Network access rules or mount configuration may allow clients outside the intended virtual network scope to mount the file system over NFS. Mount requests from unauthorized clients are accepted and read-write access to the shared namespace is granted. This impacts confidentiality and integrity of stored file content and may affect availability through unauthorized modification or deletion.
Unauthorized NFS Mount Access is Permitted
CCC.FileStor.TH01
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.CP02 | NFS Protocol Mount Access | The service always supports mounting the file system from compute instances using the Network File System (NFS) protocol over the provider network. |
| CCC.FileStor.CP03 | Private Network Mount Access | The service can restrict mount and data-plane access to clients within designated virtual network subnets or private connectivity endpoints. |
| CCC.Core.CP06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. |
| CCC.Core.CP23 | Network Access Rules | The service restricts access to child or networked resources based on user-defined network parameters such as IP address, protocol, port, or source. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.FileStor.CN01 | Restrict NFS Mount to Approved Network Sources | Ensure that NFS mount and data-plane access is limited to explicitly approved virtual network sources within the organizational trust perimeter. |