✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-tls-policy" for control "CCC.Core.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account TLS Policy Check: ⊘ "{result}" is true (skipped)

✗ I attempt policy check "object-storage-unencrypted-policy" for control "CCC.Core.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check: ⊘ "{result}" is true (skipped)

✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-encryption" for control "CCC.Core.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-delete-protection" for control "CCC.Core.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ I attempt policy check "admin-logging" for control "CCC.Core.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-write-logging" for control "CCC.Core.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Write Configuration: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-read-logging" for control "CCC.Core.CN04" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Read Configuration: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-storage-block-public-write-access" for control "CCC.Core.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-cross-tenant-block" for control "CCC.Core.CN05" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-block-public-read" for control "CCC.Core.CN05" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-region" for control "CCC.Core.CN06" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "enumeration-monitoring-policy" for control "CCC.Core.CN07" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "enumeration-logging-policy" for control "CCC.Core.CN07" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Logging Policy Check: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication" for control "CCC.Core.CN08" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication-status" for control "CCC.Core.CN08" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-access-logging" for control "CCC.Core.CN09" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-replication-destination" for control "CCC.Core.CN10" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "no-public-access" for control "CCC.ObjStor.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I call "{storage}" with "CreateObject" using arguments "{ResourceName}", "test-object={Timestamp}.txt", and "test content" ✗ "{result}" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775046164302.txt: PUT https://storagecfitest1775043178.blob.core.windows.net/ccc-test-container-1775043178/test-object=1775046164302.txt -------------------------------------------------------------------------------- RESPONSE 403: 403 This request is not authorized to perform this operation using this permission. ERROR CODE: AuthorizationPermissionMismatch -------------------------------------------------------------------------------- <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission. RequestId:cc408d5d-e01e-0003-6ed2-c1c301000000 Time:2026-04-01T12:26:46.4217644Z</Message></Error> -------------------------------------------------------------------------------- ⊘ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" (skipped) ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ "{result}" is not an error ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ "{result}" is not an error ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "uniform-bucket-level-access" for control "CCC.ObjStor.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Uniform Access Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:42:58.6161680Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 52ed7894-f1f6-47b6-9683-c0d71b491400 Correlation ID: 059544d3-5f50-4738-b39e-a1b8d88f8e19 Timestamp: 2026-04-01 12:42:58Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✗ I attempt policy check "bucket-soft-delete" for control "CCC.ObjStor.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Soft Delete Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:01.0015056Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: a6441681-f874-4c4e-8438-2d0ccb260c00 Correlation ID: b94a6db1-1334-450f-8797-89a479094410 Timestamp: 2026-04-01 12:43:01Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✗ I attempt policy check "bucket-retention-lock" for control "CCC.ObjStor.CN03" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Immutability Policy Lock Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:02.6736890Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 2ebbfacb-fbd1-4eea-bea8-5690fa430900 Correlation ID: 23ab2cd7-e6e7-40df-b685-a43fe101a3cc Timestamp: 2026-04-01 12:43:02Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-default-retention" for control "CCC.ObjStor.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Default Immutability Policy Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:47:07.5073091Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: d279db72-baf0-475c-97b4-6524c8c60300 Correlation ID: e1f13500-6b34-42c8-b895-5322b3e1e218 Timestamp: 2026-04-01 12:47:07Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-retention-enforcement" for control "CCC.ObjStor.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Object Retention Enforcement Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:55:14.7375633Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: fc41409f-8f97-4fa9-a831-f58ef1340f00 Correlation ID: 88400164-6227-4ac7-a8ab-f87474f854a5 Timestamp: 2026-04-01 12:55:14Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✗ I attempt policy check "object-storage-versioning" for control "CCC.ObjStor.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Versioning Configuration: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:55:16.5866754Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: d7da925a-8ff9-406d-8c98-083c6d210b00 Correlation ID: 519631d6-ddf2-43d2-a76b-a4d21aeea010 Timestamp: 2026-04-01 12:55:16Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-tls-policy" for control "CCC.Core.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account TLS Policy Check: ⊘ "{result}" is true (skipped)

✗ I attempt policy check "object-storage-unencrypted-policy" for control "CCC.Core.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check: ⊘ "{result}" is true (skipped)

✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-encryption" for control "CCC.Core.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-delete-protection" for control "CCC.Core.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ I attempt policy check "admin-logging" for control "CCC.Core.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-write-logging" for control "CCC.Core.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Write Configuration: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-read-logging" for control "CCC.Core.CN04" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Read Configuration: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-storage-block-public-write-access" for control "CCC.Core.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-cross-tenant-block" for control "CCC.Core.CN05" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-block-public-read" for control "CCC.Core.CN05" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-region" for control "CCC.Core.CN06" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "enumeration-monitoring-policy" for control "CCC.Core.CN07" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "enumeration-logging-policy" for control "CCC.Core.CN07" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Logging Policy Check: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication" for control "CCC.Core.CN08" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication-status" for control "CCC.Core.CN08" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-access-logging" for control "CCC.Core.CN09" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-replication-destination" for control "CCC.Core.CN10" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "no-public-access" for control "CCC.ObjStor.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I call "{storage}" with "CreateObject" using arguments "{ResourceName}", "test-object={Timestamp}.txt", and "test content" ✗ "{result}" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775046164302.txt: PUT https://storagecfitest1775043178.blob.core.windows.net/ccc-test-container-1775043178/test-object=1775046164302.txt -------------------------------------------------------------------------------- RESPONSE 403: 403 This request is not authorized to perform this operation using this permission. ERROR CODE: AuthorizationPermissionMismatch -------------------------------------------------------------------------------- <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission. RequestId:cc408d5d-e01e-0003-6ed2-c1c301000000 Time:2026-04-01T12:26:46.4217644Z</Message></Error> -------------------------------------------------------------------------------- ⊘ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" (skipped) ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ "{result}" is not an error ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ "{result}" is not an error ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "uniform-bucket-level-access" for control "CCC.ObjStor.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Uniform Access Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:42:58.6161680Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 52ed7894-f1f6-47b6-9683-c0d71b491400 Correlation ID: 059544d3-5f50-4738-b39e-a1b8d88f8e19 Timestamp: 2026-04-01 12:42:58Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✗ I attempt policy check "bucket-soft-delete" for control "CCC.ObjStor.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Soft Delete Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:01.0015056Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: a6441681-f874-4c4e-8438-2d0ccb260c00 Correlation ID: b94a6db1-1334-450f-8797-89a479094410 Timestamp: 2026-04-01 12:43:01Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✗ I attempt policy check "bucket-retention-lock" for control "CCC.ObjStor.CN03" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Immutability Policy Lock Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:02.6736890Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 2ebbfacb-fbd1-4eea-bea8-5690fa430900 Correlation ID: 23ab2cd7-e6e7-40df-b685-a43fe101a3cc Timestamp: 2026-04-01 12:43:02Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-default-retention" for control "CCC.ObjStor.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Default Immutability Policy Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:47:07.5073091Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: d279db72-baf0-475c-97b4-6524c8c60300 Correlation ID: e1f13500-6b34-42c8-b895-5322b3e1e218 Timestamp: 2026-04-01 12:47:07Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-retention-enforcement" for control "CCC.ObjStor.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Object Retention Enforcement Check: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:55:14.7375633Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: fc41409f-8f97-4fa9-a831-f58ef1340f00 Correlation ID: 88400164-6227-4ac7-a8ab-f87474f854a5 Timestamp: 2026-04-01 12:55:14Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✗ I attempt policy check "object-storage-versioning" for control "CCC.ObjStor.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Blob Versioning Configuration: query execution failed: exit status 1 Output: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:55:16.5866754Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: d7da925a-8ff9-406d-8c98-083c6d210b00 Correlation ID: 519631d6-ddf2-43d2-a76b-a4d21aeea010 Timestamp: 2026-04-01 12:55:16Z Run the command below to authenticate interactively; additional arguments may be added as needed: az logout az login ⊘ "{result}" is true (skipped)

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required

✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required