Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating testing requirements for VPC #523

Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 88 additions & 6 deletions services/networking/vpc/controls.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ controls:
- SC-7
test_requirements:
- id: CCC.VPC.C01.TR01
# TO DO: When a new project/account/subscription is created, then default networks are not automatically created.
text: |
Verify that default networks are not automatically created upon project initialization.
tlp_levels:
Expand Down Expand Up @@ -53,9 +54,10 @@ controls:
test_requirements:
- id: CCC.VPC.C02.TR01
text: |
Verify that policies are in place to prevent unauthorized assignment of external IPs to virtual machines containing sensitive data.
When assigning IP addresses within VPCs, then IP ranges MUST be private.
mlysaght2017 marked this conversation as resolved.
Show resolved Hide resolved
tlp_levels:
- tlp_red
# TO DO: Remove CCC.VPC.C02.TR02?
- id: CCC.VPC.C02.TR02
text: |
Ensure that external IP assignments are approved and monitored for virtual machines without sensitive data.
Expand All @@ -80,25 +82,27 @@ controls:
test_requirements:
- id: CCC.VPC.C03.TR01
text: |
Verify that IP forwarding is disabled on all virtual machines containing sensitive data.
When a virtual machine is created, then IP forwarding MUST be disabled by default.
mlysaght2017 marked this conversation as resolved.
Show resolved Hide resolved
tlp_levels:
- tlp_red
- id: CCC.VPC.C03.TR02
text: |
Attempt to enable IP forwarding on a sensitive VM and confirm that it is denied.
When an attempt is made to enable IP forwarding on a VM, then the attempt MUST be denied.
mlysaght2017 marked this conversation as resolved.
Show resolved Hide resolved
tlp_levels:
- tlp_red
- id: CCC.VPC.C03.TR03
# TO DO: Remove? Is this testable?
text: |
Confirm that IP forwarding is only enabled on virtual machines without sensitive data and with a justified operational need.
tlp_levels:
- tlp_green
# TO DO: Remove? Is this testable?
- id: CCC.VPC.C03.TR04
text: |
Review and document the instances where IP forwarding is enabled under TLP Green classification.
tlp_levels:
- tlp_green

# TO DO: Remove? This is written is a way that it is specific to ML.
- id: CCC.VPC.C04
title: Restrict Public IP Access to ML Development Environments
objective: |
Expand Down Expand Up @@ -130,7 +134,7 @@ controls:
Ensure that any ML development environments without sensitive data requiring public access are approved and have appropriate security controls.
tlp_levels:
- tlp_green

# TO DO: Remove? This is written is a way that it is specific to ML.
- id: CCC.VPC.C05
title: Restrict Virtual Networks for ML Development Environments
objective: |
Expand Down Expand Up @@ -163,7 +167,7 @@ controls:
Ensure that ML development environments without sensitive data are deployed in networks that meet organizational security standards.
tlp_levels:
- tlp_green

# TO DO: Remove? Nested virtualization is not a feature of VPCs.
- id: CCC.VPC.C06
title: Disable Nested Virtualization on Virtual Machines
objective: |
Expand Down Expand Up @@ -196,3 +200,81 @@ controls:
For virtual machines without sensitive data, ensure that nested virtualization is only enabled when necessary and with appropriate security measures.
tlp_levels:
- tlp_green

- id: CCC.VPC.C07
title: Restrict VPC Peering to Authorized Accounts
objective: |
Ensure VPC peering connections are only established with explicitly authorized destinations to limit network exposure and enforce boundary controls.
control_family: Network Security
threats:
- CCC.VPC.TH07
nist_csf: PR.AC-3
control_mappings:
CCM:
- IVS-01
ISO_27001:
- 2013 A.13.1.3
NIST_800_53:
- AC-4
test_requirements:
- id: CCC.VPC.C07.TR01
text: |
When a VPC peering connection request is made, then it MUST be prevented if the target destination is not on an approved authorized list.
tlp_levels:
- tlp_red

- id: CCC.VPC.C08
title: Enforce VPC Flow Logs on VPCs.
objective: |
Ensure VPCs are configured with flow logs enabled to capture traffic information, support auditing, and enhance network visibility and security.
control_family: Network Security
threats:
- CCC.VPC.TH08
nist_csf: PR.PT-1
control_mappings:
CCM:
- IVS-06
ISO_27001:
- 2013 A.12.4.1
NIST_800_53:
- AU-2
test_requirements:
- id: CCC.VPC.C08.TR01
text: |
When a VPC is created or updated, then VPC flow logs MUST be enabled to capture and log all network traffic within the VPC.
mlysaght2017 marked this conversation as resolved.
Show resolved Hide resolved
tlp_levels:
- tlp_red
- id: CCC.VPC.C08.TR02
text: |
When VPC flow logs are disabled, then an alert MUST trigger.
tlp_levels:
- tlp_red

- id: CCC.VPC.C09
title: Restrict Route Table Entries from Internet Gateway Access
objective: |
Ensure that route tables do not contain routes to an Internet Gateway.
control_family: Network Security
threats:
- CCC.VPC.TH09
nist_csf: PR.AC-5
control_mappings:
CCM:
- DSI-04
ISO_27001:
- 2013 A.13.1.3
NIST_800_53:
- SC-7
test_requirements:
- id: CCC.VPC.C09.TR01
text: |
When a route table is created or updated, then it MUST NOT include a route to an Internet Gateway unless explicitly required and approved for specific use cases.
tlp_levels:
- tlp_red
- id: CCC.VPC.C09.TR02
text: |
When an unauthorized route to an Internet Gateway is detected in any route table, then an alert MUST trigger.
tlp_levels:
- tlp_red


49 changes: 29 additions & 20 deletions services/networking/vpc/threats.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,34 +38,43 @@
- T1590 # Gather Victim Network Information
- T1021 # Remote Services

- id: CCC.VPC.TH04
title: Unauthorized Access to ML Development Environments via Public IP
- id: CCC.VPC.TH06
title: Security Risks from Nested Virtualization
description: |
Public IP access to ML development environments can lead to unauthorized access if proper security controls are not in place, increasing the risk of compromise and data breaches.
Nested virtualization can introduce additional layers of abstraction, increasing complexity and potentially leading to security vulnerabilities that can be exploited.
features:
- CCC.VPC.F04 # Public IP Access Control
- CCC.F06 # Identity Based Access Control (common feature)
- CCC.VPC.F06 # Nested Virtualization
- CCC.F09 # Monitoring (common feature)
mitre_technique:
- T1133 # External Remote Services
- T1078 # Valid Accounts
- T1497 # Virtualization/Sandbox Evasion
- T1059 # Command and Scripting Interpreter

- id: CCC.VPC.TH05
title: Deployment of ML Development Environments in Unapproved Networks
- id: CCC.VPC.TH07
title: Unauthorized Network Access through VPC Peering
description: |
Deploying ML development environments in unapproved or less secure networks can expose them to vulnerabilities and unauthorized access, compromising sensitive data and security policies.
Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved accounts/projects/subscriptions, leading to potential data exposure or exfiltration.
features:
- CCC.VPC.F05 # Virtual Network Selection
- CCC.F06 # Identity Based Access Control (common feature)
- CCC.VPC.FXX # TO DO: VPC Peering

Check failure on line 57 in services/networking/vpc/threats.yaml

View workflow job for this annotation

GitHub Actions / yaml-checker / yaml-check

String does not match the pattern of "^CCC(\.[a-zA-Z0-9]+)?\.F\d+$". yaml-schema: file:///schemas/threats-schema.json.

String does not match the pattern of "^CCC(\.[a-zA-Z0-9]+)?\.F\d+$". Feature ID in the format <category-id>.F<#> Source: threats-schema.json (schemas/threats-schema.json)
mitre_technique:
- T1578 # Modify Cloud Compute Infrastructure
- T1599 # Network Boundary Bridging

- id: CCC.VPC.TH06
title: Security Risks from Nested Virtualization
- id: CCC.VPC.TH08
title: Lack of Network Visibility Due to Disabled VPC Flow Logs
description: |
Nested virtualization can introduce additional layers of abstraction, increasing complexity and potentially leading to security vulnerabilities that can be exploited.
VPC subnets with disabled flow logs lack critical network traffic visibility, which can lead to undetected unauthorized access, data exfiltration, and network misconfigurations. This lack of visibility increases the risk of undetected security incidents.
features:
- CCC.VPC.F06 # Nested Virtualization
- CCC.F09 # Monitoring (common feature)
- CCC.VPC.FXX # VPC Flow Logs

Check failure on line 66 in services/networking/vpc/threats.yaml

View workflow job for this annotation

GitHub Actions / yaml-checker / yaml-check

String does not match the pattern of "^CCC(\.[a-zA-Z0-9]+)?\.F\d+$". yaml-schema: file:///schemas/threats-schema.json.

String does not match the pattern of "^CCC(\.[a-zA-Z0-9]+)?\.F\d+$". Feature ID in the format <category-id>.F<#> Source: threats-schema.json (schemas/threats-schema.json)
mitre_technique:
- T1497 # Virtualization/Sandbox Evasion
- T1059 # Command and Scripting Interpreter
- T1580 # Cloud Infrastructure Discovery

- id: CCC.VPC.TH09
title: Unauthorized Exposure to the Internet via Internet Gateway Routes
description: |
Route tables configured with routes to an Internet Gateway allow direct exposure of network resources to the public internet.
features:
- CCC.VPC.XX # Route Table

Check failure on line 75 in services/networking/vpc/threats.yaml

View workflow job for this annotation

GitHub Actions / yaml-checker / yaml-check

String does not match the pattern of "^CCC(\.[a-zA-Z0-9]+)?\.F\d+$". yaml-schema: file:///schemas/threats-schema.json.

String does not match the pattern of "^CCC(\.[a-zA-Z0-9]+)?\.F\d+$". Feature ID in the format <category-id>.F<#> Source: threats-schema.json (schemas/threats-schema.json)
mitre_technique:
- T1011 # Exfiltration Over Alternative Protocol



Loading