This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
VPCServiceControls.yaml
version: 1
ATT&CK version: 10
creation date: 02/14/2022
last update: 06/07/2022
name: VPC Service Controls
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: GCP
tags:
  - Virtual Private Cloud
  - Access Control Policies
  - Network
description: >-
  VPC Service Controls improves your ability to mitigate the risk of data exfiltration from Google
  Cloud services such as Cloud Storage and BigQuery. You can use VPC Service Controls to create
  service perimeters that protect the resources and data of services that you explicitly specify.
techniques:
  - id: T1078
    name: Valid Accounts
    technique-scores:
      - category: Protect
        value: Significant
        comments: >-
          This control can mitigate abuse of compromised valid accounts. Calls to restricted
          services on projects inside a service perimeter are only accepted from callers that are
          themselves inside the perimeter or that satisfy an access level, so a valid but stolen
          credential used from outside the perimeter is denied even though IAM would permit it.
  - id: T1537
    name: Transfer Data to Cloud Account
    technique-scores:
      - category: Protect
        value: Significant
        comments: >-
          This control can mitigate exfiltration to external cloud accounts by blocking egress of
          data from restricted services inside the perimeter to Google Cloud projects outside it,
          such as an attacker-controlled storage bucket.
  - id: T1530
    name: Data from Cloud Storage Object
    technique-scores:
      - category: Protect
        value: Significant
        comments: >-
          This control can mitigate access to cloud storage objects by limiting access to objects
          in projects inside the service perimeter to callers that are also inside the perimeter or
          that satisfy an access level.
  - id: T1567
    name: Exfiltration Over Web Service
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control partially mitigates exfiltration of data over a web service. Data inside a
          service perimeter cannot be moved to a Google Cloud resource or service outside the
          perimeter, but the perimeter does not mediate traffic to third-party web services or
          storage, so data that can be read from inside the perimeter may still be uploaded there.
  - id: T1619
    name: Cloud Storage Object Discovery
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          This control can mitigate discovery of cloud storage objects. It does not protect
          metadata such as cloud storage bucket names, but it can prevent callers outside the
          perimeter from enumerating the contents of a protected bucket.
references:
  - 'https://cloud.google.com/vpc-service-controls/docs/overview'
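The perimeter semantics behind the scores above, as an added example that is not part of the CTID mapping or of Google's own code: a simplified Python model of VPC Service Controls enforcement (perimeter membership, restricted services, access levels) run over constructed requests, one per scored technique. The project numbers, identities, IP ranges and the `evaluate` decision function are assumptions made for this example, not Google's implementation; the point is to show which paths the perimeter mediates (valid-account ingress, egress to another Google Cloud project) and which it never sees (uploads to a third-party web service), which is why T1567 scores only Partial.

```python
"""Simplified model of VPC Service Controls perimeter enforcement.

Added example, not from the CTID mapping or from Google. Models the decision
described in the VPC Service Controls overview: a call to a restricted service
on a project inside the perimeter is accepted only from inside the perimeter or
via an access level; calls from inside to restricted services outside are
denied; non-restricted (including non-Google) services are never evaluated.
All identities, project numbers and IP ranges are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class AccessLevel:
    """Basic access level: satisfied by a listed member OR a listed source range."""
    name: str
    members: Set[str] = field(default_factory=set)      # e.g. "user:alice@example.com"
    ip_ranges: List[str] = field(default_factory=list)  # e.g. "203.0.113.0/24"

    def satisfied_by(self, identity: str, source_ip: str) -> bool:
        if identity in self.members:
            return True
        return any(ip_address(source_ip) in ip_network(r) for r in self.ip_ranges)


@dataclass
class ServicePerimeter:
    name: str
    projects: Set[str]              # "projects/<number>" resources inside the perimeter
    restricted_services: Set[str]   # Google APIs the perimeter protects
    access_levels: List[AccessLevel] = field(default_factory=list)


@dataclass
class Request:
    identity: str                    # principal making the call (possibly a stolen valid account)
    source_project: Optional[str]    # project the caller runs in; None if outside Google Cloud
    source_ip: str
    target_project: Optional[str]    # None when the destination is not a Google Cloud project
    service: str                     # API host being called, e.g. "storage.googleapis.com"


def evaluate(p: ServicePerimeter, req: Request) -> str:
    """Return 'ALLOW', 'DENY' or 'NOT_EVALUATED' for one API call (assumed model)."""
    # The perimeter only mediates Google APIs listed as restricted; traffic to a
    # third-party web service never reaches this check (why T1567 is Partial).
    if req.service not in p.restricted_services:
        return "NOT_EVALUATED"
    src_inside = req.source_project in p.projects
    dst_inside = req.target_project in p.projects
    if src_inside and dst_inside:
        return "ALLOW"          # both ends inside: the perimeter is transparent
    if dst_inside:
        # Ingress from outside: valid IAM credentials alone are not enough (T1078, T1530);
        # only a matching access level lets the call through.
        if any(al.satisfied_by(req.identity, req.source_ip) for al in p.access_levels):
            return "ALLOW"
        return "DENY"
    if src_inside:
        return "DENY"           # egress to a Google Cloud project outside the perimeter (T1537)
    return "NOT_EVALUATED"      # neither side belongs to this perimeter


# Constructed perimeter: two data projects, Cloud Storage and BigQuery restricted,
# one access level that admits callers from a corporate IP range.
PERIMETER = ServicePerimeter(
    name="accessPolicies/1/servicePerimeters/data_boundary",
    projects={"projects/111111", "projects/222222"},
    restricted_services={"storage.googleapis.com", "bigquery.googleapis.com"},
    access_levels=[AccessLevel("corp_net", ip_ranges=["203.0.113.0/24"])],
)


def scenarios() -> dict:
    """Constructed requests covering the techniques scored in the mapping above."""
    etl_sa = "serviceAccount:etl@111111.iam.gserviceaccount.com"
    return {
        # T1078 / T1530: stolen valid account used from an internet address
        "stolen_creds_from_internet": evaluate(PERIMETER, Request(
            "user:alice@example.com", None, "198.51.100.7",
            "projects/111111", "storage.googleapis.com")),
        # Same account from the corporate range that satisfies the access level
        "stolen_creds_from_corp_range": evaluate(PERIMETER, Request(
            "user:alice@example.com", None, "203.0.113.9",
            "projects/111111", "storage.googleapis.com")),
        # T1537: copy from a protected bucket into an attacker-controlled project
        "exfil_to_external_gcp_project": evaluate(PERIMETER, Request(
            etl_sa, "projects/111111", "10.0.0.5",
            "projects/999999", "storage.googleapis.com")),
        # T1567: upload to a non-Google web service; the perimeter never sees it
        "exfil_to_third_party_web": evaluate(PERIMETER, Request(
            etl_sa, "projects/111111", "10.0.0.5",
            None, "paste.example-thirdparty.net")),
        # Normal workload traffic between two projects inside the perimeter
        "inside_to_inside": evaluate(PERIMETER, Request(
            etl_sa, "projects/111111", "10.0.0.5",
            "projects/222222", "bigquery.googleapis.com")),
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{label:32s} {verdict}")
```

The `stolen_creds_from_corp_range` case is the caveat a practitioner should keep in view: an access level that admits a whole network range lets a stolen credential back in from any host on that range, so the Significant score for T1078 holds only as well as the access levels attached to the perimeter.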