Release · v2026.06-rc3

FINOS-CCC/CCC.VPC.TH Threat Catalog

Threats for Virtual Private Cloud technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.vpc.th --tag v2026.06-rc3
Coordinate: oci.grc.store/finos-ccc/ccc.vpc.th:v2026.06-rc3
Manifest digest: sha256:38547842bc6428626ca1a400eea21ebeef31496339e423ea7dbaea889e347927

Provenance

1 layer
Digest Media type Size
7a3a01f8be1d… application/vnd.gemara.artifact.v1+yaml 4.2 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.VPC.TH",
            "type": "ThreatCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.vpc.th",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/networking/vpc/threats.yaml",
            "uri": "file://artifacts/networking/vpc/threats.yaml",
            "digest": {
              "sha256": "7a3a01f8be1d81b4c768037db429c155defe5427a671713a0865dbfe9ea6c24c"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:45:29.26229452Z",
          "finishedOn": "2026-06-01T16:45:29.382236726Z"
        },
        "byproducts": [
          {
            "name": "threats.yaml",
            "digest": {
              "sha256": "7a3a01f8be1d81b4c768037db429c155defe5427a671713a0865dbfe9ea6c24c"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "threats.yaml",
      "type": "ThreatCatalog",
      "id": "CCC.VPC.TH",
      "role": "artifact"
    }
  ]
}

CCC Virtual Private Cloud Threats

Threats for Virtual Private Cloud technologies, as defined by the FINOS Common Cloud Controls project.

ID: CCC.VPC.TH
Version: v2026.06-rc3
Gemara version: v1.2.0
Author: FINOS Common Cloud Controls

Networking

The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.

  1. CCC.VPC.TH01 Unauthorized Access via Insecure Default Networks

    Default network configurations may include insecure settings and open firewall rules, leading to unauthorized access and potential data breaches.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP01
  2. CCC.VPC.TH02 Exposure of Resources to Public Internet

    Assigning external IP addresses to resources exposes them to the public internet, increasing the risk of attacks such as brute force, exploitation of vulnerabilities, or unauthorized access.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP04
  3. CCC.VPC.TH03 Unauthorized Network Access Through VPC Peering

    Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved subscriptions, leading to potential data exposure or exfiltration.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP11
  4. CCC.VPC.TH05 Overly Permissive VPC Endpoint Policies

    VPC Endpoint policies that are overly permissive may inadvertently expose resources within the VPC to unintended principals or external threats.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP17

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.VPC.TH04 Lack of Network Visibility due to Disabled VPC Flow Logs

    VPC subnets with disabled flow logs lack critical network traffic visibility, which can lead to undetected unauthorized access, data exfiltration, and network misconfigurations. This lack of visibility increases the risk of undetected security incidents.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP16