Updating testing requirements for VPC

services/networking/vpc/controls.yaml

@@ -1,19 +1,18 @@
 common_controls:
-  - CCC.C01  # Prevent unencrypted requests
-  - CCC.C03  # Implement multi-factor authentication (MFA) for access
-  - CCC.C04  # Log all access and changes
-  - CCC.C05  # Prevent access from untrusted entities
-  - CCC.C06  # Prevent deployment in restricted regions
+  - CCC.C01 # Prevent unencrypted requests
+  - CCC.C03 # Implement multi-factor authentication (MFA) for access
+  - CCC.C04 # Log all access and changes
+  - CCC.C05 # Prevent access from untrusted entities
+  - CCC.C06 # Prevent deployment in restricted regions
 
 controls:
   - id: CCC.VPC.C01
-    title: Skip Default Network Creation
+    title: Restrict Default Network Creation
     objective: |
-      Prevent the automatic creation of default virtual networks and related resources during cloud project initialization to avoid insecure default configurations and enforce custom network policies.
+      Restrict the automatic creation of default virtual networks and related resources during subscription initialization to avoid insecure default configurations and enforce custom network policies.
     control_family: Network Security
     threats:
       - CCC.VPC.TH01
-      - CCC.TH01  # Access control is misconfigured (common threat)
     nist_csf: PR.AC-5
     control_mappings:
       CCM:
@@ -25,23 +24,17 @@ controls:
     test_requirements:
       - id: CCC.VPC.C01.TR01
         text: |
-          Verify that default networks are not automatically created upon project initialization.
-        tlp_levels:
-          - tlp_red
-      - id: CCC.VPC.C01.TR02
-        text: |
-          Confirm that only custom networks with appropriate security controls are in place.
+          When a subscription is created, the subscription must not contain any default network resources.
         tlp_levels:
           - tlp_red
 
   - id: CCC.VPC.C02
-    title: Limit External IP Addresses for Virtual Machines
+    title: Limit External IP Addresses
     objective: |
-      Restrict the assignment of external (public) IP addresses to virtual machines to reduce exposure to the public internet and minimize attack surfaces.
+      Restrict the assignment of external (public) IP addresses to resources to reduce exposure to the public internet and minimize attack surfaces.
     control_family: Network Security
     threats:
       - CCC.VPC.TH02
-      - CCC.TH02  # Data is intercepted in transit (common threat)
     nist_csf: PR.AC-3
     control_mappings:
       CCM:
@@ -53,146 +46,83 @@ controls:
     test_requirements:
       - id: CCC.VPC.C02.TR01
         text: |
-          Verify that policies are in place to prevent unauthorized assignment of external IPs to virtual machines containing sensitive data.
+          When a resource is created, then the resource must not be assigned an external IP address by default.
         tlp_levels:
           - tlp_red
-      - id: CCC.VPC.C02.TR02
-        text: |
-          Ensure that external IP assignments are approved and monitored for virtual machines without sensitive data.
-        tlp_levels:
-          - tlp_green
-
-  - id: CCC.VPC.C03
-    title: Restrict IP Forwarding on Virtual Machines
-    objective: |
-      Control the use of IP forwarding on virtual machines to prevent unauthorized network traffic routing and potential security risks.
-    control_family: Network Security
-    threats:
-      - CCC.VPC.TH03
-    nist_csf: PR.AC-5
-    control_mappings:
-      CCM:
-        - SEF-05
-      ISO_27001:
-        - 2013 A.13.1.1
-      NIST_800_53:
-        - SC-7
-    test_requirements:
-      - id: CCC.VPC.C03.TR01
-        text: |
-          Verify that IP forwarding is disabled on all virtual machines containing sensitive data.
-        tlp_levels:
-          - tlp_red
-      - id: CCC.VPC.C03.TR02
-        text: |
-          Attempt to enable IP forwarding on a sensitive VM and confirm that it is denied.
-        tlp_levels:
-          - tlp_red
-      - id: CCC.VPC.C03.TR03
-        text: |
-          Confirm that IP forwarding is only enabled on virtual machines without sensitive data and with a justified operational need.
-        tlp_levels:
-          - tlp_green
-      - id: CCC.VPC.C03.TR04
-        text: |
-          Review and document the instances where IP forwarding is enabled under TLP Green classification.
-        tlp_levels:
-          - tlp_green
 
   - id: CCC.VPC.C04
-    title: Restrict Public IP Access to ML Development Environments
+    title: Restrict VPC Peering to Authorized Accounts
     objective: |
-      Prevent public IP access to Machine Learning (ML) development environments (e.g., ML notebooks) to reduce exposure to the internet and enhance security.
+      Ensure VPC peering connections are only established with explicitly authorized destinations to limit network exposure and enforce boundary controls.
     control_family: Network Security
     threats:
-      - CCC.VPC.TH04
+      - CCC.VPC.TH07
     nist_csf: PR.AC-3
     control_mappings:
       CCM:
-        - SEF-05
+        - IVS-01
       ISO_27001:
-        - 2013 A.13.1.1
+        - 2013 A.13.1.3
       NIST_800_53:
-        - SC-7
+        - AC-4
     test_requirements:
       - id: CCC.VPC.C04.TR01
         text: |
-          Verify that ML development environments containing sensitive data cannot be accessed via public IP addresses.
+          When a VPC peering connection is requested for an untrusted
+          destination, the VPC’s peering configuration must remain unchanged.
         tlp_levels:
           - tlp_red
-      - id: CCC.VPC.C04.TR02
-        text: |
-          Attempt to access an ML notebook via a public IP and confirm that access is denied.
-        tlp_levels:
-          - tlp_red
-      - id: CCC.VPC.C04.TR03
-        text: |
-          Ensure that any ML development environments without sensitive data requiring public access are approved and have appropriate security controls.
-        tlp_levels:
-          - tlp_green
 
   - id: CCC.VPC.C05
-    title: Restrict Virtual Networks for ML Development Environments
+    title: Enforce VPC Flow Logs on VPCs.
     objective: |
-      Limit the virtual networks that can be used when creating new ML development environment instances to ensure they are deployed within approved and secure network environments.
+      Ensure VPCs are configured with flow logs enabled to capture traffic information.
     control_family: Network Security
     threats:
-      - CCC.VPC.TH05
-      - CCC.TH01  # Access control is misconfigured (common threat)
-    nist_csf: PR.AC-4
+      - CCC.VPC.TH08
+    nist_csf: PR.PT-1
     control_mappings:
       CCM:
-        - IAM-12
+        - IVS-06
       ISO_27001:
-        - 2013 A.9.1.2
+        - 2013 A.12.4.1
       NIST_800_53:
-        - AC-6
+        - AU-2
     test_requirements:
       - id: CCC.VPC.C05.TR01
         text: |
-          Verify that ML development environments containing sensitive data can only be deployed in approved virtual networks with appropriate security controls.
+          When any network traffic goes to or from an interface in the VPC, VPC flow logs must capture and log all relevant information.
         tlp_levels:
           - tlp_red
       - id: CCC.VPC.C05.TR02
         text: |
-          Attempt to deploy an ML development environment in an unapproved network and confirm that it is denied.
+          When VPC flow logs are disabled, then the activity is logged in the cloud native logging service.
         tlp_levels:
           - tlp_red
-      - id: CCC.VPC.C05.TR03
-        text: |
-          Ensure that ML development environments without sensitive data are deployed in networks that meet organizational security standards.
-        tlp_levels:
-          - tlp_green
 
   - id: CCC.VPC.C06
-    title: Disable Nested Virtualization on Virtual Machines
+    title: Restrict Route Table Entries from Internet Gateway Access
     objective: |
-      Disable hardware-accelerated nested virtualization on virtual machines to prevent potential security risks associated with nested environments.
-    control_family: Virtualization Security
+      Ensure that route tables do not contain routes to an Internet Gateway.
+    control_family: Network Security
     threats:
-      - CCC.VPC.TH06
-      - CCC.TH06  # Data is lost or corrupted (common threat)
-    nist_csf: PR.DS-7
+      - CCC.VPC.TH09
+    nist_csf: PR.AC-5
     control_mappings:
       CCM:
-        - IVS-08
+        - DSI-04
       ISO_27001:
-        - 2013 A.12.6.2
+        - 2013 A.13.1.3
       NIST_800_53:
         - SC-7
     test_requirements:
       - id: CCC.VPC.C06.TR01
         text: |
-          Verify that nested virtualization cannot be enabled on virtual machines containing sensitive data.
+          When a route table is created or updated, then it must not include a route to an Internet Gateway.
         tlp_levels:
           - tlp_red
       - id: CCC.VPC.C06.TR02
         text: |
-          Attempt to enable nested virtualization on a sensitive VM and confirm that it is denied.
+          When an unauthorized route to an Internet Gateway is detected in any route table, then this must be logged.
         tlp_levels:
           - tlp_red
-      - id: CCC.VPC.C06.TR03
-        text: |
-          For virtual machines without sensitive data, ensure that nested virtualization is only enabled when necessary and with appropriate security measures.
-        tlp_levels:
-          - tlp_green

services/networking/vpc/threats.yaml

@@ -29,7 +29,7 @@
       - T1078  # Valid Accounts
 
   - id: CCC.VPC.TH03
-    title: Unauthorized Network Traffic Routing
+    title: Unauthorized Network Traffic Routing via IP Forwarding
     description: |
       Enabling IP forwarding on virtual machines allows them to route traffic, which can be exploited to redirect traffic, bypass network controls, or launch attacks within the network.
     features:
@@ -39,33 +39,31 @@
       - T1021  # Remote Services
 
   - id: CCC.VPC.TH04
-    title: Unauthorized Access to ML Development Environments via Public IP
+    title: Unauthorized Network Access through VPC Peering
     description: |
-      Public IP access to ML development environments can lead to unauthorized access if proper security controls are not in place, increasing the risk of compromise and data breaches.
+      Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved accounts/projects/subscriptions, leading to potential data exposure or exfiltration.
     features:
-      - CCC.VPC.F04  # Public IP Access Control
-      - CCC.F06      # Identity Based Access Control (common feature)
+      - CCC.VPC.FXX # TO DO: VPC Peering
     mitre_technique:
-      - T1133  # External Remote Services
-      - T1078  # Valid Accounts
+      - T1599  # Network Boundary Bridging
 
   - id: CCC.VPC.TH05
-    title: Deployment of ML Development Environments in Unapproved Networks
+    title: Lack of Network Visibility Due to Disabled VPC Flow Logs
     description: |
-      Deploying ML development environments in unapproved or less secure networks can expose them to vulnerabilities and unauthorized access, compromising sensitive data and security policies.
+      VPC subnets with disabled flow logs lack critical network traffic visibility, which can lead to undetected unauthorized access, data exfiltration, and network misconfigurations. This lack of visibility increases the risk of undetected security incidents.
     features:
-      - CCC.VPC.F05  # Virtual Network Selection
-      - CCC.F06      # Identity Based Access Control (common feature)
+      - CCC.VPC.FXX  # VPC Flow Logs
     mitre_technique:
-      - T1578  # Modify Cloud Compute Infrastructure
+      - T1580 # Cloud Infrastructure Discovery
 
   - id: CCC.VPC.TH06
-    title: Security Risks from Nested Virtualization
+    title: Unauthorized Exposure to the Internet via Internet Gateway Routes
     description: |
-      Nested virtualization can introduce additional layers of abstraction, increasing complexity and potentially leading to security vulnerabilities that can be exploited.
+      Route tables configured with routes to an Internet Gateway allow direct exposure of network resources to the public internet. 
     features:
-      - CCC.VPC.F06  # Nested Virtualization
-      - CCC.F09      # Monitoring (common feature)
+      - CCC.VPC.XX  # Route Table
     mitre_technique:
-      - T1497  # Virtualization/Sandbox Evasion
-      - T1059  # Command and Scripting Interpreter
+      - T1011  # Exfiltration Over Alternative Protocol
+
+
+