Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---|---
vpc_service_controls | VPC Service Controls | protect | significant | T1078 | Valid Accounts | This control is able to mitigate abuse of compromised valid accounts by restricting access from those accounts to resources contained within the VPC perimeter the account belongs to. Resources and services contained in other VPC networks also cannot be accessed by user accounts that are not within the VPC network perimeter.
vpc_service_controls | VPC Service Controls | protect | significant | T1537 | Transfer Data to Cloud Account | This control may mitigate exfiltration attempts to external cloud accounts by limiting egress of data from accounts and services contained within the VPC network perimeter.
vpc_service_controls | VPC Service Controls | protect | significant | T1530 | Data from Cloud Storage Object | This control may mitigate access to cloud storage objects by limiting access to accounts and services contained within the VPC network perimeter that contains those cloud storage objects.
vpc_service_controls | VPC Service Controls | protect | partial | T1567 | Exfiltration Over Web Service | This control is able to mitigate exfiltration of data over a web service. Data contained within a VPC network perimeter cannot be moved to a Google Cloud resource or service outside of the perimeter, but it may still be moved to third-party services or storage.
vpc_service_controls | VPC Service Controls | protect | partial | T1619 | Cloud Storage Object Discovery | This control may mitigate discovery of cloud storage objects. This control is not able to protect metadata, such as cloud storage bucket names, but it can protect against discovery of the contents of a storage bucket.