💼 CC6.1-3 Restricts Logical Access

Contextual name: 💼 CC6.1-3 Restricts Logical Access
ID: /frameworks/soc-2/cc6/01/03
Located in: 💼 CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Description

Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.

Similar

Internal
- ID: dec-c-ee31bffc

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (21)

Policy	Logic Count	Flags
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢	1	🟢 x6
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Instance has public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟢	1	🟢 x6
📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢	1	🟢 x6
📝 Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟢	1	🟢 x6
📝 Google GCE Instance Block Project-Wide SSH Keys is not enabled 🟢	1	🟢 x6
📝 Google GCE Instance Confidential Compute is not enabled 🟢	1	🟢 x6
📝 Google GCE Instance has a public IP address 🟢	1	🟢 x6
📝 Google IAM Service Account has admin privileges 🟢	1	🟢 x6
📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢	1	🟢 x6
📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢		🟠 x1, 🟢 x3
📝 Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟢	1	🟢 x6
📝 Google Storage Bucket is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟢	1	🟢 x6
📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢	1	🟢 x6

Internal Rules

Rule	Policies	Flags
✉️ dec-x-bcae85fb	2

Description​

Similar​

Sub Sections​

Policies (21)​

Internal Rules​

Description

Similar

Sub Sections

Policies (21)

Internal Rules