Release · v2026.06-rc4

FINOS-CCC/CCC.VPC.CN Control Catalog

Controls for Virtual Private Cloud technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.vpc.cn --tag v2026.06-rc4
Coordinate: oci.grc.store/finos-ccc/ccc.vpc.cn:v2026.06-rc4
Manifest digest: sha256:fe311ff51f5cf3eb7dd777817b26f508664a99722e3cca7050ae11d7c3e74484

Provenance

1 layer
Digest Media type Size
a0ea6dfa1468… application/vnd.gemara.artifact.v1+yaml 6.6 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.VPC.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.vpc.cn",
            "tag": "v2026.06-rc4"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26770748733",
          "GITHUB_SHA": "2b6dab4c1307a0ac67d90c99829f6c1825154c84",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/networking/vpc/controls.yaml",
            "uri": "file://artifacts/networking/vpc/controls.yaml",
            "digest": {
              "sha256": "a0ea6dfa1468c7ca9fde99da32a99e9db93cea56b6e413256d4f410dea455743"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@2b6dab4c1307a0ac67d90c99829f6c1825154c84",
            "digest": {
              "gitCommit": "2b6dab4c1307a0ac67d90c99829f6c1825154c84"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26770748733",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26770748733-1",
          "startedOn": "2026-06-01T17:30:28.079874161Z",
          "finishedOn": "2026-06-01T17:30:28.312097164Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "a0ea6dfa1468c7ca9fde99da32a99e9db93cea56b6e413256d4f410dea455743"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.VPC.CN",
      "role": "artifact"
    }
  ]
}

CCC Virtual Private Cloud Controls

ID: CCC.VPC.CN
Version: v2026.06-rc4
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Networking

The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.

  1. CCC.VPC.CN01 Restrict Default Network Creation

    Objective

    Restrict the automatic creation of default virtual networks and related resources during subscription initialization to avoid insecure default configurations and enforce custom network policies.

    Assessment requirements
    1. When a subscription is created, the subscription MUST NOT contain default network resources.

      Applicability: tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-5
    • CCM
      • TVM-02
    • ISO_27001
      • 2013 A.12.3.1
    • NIST_800_53
      • SC-7
    Threats
    • CCC.VPC.Threats
      • CCC.VPC.TH01
  2. CCC.VPC.CN02 Limit Resource Creation in Public Subnet

    Objective

    Restrict the creation of resources in the public subnet with direct access to the internet to minimize attack surfaces.

    Assessment requirements
    1. When a resource is created in a public subnet, that resource MUST NOT be assigned an external IP address by default.

      Applicability: tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-3
    • CCM
      • SEF-05
    • ISO_27001
      • 2013 A.13.1.1
    • NIST_800_53
      • AC-4
    Threats
    • CCC.VPC.Threats
      • CCC.VPC.TH02
  3. CCC.VPC.CN03 Restrict VPC Peering to Authorized Accounts

    Objective

    Ensure VPC peering connections are only established with explicitly authorized destinations to limit network exposure and enforce boundary controls.

    Assessment requirements
    1. When a VPC peering connection is requested, the service MUST prevent connections from VPCs that are not explicitly allowed.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AC-3
    • CCM
      • IVS-01
    • ISO_27001
      • 2013 A.13.1.3
    • NIST_800_53
      • AC-4
    Threats
    • CCC.VPC.Threats
      • CCC.VPC.TH03

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.VPC.CN04 Enforce VPC Flow Logs on VPCs

    Objective

    Ensure VPCs are configured with flow logs enabled to capture traffic information.

    Assessment requirements
    1. When any network traffic goes to or from an interface in the VPC, the service MUST capture and log all relevant information.

      Applicability: tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.PT-1
    • ISO_27001
      • 2013 A.12.4.1
    • NIST_800_53
      • AU-2
    • CCM
      • IVS-06
    Threats
    • CCC.VPC.Threats
      • CCC.VPC.TH04