[ { "message": "Storage account enforces minimum TLS version", "metadata": { "event_code": "Storage account enforces minimum TLS version", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@CCC.Core", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.Core.CN01", "@Policy", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"object-storage-tls-policy\" for control \"CCC.Core.CN01\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Account TLS Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670034, "created_time_dt": "2026-04-08T17:40:34Z", "desc": "Compliance test scenario: Storage account enforces minimum TLS version", "title": "Storage account enforces minimum TLS version", "types": [], "uid": "ccc-test-138-1775670034" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670034, "time_dt": "2026-04-08T17:40:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage policy prevents the use of unencrypted ports", "metadata": { "event_code": "Object storage policy prevents the use of unencrypted ports", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.Core", "@CCC.Core.CN01", "@Policy", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✗ I attempt policy check \"object-storage-unencrypted-policy\" for control \"CCC.Core.CN01\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670034, "created_time_dt": "2026-04-08T17:40:34Z", "desc": "Compliance test scenario: Object storage policy prevents the use of unencrypted ports", "title": "Object storage policy prevents the use of unencrypted ports", "types": [], "uid": "ccc-test-291-1775670034" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670034, "time_dt": "2026-04-08T17:40:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Storage account enforces mutual TLS - NotTested", "metadata": { "event_code": "Storage account enforces mutual TLS - NotTested", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@tls", "@tlp-amber", "@tlp-red", "@CCC.Core", "@CCC.Core.CN01", "@Policy", "@NotTested", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "Update", "status_code": "FAIL", "status_detail": "✓ no-op required", "status_id": 2, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR08" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670035, "created_time_dt": "2026-04-08T17:40:35Z", "desc": "Compliance test scenario: Storage account enforces mutual TLS - NotTested", "title": "Storage account enforces mutual TLS - NotTested", "types": [], "uid": "ccc-test-430-1775670035" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670035, "time_dt": "2026-04-08T17:40:35Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Verify objects are encrypted at rest", "metadata": { "event_code": "Verify objects are encrypted at rest", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN02", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-encryption-check={Timestamp}.txt\", and \"encryption test data\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"uploadResult\"\n✓ \"{uploadResult.Encryption}\" is not null\n✓ \"{uploadResult.EncryptionAlgorithm}\" is \"AES256\"\n✓ I attach \"{uploadResult}\" to the test output as \"Upload Result with Encryption Details\"", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670035, "created_time_dt": "2026-04-08T17:40:35Z", "desc": "Compliance test scenario: Verify objects are encrypted at rest", "title": "Verify objects are encrypted at rest", "types": [], "uid": "ccc-test-466-1775670035" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670035, "time_dt": "2026-04-08T17:40:35Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage encryption compliance", "metadata": { "event_code": "Object storage encryption compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN02", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-encryption\" for control \"CCC.Core.CN02\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670096, "created_time_dt": "2026-04-08T17:41:36Z", "desc": "Compliance test scenario: Object storage encryption compliance", "title": "Object storage encryption compliance", "types": [], "uid": "ccc-test-470-1775670096" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670096, "time_dt": "2026-04-08T17:41:36Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage delete protection compliance", "metadata": { "event_code": "Object storage delete protection compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-delete-protection\" for control \"CCC.Core.CN03\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670097, "created_time_dt": "2026-04-08T17:41:37Z", "desc": "Compliance test scenario: Object storage delete protection compliance", "title": "Object storage delete protection compliance", "types": [], "uid": "ccc-test-492-1775670097" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670097, "time_dt": "2026-04-08T17:41:37Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "MFA requirement for destructive operations cannot be tested automatically", "metadata": { "event_code": "MFA requirement for destructive operations cannot be tested automatically", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670098, "created_time_dt": "2026-04-08T17:41:38Z", "desc": "Compliance test scenario: MFA requirement for destructive operations cannot be tested automatically", "title": "MFA requirement for destructive operations cannot be tested automatically", "types": [], "uid": "ccc-test-495-1775670098" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670098, "time_dt": "2026-04-08T17:41:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "API modification requires credential and trust perimeter origin - NotTestable", "metadata": { "event_code": "API modification requires credential and trust perimeter origin - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670098, "created_time_dt": "2026-04-08T17:41:38Z", "desc": "Compliance test scenario: API modification requires credential and trust perimeter origin - NotTestable", "title": "API modification requires credential and trust perimeter origin - NotTestable", "types": [], "uid": "ccc-test-513-1775670098" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670098, "time_dt": "2026-04-08T17:41:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "UI viewing requires multi-factor authentication - NotTestable", "metadata": { "event_code": "UI viewing requires multi-factor authentication - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670098, "created_time_dt": "2026-04-08T17:41:38Z", "desc": "Compliance test scenario: UI viewing requires multi-factor authentication - NotTestable", "title": "UI viewing requires multi-factor authentication - NotTestable", "types": [], "uid": "ccc-test-529-1775670098" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670098, "time_dt": "2026-04-08T17:41:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "API viewing requires credential and trust perimeter origin - NotTestable", "metadata": { "event_code": "API viewing requires credential and trust perimeter origin - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670098, "created_time_dt": "2026-04-08T17:41:38Z", "desc": "Compliance test scenario: API viewing requires credential and trust perimeter origin - NotTestable", "title": "API viewing requires credential and trust perimeter origin - NotTestable", "types": [], "uid": "ccc-test-545-1775670098" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670098, "time_dt": "2026-04-08T17:41:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage admin logging compliance", "metadata": { "event_code": "Object storage admin logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ I attempt policy check \"admin-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670098, "created_time_dt": "2026-04-08T17:41:38Z", "desc": "Compliance test scenario: Object storage admin logging compliance", "title": "Object storage admin logging compliance", "types": [], "uid": "ccc-test-589-1775670098" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670098, "time_dt": "2026-04-08T17:41:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Verify admin actions are logged with identity and timestamp", "metadata": { "event_code": "Verify admin actions are logged with identity and timestamp", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"{ServiceType}\"\n✓ I refer to \"{result}\" as \"theService\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"logging\"\n✓ I refer to \"{result}\" as \"loggingService\"\n✓ I call \"{theService}\" with \"UpdateResourcePolicy\"\n✓ \"{result}\" is not an error\n✓ I attach \"{result}\" to the test output as \"Policy Update Result\"\n✓ we wait for a period of \"10000\" ms\n✓ I call \"{loggingService}\" with \"QueryAdminLogs\" using arguments \"{ResourceName}\" and \"{20}\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"adminLogs\"\n✓ I attach \"{adminLogs}\" to the test output as \"Admin Activity Logs\"\n✓ \"{adminLogs}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670107, "created_time_dt": "2026-04-08T17:41:47Z", "desc": "Compliance test scenario: Verify admin actions are logged with identity and timestamp", "title": "Verify admin actions are logged with identity and timestamp", "types": [], "uid": "ccc-test-610-1775670107" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670107, "time_dt": "2026-04-08T17:41:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage data modification logging compliance", "metadata": { "event_code": "Object storage data modification logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"data-write-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Diagnostic Logging Write Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670120, "created_time_dt": "2026-04-08T17:42:00Z", "desc": "Compliance test scenario: Object storage data modification logging compliance", "title": "Object storage data modification logging compliance", "types": [], "uid": "ccc-test-641-1775670120" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670120, "time_dt": "2026-04-08T17:42:00Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Data read logging compliance", "metadata": { "event_code": "Data read logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-red", "@Policy", "@object-storage", "@vpc" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"data-read-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Diagnostic Logging Read Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670121, "created_time_dt": "2026-04-08T17:42:01Z", "desc": "Compliance test scenario: Data read logging compliance", "title": "Data read logging compliance", "types": [], "uid": "ccc-test-692-1775670121" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670121, "time_dt": "2026-04-08T17:42:01Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Verify data read operations are logged with identity and timestamp", "metadata": { "event_code": "Verify data read operations are logged with identity and timestamp", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"logging\"\n✓ I refer to \"{result}\" as \"loggingService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-read-logging-object={Timestamp}.txt\", and \"test data for read logging verification\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"createResult\"\n✓ I call \"{storage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-read-logging-object={Timestamp}.txt\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"readResult\"\n✓ I attach \"{readResult}\" to the test output as \"Object Read Result\"\n✓ we wait for a period of \"10000\" ms\n✓ I call \"{loggingService}\" with \"QueryDataReadLogs\" using arguments \"{ResourceName}\" and \"{20}\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"readLogs\"\n✓ I attach \"{readLogs}\" to the test output as \"Data Read Logs\"\n✗ \"{readLogs}\" is an array of objects with at least the following contents - Error: expected row not found: map[result:Succeeded]", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670122, "created_time_dt": "2026-04-08T17:42:02Z", "desc": "Compliance test scenario: Verify data read operations are logged with identity and timestamp", "title": "Verify data read operations are logged with identity and timestamp", "types": [], "uid": "ccc-test-711-1775670122" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670122, "time_dt": "2026-04-08T17:42:02Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents data modification by user with no access", "metadata": { "event_code": "Service prevents data modification by user with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-write-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-cn05-unauthorized-modify={Timestamp}.txt\", and \"unauthorized data\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-create-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670138, "created_time_dt": "2026-04-08T17:42:18Z", "desc": "Compliance test scenario: Service prevents data modification by user with no access", "title": "Service prevents data modification by user with no access", "types": [], "uid": "ccc-test-775-1775670138" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670138, "time_dt": "2026-04-08T17:42:18Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service allows data modification by user with write access", "metadata": { "event_code": "Service allows data modification by user with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write-access\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-cn05-authorized-modify={Timestamp}.txt\", and \"authorized data\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670381, "created_time_dt": "2026-04-08T17:46:21Z", "desc": "Compliance test scenario: Service allows data modification by user with write access", "title": "Service allows data modification by user with write access", "types": [], "uid": "ccc-test-790-1775670381" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670381, "time_dt": "2026-04-08T17:46:21Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Storage is not configured for public write access", "metadata": { "event_code": "Storage is not configured for public write access", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"object-storage-block-public-write-access\" for control \"CCC.Core.CN05\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670623, "created_time_dt": "2026-04-08T17:50:23Z", "desc": "Compliance test scenario: Storage is not configured for public write access", "title": "Storage is not configured for public write access", "types": [], "uid": "ccc-test-798-1775670623" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670623, "time_dt": "2026-04-08T17:50:23Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents administrative action (creating a new bucket) by user with no access", "metadata": { "event_code": "Service prevents administrative action (creating a new bucket) by user with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-admin-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-unauthorized-admin-container\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-admin-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670624, "created_time_dt": "2026-04-08T17:50:24Z", "desc": "Compliance test scenario: Service prevents administrative action (creating a new bucket) by user with no access", "title": "Service prevents administrative action (creating a new bucket) by user with no access", "types": [], "uid": "ccc-test-877-1775670624" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670624, "time_dt": "2026-04-08T17:50:24Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents administrative action (creating a new bucket) by user with read-only access", "metadata": { "event_code": "Service prevents administrative action (creating a new bucket) by user with read-only access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read-only-admin\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-only-admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-read-only-create-container\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-only-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775670866, "created_time_dt": "2026-04-08T17:54:26Z", "desc": "Compliance test scenario: Service prevents administrative action (creating a new bucket) by user with read-only access", "title": "Service prevents administrative action (creating a new bucket) by user with read-only access", "types": [], "uid": "ccc-test-892-1775670866" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775670866, "time_dt": "2026-04-08T17:54:26Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service allows administrative action (creating a new bucket) by user with admin access", "metadata": { "event_code": "Service allows administrative action (creating a new bucket) by user with admin access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-admin-access\", \"{UID}\", and \"admin\"\n✓ I refer to \"{result}\" as \"testUserAdmin\"\n✓ I attach \"{result}\" to the test output as \"admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserAdmin}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-authorized-admin-container\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"admin-create-bucket-result.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"test-cn05-authorized-admin-container\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671108, "created_time_dt": "2026-04-08T17:58:28Z", "desc": "Compliance test scenario: Service allows administrative action (creating a new bucket) by user with admin access", "title": "Service allows administrative action (creating a new bucket) by user with admin access", "types": [], "uid": "ccc-test-908-1775671108" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671108, "time_dt": "2026-04-08T17:58:28Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Unauthorized administrative access is blocked", "metadata": { "event_code": "Unauthorized administrative access is blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671351, "created_time_dt": "2026-04-08T18:02:31Z", "desc": "Compliance test scenario: Unauthorized administrative access is blocked", "title": "Unauthorized administrative access is blocked", "types": [], "uid": "ccc-test-915-1775671351" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671351, "time_dt": "2026-04-08T18:02:31Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Cross-tenant access is blocked without explicit allowlist", "metadata": { "event_code": "Cross-tenant access is blocked without explicit allowlist", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-cross-tenant-block\" for control \"CCC.Core.CN05\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671351, "created_time_dt": "2026-04-08T18:02:31Z", "desc": "Compliance test scenario: Cross-tenant access is blocked without explicit allowlist", "title": "Cross-tenant access is blocked without explicit allowlist", "types": [], "uid": "ccc-test-933-1775671351" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671351, "time_dt": "2026-04-08T18:02:31Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "External unauthorized data requests are blocked", "metadata": { "event_code": "External unauthorized data requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-block-public-read\" for control \"CCC.Core.CN05\" assessment requirement \"AR04\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671352, "created_time_dt": "2026-04-08T18:02:32Z", "desc": "Compliance test scenario: External unauthorized data requests are blocked", "title": "External unauthorized data requests are blocked", "types": [], "uid": "ccc-test-949-1775671352" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671352, "time_dt": "2026-04-08T18:02:32Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "External requests do not reveal service existence - NotTested", "metadata": { "event_code": "External requests do not reveal service existence - NotTested", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-red", "@Policy", "@NotTested", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "Update", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 2, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR05" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671353, "created_time_dt": "2026-04-08T18:02:33Z", "desc": "Compliance test scenario: External requests do not reveal service existence - NotTested", "title": "External requests do not reveal service existence - NotTested", "types": [], "uid": "ccc-test-963-1775671353" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671353, "time_dt": "2026-04-08T18:02:33Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents data read by user with no access - Duplicate", "metadata": { "event_code": "Service prevents data read by user with no access - Duplicate", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR06" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671353, "created_time_dt": "2026-04-08T18:02:33Z", "desc": "Compliance test scenario: Service prevents data read by user with no access - Duplicate", "title": "Service prevents data read by user with no access - Duplicate", "types": [], "uid": "ccc-test-993-1775671353" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671353, "time_dt": "2026-04-08T18:02:33Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "All unauthorized requests are blocked - Duplicate", "metadata": { "event_code": "All unauthorized requests are blocked - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR06" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671353, "created_time_dt": "2026-04-08T18:02:33Z", "desc": "Compliance test scenario: All unauthorized requests are blocked - Duplicate", "title": "All unauthorized requests are blocked - Duplicate", "types": [], "uid": "ccc-test-1000-1775671353" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671353, "time_dt": "2026-04-08T18:02:33Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage region compliance", "metadata": { "event_code": "Object storage region compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-region\" for control \"CCC.Core.CN06\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671353, "created_time_dt": "2026-04-08T18:02:33Z", "desc": "Compliance test scenario: Object storage region compliance", "title": "Object storage region compliance", "types": [], "uid": "ccc-test-1036-1775671353" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671353, "time_dt": "2026-04-08T18:02:33Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Resource region can be retrieved for compliance verification", "metadata": { "event_code": "Resource region can be retrieved for compliance verification", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage", "@vpc" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"{ServiceType}\"\n✓ I refer to \"{result}\" as \"theService\"\n✓ I call \"{theService}\" with \"GetResourceRegion\" using argument \"{ResourceName}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: not yet implemented\n⊘ I refer to \"{result}\" as \"region\" (skipped)\n⊘ I attach \"{region}\" to the test output as \"Resource Region\" (skipped)\n⊘ \"{PermittedRegions}\" is an array of objects with at least the following contents (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671354, "created_time_dt": "2026-04-08T18:02:34Z", "desc": "Compliance test scenario: Resource region can be retrieved for compliance verification", "title": "Resource region can be retrieved for compliance verification", "types": [], "uid": "ccc-test-1050-1775671354" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671354, "time_dt": "2026-04-08T18:02:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Child resource region compliance - NotTestable", "metadata": { "event_code": "Child resource region compliance - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671354, "created_time_dt": "2026-04-08T18:02:34Z", "desc": "Compliance test scenario: Child resource region compliance - NotTestable", "title": "Child resource region compliance - NotTestable", "types": [], "uid": "ccc-test-1072-1775671354" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671354, "time_dt": "2026-04-08T18:02:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Child resource region compliance - NotTestable", "metadata": { "event_code": "Child resource region compliance - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671354, "created_time_dt": "2026-04-08T18:02:34Z", "desc": "Compliance test scenario: Child resource region compliance - NotTestable", "title": "Child resource region compliance - NotTestable", "types": [], "uid": "ccc-test-1075-1775671354" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671354, "time_dt": "2026-04-08T18:02:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Enumeration activities publish events to monitored channels", "metadata": { "event_code": "Enumeration activities publish events to monitored channels", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"enumeration-monitoring-policy\" for control \"CCC.Core.CN07\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671354, "created_time_dt": "2026-04-08T18:02:34Z", "desc": "Compliance test scenario: Enumeration activities publish events to monitored channels", "title": "Enumeration activities publish events to monitored channels", "types": [], "uid": "ccc-test-1096-1775671354" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671354, "time_dt": "2026-04-08T18:02:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Enumeration event publishing cannot be tested automatically - NotTestable", "metadata": { "event_code": "Enumeration event publishing cannot be tested automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671355, "created_time_dt": "2026-04-08T18:02:35Z", "desc": "Compliance test scenario: Enumeration event publishing cannot be tested automatically - NotTestable", "title": "Enumeration event publishing cannot be tested automatically - NotTestable", "types": [], "uid": "ccc-test-1099-1775671355" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671355, "time_dt": "2026-04-08T18:02:35Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Enumeration activities are logged", "metadata": { "event_code": "Enumeration activities are logged", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"enumeration-logging-policy\" for control \"CCC.Core.CN07\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Enumeration Logging Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671355, "created_time_dt": "2026-04-08T18:02:35Z", "desc": "Compliance test scenario: Enumeration activities are logged", "title": "Enumeration activities are logged", "types": [], "uid": "ccc-test-1122-1775671355" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671355, "time_dt": "2026-04-08T18:02:35Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Enumeration logging cannot be verified automatically - NotTestable", "metadata": { "event_code": "Enumeration logging cannot be verified automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671356, "created_time_dt": "2026-04-08T18:02:36Z", "desc": "Compliance test scenario: Enumeration logging cannot be verified automatically - NotTestable", "title": "Enumeration logging cannot be verified automatically - NotTestable", "types": [], "uid": "ccc-test-1125-1775671356" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671356, "time_dt": "2026-04-08T18:02:36Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage replication compliance", "metadata": { "event_code": "Object storage replication compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"object-storage-replication\" for control \"CCC.Core.CN08\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671356, "created_time_dt": "2026-04-08T18:02:36Z", "desc": "Compliance test scenario: Object storage replication compliance", "title": "Object storage replication compliance", "types": [], "uid": "ccc-test-1160-1775671356" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671356, "time_dt": "2026-04-08T18:02:36Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Bucket data is replicated to physically separate locations", "metadata": { "event_code": "Bucket data is replicated to physically separate locations", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetReplicationStatus\" using argument \"{ResourceName}\"\n✓ I refer to \"{result}\" as \"replicationStatus\"\n✓ I refer to \"{replicationStatus.Locations}\" as \"locations\"\n✓ I attach \"{replicationStatus}\" to the test output as \"Replication Status\"\n✓ \"{locations}\" is an array of objects with length \"2\"\n✓ \"{PermittedRegions}\" is an array of objects with at least the following contents\n✓ \"{PermittedRegions}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671357, "created_time_dt": "2026-04-08T18:02:37Z", "desc": "Compliance test scenario: Bucket data is replicated to physically separate locations", "title": "Bucket data is replicated to physically separate locations", "types": [], "uid": "ccc-test-1171-1775671357" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671357, "time_dt": "2026-04-08T18:02:37Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage replication status is visible", "metadata": { "event_code": "Object storage replication status is visible", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"object-storage-replication-status\" for control \"CCC.Core.CN08\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671357, "created_time_dt": "2026-04-08T18:02:37Z", "desc": "Compliance test scenario: Object storage replication status is visible", "title": "Object storage replication status is visible", "types": [], "uid": "ccc-test-1203-1775671357" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671357, "time_dt": "2026-04-08T18:02:37Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Replication status can be retrieved for monitoring", "metadata": { "event_code": "Replication status can be retrieved for monitoring", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetReplicationStatus\" using argument \"{ResourceName}\"\n✓ I refer to \"{result}\" as \"replicationStatus\"\n✓ I attach \"{replicationStatus}\" to the test output as \"Replication Status\"\n✓ I refer to \"{replicationStatus.Locations}\" as \"locations\"\n✓ \"{locations}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671358, "created_time_dt": "2026-04-08T18:02:38Z", "desc": "Compliance test scenario: Replication status can be retrieved for monitoring", "title": "Replication status can be retrieved for monitoring", "types": [], "uid": "ccc-test-1212-1775671358" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671358, "time_dt": "2026-04-08T18:02:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage access logging compliance", "metadata": { "event_code": "Object storage access logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"object-storage-access-logging\" for control \"CCC.Core.CN09\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671358, "created_time_dt": "2026-04-08T18:02:38Z", "desc": "Compliance test scenario: Object storage access logging compliance", "title": "Object storage access logging compliance", "types": [], "uid": "ccc-test-1229-1775671358" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671358, "time_dt": "2026-04-08T18:02:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Disabling logs requires disabling the resource - NotTestable", "metadata": { "event_code": "Disabling logs requires disabling the resource - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671359, "created_time_dt": "2026-04-08T18:02:39Z", "desc": "Compliance test scenario: Disabling logs requires disabling the resource - NotTestable", "title": "Disabling logs requires disabling the resource - NotTestable", "types": [], "uid": "ccc-test-1246-1775671359" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671359, "time_dt": "2026-04-08T18:02:39Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Redirecting logs requires halting the resource - NotTestable", "metadata": { "event_code": "Redirecting logs requires halting the resource - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671359, "created_time_dt": "2026-04-08T18:02:39Z", "desc": "Compliance test scenario: Redirecting logs requires halting the resource - NotTestable", "title": "Redirecting logs requires halting the resource - NotTestable", "types": [], "uid": "ccc-test-1261-1775671359" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671359, "time_dt": "2026-04-08T18:02:39Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object storage replication destination compliance", "metadata": { "event_code": "Object storage replication destination compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN10", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-replication-destination\" for control \"CCC.Core.CN10\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN10.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671359, "created_time_dt": "2026-04-08T18:02:39Z", "desc": "Compliance test scenario: Object storage replication destination compliance", "title": "Object storage replication destination compliance", "types": [], "uid": "ccc-test-1283-1775671359" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671359, "time_dt": "2026-04-08T18:02:39Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Replication destination trust cannot be verified automatically - NotTestable", "metadata": { "event_code": "Replication destination trust cannot be verified automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN10", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN10.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671360, "created_time_dt": "2026-04-08T18:02:40Z", "desc": "Compliance test scenario: Replication destination trust cannot be verified automatically - NotTestable", "title": "Replication destination trust cannot be verified automatically - NotTestable", "types": [], "uid": "ccc-test-1286-1775671360" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671360, "time_dt": "2026-04-08T18:02:40Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents reading bucket with no access", "metadata": { "event_code": "Service prevents reading bucket with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ListObjects\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-list-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671360, "created_time_dt": "2026-04-08T18:02:40Z", "desc": "Compliance test scenario: Service prevents reading bucket with no access", "title": "Service prevents reading bucket with no access", "types": [], "uid": "ccc-test-1340-1775671360" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671360, "time_dt": "2026-04-08T18:02:40Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service allows reading bucket with read access", "metadata": { "event_code": "Service allows reading bucket with read access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"read-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ListObjects\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-list-objects-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671602, "created_time_dt": "2026-04-08T18:06:42Z", "desc": "Compliance test scenario: Service allows reading bucket with read access", "title": "Service allows reading bucket with read access", "types": [], "uid": "ccc-test-1356-1775671602" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671602, "time_dt": "2026-04-08T18:06:42Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Test policy for bucket access control", "metadata": { "event_code": "Test policy for bucket access control", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"no-public-access\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671844, "created_time_dt": "2026-04-08T18:10:44Z", "desc": "Compliance test scenario: Test policy for bucket access control", "title": "Test policy for bucket access control", "types": [], "uid": "ccc-test-1364-1775671844" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671844, "time_dt": "2026-04-08T18:10:44Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents reading object with no access", "metadata": { "event_code": "Service prevents reading object with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-read-object-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775671845, "created_time_dt": "2026-04-08T18:10:45Z", "desc": "Compliance test scenario: Service prevents reading object with no access", "title": "Service prevents reading object with no access", "types": [], "uid": "ccc-test-1422-1775671845" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775671845, "time_dt": "2026-04-08T18:10:45Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service allows reading object with read access", "metadata": { "event_code": "Service allows reading object with read access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"read-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-read-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775672088, "created_time_dt": "2026-04-08T18:14:48Z", "desc": "Compliance test scenario: Service allows reading object with read access", "title": "Service allows reading object with read access", "types": [], "uid": "ccc-test-1440-1775672088" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775672088, "time_dt": "2026-04-08T18:14:48Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✓ \"{result}\" is not an error\n✗ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage RBAC in Use: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775672331, "created_time_dt": "2026-04-08T18:18:51Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1450-1775672331" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775672331, "time_dt": "2026-04-08T18:18:51Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents creating bucket with no access", "metadata": { "event_code": "Service prevents creating bucket with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-bucket-no-access\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775672334, "created_time_dt": "2026-04-08T18:18:54Z", "desc": "Compliance test scenario: Service prevents creating bucket with no access", "title": "Service prevents creating bucket with no access", "types": [], "uid": "ccc-test-1507-1775672334" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775672334, "time_dt": "2026-04-08T18:18:54Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service allows creating bucket with write access", "metadata": { "event_code": "Service allows creating bucket with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"write-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-bucket-write\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-bucket-result.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"{result.ID}\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775672576, "created_time_dt": "2026-04-08T18:22:56Z", "desc": "Compliance test scenario: Service allows creating bucket with write access", "title": "Service allows creating bucket with write access", "types": [], "uid": "ccc-test-1524-1775672576" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775672576, "time_dt": "2026-04-08T18:22:56Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage RBAC in Use: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775672818, "created_time_dt": "2026-04-08T18:26:58Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1532-1775672818" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775672818, "time_dt": "2026-04-08T18:26:58Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents writing object with read-only access", "metadata": { "event_code": "Service prevents writing object with read-only access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-write-object={Timestamp}.txt\", and \"test content\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-create-object-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775672819, "created_time_dt": "2026-04-08T18:26:59Z", "desc": "Compliance test scenario: Service prevents writing object with read-only access", "title": "Service prevents writing object with read-only access", "types": [], "uid": "ccc-test-1592-1775672819" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775672819, "time_dt": "2026-04-08T18:26:59Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service allows writing object with write access", "metadata": { "event_code": "Service allows writing object with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"write-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-write-object={Timestamp}.txt\", and \"test content\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673062, "created_time_dt": "2026-04-08T18:31:02Z", "desc": "Compliance test scenario: Service allows writing object with write access", "title": "Service allows writing object with write access", "types": [], "uid": "ccc-test-1610-1775673062" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673062, "time_dt": "2026-04-08T18:31:02Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✗ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR04\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage RBAC in Use: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673304, "created_time_dt": "2026-04-08T18:35:04Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1620-1775673304" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673304, "time_dt": "2026-04-08T18:35:04Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service enforces uniform bucket-level access by rejecting object-level permissions", "metadata": { "event_code": "Service enforces uniform bucket-level access by rejecting object-level permissions", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775673305596.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:35:06.0038260Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 4549b10f-2eb7-4906-9af9-03b39e491400 Correlation ID: 1d2f5a44-bfc0-4b1f-94b3-cf890635e117 Timestamp: 2026-04-08 18:35:06Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"SetObjectPermission\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"none\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-object-permission-error.txt\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673305, "created_time_dt": "2026-04-08T18:35:05Z", "desc": "Compliance test scenario: Service enforces uniform bucket-level access by rejecting object-level permissions", "title": "Service enforces uniform bucket-level access by rejecting object-level permissions", "types": [], "uid": "ccc-test-1674-1775673305" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673305, "time_dt": "2026-04-08T18:35:05Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Test policy for uniform access", "metadata": { "event_code": "Test policy for uniform access", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"uniform-bucket-level-access\" for control \"CCC.ObjStor.CN02\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Uniform Access Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:35:06.8631348Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: ab09e371-d8db-4951-abad-bc2c234a2e00 Correlation ID: b567dbef-fa9d-4a57-aa5a-004ad8939956 Timestamp: 2026-04-08 18:35:06Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673306, "created_time_dt": "2026-04-08T18:35:06Z", "desc": "Compliance test scenario: Test policy for uniform access", "title": "Test policy for uniform access", "types": [], "uid": "ccc-test-1682-1775673306" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673306, "time_dt": "2026-04-08T18:35:06Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service enforces uniform bucket-level access denial", "metadata": { "event_code": "Service enforces uniform bucket-level access denial", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775673307093.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:35:07.4515245Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 46499c48-1e1d-43e5-85a3-5a6bc5bc3f00 Correlation ID: f1dc21cb-d3ef-44b5-b22d-639d2a5fb3c3 Timestamp: 2026-04-08 18:35:07Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserNoAccess\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I call \"{storage}\" with \"SetObjectPermission\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"read\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-object-permission-error.txt\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673307, "created_time_dt": "2026-04-08T18:35:07Z", "desc": "Compliance test scenario: Service enforces uniform bucket-level access denial", "title": "Service enforces uniform bucket-level access denial", "types": [], "uid": "ccc-test-1737-1775673307" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673307, "time_dt": "2026-04-08T18:35:07Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "metadata": { "event_code": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Policy", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673307, "created_time_dt": "2026-04-08T18:35:07Z", "desc": "Compliance test scenario: Uniform bucket-level access prevents object-level deny overrides - Duplicate", "title": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "types": [], "uid": "ccc-test-1744-1775673307" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673307, "time_dt": "2026-04-08T18:35:07Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service supports bucket soft delete and recovery", "metadata": { "event_code": "Service supports bucket soft delete and recovery", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateBucket\" using argument \"ccc-test-soft-delete\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to create container: failed to create container ccc-test-soft-delete: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:35:07.9848824Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 4683d8a7-b571-4cdd-97c0-19d35d630100 Correlation ID: b8c86d63-92bd-40f0-b0a1-62df8e76fc57 Timestamp: 2026-04-08 18:35:07Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I refer to \"{result}\" as \"testBucket\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"created-bucket.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"ListDeletedBuckets\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"deleted-buckets.json\" (skipped)\n? \"{result}\" should have length greater than \"0\" (undefined)\n⊘ I call \"{storage}\" with \"RestoreBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"ListBuckets\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"restored-buckets.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673307, "created_time_dt": "2026-04-08T18:35:07Z", "desc": "Compliance test scenario: Service supports bucket soft delete and recovery", "title": "Service supports bucket soft delete and recovery", "types": [], "uid": "ccc-test-1798-1775673307" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673307, "time_dt": "2026-04-08T18:35:07Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Test policy for bucket soft delete", "metadata": { "event_code": "Test policy for bucket soft delete", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✗ I attempt policy check \"bucket-soft-delete\" for control \"CCC.ObjStor.CN03\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Soft Delete Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:35:08.7540070Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 741de93f-4a6c-4004-8d16-6b5b8c62a200 Correlation ID: 42c75dce-6be7-403c-be9d-a250b992c870 Timestamp: 2026-04-08 18:35:08Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673308, "created_time_dt": "2026-04-08T18:35:08Z", "desc": "Compliance test scenario: Test policy for bucket soft delete", "title": "Test policy for bucket soft delete", "types": [], "uid": "ccc-test-1804-1775673308" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673308, "time_dt": "2026-04-08T18:35:08Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents modification of locked retention policy", "metadata": { "event_code": "Service prevents modification of locked retention policy", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetBucketRetentionDurationDays\" using argument \"{ResourceName}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to get container properties: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:35:09.3417776Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 6601f236-9ffb-4ed0-a028-c8e1e7400d00 Correlation ID: ed93c3bd-8f28-4036-bc2b-a9c9b410e1d5 Timestamp: 2026-04-08 18:35:09Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I refer to \"{result}\" as \"originalRetention\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"original-retention-days.txt\" (skipped)\n⊘ \"{result}\" should be greater than \"0\" (skipped)\n⊘ I call \"{storage}\" with \"SetBucketRetentionDurationDays\" using arguments \"{ResourceName}\" and \"1\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-retention-error.txt\" (skipped)\n⊘ I call \"{storage}\" with \"GetBucketRetentionDurationDays\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n? \"{result}\" should equal \"{originalRetention}\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673308, "created_time_dt": "2026-04-08T18:35:08Z", "desc": "Compliance test scenario: Service prevents modification of locked retention policy", "title": "Service prevents modification of locked retention policy", "types": [], "uid": "ccc-test-1846-1775673308" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673308, "time_dt": "2026-04-08T18:35:08Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Test policy for immutable bucket retention lock", "metadata": { "event_code": "Test policy for immutable bucket retention lock", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✗ I attempt policy check \"bucket-retention-lock\" for control \"CCC.ObjStor.CN03\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Immutability Policy Lock Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:35:10.1984253Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: a8e4659a-f962-44fa-85a6-12ac926c0000 Correlation ID: f6d6b4ad-3960-4595-afbf-891df83978e0 Timestamp: 2026-04-08 18:35:10Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673309, "created_time_dt": "2026-04-08T18:35:09Z", "desc": "Compliance test scenario: Test policy for immutable bucket retention lock", "title": "Test policy for immutable bucket retention lock", "types": [], "uid": "ccc-test-1852-1775673309" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673309, "time_dt": "2026-04-08T18:35:09Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service applies default retention policy to newly uploaded object", "metadata": { "event_code": "Service applies default retention policy to newly uploaded object", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-retention-object={Timestamp}.txt\", and \"protected data\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"uploaded-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"GetObjectRetentionDurationDays\" using arguments \"{ResourceName}\" and \"test-retention-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" should be greater than \"1\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673310, "created_time_dt": "2026-04-08T18:35:10Z", "desc": "Compliance test scenario: Service applies default retention policy to newly uploaded object", "title": "Service applies default retention policy to newly uploaded object", "types": [], "uid": "ccc-test-1911-1775673310" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673310, "time_dt": "2026-04-08T18:35:10Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service enforces retention policy on newly created objects", "metadata": { "event_code": "Service enforces retention policy on newly created objects", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"immediate-delete-test={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob immediate-delete-test=1775673552900.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:39:13.3820455Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 1878ce1e-a386-4d6c-81d7-3f536e474500 Correlation ID: fb579ac3-e0f4-4c58-ae78-509789e6b2ec Timestamp: 2026-04-08 18:39:13Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"immediate-delete-test={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"immediate-delete-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673552, "created_time_dt": "2026-04-08T18:39:12Z", "desc": "Compliance test scenario: Service enforces retention policy on newly created objects", "title": "Service enforces retention policy on newly created objects", "types": [], "uid": "ccc-test-1922-1775673552" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673552, "time_dt": "2026-04-08T18:39:12Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service validates retention period meets minimum requirements", "metadata": { "event_code": "Service validates retention period meets minimum requirements", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"retention-period-test={Timestamp}.txt\", and \"compliance data\"\n✓ I call \"{storage}\" with \"GetObjectRetentionDurationDays\" using arguments \"{ResourceName}\" and \"retention-period-test={Timestamp}.txt\"\n✗ \"{result}\" should be greater than \"1\" - Error: cannot parse {result} as number: strconv.ParseFloat: parsing \"failed to get blob properties: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:39:14.7711109Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 2f27d4bb-74d6-4b6e-b065-7f0a8e920100 Correlation ID: e6a2f61c-3300-45e4-9ee8-be7d431df845 Timestamp: 2026-04-08 18:39:14Z\\nRun the command below to authenticate interactively; additional arguments may be added as needed:\\naz logout\\naz login\\n\": invalid syntax\n⊘ I attach \"{result}\" to the test output as \"retention-period-days.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673553, "created_time_dt": "2026-04-08T18:39:13Z", "desc": "Compliance test scenario: Service validates retention period meets minimum requirements", "title": "Service validates retention period meets minimum requirements", "types": [], "uid": "ccc-test-1932-1775673553" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673553, "time_dt": "2026-04-08T18:39:13Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Test policy for default object retention", "metadata": { "event_code": "Test policy for default object retention", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-default-retention\" for control \"CCC.ObjStor.CN04\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Default Immutability Policy Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:39:15.6727884Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: a9f0a44e-2c38-4568-b592-9743e1e81100 Correlation ID: dd794153-e0c7-4854-b75c-94e4f01c83e3 Timestamp: 2026-04-08 18:39:15Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673554, "created_time_dt": "2026-04-08T18:39:14Z", "desc": "Compliance test scenario: Test policy for default object retention", "title": "Test policy for default object retention", "types": [], "uid": "ccc-test-1940-1775673554" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673554, "time_dt": "2026-04-08T18:39:14Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents object deletion by write user during retention period", "metadata": { "event_code": "Service prevents object deletion by write user during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"protected-object={Timestamp}.txt\", and \"immutable data\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"protected-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"delete-protected-error.txt\" (skipped)\n? \"{result}\" should contain one of \"retention, locked, immutable, protected\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673555, "created_time_dt": "2026-04-08T18:39:15Z", "desc": "Compliance test scenario: Service prevents object deletion by write user during retention period", "title": "Service prevents object deletion by write user during retention period", "types": [], "uid": "ccc-test-2028-1775673555" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673555, "time_dt": "2026-04-08T18:39:15Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents object deletion by admin user during retention period", "metadata": { "event_code": "Service prevents object deletion by admin user during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"admin-protected-object={Timestamp}.txt\", and \"compliance data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob admin-protected-object=1775673798250.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:43:18.7499682Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: dd5c4c89-6032-414a-972d-143c30030f00 Correlation ID: a9b87fb0-3a13-483e-833e-9e8489c31bc6 Timestamp: 2026-04-08 18:43:18Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"admin-protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"admin-delete-protected-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673798, "created_time_dt": "2026-04-08T18:43:18Z", "desc": "Compliance test scenario: Service prevents object deletion by admin user during retention period", "title": "Service prevents object deletion by admin user during retention period", "types": [], "uid": "ccc-test-2039-1775673798" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673798, "time_dt": "2026-04-08T18:43:18Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service prevents object modification during retention period", "metadata": { "event_code": "Service prevents object modification during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"modify-test-object={Timestamp}.txt\", and \"original content\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"original-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"modify-test-object={Timestamp}.txt\", and \"modified content\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"modify-protected-error.txt\" (skipped)\n? \"{result}\" should contain one of \"retention, locked, immutable, protected, exists\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775673798, "created_time_dt": "2026-04-08T18:43:18Z", "desc": "Compliance test scenario: Service prevents object modification during retention period", "title": "Service prevents object modification during retention period", "types": [], "uid": "ccc-test-2057-1775673798" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775673798, "time_dt": "2026-04-08T18:43:18Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service allows object read access during retention period", "metadata": { "event_code": "Service allows object read access during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"readable-protected-object={Timestamp}.txt\", and \"readable data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob readable-protected-object=1775674041403.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:47:21.7830571Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: ae214633-721c-4e8e-bf3b-bbbe7ff50100 Correlation ID: 4c56d1d0-c18e-4baa-9833-330cc6058526 Timestamp: 2026-04-08 18:47:21Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"readable-protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"readResult\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-protected-object.json\" (skipped)\n⊘ \"{readResult.Name}\" is \"readable-protected-object={Timestamp}.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674041, "created_time_dt": "2026-04-08T18:47:21Z", "desc": "Compliance test scenario: Service allows object read access during retention period", "title": "Service allows object read access during retention period", "types": [], "uid": "ccc-test-2076-1775674041" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674041, "time_dt": "2026-04-08T18:47:21Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Test policy for object retention enforcement", "metadata": { "event_code": "Test policy for object retention enforcement", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-retention-enforcement\" for control \"CCC.ObjStor.CN04\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Object Retention Enforcement Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:47:22.4276460Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: bd229009-8104-4142-9d16-22b83e160e00 Correlation ID: b2e22624-ae73-4104-9bfe-b3552df72033 Timestamp: 2026-04-08 18:47:22Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674041, "created_time_dt": "2026-04-08T18:47:21Z", "desc": "Compliance test scenario: Test policy for object retention enforcement", "title": "Test policy for object retention enforcement", "types": [], "uid": "ccc-test-2084-1775674041" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674041, "time_dt": "2026-04-08T18:47:21Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Service enables versioning and objects receive unique version identifiers", "metadata": { "event_code": "Service enables versioning and objects receive unique version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"IsBucketVersioningEnabled\" using argument \"{ResourceName}\"\n✓ \"{result}\" is true\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"versioned-object.txt\", and \"test content\"\n✓ I refer to \"{result}\" as \"createdObject\"\n? \"{createdObject.VersionID}\" is not empty (undefined)\n⊘ I attach \"{result}\" to the test output as \"versioned-object.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674042, "created_time_dt": "2026-04-08T18:47:22Z", "desc": "Compliance test scenario: Service enables versioning and objects receive unique version identifiers", "title": "Service enables versioning and objects receive unique version identifiers", "types": [], "uid": "ccc-test-2118-1775674042" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674042, "time_dt": "2026-04-08T18:47:22Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Objects are stored with unique version identifiers", "metadata": { "event_code": "Objects are stored with unique version identifiers", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✗ I attempt policy check \"object-storage-versioning\" for control \"CCC.ObjStor.CN05\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Versioning Configuration: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-08T18:47:23.7701422Z, assertion valid from 2026-04-08T17:37:53.0000000Z, expiry time of assertion 2026-04-08T17:42:53.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: c5501534-9fb7-433d-b264-b1108dee5300 Correlation ID: 5ca64cb6-d458-4410-97e4-09325628e601 Timestamp: 2026-04-08 18:47:23Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674043, "created_time_dt": "2026-04-08T18:47:23Z", "desc": "Compliance test scenario: Objects are stored with unique version identifiers", "title": "Objects are stored with unique version identifiers", "types": [], "uid": "ccc-test-2124-1775674043" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674043, "time_dt": "2026-04-08T18:47:23Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Modified objects receive new version identifiers", "metadata": { "event_code": "Modified objects receive new version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"original content\"\n✓ I refer to \"{result.VersionID}\" as \"version1\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"modified content\"\n✓ I refer to \"{result.VersionID}\" as \"version2\"\n? \"{version1}\" is not equal to \"{version2}\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674043, "created_time_dt": "2026-04-08T18:47:23Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers", "title": "Modified objects receive new version identifiers", "types": [], "uid": "ccc-test-2156-1775674043" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674043, "time_dt": "2026-04-08T18:47:23Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Modified objects receive new version identifiers - Duplicate", "metadata": { "event_code": "Modified objects receive new version identifiers - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674045, "created_time_dt": "2026-04-08T18:47:25Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers - Duplicate", "title": "Modified objects receive new version identifiers - Duplicate", "types": [], "uid": "ccc-test-2161-1775674045" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674045, "time_dt": "2026-04-08T18:47:25Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Modified objects receive new version identifiers", "metadata": { "event_code": "Modified objects receive new version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"original content\"\n✓ I refer to \"{result.VersionID}\" as \"version1\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"modified content\"\n✓ I refer to \"{result.VersionID}\" as \"version2\"\n✓ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"{version1}\"\n✓ I attach \"{result}\" to the test output as \"original-content.json\"\n✗ \"{result.Data}\" contains \"original content\" - Error: expected {result.Data} to contain 'original content', but got '\u003cnil\u003e'\n⊘ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"{version2}\" (skipped)\n⊘ \"{result.Data}\" contains \"modified content\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"modified-content.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674045, "created_time_dt": "2026-04-08T18:47:25Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers", "title": "Modified objects receive new version identifiers", "types": [], "uid": "ccc-test-2202-1775674045" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674045, "time_dt": "2026-04-08T18:47:25Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Previous object versions can be recovered", "metadata": { "event_code": "Previous object versions can be recovered", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674046, "created_time_dt": "2026-04-08T18:47:26Z", "desc": "Compliance test scenario: Previous object versions can be recovered", "title": "Previous object versions can be recovered", "types": [], "uid": "ccc-test-2207-1775674046" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674046, "time_dt": "2026-04-08T18:47:26Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Deleted object data can be reloaded from previous version", "metadata": { "event_code": "Deleted object data can be reloaded from previous version", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"recover-deleted-object={Timestamp}.txt\", and \"data to retain\"\n✓ I refer to \"{result.VersionID}\" as \"retainedVersionId\"\n✓ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"recover-deleted-object={Timestamp}.txt\"\n✓ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"recover-deleted-object={Timestamp}.txt\", and \"{retainedVersionId}\"\n✗ \"{result.Data}\" contains \"data to retain\" - Error: expected {result.Data} to contain 'data to retain', but got '\u003cnil\u003e'\n⊘ I attach \"{result}\" to the test output as \"recovered-deleted-version.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674046, "created_time_dt": "2026-04-08T18:47:26Z", "desc": "Compliance test scenario: Deleted object data can be reloaded from previous version", "title": "Deleted object data can be reloaded from previous version", "types": [], "uid": "ccc-test-2251-1775674046" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674046, "time_dt": "2026-04-08T18:47:26Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Deleted object version remains in version list", "metadata": { "event_code": "Deleted object version remains in version list", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"list-deleted-versions-object={Timestamp}.txt\", and \"versioned data\"\n✓ I refer to \"{result.VersionID}\" as \"listedVersionId\"\n✓ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"list-deleted-versions-object={Timestamp}.txt\"\n✓ I call \"{storage}\" with \"ListObjectVersions\" using arguments \"{ResourceName}\" and \"list-deleted-versions-object={Timestamp}.txt\"\n✗ \"{result}\" is an array of objects with at least the following contents - Error: field {result} is not an array\n⊘ I attach \"{result}\" to the test output as \"versions-after-delete.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674048, "created_time_dt": "2026-04-08T18:47:28Z", "desc": "Compliance test scenario: Deleted object version remains in version list", "title": "Deleted object version remains in version list", "types": [], "uid": "ccc-test-2261-1775674048" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674048, "time_dt": "2026-04-08T18:47:28Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] }, { "message": "Object versions are retained after deletion - Duplicate", "metadata": { "event_code": "Object versions are retained after deletion - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775674049, "created_time_dt": "2026-04-08T18:47:29Z", "desc": "Compliance test scenario: Object versions are retained after deletion - Duplicate", "title": "Object versions are retained after deletion - Duplicate", "types": [], "uid": "ccc-test-2266-1775674049" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775674049, "time_dt": "2026-04-08T18:47:29Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260408t173437z/providers/Microsoft.Storage/storageAccounts/stgcfi20260408t173437z" } ] } ]