alternative Protocol + + From bad62bfabea71b7fff55c37682f5cec0593977a2 Mon Sep 17 00:00:00 2001 From: mlysaght Date: Mon, 11 Nov 2024 19:42:07 +0100 Subject: [PATCH 05/12] Fix testing requirement --- services/networking/vpc/controls.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index fb9312c4..55064610 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml 
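Review bot: The technique label on the new TH09 entry does not match its id: in ATT&CK, T1011 is "Exfiltration Over Other Network Medium", while "Exfiltration Over Alternative Protocol" is T1048, so one of the two is wrong and the mapping should be re-checked before anything joins on the id. TH08's mapping to `- T1580 # Cloud Infrastructure Discovery` is a loose fit for a threat about flow logs being off; the technique that describes logs being turned off is T1562.008 (Impair Defenses: Disable or Modify Cloud Logs), which is worth considering instead of, or alongside, T1580. The TH08 description also says "VPC subnets with disabled flow logs" while the control it backs is scoped to VPCs; pick one scope so the threat and the test requirement agree.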
@@ -268,7 +268,7 @@ controls: test_requirements: - id: CCC.VPC.C09.TR01 text: | - When a route table is created or updated, then it MUST NOT include a route to an Internet Gateway unless explicitly required and approved for specific use cases. + When a route table is created or updated, then it MUST NOT include a route to an Internet Gateway. tlp_levels: - tlp_red - id: CCC.VPC.C09.TR02 From 9c26f9c59f91599a0b260e2d9629f7c7214bdd71 Mon Sep 17 00:00:00 2001 From: Michael Lysaght <31510876+mlysaght2017@users.noreply.github.com> Date: Tue, 12 Nov 2024 11:12:29 +0100 Subject: [PATCH 06/12] Update services/networking/vpc/controls.yaml Co-authored-by: Eddie Knight --- services/networking/vpc/controls.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index 55064610..726a582e 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -241,7 +241,7 @@ controls: test_requirements: - id: CCC.VPC.C08.TR01 text: | - When a VPC is created or updated, then VPC flow logs MUST be enabled to capture and log all network traffic within the VPC. + When any network traffic goes to or from an interface in the VPC, VPC flow logs MUST capture and log all relevant information. tlp_levels: - tlp_red - id: CCC.VPC.C08.TR02 From d63fbb42bd2f41e7e9e1a9a91468d5d1ec889958 Mon Sep 17 00:00:00 2001 From: Michael Lysaght <31510876+mlysaght2017@users.noreply.github.com> Date: Tue, 12 Nov 2024 11:12:54 +0100 Subject: [PATCH 07/12] Update services/networking/vpc/controls.yaml Co-authored-by: Eddie Knight --- services/networking/vpc/controls.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index 726a582e..73494272 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml 
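Review bot: With the exception clause removed, C09.TR01 now forbids any Internet Gateway route, but C09.TR02 (added in patch 04, directly below this hunk) still speaks of an "unauthorized route to an Internet Gateway", which presupposes that some routes are authorized. The two requirements should use the same model: either TR02 becomes `When a route to an Internet Gateway is detected in any route table, then an alert MUST trigger.`, or TR01 keeps an approval path and the control says who grants it. It is also worth confirming that an absolute ban is intended, since the control now has no way to express a deliberately public subnet.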
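Review bot: The rewritten C08.TR01, `VPC flow logs MUST capture and log all relevant information`, has no testable expectation: "relevant" is not defined anywhere in the file, so an assessor cannot decide what a passing flow-log record looks like. State the minimum a record must contain, or point at the project's definition of it if one exists, and keep the "when traffic goes to or from an interface" trigger, which is the right event to anchor on. Note that the requirement no longer says flow logs must be enabled when the VPC is created, which the replaced line did; if enabled-by-default is still wanted it needs its own requirement, since TR02 only covers the disabled case.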
@@ -87,7 +87,7 @@ controls: - tlp_red - id: CCC.VPC.C03.TR02 text: | - When an attempt is made to enable IP forwarding on a VM, then the attempt MUST be denied. + When an attempt is made to enable IP forwarding on a VM, then the VM configuration MUST remain unchanged. tlp_levels: - tlp_red - id: CCC.VPC.C03.TR03 From 519a3541d319b8f4aa020d7de3722aa3fad93f75 Mon Sep 17 00:00:00 2001 From: Michael Lysaght <31510876+mlysaght2017@users.noreply.github.com> Date: Tue, 12 Nov 2024 11:13:05 +0100 Subject: [PATCH 08/12] Update services/networking/vpc/controls.yaml Co-authored-by: Eddie Knight --- services/networking/vpc/controls.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index 73494272..93f6e846 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -82,7 +82,8 @@ controls: test_requirements: - id: CCC.VPC.C03.TR01 text: | - When a virtual machine is created, then IP forwarding MUST be disabled by default. + When a VPC peering connection is requested for an untrusted + destination, the VPC’s peering configuration MUST remain unchanged. tlp_levels: - tlp_red - id: CCC.VPC.C03.TR02 From 29df0fab3a0feb9a21ff7059384f2bf1cd1e087d Mon Sep 17 00:00:00 2001 From: mlysaght Date: Tue, 12 Nov 2024 11:38:55 +0100 Subject: [PATCH 09/12] Clean up remaining controls and threats --- services/networking/vpc/controls.yaml | 171 +++----------------------- services/networking/vpc/threats.yaml | 19 +-- 2 files changed, 24 insertions(+), 166 deletions(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index 93f6e846..069f2c82 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml 
@@ -1,19 +1,18 @@ common_controls: - - CCC.C01 # Prevent unencrypted requests - - CCC.C03 # Implement multi-factor authentication (MFA) for access - - CCC.C04 # Log all access and changes - - CCC.C05 # Prevent access from untrusted entities - - CCC.C06 # Prevent deployment in restricted regions + - CCC.C01 # Prevent unencrypted requests + - CCC.C03 # Implement multi-factor authentication (MFA) for access + - CCC.C04 # Log all access and changes + - CCC.C05 # Prevent access from untrusted entities + - CCC.C06 # Prevent deployment in restricted regions controls: - id: CCC.VPC.C01 - title: Skip Default Network Creation + title: Prevent Default Network Creation objective: | Prevent the automatic creation of default virtual networks and related resources during cloud project initialization to avoid insecure default configurations and enforce custom network policies. control_family: Network Security threats: - CCC.VPC.TH01 - - CCC.TH01 # Access control is misconfigured (common threat) nist_csf: PR.AC-5 control_mappings: CCM: 
@@ -24,25 +23,18 @@ controls: - SC-7 test_requirements: - id: CCC.VPC.C01.TR01 - # TO DO: When a new project/account/subscription is created, then default networks are not automatically created. text: | - Verify that default networks are not automatically created upon project initialization. - tlp_levels: - - tlp_red - - id: CCC.VPC.C01.TR02 - text: | - Confirm that only custom networks with appropriate security controls are in place. + When a new project/account/subscription is created, then the project/account/subscription MUST NOT contain any default network resources. tlp_levels: - tlp_red - id: CCC.VPC.C02 - title: Limit External IP Addresses for Virtual Machines + title: Limit External IP Addresses objective: | - Restrict the assignment of external (public) IP addresses to virtual machines to reduce exposure to the public internet and minimize attack surfaces. + Restrict the assignment of external (public) IP addresses to resources to reduce exposure to the public internet and minimize attack surfaces. control_family: Network Security threats: - CCC.VPC.TH02 - - CCC.TH02 # Data is intercepted in transit (common threat) nist_csf: PR.AC-3 control_mappings: CCM: @@ -54,15 +46,9 @@ controls: test_requirements: - id: CCC.VPC.C02.TR01 text: | - When assigning IP addresses within VPCs, then IP ranges MUST be private. + When a resource is created, then the resource MUST NOT be assigned an external IP address by default. tlp_levels: - tlp_red - # TO DO: Remove CCC.VPC.C02.TR02? - - id: CCC.VPC.C02.TR02 - text: | - Ensure that external IP assignments are approved and monitored for virtual machines without sensitive data. - tlp_levels: - - tlp_green - id: CCC.VPC.C03 title: Restrict IP Forwarding on Virtual Machines 
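Review bot: The replacement C02.TR01, `When a resource is created, then the resource MUST NOT be assigned an external IP address by default.`, only constrains the default, and with TR02 deleted in the same hunk nothing in C02 now covers a resource that explicitly requests a public address, although the objective is to restrict assignment in general. If the default-only scope is intended, narrow the objective to say so; otherwise add a second requirement along the lines of `When an external IP address is requested for a resource, then the request MUST be denied unless explicitly approved.` Since the surviving requirement is `tlp_red` only, deciding the scope also decides whether the green tier lost coverage deliberately.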
@@ -81,128 +67,12 @@ controls: - SC-7 test_requirements: - id: CCC.VPC.C03.TR01 - text: | - When a VPC peering connection is requested for an untrusted - destination, the VPC’s peering configuration MUST remain unchanged. - tlp_levels: - - tlp_red - - id: CCC.VPC.C03.TR02 text: | When an attempt is made to enable IP forwarding on a VM, then the VM configuration MUST remain unchanged. tlp_levels: - tlp_red - - id: CCC.VPC.C03.TR03 - # TO DO: Remove? Is this testable? - text: | - Confirm that IP forwarding is only enabled on virtual machines without sensitive data and with a justified operational need. - tlp_levels: - - tlp_green - # TO DO: Remove? Is this testable? - - id: CCC.VPC.C03.TR04 - text: | - Review and document the instances where IP forwarding is enabled under TLP Green classification. - tlp_levels: - - tlp_green - # TO DO: Remove? This is written is a way that it is specific to ML. - - id: CCC.VPC.C04 - title: Restrict Public IP Access to ML Development Environments - objective: | - Prevent public IP access to Machine Learning (ML) development environments (e.g., ML notebooks) to reduce exposure to the internet and enhance security. - control_family: Network Security - threats: - - CCC.VPC.TH04 - nist_csf: PR.AC-3 - control_mappings: - CCM: - - SEF-05 - ISO_27001: - - 2013 A.13.1.1 - NIST_800_53: - - SC-7 - test_requirements: - - id: CCC.VPC.C04.TR01 - text: | - Verify that ML development environments containing sensitive data cannot be accessed via public IP addresses. - tlp_levels: - - tlp_red - - id: CCC.VPC.C04.TR02 - text: | - Attempt to access an ML notebook via a public IP and confirm that access is denied. - tlp_levels: - - tlp_red - - id: CCC.VPC.C04.TR03 - text: | - Ensure that any ML development environments without sensitive data requiring public access are approved and have appropriate security controls. - tlp_levels: - - tlp_green - # TO DO: Remove? This is written is a way that it is specific to ML. 
- - id: CCC.VPC.C05 - title: Restrict Virtual Networks for ML Development Environments - objective: | - Limit the virtual networks that can be used when creating new ML development environment instances to ensure they are deployed within approved and secure network environments. - control_family: Network Security - threats: - - CCC.VPC.TH05 - - CCC.TH01 # Access control is misconfigured (common threat) - nist_csf: PR.AC-4 - control_mappings: - CCM: - - IAM-12 - ISO_27001: - - 2013 A.9.1.2 - NIST_800_53: - - AC-6 - test_requirements: - - id: CCC.VPC.C05.TR01 - text: | - Verify that ML development environments containing sensitive data can only be deployed in approved virtual networks with appropriate security controls. - tlp_levels: - - tlp_red - - id: CCC.VPC.C05.TR02 - text: | - Attempt to deploy an ML development environment in an unapproved network and confirm that it is denied. - tlp_levels: - - tlp_red - - id: CCC.VPC.C05.TR03 - text: | - Ensure that ML development environments without sensitive data are deployed in networks that meet organizational security standards. - tlp_levels: - - tlp_green - # TO DO: Remove? Nested virtualization is not a feature of VPCs. - - id: CCC.VPC.C06 - title: Disable Nested Virtualization on Virtual Machines - objective: | - Disable hardware-accelerated nested virtualization on virtual machines to prevent potential security risks associated with nested environments. - control_family: Virtualization Security - threats: - - CCC.VPC.TH06 - - CCC.TH06 # Data is lost or corrupted (common threat) - nist_csf: PR.DS-7 - control_mappings: - CCM: - - IVS-08 - ISO_27001: - - 2013 A.12.6.2 - NIST_800_53: - - SC-7 - test_requirements: - - id: CCC.VPC.C06.TR01 - text: | - Verify that nested virtualization cannot be enabled on virtual machines containing sensitive data. - tlp_levels: - - tlp_red - - id: CCC.VPC.C06.TR02 - text: | - Attempt to enable nested virtualization on a sensitive VM and confirm that it is denied. 
- tlp_levels: - - tlp_red - - id: CCC.VPC.C06.TR03 - text: | - For virtual machines without sensitive data, ensure that nested virtualization is only enabled when necessary and with appropriate security measures. - tlp_levels: - - tlp_green - - id: CCC.VPC.C07 + - id: CCC.VPC.C04 title: Restrict VPC Peering to Authorized Accounts objective: | Ensure VPC peering connections are only established with explicitly authorized destinations to limit network exposure and enforce boundary controls. @@ -218,13 +88,14 @@ controls: NIST_800_53: - AC-4 test_requirements: - - id: CCC.VPC.C07.TR01 + - id: CCC.VPC.C04.TR01 text: | - When a VPC peering connection request is made, then it MUST be prevented if the target destination is not on an approved authorized list. + When a VPC peering connection is requested for an untrusted + destination, the VPC’s peering configuration MUST remain unchanged. tlp_levels: - tlp_red - - id: CCC.VPC.C08 + - id: CCC.VPC.C05 title: Enforce VPC Flow Logs on VPCs. objective: | Ensure VPCs are configured with flow logs enabled to capture traffic information, support auditing, and enhance network visibility and security. @@ -240,18 +111,18 @@ controls: NIST_800_53: - AU-2 test_requirements: - - id: CCC.VPC.C08.TR01 + - id: CCC.VPC.C05.TR01 text: | When any network traffic goes to or from an interface in the VPC, VPC flow logs MUST capture and log all relevant information. tlp_levels: - tlp_red - - id: CCC.VPC.C08.TR02 + - id: CCC.VPC.C05.TR02 text: | When VPC flow logs are disabled, then an alert MUST trigger. tlp_levels: - tlp_red - - id: CCC.VPC.C09 + - id: CCC.VPC.C06 title: Restrict Route Table Entries from Internet Gateway Access objective: | Ensure that route tables do not contain routes to an Internet Gateway. 
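Review bot: This commit renumbers the controls (C07→C04 here, C08→C05 and C09→C06 in the following hunks) and, in the threats.yaml hunks of the same commit, the threats (TH07→TH04, TH08→TH05, TH09→TH06), but no controls.yaml hunk touches the `threats:` entries of those controls, which patch 04 set to `CCC.VPC.TH07`, `CCC.VPC.TH08` and `CCC.VPC.TH09`. After this commit those three references point at ids that no longer exist in threats.yaml; the context of the last hunk in patch 12 still shows `- CCC.VPC.TH08` under C05, which confirms the reference was never updated. Update the three `threats:` lists to `CCC.VPC.TH04`, `CCC.VPC.TH05` and `CCC.VPC.TH06` respectively (those lines lie outside this hunk), and consider a CI check that every threat id referenced from controls.yaml exists in threats.yaml.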
@@ -267,15 +138,13 @@ controls: NIST_800_53: - SC-7 test_requirements: - - id: CCC.VPC.C09.TR01 + - id: CCC.VPC.C06.TR01 text: | When a route table is created or updated, then it MUST NOT include a route to an Internet Gateway. tlp_levels: - tlp_red - - id: CCC.VPC.C09.TR02 + - id: CCC.VPC.C06.TR02 text: | When an unauthorized route to an Internet Gateway is detected in any route table, then an alert MUST trigger. tlp_levels: - tlp_red - - diff --git a/services/networking/vpc/threats.yaml b/services/networking/vpc/threats.yaml index 3e08f649..3464b481 100644 --- a/services/networking/vpc/threats.yaml +++ b/services/networking/vpc/threats.yaml @@ -29,7 +29,7 @@ threats: - T1078 # Valid Accounts - id: CCC.VPC.TH03 - title: Unauthorized Network Traffic Routing + title: Unauthorized Network Traffic Routing via IP Forwarding description: | Enabling IP forwarding on virtual machines allows them to route traffic, which can be exploited to redirect traffic, bypass network controls, or launch attacks within the network. features: @@ -38,18 +38,7 @@ threats: - T1590 # Gather Victim Network Information - T1021 # Remote Services - - id: CCC.VPC.TH06 - title: Security Risks from Nested Virtualization - description: | - Nested virtualization can introduce additional layers of abstraction, increasing complexity and potentially leading to security vulnerabilities that can be exploited. - features: - - CCC.VPC.F06 # Nested Virtualization - - CCC.F09 # Monitoring (common feature) - mitre_technique: - - T1497 # Virtualization/Sandbox Evasion - - T1059 # Command and Scripting Interpreter - - - id: CCC.VPC.TH07 + - id: CCC.VPC.TH04 title: Unauthorized Network Access through VPC Peering description: | Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved accounts/projects/subscriptions, leading to potential data exposure or exfiltration. 
@@ -58,7 +47,7 @@ threats: mitre_technique: - T1599 # Network Boundary Bridging - - id: CCC.VPC.TH08 + - id: CCC.VPC.TH05 title: Lack of Network Visibility Due to Disabled VPC Flow Logs description: | VPC subnets with disabled flow logs lack critical network traffic visibility, which can lead to undetected unauthorized access, data exfiltration, and network misconfigurations. This lack of visibility increases the risk of undetected security incidents. @@ -67,7 +56,7 @@ threats: mitre_technique: - T1580 # Cloud Infrastructure Discovery - - id: CCC.VPC.TH09 + - id: CCC.VPC.TH06 title: Unauthorized Exposure to the Internet via Internet Gateway Routes description: | Route tables configured with routes to an Internet Gateway allow direct exposure of network resources to the public internet. From 304f97b47e5d8807c8319975da9334dfd4fc2e61 Mon Sep 17 00:00:00 2001 From: mlysaght Date: Tue, 12 Nov 2024 12:56:59 +0100 Subject: [PATCH 10/12] Add in all fixes --- services/networking/vpc/controls.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index 069f2c82..3987b45b 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -118,7 +118,7 @@ controls: - tlp_red - id: CCC.VPC.C05.TR02 text: | - When VPC flow logs are disabled, then an alert MUST trigger. + When VPC flow logs are disabled, then the activity is logged in the cloud native logging service. tlp_levels: - tlp_red @@ -145,6 +145,6 @@ controls: - tlp_red - id: CCC.VPC.C06.TR02 text: | - When an unauthorized route to an Internet Gateway is detected in any route table, then an alert MUST trigger. + When an unauthorized route to an Internet Gateway is detected in any route table, then this must be logged. tlp_levels: - tlp_red From f7556b7e0d218005c3e43a91e13c05f773a5541f Mon Sep 17 00:00:00 2001 
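Review bot: The new C05.TR02 text, `then the activity is logged in the cloud native logging service`, is written as a statement of fact rather than a requirement, unlike the `MUST`/`must` form used everywhere else in the file and in the parallel C06.TR02 change in the next hunk (`then this must be logged`); write it as `then the change MUST be logged in the cloud native logging service.` Both hunks also replace `an alert MUST trigger` with logging only, which drops the detection expectation: a disabled flow log or a new Internet Gateway route that is merely written to a log is not acted on unless something watches that log. If alerting was removed on purpose because it is out of scope for the catalogue, that deserves a sentence in the commit message; otherwise keeping `and an alert MUST be raised` on both requirements preserves the original intent.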
From: mlysaght Date: Tue, 12 Nov 2024 13:25:14 +0100 Subject: [PATCH 11/12] Removing upper case on must --- services/networking/vpc/controls.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index 3987b45b..94c834bb 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -24,7 +24,7 @@ controls: test_requirements: - id: CCC.VPC.C01.TR01 text: | - When a new project/account/subscription is created, then the project/account/subscription MUST NOT contain any default network resources. + When a new project/account/subscription is created, then the project/account/subscription must not contain any default network resources. tlp_levels: - tlp_red @@ -46,7 +46,7 @@ controls: test_requirements: - id: CCC.VPC.C02.TR01 text: | - When a resource is created, then the resource MUST NOT be assigned an external IP address by default. + When a resource is created, then the resource must not be assigned an external IP address by default. tlp_levels: - tlp_red @@ -68,7 +68,7 @@ controls: test_requirements: - id: CCC.VPC.C03.TR01 text: | - When an attempt is made to enable IP forwarding on a VM, then the VM configuration MUST remain unchanged. + When an attempt is made to enable IP forwarding on a VM, then the VM configuration must remain unchanged. tlp_levels: - tlp_red @@ -91,7 +91,7 @@ controls: - id: CCC.VPC.C04.TR01 text: | When a VPC peering connection is requested for an untrusted - destination, the VPC’s peering configuration MUST remain unchanged. + destination, the VPC’s peering configuration must remain unchanged. tlp_levels: - tlp_red 
@@ -113,7 +113,7 @@ controls: test_requirements: - id: CCC.VPC.C05.TR01 text: | - When any network traffic goes to or from an interface in the VPC, VPC flow logs MUST capture and log all relevant information. + When any network traffic goes to or from an interface in the VPC, VPC flow logs must capture and log all relevant information. tlp_levels: - tlp_red - id: CCC.VPC.C05.TR02 @@ -140,7 +140,7 @@ controls: test_requirements: - id: CCC.VPC.C06.TR01 text: | - When a route table is created or updated, then it MUST NOT include a route to an Internet Gateway. + When a route table is created or updated, then it must not include a route to an Internet Gateway. tlp_levels: - tlp_red - id: CCC.VPC.C06.TR02 From 907f84c70b27552afd020cebe51fa3aaf6556024 Mon Sep 17 00:00:00 2001 From: mlysaght Date: Mon, 18 Nov 2024 13:49:15 +0100 Subject: [PATCH 12/12] Remove IP forwarding --- services/networking/vpc/controls.yaml | 30 ++++----------------------- 1 file changed, 4 insertions(+), 26 deletions(-) diff --git a/services/networking/vpc/controls.yaml b/services/networking/vpc/controls.yaml index 94c834bb..4895c2bf 100644 --- a/services/networking/vpc/controls.yaml +++ b/services/networking/vpc/controls.yaml @@ -7,9 +7,9 @@ common_controls: controls: - id: CCC.VPC.C01 - title: Prevent Default Network Creation + title: Restrict Default Network Creation objective: | - Prevent the automatic creation of default virtual networks and related resources during cloud project initialization to avoid insecure default configurations and enforce custom network policies. + Restrict the automatic creation of default virtual networks and related resources during subscription initialization to avoid insecure default configurations and enforce custom network policies. control_family: Network Security threats: - CCC.VPC.TH01 
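Review bot: The rewritten C01 objective replaces "cloud project" with "subscription", and the TR01 hunk on the next line does the same, replacing "project/account/subscription" with "subscription" alone. The earlier wording covered the three providers' tenancy terms and nothing else in the file is provider-specific, so this presumably narrows a provider-neutral control to one vendor's vocabulary; if a single term is wanted, a neutral one such as `tenant` (or the project's own generic term, if it has one) with the provider names in a comment keeps the control applicable everywhere. "Restrict" in place of "Prevent" in the title and objective is also weaker than the requirement itself, which still says the subscription `must not contain any default network resources`.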
@@ -24,7 +24,7 @@ controls: test_requirements: - id: CCC.VPC.C01.TR01 text: | - When a new project/account/subscription is created, then the project/account/subscription must not contain any default network resources. + When a subscription is created, the subscription must not contain any default network resources. tlp_levels: - tlp_red @@ -50,28 +50,6 @@ controls: tlp_levels: - tlp_red - - id: CCC.VPC.C03 - title: Restrict IP Forwarding on Virtual Machines - objective: | - Control the use of IP forwarding on virtual machines to prevent unauthorized network traffic routing and potential security risks. - control_family: Network Security - threats: - - CCC.VPC.TH03 - nist_csf: PR.AC-5 - control_mappings: - CCM: - - SEF-05 - ISO_27001: - - 2013 A.13.1.1 - NIST_800_53: - - SC-7 - test_requirements: - - id: CCC.VPC.C03.TR01 - text: | - When an attempt is made to enable IP forwarding on a VM, then the VM configuration must remain unchanged. - tlp_levels: - - tlp_red - - id: CCC.VPC.C04 title: Restrict VPC Peering to Authorized Accounts objective: | @@ -98,7 +76,7 @@ controls: - id: CCC.VPC.C05 title: Enforce VPC Flow Logs on VPCs. objective: | - Ensure VPCs are configured with flow logs enabled to capture traffic information, support auditing, and enhance network visibility and security. + Ensure VPCs are configured with flow logs enabled to capture traffic information. control_family: Network Security threats: - CCC.VPC.TH08
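Review bot: Removing control C03 leaves threat `CCC.VPC.TH03` (retitled "Unauthorized Network Traffic Routing via IP Forwarding" in patch 09) with no control mapped to it; the diffstat shows only controls.yaml changing in this commit, so threats.yaml still lists a threat the catalogue no longer mitigates. Either delete TH03 in the same commit with a note on why IP forwarding is out of scope for the VPC service, or keep the control. The removal also leaves the control ids as C01, C02, C04, C05, C06; if the ids are meant to be contiguous, as the renumbering in patch 09 suggests, C04–C06 and their test-requirement ids need the same treatment.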