Ensure that NFS mount and data-plane access is limited to explicitly approved virtual network sources within the organizational trust perimeter.
Restrict NFS Mount to Approved Network Sources
CCC.FileStor.CN01 · Access
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.CP02 | NFS Protocol Mount Access | The service always supports mounting the file system from compute instances using the Network File System (NFS) protocol over the provider network. |
| CCC.FileStor.CP03 | Private Network Mount Access | The service can restrict mount and data-plane access to clients within designated virtual network subnets or private connectivity endpoints. |
| CCC.Core.CP06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. |
| CCC.Core.CP23 | Network Access Rules | The service restricts access to child or networked resources based on user-defined network parameters such as IP address, protocol, port, or source. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.TH01 | Unauthorized NFS Mount Access is Permitted | Network access rules or mount configuration may allow clients outside the intended virtual network scope to mount the file system over NFS. Mount requests from unauthorized clients are accepted and read-write access to the shared namespace is granted. This impacts confidentiality and integrity of stored file content and may affect availability through unauthorized modification or deletion. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.FileStor.CN01.AR01 | When an NFS mount is attempted from a network source outside the approved virtual network scope, the service MUST reject the mount request. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.FileStor.CN01.AR02 | When mount targets or private connectivity endpoints are configured, the service MUST restrict inbound NFS traffic to an explicit allowlist of source network identifiers. | tlp-amber, tlp-red |
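The two assessment requirements above can be exercised as a small policy check: AR02 demands that each mount target carry an explicit, non-catch-all allowlist, and AR01 demands that a mount attempt from outside that allowlist is rejected. The following Python is an added example written for this page, not CCC tooling or any provider's API; the `MountTarget` model, the CIDR-string allowlist and the sample mount attempts are all constructed assumptions (real providers may express source identifiers as subnet or endpoint IDs rather than prefixes).

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of a mount target / private connectivity endpoint (constructed).
@dataclass
class MountTarget:
    name: str
    allowed_sources: list  # explicit allowlist of source CIDRs (AR02)

# Catch-all prefixes: an allowlist containing these is not "explicit".
ANY_NETWORKS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def allowlist_is_explicit(target: MountTarget) -> bool:
    """AR02: allowlist must be non-empty and must not admit every source."""
    if not target.allowed_sources:
        return False
    nets = [ipaddress.ip_network(c, strict=False) for c in target.allowed_sources]
    return not any(n in ANY_NETWORKS for n in nets)

def evaluate_mount(target: MountTarget, source_ip: str) -> str:
    """AR01: 'accept' only when the source lies inside an approved prefix; otherwise 'reject'.
    Fails closed when the allowlist itself violates AR02 or the source address is unparsable."""
    if not allowlist_is_explicit(target):
        return "reject"
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return "reject"
    for cidr in target.allowed_sources:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return "accept"
    return "reject"

def audit(targets: dict, attempts: list) -> dict:
    """Return misconfigured targets (AR02) and attempts that must be rejected (AR01).
    `attempts` is a list of (target_name, source_ip) tuples, e.g. from mount logs."""
    misconfigured = sorted(n for n, t in targets.items() if not allowlist_is_explicit(t))
    rejected = [(n, ip) for n, ip in attempts if evaluate_mount(targets[n], ip) == "reject"]
    return {"misconfigured_targets": misconfigured, "rejected_attempts": rejected}

# Constructed sample data: one compliant target, one catch-all, one with no allowlist.
TARGETS = {
    "mt-prod": MountTarget("mt-prod", ["10.20.0.0/16", "10.30.1.0/24"]),
    "mt-open": MountTarget("mt-open", ["0.0.0.0/0"]),
    "mt-empty": MountTarget("mt-empty", []),
}
ATTEMPTS = [("mt-prod", "10.20.5.7"), ("mt-prod", "192.168.1.5"),
            ("mt-open", "203.0.113.9"), ("mt-prod", "not-an-ip")]

if __name__ == "__main__":
    print(audit(TARGETS, ATTEMPTS))
```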