Ensure that write access to the shared file system is granted only to clients explicitly authorized for modification.
Storage / File Storage / Controls / DEV
Restrict Writable Mount Access to Authorized Clients
CCC.FileStor.CN03 · Data
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.CP01 | Managed File Systems | The service always provisions managed file system resources that expose a hierarchical namespace of files and directories for shared read-write access by networked clients. |
| CCC.FileStor.CP02 | NFS Protocol Mount Access | The service always supports mounting the file system from compute instances using the Network File System (NFS) protocol over the provider network. |
| CCC.FileStor.CP04 | POSIX File Semantics | The service always exposes standard POSIX file and directory operations, including permissions and ownership metadata, with concurrent multi-client access to the same file system. |
| CCC.Core.CP01 | Encryption in Transit Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to transmission via a network interface. |
| CCC.Core.CP02 | Encryption at Rest Enabled by Default | The service automatically encrypts all data using industry-standard cryptographic protocols prior to being written to a storage medium. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.TH03 | File Content is Modified Through Shared Writable Mount | A writable NFS mount exposed to multiple clients may be used to modify, encrypt, or delete files across the shared namespace without application-level coordination. File content is altered or rendered inaccessible at scale across the mounted file system. This impacts integrity and availability of stored data and dependent workloads. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.FileStor.CN03.AR01 | When a client that is not authorized for write access mounts the file system, the service MUST enforce a read-only mount or MUST reject write operations from that client. | tlp-green, tlp-amber, tlp-red |
| CCC.FileStor.CN03.AR02 | When the file system is used by multiple concurrent clients, the service MUST support configuration that limits destructive file operations to authorized administrative principals. | tlp-amber, tlp-red |