Ensure that backup snapshots and replicas of the file system are not more accessible than the primary file system.
Restrict Snapshot Access for File Systems
CCC.FileStor.CN05 · Data
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.CP07 | Multi-Availability-Zone Durability | The service can replicate file system data across multiple availability zones within a region to improve availability during zone failures. |
| CCC.Core.CP08 | Data Replication | The service automatically replicates data across multiple deployments simultaneously with parity, or may be configured to do so. |
| CCC.Core.CP11 | Backup | The service can generate copies of its data or configurations in the form of automated backups, snapshot-based backups, or incremental backups. |
| CCC.Core.CP12 | Recovery | The service can be reverted to a previous state by providing a compatible backup or snapshot identifier. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.TH05 | Snapshots or Replicas Expose File System Contents | Backup snapshots, replicas, or cross-region copies of the file system may be configured with access controls broader than the primary mount. Unauthorized users or external systems can read file content from the copy without mounting the live file system. This impacts confidentiality of data retained in snapshots and replicas. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.FileStor.CN05.AR01 | When a snapshot or replica of the file system is created, the service MUST apply access controls that are equivalent to or stricter than those on the primary file system. | tlp-clear, tlp-green, tlp-amber, tlp-red |