GRC Store

Search / finos-ccc/ccc.lb.cn / v2026.06-rc4

Release · v2026.06-rc4

FINOS-CCC/CCC.LB.CN Control Catalog

FINOS-CCC/CCC.LB.CN

Controls for Load Balancer Capabilities technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$grcli unpack --repository finos-ccc/ccc.lb.cn --tag v2026.06-rc4
Coordinate
oci.grc.store/finos-ccc/ccc.lb.cn:v2026.06-rc4
Manifest digest
sha256:476ef65f74594b132185d403f56c6f758afbd8c02f3e11a462810b35f3ed74f3

Provenance

1 layer
Digest Media type Size
e81b2f8aa82f… application/vnd.gemara.artifact.v1+yaml 13.1 KiB
Bundle config blob 
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.LB.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.lb.cn",
            "tag": "v2026.06-rc4"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26770748733",
          "GITHUB_SHA": "2b6dab4c1307a0ac67d90c99829f6c1825154c84",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/networking/loadbalancer/controls.yaml",
            "uri": "file://artifacts/networking/loadbalancer/controls.yaml",
            "digest": {
              "sha256": "e81b2f8aa82f81946d555a819d341b2afc2b1ebaa7d0dedc1c6dfb746f13821d"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@2b6dab4c1307a0ac67d90c99829f6c1825154c84",
            "digest": {
              "gitCommit": "2b6dab4c1307a0ac67d90c99829f6c1825154c84"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26770748733",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26770748733-1",
          "startedOn": "2026-06-01T17:30:17.193613802Z",
          "finishedOn": "2026-06-01T17:30:17.409590123Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "e81b2f8aa82f81946d555a819d341b2afc2b1ebaa7d0dedc1c6dfb746f13821d"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.LB.CN",
      "role": "artifact"
    }
  ]
}

CCC Load Balancer Capabilities Controls

Controls for Load Balancer Capabilities technologies, as defined by the FINOS Common Cloud Controls project.

ID
CCC.LB.CN
Version
v2026.06-rc4
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Networking

The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.

  1. CCC.LB.CN01 Enforce and Detect Rate Limiting

    Objective

    Detect and throttle malicious or excessive requests to prevent downstream resource exhaustion and brute-force activity.

    Assessment requirements

    1. When a single client sends more than 2000 requests within any 5-minute sliding window, the load balancer MUST throttle all subsequent requests from that client for at least 60 seconds.

      Applicability: tlp-green, tlp-amber, tlp-red

    2. When throttling is invoked, the load balancer MUST record the event in the access log within 5 minutes for alerting and trend analysis.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.CM-1Monitor to detect events
      • PR.AC-7Prevent brute-force
      • PR.PT-4Protective technology
    • NIST_800_53
      • AU-6Audit review, analysis, reporting
      • SC-5Denial-of-Service protection
      • AC-7Unsuccessful logon attempts
    Threats
    • CCC.LB.Threats
      • CCC.LB.TH01Malicious Traffic
      • CCC.LB.TH09Resource Exhaustion

  2. CCC.LB.CN05 Validate Session Affinity

    Objective

    Configure session persistence to minimise fixation and hijacking risks.

    Assessment requirements

    1. When stickiness is enabled, session cookies MUST expire within 30 minutes of inactivity.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-7Least functionality is enforced
    • NIST_800_53
      • SC-23Session authenticity
    Threats
    • CCC.LB.Threats
      • CCC.LB.TH04Session Persistence Exploited

  3. CCC.LB.CN07 Scrub Sensitive Headers

    Objective

    Remove headers that disclose internal details or software versions from HTTP responses.

    Assessment requirements

    1. When responses pass through the load balancer, the "Server" header MUST be replaced with "lb".

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.DS-2Data in transit is protected
    • NIST_800_53
      • SC-13Cryptographic protection
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH15Automated Enumeration and Reconnaissance by Non-human

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.LB.CN06 Secure Health-Check Telemetry

    Objective

    Monitor health-check endpoints for tampering and alert on abnormal status changes.

    Assessment requirements

    1. When more than 10 percent of targets change from healthy to unhealthy within five minutes, an alert MUST be issued.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.AE-2Detected events are analyzed
    • NIST_800_53
      • SI-4System monitoring
    Threats
    • CCC.LB.Threats
      • CCC.LB.TH05Health Checks Exploited

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.LB.CN04 Enforce Distribution Policies

    Objective

    Ensure traffic-splitting weights and algorithms are modified only by trusted identities.

    Assessment requirements

    1. When routing weights change, the request MUST originate from an explicitly defined and trusted identity and MUST be logged.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-1Identities and credentials are managed
    • NIST_800_53
      • AC-3Access enforcement
    Threats
    • CCC.LB.Threats
      • CCC.LB.TH03Traffic Distribution Manipulated

  2. CCC.LB.CN09 Restrict Management API Access

    Objective

    Limit load-balancer API calls to authorised identities and trusted networks.

    Assessment requirements

    1. When an API call originates outside the approved CIDR set, the request MUST be denied.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-5Network integrity is protected
    • NIST_800_53
      • SC-7Boundary protection
    Threats
    • CCC.LB.Threats
      • CCC.LB.TH08API Exposed and Attacked

Resource Management

The Resource Management group covers entries related to the lifecycle, configuration, and operational integrity of cloud resources. This includes resource exhaustion, tag manipulation, version rollback, scaling, and cost management.

  1. CCC.LB.CN02 Auto-Scale Load Balancer Capacity

    Objective

    Expand load-balancer capacity to maintain availability during traffic spikes.

    Assessment requirements

    1. When concurrent connections reach 80 percent of capacity, the autoscaling group MUST add at least one instance within five minutes.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • ID.BE-5Resilience requirements are established
    • NIST_800_53
      • CP-10System recovery and reconstitution
    Threats
    • CCC.LB.Threats
      • CCC.LB.TH09Resource Exhaustion

Encryption

The Encryption group covers entries related to protecting data confidentiality and integrity through cryptographic mechanisms. This includes encryption in transit and at rest, key management, and certificate lifecycle management.

  1. CCC.LB.CN08 Automate Certificate Renewal

    Objective

    Maintain valid TLS certificates by automating renewal and deployment before expiry.

    Assessment requirements

    1. When a certificate is within 30 days of expiry, automated renewal MUST complete and deploy a new certificate within 24 hours.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.DS-6Integrity checking mechanisms are used
    • NIST_800_53
      • SC-17PKI certificates
    Threats
    • CCC.LB.Threats
      • CCC.LB.TH07Certificates Expired or Invalid