Release · v2026.06-rc5

FINOS-CCC/CCC.VPC.TH Threat Catalog

Threats for Virtual Private Cloud technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.vpc.th --tag v2026.06-rc5
Coordinate
oci.grc.store/finos-ccc/ccc.vpc.th:v2026.06-rc5
Manifest digest
sha256:f12a1e4c2907cdec76bd293950f77c76134be05d966543aa08a8c2d03fee6a2d

Provenance

1 layer
Digest Media type Size
00a6e1786270… application/vnd.gemara.artifact.v1+yaml 4.2 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.VPC.TH",
            "type": "ThreatCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.vpc.th",
            "tag": "v2026.06-rc5"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26771723499",
          "GITHUB_SHA": "a9503345caf59a144d8ab9b4bede212b393ca56a",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/networking/vpc/threats.yaml",
            "uri": "file://artifacts/networking/vpc/threats.yaml",
            "digest": {
              "sha256": "00a6e1786270d3cffb4952648dd288b448b7d0c899e4e4ca1cf0193e969cce5a"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@a9503345caf59a144d8ab9b4bede212b393ca56a",
            "digest": {
              "gitCommit": "a9503345caf59a144d8ab9b4bede212b393ca56a"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26771723499",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26771723499-1",
          "startedOn": "2026-06-01T17:48:43.977256438Z",
          "finishedOn": "2026-06-01T17:48:44.103897576Z"
        },
        "byproducts": [
          {
            "name": "threats.yaml",
            "digest": {
              "sha256": "00a6e1786270d3cffb4952648dd288b448b7d0c899e4e4ca1cf0193e969cce5a"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "threats.yaml",
      "type": "ThreatCatalog",
      "id": "CCC.VPC.TH",
      "role": "artifact"
    }
  ]
}

CCC Virtual Private Cloud Threats

Threats for Virtual Private Cloud technologies, as defined by the FINOS Common Cloud Controls project.

ID
CCC.VPC.TH
Version
v2026.06-rc5
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Networking

The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.

  1. CCC.VPC.TH01 Unauthorized Access via Insecure Default Networks

    Default network configurations may include insecure settings and open firewall rules, leading to unauthorized access and potential data breaches.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP01
  2. CCC.VPC.TH02 Exposure of Resources to Public Internet

    Assigning external IP addresses to resources exposes them to the public internet, increasing the risk of attacks such as brute force, exploitation of vulnerabilities, or unauthorized access.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP04
  3. CCC.VPC.TH03 Unauthorized Network Access Through VPC Peering

    Unauthorized VPC peering connections can allow network traffic between untrusted or unapproved subscriptions, leading to potential data exposure or exfiltration.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP11
  4. CCC.VPC.TH05 Overly Permissive VPC Endpoint Policies

    VPC Endpoint policies that are overly permissive may inadvertently expose resources within the VPC to unintended principals or external threats.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP17

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.VPC.TH04 Lack of Network Visibility due to Disabled VPC Flow Logs

    VPC subnets with disabled flow logs lack critical network traffic visibility, which can lead to undetected unauthorized access, data exfiltration, and network misconfigurations. This lack of visibility increases the risk of undetected security incidents.

    Capabilities
    • CCC.VPC.Capabilities
      • CCC.VPC.CP16