From 284f34aa722633f0b98e75ee80de51bbd12ae42a Mon Sep 17 00:00:00 2001
From: kazmik23
Date: Thu, 24 Oct 2024 12:00:33 -0500
Subject: [PATCH 1/3] Create controls.yaml controls for Cloud functions - in Collab with @nas-hub
---
 .../serverless-computing/controls.yaml | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 services/compute/serverless-computing/controls.yaml
diff --git a/services/compute/serverless-computing/controls.yaml b/services/compute/serverless-computing/controls.yaml
new file mode 100644
index 00000000..fc98064c
--- /dev/null
+++ b/services/compute/serverless-computing/controls.yaml
@@ -0,0 +1,52 @@
+common_controls:
+ - CCC.C01 # Prevent unencrypted requests
+ - CCC.C02 # Ensure data encryption at rest for all stored data
+ - CCC.C03 # Implement multi-factor authentication (MFA) for access
+ - CCC.C04 # Log all access and changes
+ - CCC.C05 # Prevent access from untrusted entities
+ - CCC.C06 # Prevent deployment in restricted regions
+ - CCC.C07 # Alert on non-human enumeration
+ - CCC.C09 # Prevent tampering, deletion, or unauthorized access to access logs
+ - CCC.C10 # Prevent data replication to destinations outside of defined trust perimeter
+
+controls:
+ - id: CCC.SvlsComp.C01 # Require VPC Connector for Serverless Functions
+ title: Require VPC Connector for Serverless Functions
+ objective: |
+ Ensure that all serverless functions are configured with a Virtual Private Cloud (VPC) connector. This enforces network controls, restricts unauthorized network access, and allows functions to securely access resources within a private network.
+ control_family: Network Security
+ threats:
+ - CCC.TH01 # Access control is misconfigured
+ nist_csf: PR.AC-5 # Network integrity is protected
+ control_mappings:
+ NIST_800_53:
+ - SC-7 # Boundary Protection
+ - SC-8 # Transmission Confidentiality and Integrity
+ test_requirements:
+ - id: CCC.SvlsComp.C01.TR01
+ text: |
+ Verify that all deployed serverless functions have a VPC connector configured, enforcing network isolation and secure access.
+ tlp_levels:
+ - tlp_red
+ - tlp_amber
+
+ - id: CCC.SvlsComp.C02 # Implement Function Invocation Rate Limits
+ title: Implement Function Invocation Rate Limits
+ objective: |
+ Prevent resource exhaustion and potential denial of service by setting appropriate concurrency and invocation limits on serverless functions.
+ control_family: Availability
+ threats:
+ - CCC.TH12 # Resource constraints are exhausted
+ nist_csf: PR.DS-4 # Adequate capacity to ensure availability
+ control_mappings:
+ NIST_800_53:
+ - SC-5 # Denial of Service Protection
+ test_requirements:
+ - id: CCC.SvlsComp.C02.TR01
+ text: |
+ Verify that functions have concurrency and rate limits configured to prevent excessive resource consumption.
+ tlp_levels:
+ - tlp_red
+ - tlp_amber
+ - tlp_green
+ - tlp_clear
From f8015ce9c21f6df5d0319c190074fd17cad5d34d Mon Sep 17 00:00:00 2001
From: kazmik23
Date: Thu, 7 Nov 2024 08:37:53 -0600
Subject: [PATCH 2/3] Update controls.yaml Updated GCP naming conventions and Testing Req.
---
 .../serverless-computing/controls.yaml | 48 +++++++++----------
 1 file changed, 23 insertions(+), 25 deletions(-)
diff --git a/services/compute/serverless-computing/controls.yaml b/services/compute/serverless-computing/controls.yaml
index fc98064c..55805b3e 100644
--- a/services/compute/serverless-computing/controls.yaml
+++ b/services/compute/serverless-computing/controls.yaml
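Review bot: Each control's `id:` line carries an inline comment that repeats the `title:` value (`- id: CCC.SvlsComp.C01 # Require VPC Connector for Serverless Functions` directly above `title: Require VPC Connector for Serverless Functions`), which gives the control name two sources of truth that no tooling can keep in sync, since comments are dropped on parse. The third patch in this series already shows the drift, renaming the title of CCC.SvlsComp.C01 while the id comment keeps the old wording, so I would drop the comment on the `id:` lines and rely on `title:` alone. Also worth a look: `common_controls` lists CCC.C01 through CCC.C10 but skips CCC.C08 with no explanation; if the omission is deliberate, a comment such as `# CCC.C08 not applicable: <reason>` keeps the list auditable.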
@@ -1,52 +1,50 @@ common_controls: - - CCC.C01 # Prevent unencrypted requests - - CCC.C02 # Ensure data encryption at rest for all stored data - - CCC.C03 # Implement multi-factor authentication (MFA) for access - - CCC.C04 # Log all access and changes - - CCC.C05 # Prevent access from untrusted entities - - CCC.C06 # Prevent deployment in restricted regions - - CCC.C07 # Alert on non-human enumeration - - CCC.C09 # Prevent tampering, deletion, or unauthorized access to access logs - - CCC.C10 # Prevent data replication to destinations outside of defined trust perimeter + - CCC.C01 # Prevent unencrypted requests + - CCC.C02 # Ensure data encryption at rest for all stored data + - CCC.C03 # Implement multi-factor authentication (MFA) for access + - CCC.C04 # Log all access and changes + - CCC.C05 # Prevent access from untrusted entities + - CCC.C06 # Prevent deployment in restricted regions + - CCC.C07 # Alert on non-human enumeration + - CCC.C09 # Prevent tampering, deletion, or unauthorized access to access logs + - CCC.C10 # Prevent data replication to destinations outside of defined trust perimeter controls: - - id: CCC.SvlsComp.C01 # Require VPC Connector for Serverless Functions - title: Require VPC Connector for Serverless Functions + - id: CCC.SvlsComp.C01 # Enforce Virtual Network Integration for Serverless Function + title: Enforce Virtual Private Network Integration for Serverless Function objective: | - Ensure that all serverless functions are configured with a Virtual Private Cloud (VPC) connector. This enforces network controls, restricts unauthorized network access, and allows functions to securely access resources within a private network. + Ensure that the serverless function is integrated with a virtual private network, allowing it to access resources securely within the network and preventing unauthorized external access. 
control_family: Network Security threats: - - CCC.TH01 # Access control is misconfigured - nist_csf: PR.AC-5 # Network integrity is protected + - CCC.TH01 # Access control is misconfigured + nist_csf: PR.AC-5 # Network integrity is protected control_mappings: NIST_800_53: - - SC-7 # Boundary Protection - - SC-8 # Transmission Confidentiality and Integrity + - SC-7 # Boundary Protection + - SC-8 # Transmission Confidentiality and Integrity test_requirements: - id: CCC.SvlsComp.C01.TR01 text: | - Verify that all deployed serverless functions have a VPC connector configured, enforcing network isolation and secure access. + Attempt to access the serverless function from outside the virtual private network and verify that access is denied. tlp_levels: - tlp_red - tlp_amber - - id: CCC.SvlsComp.C02 # Implement Function Invocation Rate Limits + - id: CCC.SvlsComp.C02 # Implement Function Invocation Rate Limits title: Implement Function Invocation Rate Limits objective: | - Prevent resource exhaustion and potential denial of service by setting appropriate concurrency and invocation limits on serverless functions. + Ensure that function invocation is limited to a specified threshold from any single entity, preventing resource exhaustion and denial of service attacks. control_family: Availability threats: - - CCC.TH12 # Resource constraints are exhausted - nist_csf: PR.DS-4 # Adequate capacity to ensure availability + - CCC.TH12 # Resource constraints are exhausted + nist_csf: PR.DS-4 # Adequate capacity to ensure availability control_mappings: NIST_800_53: - - SC-5 # Denial of Service Protection + - SC-5 # Denial of Service Protection test_requirements: - id: CCC.SvlsComp.C02.TR01 text: | - Verify that functions have concurrency and rate limits configured to prevent excessive resource consumption. 
+ Send requests to invoke the function up to the allowed threshold and confirm they are successful; then send additional requests exceeding the threshold from the same entity and verify that they are denied. tlp_levels: - tlp_red - tlp_amber - - tlp_green - - tlp_clear
From 1de5ad5c559f9fd15059b77804f6b66bdc443c8c Mon Sep 17 00:00:00 2001
From: kazmik23
Date: Thu, 7 Nov 2024 08:55:16 -0600
Subject: [PATCH 3/3] Update controls.yaml Updated term to Private Endpoint
---
 services/compute/serverless-computing/controls.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/compute/serverless-computing/controls.yaml b/services/compute/serverless-computing/controls.yaml
index 55805b3e..bdc468b3 100644
--- a/services/compute/serverless-computing/controls.yaml
+++ b/services/compute/serverless-computing/controls.yaml
@@ -11,9 +11,9 @@ common_controls: controls: - id: CCC.SvlsComp.C01 # Enforce Virtual Network Integration for Serverless Function - title: Enforce Virtual Private Network Integration for Serverless Function + title: Enforce Use of Private Endpoints for Serverless Function objective: | - Ensure that the serverless function is integrated with a virtual private network, allowing it to access resources securely within the network and preventing unauthorized external access. + Ensure that the serverless function is accessible only through a private endpoint, allowing it to communicate securely within a virtual private network and preventing unauthorized external access. control_family: Network Security threats: - CCC.TH01 # Access control is misconfigured
@@ -25,7 +25,7 @@ controls: test_requirements: - id: CCC.SvlsComp.C01.TR01 text: | - Attempt to access the serverless function from outside the virtual private network and verify that access is denied. + Attempt to access the serverless function over the public internet and verify that access is denied. tlp_levels: - tlp_red - tlp_amber
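Review bot: The rewritten objective for CCC.SvlsComp.C02 narrows the control to a per-entity threshold (`limited to a specified threshold from any single entity`) and the new TR01 exercises only that case, yet the mapped threat CCC.TH12 (resource constraints are exhausted) is just as reachable by many distinct callers each staying under their individual limit. The first version's wording about concurrency limits covered that aggregate case; I would keep it, e.g. `... from any single entity and that overall concurrency is capped, preventing resource exhaustion ...`, and add a second test requirement that verifies the aggregate concurrency or instance cap is enforced. Dropping `tlp_green` and `tlp_clear` from this control's `tlp_levels` also deserves a second look: if that list denotes the data classifications at which the control applies, functions handling public data would no longer require rate limits, although availability threats do not depend on data sensitivity. Lastly, `verify that they are denied` in TR01 would be more precise as `verify that they are rejected with a rate-limit response and not executed`, since a rejection that still consumes an execution does not mitigate the threat.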
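Review bot: The new objective for CCC.SvlsComp.C01 states two separable requirements, inbound (`accessible only through a private endpoint`) and outbound (`communicate securely within a virtual private network`), but the control keeps a single test requirement, and TR01 in the next hunk exercises only the inbound side. If outbound traffic through the private network is meant to be part of the control, a second test requirement along the lines of `Verify that outbound connections from the function are routed through the virtual private network and that direct egress to the public internet is blocked.` would cover it; if not, I would trim the objective to the private-endpoint requirement so objective and tests stay aligned. The `objective: |` block scalar keeps a trailing newline after its single line of text; `|-` would avoid it, although that is cosmetic.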
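Review bot: TR01 as rewritten (`Attempt to access the serverless function over the public internet and verify that access is denied.`) is a negative-only check, so a function that is unreachable from everywhere, or no longer deployed, passes it as well. Pair it with a positive step, e.g. `Invoke the function from a client inside the virtual private network and confirm the invocation succeeds; then attempt the same invocation over the public internet and verify that it cannot be reached or invoked.`, which also avoids the word `denied`, since a private endpoint is typically unroutable from the internet rather than returning an explicit denial. The control entry this test belongs to begins outside the hunk.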