Release · v2026.06-rc3

FINOS-CCC/CCC.KeyMgmt.TH Threat Catalog

Threats for Key Management technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install (OCI v1.1)

$ grcli unpack --repository finos-ccc/ccc.keymgmt.th --tag v2026.06-rc3

Coordinate: oci.grc.store/finos-ccc/ccc.keymgmt.th:v2026.06-rc3
Manifest digest: sha256:7bc60a9b1161b9ac656d6188076109c156a61bc0a113576e9b435e6441ce60cc

Provenance

1 layer
Digest: fd898dd6e88e…
Media type: application/vnd.gemara.artifact.v1+yaml
Size: 3.8 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.KeyMgmt.TH",
            "type": "ThreatCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.keymgmt.th",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/crypto/key/threats.yaml",
            "uri": "file://artifacts/crypto/key/threats.yaml",
            "digest": {
              "sha256": "fd898dd6e88efb168f7fd3b5794d2479640afff7be37225c45bffb67a0cff7e9"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:43:53.507624259Z",
          "finishedOn": "2026-06-01T16:43:53.636409798Z"
        },
        "byproducts": [
          {
            "name": "threats.yaml",
            "digest": {
              "sha256": "fd898dd6e88efb168f7fd3b5794d2479640afff7be37225c45bffb67a0cff7e9"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "threats.yaml",
      "type": "ThreatCatalog",
      "id": "CCC.KeyMgmt.TH",
      "role": "artifact"
    }
  ]
}

CCC Key Management Threats

Threats for Key Management technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.KeyMgmt.TH
Version: v2026.06-rc3
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Encryption

The Encryption group covers entries related to protecting data confidentiality and integrity through cryptographic mechanisms. This includes encryption in transit and at rest, key management, and certificate lifecycle management.

  1. CCC.KeyMgmt.TH01 Deletion or Disabling of Key Versions Causing Denial of Service or Data Loss

    Disabling, scheduling deletion, or permanently purging KMS key versions that protect sensitive data can prevent required decryption or signing operations. Service interruption or irreversible data loss may occur if the key material is no longer recoverable.

    Capabilities
    • CCC.KeyMgmt.Capabilities
      • CCC.KeyMgmt.CP14 Key Versioning
      • CCC.KeyMgmt.CP16 Disable Key
      • CCC.KeyMgmt.CP18 Soft Delete
      • CCC.KeyMgmt.CP19 Delete Key
  2. CCC.KeyMgmt.TH02 Unrestricted Use of a KMS Key to Decrypt Data

    Misconfigured permissions that allow broad invocation of the Decrypt API can expose plaintext data, enabling unintended disclosure or exfiltration of sensitive information.

    Capabilities
    • CCC.KeyMgmt.Capabilities
      • CCC.KeyMgmt.CP10 Decrypt Data
      • CCC.KeyMgmt.CP17 Enable Key
  3. CCC.KeyMgmt.TH03 Key Rotation is Disabled or Delayed Beyond Policy Limits

    Modification of automatic or manual rotation settings can keep older key material active longer than intended, decreasing cryptographic resilience and extending exposure in the event of key compromise.

    Capabilities
    • CCC.KeyMgmt.Capabilities
      • CCC.KeyMgmt.CP20 Automatic Symmetric Key Rotation
      • CCC.KeyMgmt.CP21 Manual Key Rotation
  4. CCC.KeyMgmt.TH04 Introduction of Weak or Compromised Key Material During Import

    Insufficient validation during the key-import process may allow weak, back-doored, or otherwise compromised key material to be introduced, reducing the overall strength of subsequent cryptographic operations.

    Capabilities
    • CCC.KeyMgmt.Capabilities
      • CCC.KeyMgmt.CP22 Key Import