CCCS Medium Cloud Control Profile
Best for: Canadian federal departments and agencies deploying cloud workloads for data categorized at Protected B, Medium Integrity, Medium Availability (PBMM). Cloud service providers seeking authorization to host GC workloads must also meet this profile. Provincial governments and Crown corporations sometimes adopt it voluntarily. If you deliver cloud services through GC procurement vehicles, this profile is expected for in-scope workloads.
| Item | Detail |
|---|---|
| Mandatory? | Mandatory for Canadian federal departments adopting cloud (Protected B) |
| Who validates? | CCCS security assessment; departmental ATO. No self-assessment |
| Renewal | Reassessment at major system changes; no fixed cycle |
| Scope | Cloud services handling Protected B, Medium Integrity, Medium Availability data |
Issued by the Treasury Board of Canada Secretariat (TBS), with technical input from the Canadian Centre for Cyber Security (CCCS) within the Communications Security Establishment (CSE). Official source: CCCS Medium Cloud Control Profile.
Get Started
```hcl
module "..." {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- IAM Password Policy: Runs 9 controls against the AWS IAM account password policy, covering minimum length (14 characters), complexity requirements (uppercase, lowercase, number, symbol), reuse history (24 passwords), and the 90-day expiration setting.
- IAM Privilege Management: Checks root MFA status, flags access keys inactive for 45 or more days, and scans both managed and inline policies for wildcard service actions and blocked KMS actions.
- Encryption in Transit: Validates SSL/TLS certificate assignment on Application Load Balancers, Network Load Balancers, and Classic Load Balancers, and confirms HTTPS-only listeners on Classic LBs.
- Backup and Recovery: Verifies that configured AWS Backup plan rules enforce a minimum 35-day retention period.
- Monitoring and Incident Detection: Confirms CloudWatch alarms have associated actions configured, catching orphaned alarms that would otherwise generate no notification or automated response.
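The IAM checks listed above can be reproduced offline against the data shapes the AWS APIs return. The following is an added example, not Compliance.tf's own module code: it evaluates an account password policy in the shape of boto3's `get_account_password_policy()` response against the thresholds named on this page (14-character minimum, four complexity flags, 24-password history, 90-day expiry) and scans a credential-report CSV for active access keys idle for 45 days or more. The policy documents and the credential-report excerpt are constructed sample data, and the rule that a never-used key is aged from its `last_rotated` date is this example's assumption.

```python
"""Evaluate an AWS IAM account password policy and an IAM credential report
against the CCCS Medium thresholds this page lists. Input shapes follow
boto3's get_account_password_policy() response and the credential-report
CSV columns; all sample data below is constructed for illustration."""
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone

# Thresholds as stated on the page (assumed to be what assessors verify).
MIN_LENGTH = 14
PASSWORD_HISTORY = 24
MAX_AGE_DAYS = 90
KEY_INACTIVE_DAYS = 45
COMPLEXITY_FLAGS = (
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)


def check_password_policy(policy: dict) -> list[str]:
    """Return one finding per failed parameter; an empty list means compliant."""
    findings: list[str] = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength={length} < {MIN_LENGTH}")
    for flag in COMPLEXITY_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enabled")
    history = policy.get("PasswordReusePrevention", 0)
    if history < PASSWORD_HISTORY:
        findings.append(f"PasswordReusePrevention={history} < {PASSWORD_HISTORY}")
    # boto3 omits MaxPasswordAge entirely when password expiration is disabled.
    max_age = policy.get("MaxPasswordAge")
    if max_age is None or max_age > MAX_AGE_DAYS:
        findings.append(f"MaxPasswordAge={max_age} is not within {MAX_AGE_DAYS} days")
    return findings


def stale_access_keys(report_csv: str, now: datetime,
                      inactive_days: int = KEY_INACTIVE_DAYS) -> list[str]:
    """Return 'user:access_key_N' for active keys unused for inactive_days or more.

    Assumption: a key that was never used (last_used_date N/A) is measured
    from its last_rotated date, so an unused key still ages out.
    """
    stale: list[str] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = row[f"access_key_{n}_last_used_date"]
            if last_used in ("N/A", "no_information"):
                last_used = row[f"access_key_{n}_last_rotated"]
            idle = (now - datetime.fromisoformat(last_used)).days
            if idle >= inactive_days:
                stale.append(f"{row['user']}:access_key_{n}")
    return stale


# Constructed sample: an account-level policy that would fail assessment.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "PasswordReusePrevention": 5,
    # MaxPasswordAge absent: password expiration disabled
}
# Constructed sample: a policy meeting every threshold on the page.
COMPLIANT_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 24,
    "MaxPasswordAge": 90,
}
# Constructed credential-report excerpt (only the columns used here).
SAMPLE_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2024-01-10T09:00:00+00:00,2024-03-01T08:00:00+00:00,false,N/A,N/A
bob,true,2023-11-01T09:00:00+00:00,2023-12-15T12:00:00+00:00,true,2024-02-20T09:00:00+00:00,N/A
"""
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, check_password_policy(pol) or "OK")
    print("stale keys:", stale_access_keys(SAMPLE_REPORT, NOW))
```

Against a live account you would feed `check_password_policy` the `PasswordPolicy` dictionary from boto3 and `stale_access_keys` the decoded `Content` of `get_credential_report()`; the finding strings double as the evidence lines an assessor expects beside the policy screenshot.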
What you handle
- IAM Password Policy: Password policy enforcement for federated identity providers (Azure AD, Okta) outside AWS IAM is out of scope for these checks. Document policy exceptions and the approval workflows behind them.
- IAM Privilege Management: Periodic access reviews and RBAC documentation remain manual tasks. You also need to define the organization-specific list of blocked KMS actions and rotate or remove keys on the identified timeline.
- Encryption in Transit: TLS policy version selection (e.g., ELBSecurityPolicy-TLS13-1-2-2021-06), certificate lifecycle and renewal, and end-to-end encryption between load balancers and backend targets.
- Backup and Recovery: Test restoration procedures, document recovery time and recovery point objectives, and confirm backup plans cover all in-scope resources including databases and file systems.
- Monitoring and Incident Detection: Set thresholds appropriate to your workload, build incident response runbooks, and connect CloudWatch to your SIEM or GC-approved security operations tooling.
Controls by Category
Backup and Recovery (1 control)
The 35-day retention floor is the specific threshold assessors verify against configured backup rules. It supports the Medium Availability requirement by ensuring recovery points span a reasonable operational window. Watch for non-production environments that still hold Protected B data and have shorter retention configured; those create compliance gaps.
Encryption in Transit (1 control)
HTTP-only listeners are not acceptable; every load balancer endpoint must enforce TLS. Classic load balancers are a persistent source of findings because teams defer migration or forget to apply updated TLS policies. Assessors check the TLS policy version specifically to confirm TLS 1.2 as the minimum.
IAM Password Policy (9 controls)
A common finding here is organizations setting minimum password length to 8 when this profile requires 14 characters. Assessors check every parameter of the AWS account-level policy: minimum length, all four complexity flags, 24-password history, and 90-day expiration. Evidence typically includes an IAM credential report alongside a screenshot of the active policy configuration.
Monitoring and Alerting (1 control)
An alarm with no configured action is useless for incident response. Assessors verify that every CloudWatch alarm routes to an SNS topic, Auto Scaling action, or Lambda trigger, per the CCCS requirement for timely notification of security events.
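The backup-retention check from the Backup and Recovery section and the alarm-action check described here can both be expressed as small functions over the API response shapes. The following is an added example, not Compliance.tf's own code: it flags AWS Backup plan rules whose `DeleteAfterDays` falls below the 35-day floor, and CloudWatch alarms that either have actions disabled or no `AlarmActions` at all, classifying each action ARN as the SNS, Auto Scaling or Lambda target this section names. The backup plan, alarm list, account ID and ARNs are constructed sample data; treating a rule with no `Lifecycle` (indefinite retention) as satisfying the floor is this example's assumption.

```python
"""Check AWS Backup plan rules for the 35-day retention floor and CloudWatch
alarms for a configured action. Input shapes follow boto3's
backup.get_backup_plan() and cloudwatch.describe_alarms() responses;
all sample data below is constructed for illustration."""
from __future__ import annotations

MIN_RETENTION_DAYS = 35

# Action targets this page names as acceptable, keyed by the ARN service segment.
KNOWN_ACTION_SERVICES = {
    "sns": "SNS topic",
    "autoscaling": "Auto Scaling action",
    "lambda": "Lambda trigger",
}


def action_target(arn: str) -> str:
    """Classify an alarm action ARN by its service (arn:partition:service:...)."""
    parts = arn.split(":")
    service = parts[2] if len(parts) > 2 else ""
    return KNOWN_ACTION_SERVICES.get(service, f"other ({service or 'unparsable'})")


def backup_rule_findings(plan: dict, min_days: int = MIN_RETENTION_DAYS) -> list[str]:
    """Flag every rule whose recovery points are deleted before min_days.

    Assumption: a rule with no Lifecycle (or no DeleteAfterDays) keeps
    recovery points until they are deleted manually, so it is not flagged.
    """
    findings: list[str] = []
    for rule in plan.get("BackupPlan", {}).get("Rules", []):
        delete_after = (rule.get("Lifecycle") or {}).get("DeleteAfterDays")
        if delete_after is not None and delete_after < min_days:
            findings.append(
                f"{rule['RuleName']}: DeleteAfterDays={delete_after} < {min_days}")
    return findings


def alarm_findings(alarms: list[dict]) -> list[str]:
    """Flag alarms that would change state without notifying or acting on anything."""
    findings: list[str] = []
    for alarm in alarms:
        name = alarm["AlarmName"]
        if not alarm.get("ActionsEnabled", True):
            findings.append(f"{name}: actions disabled")
        elif not alarm.get("AlarmActions"):
            findings.append(f"{name}: no AlarmActions configured")
    return findings


def alarm_routing(alarms: list[dict]) -> dict[str, list[str]]:
    """Map each alarm to the kinds of target its AlarmActions reach (assessor evidence)."""
    return {a["AlarmName"]: [action_target(arn) for arn in a.get("AlarmActions", [])]
            for a in alarms}


# Constructed sample plan: one compliant rule, one non-prod rule with short
# retention, one rule without a Lifecycle.
SAMPLE_PLAN = {
    "BackupPlan": {
        "BackupPlanName": "protected-b-workload",
        "Rules": [
            {"RuleName": "daily", "TargetBackupVaultName": "Default",
             "ScheduleExpression": "cron(0 5 * * ? *)",
             "Lifecycle": {"DeleteAfterDays": 35}},
            {"RuleName": "nonprod-daily", "TargetBackupVaultName": "Default",
             "ScheduleExpression": "cron(0 5 * * ? *)",
             "Lifecycle": {"DeleteAfterDays": 7}},
            {"RuleName": "monthly", "TargetBackupVaultName": "Default",
             "ScheduleExpression": "cron(0 5 1 * ? *)"},
        ],
    }
}
# Constructed sample alarms; 123456789012 is a placeholder account ID.
SAMPLE_ALARMS = [
    {"AlarmName": "api-5xx-rate", "ActionsEnabled": True,
     "AlarmActions": ["arn:aws:sns:ca-central-1:123456789012:security-alerts"]},
    {"AlarmName": "orphaned-cpu-alarm", "ActionsEnabled": True, "AlarmActions": []},
    {"AlarmName": "disabled-disk-alarm", "ActionsEnabled": False,
     "AlarmActions": ["arn:aws:lambda:ca-central-1:123456789012:function:remediate"]},
]

if __name__ == "__main__":
    print("backup:", backup_rule_findings(SAMPLE_PLAN) or "OK")
    print("alarms:", alarm_findings(SAMPLE_ALARMS) or "OK")
    print("routing:", alarm_routing(SAMPLE_ALARMS))
```

The `nonprod-daily` rule is the case the Backup and Recovery section warns about: a non-production plan still holding Protected B data with retention well under the floor. The `alarm_routing` output is the kind of table you can hand an assessor to show where each alarm delivers its notification.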
Additional Controls (9)
AWS Secrets Manager (1)
Amazon S3 (3)
Related Frameworks
NIST 800-53 Rev 4: High overlap (80%)
CCCS Medium is derived from ITSG-33 tailored controls, which are based on NIST SP 800-53 Rev. 4. Most controls map to families including AC, IA, SC, AU, and CP, with Canadian tailoring for Government of Canada implementation context.
NIST CSF: Medium overlap (45%)
NIST CSF provides a higher-level risk management structure built on the same NIST 800-53 foundations underlying CCCS Medium. CCCS Medium controls are more technically prescriptive than CSF subcategories.
AWS Foundational Security Best Practices: Medium overlap (55%)
AWS Foundational Security Best Practices covers common ground on IAM, encryption, and monitoring controls. CCCS Medium adds Government of Canada SA&A evidence requirements and control tailoring that go beyond AWS service-level checks.