[ { "message": "Storage account enforces minimum TLS version", "metadata": { "event_code": "Storage account enforces minimum TLS version", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@CCC.Core", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.Core.CN01", "@Policy", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"object-storage-tls-policy\" for control \"CCC.Core.CN01\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Account TLS Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043462, "created_time_dt": "2026-04-01T11:37:42Z", "desc": "Compliance test scenario: Storage account enforces minimum TLS version", "title": "Storage account enforces minimum TLS version", "types": [], "uid": "ccc-test-138-1775043462" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043462, "time_dt": "2026-04-01T11:37:42Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage policy prevents the use of unencrypted ports", "metadata": { "event_code": "Object storage policy prevents the use of unencrypted ports", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.Core", "@CCC.Core.CN01", "@Policy", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✗ I attempt policy check \"object-storage-unencrypted-policy\" for control \"CCC.Core.CN01\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043463, "created_time_dt": "2026-04-01T11:37:43Z", "desc": "Compliance test scenario: Object storage policy prevents the use of unencrypted ports", "title": "Object storage policy prevents the use of unencrypted ports", "types": [], "uid": "ccc-test-284-1775043463" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043463, "time_dt": "2026-04-01T11:37:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Storage account enforces mutual TLS - NotTested", "metadata": { "event_code": "Storage account enforces mutual TLS - NotTested", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@tls", "@tlp-amber", "@tlp-red", "@CCC.Core", "@CCC.Core.CN01", "@Policy", "@NotTested", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "Update", "status_code": "FAIL", "status_detail": "✓ no-op required", "status_id": 2, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR08" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043464, "created_time_dt": "2026-04-01T11:37:44Z", "desc": "Compliance test scenario: Storage account enforces mutual TLS - NotTested", "title": "Storage account enforces mutual TLS - NotTested", "types": [], "uid": "ccc-test-416-1775043464" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043464, "time_dt": "2026-04-01T11:37:44Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Verify objects are encrypted at rest", "metadata": { "event_code": "Verify objects are encrypted at rest", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN02", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-encryption-check={Timestamp}.txt\", and \"encryption test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-encryption-check=1775043464033.txt: PUT https://storagecfitest1775043178.blob.core.windows.net/ccc-test-container-1775043178/test-encryption-check=1775043464033.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:01541a0d-c01e-0049-3bcc-c1608e000000\nTime:2026-04-01T11:41:46.0954990Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I refer to \"{result}\" as \"uploadResult\" (skipped)\n⊘ \"{uploadResult.Encryption}\" is not null (skipped)\n⊘ \"{uploadResult.EncryptionAlgorithm}\" is \"AES256\" (skipped)\n⊘ I attach \"{uploadResult}\" to the test output as \"Upload Result with Encryption Details\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043464, "created_time_dt": "2026-04-01T11:37:44Z", "desc": "Compliance test scenario: Verify objects are encrypted at rest", "title": "Verify objects are encrypted at rest", "types": [], "uid": "ccc-test-452-1775043464" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043464, "time_dt": "2026-04-01T11:37:44Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage encryption compliance", "metadata": { "event_code": "Object storage encryption compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN02", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-encryption\" for control \"CCC.Core.CN02\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043706, "created_time_dt": "2026-04-01T11:41:46Z", "desc": "Compliance test scenario: Object storage encryption compliance", "title": "Object storage encryption compliance", "types": [], "uid": "ccc-test-456-1775043706" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043706, "time_dt": "2026-04-01T11:41:46Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage delete protection compliance", "metadata": { "event_code": "Object storage delete protection compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-delete-protection\" for control \"CCC.Core.CN03\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043706, "created_time_dt": "2026-04-01T11:41:46Z", "desc": "Compliance test scenario: Object storage delete protection compliance", "title": "Object storage delete protection compliance", "types": [], "uid": "ccc-test-478-1775043706" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043706, "time_dt": "2026-04-01T11:41:46Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "MFA requirement for destructive operations cannot be tested automatically", "metadata": { "event_code": "MFA requirement for destructive operations cannot be tested automatically", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043707, "created_time_dt": "2026-04-01T11:41:47Z", "desc": "Compliance test scenario: MFA requirement for destructive operations cannot be tested automatically", "title": "MFA requirement for destructive operations cannot be tested automatically", "types": [], "uid": "ccc-test-481-1775043707" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043707, "time_dt": "2026-04-01T11:41:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "API modification requires credential and trust perimeter origin - NotTestable", "metadata": { "event_code": "API modification requires credential and trust perimeter origin - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043707, "created_time_dt": "2026-04-01T11:41:47Z", "desc": "Compliance test scenario: API modification requires credential and trust perimeter origin - NotTestable", "title": "API modification requires credential and trust perimeter origin - NotTestable", "types": [], "uid": "ccc-test-499-1775043707" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043707, "time_dt": "2026-04-01T11:41:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "UI viewing requires multi-factor authentication - NotTestable", "metadata": { "event_code": "UI viewing requires multi-factor authentication - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043707, "created_time_dt": "2026-04-01T11:41:47Z", "desc": "Compliance test scenario: UI viewing requires multi-factor authentication - NotTestable", "title": "UI viewing requires multi-factor authentication - NotTestable", "types": [], "uid": "ccc-test-515-1775043707" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043707, "time_dt": "2026-04-01T11:41:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "API viewing requires credential and trust perimeter origin - NotTestable", "metadata": { "event_code": "API viewing requires credential and trust perimeter origin - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043707, "created_time_dt": "2026-04-01T11:41:47Z", "desc": "Compliance test scenario: API viewing requires credential and trust perimeter origin - NotTestable", "title": "API viewing requires credential and trust perimeter origin - NotTestable", "types": [], "uid": "ccc-test-531-1775043707" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043707, "time_dt": "2026-04-01T11:41:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage admin logging compliance", "metadata": { "event_code": "Object storage admin logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ I attempt policy check \"admin-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043707, "created_time_dt": "2026-04-01T11:41:47Z", "desc": "Compliance test scenario: Object storage admin logging compliance", "title": "Object storage admin logging compliance", "types": [], "uid": "ccc-test-575-1775043707" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043707, "time_dt": "2026-04-01T11:41:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Verify admin actions are logged with identity and timestamp", "metadata": { "event_code": "Verify admin actions are logged with identity and timestamp", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"{ServiceType}\"\n✓ I refer to \"{result}\" as \"theService\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"logging\"\n✓ I refer to \"{result}\" as \"loggingService\"\n✓ I call \"{theService}\" with \"UpdateResourcePolicy\"\n✓ \"{result}\" is not an error\n✓ I attach \"{result}\" to the test output as \"Policy Update Result\"\n✓ we wait for a period of \"10000\" ms\n✓ I call \"{loggingService}\" with \"QueryAdminLogs\" using arguments \"{ResourceName}\" and \"{20}\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"adminLogs\"\n✓ I attach \"{adminLogs}\" to the test output as \"Admin Activity Logs\"\n✓ \"{adminLogs}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043711, "created_time_dt": "2026-04-01T11:41:51Z", "desc": "Compliance test scenario: Verify admin actions are logged with identity and timestamp", "title": "Verify admin actions are logged with identity and timestamp", "types": [], "uid": "ccc-test-596-1775043711" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043711, "time_dt": "2026-04-01T11:41:51Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage data modification logging compliance", "metadata": { "event_code": "Object storage data modification logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"data-write-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Diagnostic Logging Write Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043727, "created_time_dt": "2026-04-01T11:42:07Z", "desc": "Compliance test scenario: Object storage data modification logging compliance", "title": "Object storage data modification logging compliance", "types": [], "uid": "ccc-test-627-1775043727" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043727, "time_dt": "2026-04-01T11:42:07Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Data read logging compliance", "metadata": { "event_code": "Data read logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-red", "@Policy", "@object-storage", "@vpc" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"data-read-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Diagnostic Logging Read Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043728, "created_time_dt": "2026-04-01T11:42:08Z", "desc": "Compliance test scenario: Data read logging compliance", "title": "Data read logging compliance", "types": [], "uid": "ccc-test-678-1775043728" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043728, "time_dt": "2026-04-01T11:42:08Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Verify data read operations are logged with identity and timestamp", "metadata": { "event_code": "Verify data read operations are logged with identity and timestamp", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"logging\"\n✓ I refer to \"{result}\" as \"loggingService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-read-logging-object={Timestamp}.txt\", and \"test data for read logging verification\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-read-logging-object=1775043730017.txt: PUT https://storagecfitest1775043178.blob.core.windows.net/ccc-test-container-1775043178/test-read-logging-object=1775043730017.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:015761a3-c01e-0049-6acd-c1608e000000\nTime:2026-04-01T11:46:12.0519647Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I refer to \"{result}\" as \"createResult\" (skipped)\n⊘ I call \"{storage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-read-logging-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"readResult\" (skipped)\n⊘ I attach \"{readResult}\" to the test output as \"Object Read Result\" (skipped)\n⊘ we wait for a period of \"10000\" ms (skipped)\n⊘ I call \"{loggingService}\" with \"QueryDataReadLogs\" using arguments \"{ResourceName}\" and \"{20}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"readLogs\" (skipped)\n⊘ I attach \"{readLogs}\" to the test output as \"Data Read Logs\" (skipped)\n⊘ \"{readLogs}\" is an array of objects with at least the following contents (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043730, "created_time_dt": "2026-04-01T11:42:10Z", "desc": "Compliance test scenario: Verify data read operations are logged with identity and timestamp", "title": "Verify data read operations are logged with identity and timestamp", "types": [], "uid": "ccc-test-697-1775043730" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043730, "time_dt": "2026-04-01T11:42:10Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents data modification by user with no access", "metadata": { "event_code": "Service prevents data modification by user with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-write-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-cn05-unauthorized-modify={Timestamp}.txt\", and \"unauthorized data\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-create-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775043972, "created_time_dt": "2026-04-01T11:46:12Z", "desc": "Compliance test scenario: Service prevents data modification by user with no access", "title": "Service prevents data modification by user with no access", "types": [], "uid": "ccc-test-761-1775043972" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775043972, "time_dt": "2026-04-01T11:46:12Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service allows data modification by user with write access", "metadata": { "event_code": "Service allows data modification by user with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write-access\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-cn05-authorized-modify={Timestamp}.txt\", and \"authorized data\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775044214, "created_time_dt": "2026-04-01T11:50:14Z", "desc": "Compliance test scenario: Service allows data modification by user with write access", "title": "Service allows data modification by user with write access", "types": [], "uid": "ccc-test-776-1775044214" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775044214, "time_dt": "2026-04-01T11:50:14Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Storage is not configured for public write access", "metadata": { "event_code": "Storage is not configured for public write access", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"object-storage-block-public-write-access\" for control \"CCC.Core.CN05\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775044456, "created_time_dt": "2026-04-01T11:54:16Z", "desc": "Compliance test scenario: Storage is not configured for public write access", "title": "Storage is not configured for public write access", "types": [], "uid": "ccc-test-784-1775044456" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775044456, "time_dt": "2026-04-01T11:54:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents administrative action (creating a new bucket) by user with no access", "metadata": { "event_code": "Service prevents administrative action (creating a new bucket) by user with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-admin-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-unauthorized-admin-container\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-admin-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775044457, "created_time_dt": "2026-04-01T11:54:17Z", "desc": "Compliance test scenario: Service prevents administrative action (creating a new bucket) by user with no access", "title": "Service prevents administrative action (creating a new bucket) by user with no access", "types": [], "uid": "ccc-test-863-1775044457" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775044457, "time_dt": "2026-04-01T11:54:17Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents administrative action (creating a new bucket) by user with read-only access", "metadata": { "event_code": "Service prevents administrative action (creating a new bucket) by user with read-only access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read-only-admin\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-only-admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-read-only-create-container\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-only-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775044700, "created_time_dt": "2026-04-01T11:58:20Z", "desc": "Compliance test scenario: Service prevents administrative action (creating a new bucket) by user with read-only access", "title": "Service prevents administrative action (creating a new bucket) by user with read-only access", "types": [], "uid": "ccc-test-878-1775044700" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775044700, "time_dt": "2026-04-01T11:58:20Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service allows administrative action (creating a new bucket) by user with admin access", "metadata": { "event_code": "Service allows administrative action (creating a new bucket) by user with admin access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-admin-access\", \"{UID}\", and \"admin\"\n✓ I refer to \"{result}\" as \"testUserAdmin\"\n✓ I attach \"{result}\" to the test output as \"admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserAdmin}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-authorized-admin-container\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"admin-create-bucket-result.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"test-cn05-authorized-admin-container\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775044942, "created_time_dt": "2026-04-01T12:02:22Z", "desc": "Compliance test scenario: Service allows administrative action (creating a new bucket) by user with admin access", "title": "Service allows administrative action (creating a new bucket) by user with admin access", "types": [], "uid": "ccc-test-894-1775044942" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775044942, "time_dt": "2026-04-01T12:02:22Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Unauthorized administrative access is blocked", "metadata": { "event_code": "Unauthorized administrative access is blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045184, "created_time_dt": "2026-04-01T12:06:24Z", "desc": "Compliance test scenario: Unauthorized administrative access is blocked", "title": "Unauthorized administrative access is blocked", "types": [], "uid": "ccc-test-901-1775045184" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045184, "time_dt": "2026-04-01T12:06:24Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Cross-tenant access is blocked without explicit allowlist", "metadata": { "event_code": "Cross-tenant access is blocked without explicit allowlist", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-cross-tenant-block\" for control \"CCC.Core.CN05\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045184, "created_time_dt": "2026-04-01T12:06:24Z", "desc": "Compliance test scenario: Cross-tenant access is blocked without explicit allowlist", "title": "Cross-tenant access is blocked without explicit allowlist", "types": [], "uid": "ccc-test-919-1775045184" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045184, "time_dt": "2026-04-01T12:06:24Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "External unauthorized data requests are blocked", "metadata": { "event_code": "External unauthorized data requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-block-public-read\" for control \"CCC.Core.CN05\" assessment requirement \"AR04\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045185, "created_time_dt": "2026-04-01T12:06:25Z", "desc": "Compliance test scenario: External unauthorized data requests are blocked", "title": "External unauthorized data requests are blocked", "types": [], "uid": "ccc-test-935-1775045185" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045185, "time_dt": "2026-04-01T12:06:25Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "External requests do not reveal service existence - NotTested", "metadata": { "event_code": "External requests do not reveal service existence - NotTested", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-red", "@Policy", "@NotTested", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "Update", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 2, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR05" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045186, "created_time_dt": "2026-04-01T12:06:26Z", "desc": "Compliance test scenario: External requests do not reveal service existence - NotTested", "title": "External requests do not reveal service existence - NotTested", "types": [], "uid": "ccc-test-949-1775045186" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045186, "time_dt": "2026-04-01T12:06:26Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents data read by user with no access - Duplicate", "metadata": { "event_code": "Service prevents data read by user with no access - Duplicate", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR06" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045186, "created_time_dt": "2026-04-01T12:06:26Z", "desc": "Compliance test scenario: Service prevents data read by user with no access - Duplicate", "title": "Service prevents data read by user with no access - Duplicate", "types": [], "uid": "ccc-test-979-1775045186" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045186, "time_dt": "2026-04-01T12:06:26Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "All unauthorized requests are blocked - Duplicate", "metadata": { "event_code": "All unauthorized requests are blocked - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR06" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045186, "created_time_dt": "2026-04-01T12:06:26Z", "desc": "Compliance test scenario: All unauthorized requests are blocked - Duplicate", "title": "All unauthorized requests are blocked - Duplicate", "types": [], "uid": "ccc-test-986-1775045186" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045186, "time_dt": "2026-04-01T12:06:26Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage region compliance", "metadata": { "event_code": "Object storage region compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-region\" for control \"CCC.Core.CN06\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045186, "created_time_dt": "2026-04-01T12:06:26Z", "desc": "Compliance test scenario: Object storage region compliance", "title": "Object storage region compliance", "types": [], "uid": "ccc-test-1020-1775045186" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045186, "time_dt": "2026-04-01T12:06:26Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Child resource region compliance - NotTestable", "metadata": { "event_code": "Child resource region compliance - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045187, "created_time_dt": "2026-04-01T12:06:27Z", "desc": "Compliance test scenario: Child resource region compliance - NotTestable", "title": "Child resource region compliance - NotTestable", "types": [], "uid": "ccc-test-1056-1775045187" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045187, "time_dt": "2026-04-01T12:06:27Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Child resource region compliance - NotTestable", "metadata": { "event_code": "Child resource region compliance - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045187, "created_time_dt": "2026-04-01T12:06:27Z", "desc": "Compliance test scenario: Child resource region compliance - NotTestable", "title": "Child resource region compliance - NotTestable", "types": [], "uid": "ccc-test-1059-1775045187" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045187, "time_dt": "2026-04-01T12:06:27Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Enumeration activities publish events to monitored channels", "metadata": { "event_code": "Enumeration activities publish events to monitored channels", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"enumeration-monitoring-policy\" for control \"CCC.Core.CN07\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045187, "created_time_dt": "2026-04-01T12:06:27Z", "desc": "Compliance test scenario: Enumeration activities publish events to monitored channels", "title": "Enumeration activities publish events to monitored channels", "types": [], "uid": "ccc-test-1080-1775045187" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045187, "time_dt": "2026-04-01T12:06:27Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Enumeration event publishing cannot be tested automatically - NotTestable", "metadata": { "event_code": "Enumeration event publishing cannot be tested automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045188, "created_time_dt": "2026-04-01T12:06:28Z", "desc": "Compliance test scenario: Enumeration event publishing cannot be tested automatically - NotTestable", "title": "Enumeration event publishing cannot be tested automatically - NotTestable", "types": [], "uid": "ccc-test-1083-1775045188" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045188, "time_dt": "2026-04-01T12:06:28Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Enumeration activities are logged", "metadata": { "event_code": "Enumeration activities are logged", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"enumeration-logging-policy\" for control \"CCC.Core.CN07\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Enumeration Logging Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045188, "created_time_dt": "2026-04-01T12:06:28Z", "desc": "Compliance test scenario: Enumeration activities are logged", "title": "Enumeration activities are logged", "types": [], "uid": "ccc-test-1106-1775045188" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045188, "time_dt": "2026-04-01T12:06:28Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Enumeration logging cannot be verified automatically - NotTestable", "metadata": { "event_code": "Enumeration logging cannot be verified automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045189, "created_time_dt": "2026-04-01T12:06:29Z", "desc": "Compliance test scenario: Enumeration logging cannot be verified automatically - NotTestable", "title": "Enumeration logging cannot be verified automatically - NotTestable", "types": [], "uid": "ccc-test-1109-1775045189" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045189, "time_dt": "2026-04-01T12:06:29Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage replication compliance", "metadata": { "event_code": "Object storage replication compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"object-storage-replication\" for control \"CCC.Core.CN08\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045189, "created_time_dt": "2026-04-01T12:06:29Z", "desc": "Compliance test scenario: Object storage replication compliance", "title": "Object storage replication compliance", "types": [], "uid": "ccc-test-1144-1775045189" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045189, "time_dt": "2026-04-01T12:06:29Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Bucket data is replicated to physically separate locations", "metadata": { "event_code": "Bucket data is replicated to physically separate locations", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetReplicationStatus\" using argument \"{ResourceName}\"\n✓ I refer to \"{result}\" as \"replicationStatus\"\n✓ I refer to \"{replicationStatus.Locations}\" as \"locations\"\n✓ I attach \"{replicationStatus}\" to the test output as \"Replication Status\"\n✓ \"{locations}\" is an array of objects with length \"2\"\n✓ \"{PermittedRegions}\" is an array of objects with at least the following contents\n✓ \"{PermittedRegions}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045190, "created_time_dt": "2026-04-01T12:06:30Z", "desc": "Compliance test scenario: Bucket data is replicated to physically separate locations", "title": "Bucket data is replicated to physically separate locations", "types": [], "uid": "ccc-test-1155-1775045190" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045190, "time_dt": "2026-04-01T12:06:30Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage replication status is visible", "metadata": { "event_code": "Object storage replication status is visible", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"object-storage-replication-status\" for control \"CCC.Core.CN08\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045190, "created_time_dt": "2026-04-01T12:06:30Z", "desc": "Compliance test scenario: Object storage replication status is visible", "title": "Object storage replication status is visible", "types": [], "uid": "ccc-test-1187-1775045190" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045190, "time_dt": "2026-04-01T12:06:30Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Replication status can be retrieved for monitoring", "metadata": { "event_code": "Replication status can be retrieved for monitoring", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetReplicationStatus\" using argument \"{ResourceName}\"\n✓ I refer to \"{result}\" as \"replicationStatus\"\n✓ I attach \"{replicationStatus}\" to the test output as \"Replication Status\"\n✓ I refer to \"{replicationStatus.Locations}\" as \"locations\"\n✓ \"{locations}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045191, "created_time_dt": "2026-04-01T12:06:31Z", "desc": "Compliance test scenario: Replication status can be retrieved for monitoring", "title": "Replication status can be retrieved for monitoring", "types": [], "uid": "ccc-test-1196-1775045191" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045191, "time_dt": "2026-04-01T12:06:31Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage access logging compliance", "metadata": { "event_code": "Object storage access logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"object-storage-access-logging\" for control \"CCC.Core.CN09\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045191, "created_time_dt": "2026-04-01T12:06:31Z", "desc": "Compliance test scenario: Object storage access logging compliance", "title": "Object storage access logging compliance", "types": [], "uid": "ccc-test-1213-1775045191" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045191, "time_dt": "2026-04-01T12:06:31Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Disabling logs requires disabling the resource - NotTestable", "metadata": { "event_code": "Disabling logs requires disabling the resource - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045192, "created_time_dt": "2026-04-01T12:06:32Z", "desc": "Compliance test scenario: Disabling logs requires disabling the resource - NotTestable", "title": "Disabling logs requires disabling the resource - NotTestable", "types": [], "uid": "ccc-test-1230-1775045192" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045192, "time_dt": "2026-04-01T12:06:32Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Redirecting logs requires halting the resource - NotTestable", "metadata": { "event_code": "Redirecting logs requires halting the resource - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045192, "created_time_dt": "2026-04-01T12:06:32Z", "desc": "Compliance test scenario: Redirecting logs requires halting the resource - NotTestable", "title": "Redirecting logs requires halting the resource - NotTestable", "types": [], "uid": "ccc-test-1245-1775045192" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045192, "time_dt": "2026-04-01T12:06:32Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object storage replication destination compliance", "metadata": { "event_code": "Object storage replication destination compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN10", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-replication-destination\" for control \"CCC.Core.CN10\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN10.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045192, "created_time_dt": "2026-04-01T12:06:32Z", "desc": "Compliance test scenario: Object storage replication destination compliance", "title": "Object storage replication destination compliance", "types": [], "uid": "ccc-test-1267-1775045192" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045192, "time_dt": "2026-04-01T12:06:32Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Replication destination trust cannot be verified automatically - NotTestable", "metadata": { "event_code": "Replication destination trust cannot be verified automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN10", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN10.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045193, "created_time_dt": "2026-04-01T12:06:33Z", "desc": "Compliance test scenario: Replication destination trust cannot be verified automatically - NotTestable", "title": "Replication destination trust cannot be verified automatically - NotTestable", "types": [], "uid": "ccc-test-1270-1775045193" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045193, "time_dt": "2026-04-01T12:06:33Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents reading bucket with no access", "metadata": { "event_code": "Service prevents reading bucket with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ListObjects\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-list-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045193, "created_time_dt": "2026-04-01T12:06:33Z", "desc": "Compliance test scenario: Service prevents reading bucket with no access", "title": "Service prevents reading bucket with no access", "types": [], "uid": "ccc-test-1324-1775045193" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045193, "time_dt": "2026-04-01T12:06:33Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service allows reading bucket with read access", "metadata": { "event_code": "Service allows reading bucket with read access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"read-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ListObjects\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-list-objects-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045435, "created_time_dt": "2026-04-01T12:10:35Z", "desc": "Compliance test scenario: Service allows reading bucket with read access", "title": "Service allows reading bucket with read access", "types": [], "uid": "ccc-test-1340-1775045435" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045435, "time_dt": "2026-04-01T12:10:35Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Test policy for bucket access control", "metadata": { "event_code": "Test policy for bucket access control", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"no-public-access\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045678, "created_time_dt": "2026-04-01T12:14:38Z", "desc": "Compliance test scenario: Test policy for bucket access control", "title": "Test policy for bucket access control", "types": [], "uid": "ccc-test-1348-1775045678" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045678, "time_dt": "2026-04-01T12:14:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents reading object with no access", "metadata": { "event_code": "Service prevents reading object with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775045679389.txt: PUT https://storagecfitest1775043178.blob.core.windows.net/ccc-test-container-1775043178/test-object=1775045679389.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:cc3c542f-e01e-0003-4ad1-c1c301000000\nTime:2026-04-01T12:18:41.9538108Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserNoAccess\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-read-object-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045679, "created_time_dt": "2026-04-01T12:14:39Z", "desc": "Compliance test scenario: Service prevents reading object with no access", "title": "Service prevents reading object with no access", "types": [], "uid": "ccc-test-1406-1775045679" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045679, "time_dt": "2026-04-01T12:14:39Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service allows reading object with read access", "metadata": { "event_code": "Service allows reading object with read access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775045921978.txt: PUT https://storagecfitest1775043178.blob.core.windows.net/ccc-test-container-1775043178/test-object=1775045921978.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:cc3e9db2-e01e-0003-3bd2-c1c301000000\nTime:2026-04-01T12:22:44.2775685Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-read-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775045921, "created_time_dt": "2026-04-01T12:18:41Z", "desc": "Compliance test scenario: Service allows reading object with read access", "title": "Service allows reading object with read access", "types": [], "uid": "ccc-test-1424-1775045921" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775045921, "time_dt": "2026-04-01T12:18:41Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775046164302.txt: PUT https://storagecfitest1775043178.blob.core.windows.net/ccc-test-container-1775043178/test-object=1775046164302.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:cc408d5d-e01e-0003-6ed2-c1c301000000\nTime:2026-04-01T12:26:46.4217644Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" (skipped)\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775046164, "created_time_dt": "2026-04-01T12:22:44Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1434-1775046164" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775046164, "time_dt": "2026-04-01T12:22:44Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents creating bucket with no access", "metadata": { "event_code": "Service prevents creating bucket with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-bucket-no-access\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775046406, "created_time_dt": "2026-04-01T12:26:46Z", "desc": "Compliance test scenario: Service prevents creating bucket with no access", "title": "Service prevents creating bucket with no access", "types": [], "uid": "ccc-test-1491-1775046406" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775046406, "time_dt": "2026-04-01T12:26:46Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service allows creating bucket with write access", "metadata": { "event_code": "Service allows creating bucket with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"write-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-bucket-write\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-bucket-result.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"{result.ID}\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775046648, "created_time_dt": "2026-04-01T12:30:48Z", "desc": "Compliance test scenario: Service allows creating bucket with write access", "title": "Service allows creating bucket with write access", "types": [], "uid": "ccc-test-1508-1775046648" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775046648, "time_dt": "2026-04-01T12:30:48Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage RBAC in Use: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775046890, "created_time_dt": "2026-04-01T12:34:50Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1516-1775046890" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775046890, "time_dt": "2026-04-01T12:34:50Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents writing object with read-only access", "metadata": { "event_code": "Service prevents writing object with read-only access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-write-object={Timestamp}.txt\", and \"test content\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-create-object-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775046891, "created_time_dt": "2026-04-01T12:34:51Z", "desc": "Compliance test scenario: Service prevents writing object with read-only access", "title": "Service prevents writing object with read-only access", "types": [], "uid": "ccc-test-1576-1775046891" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775046891, "time_dt": "2026-04-01T12:34:51Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service allows writing object with write access", "metadata": { "event_code": "Service allows writing object with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"write-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-write-object={Timestamp}.txt\", and \"test content\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047134, "created_time_dt": "2026-04-01T12:38:54Z", "desc": "Compliance test scenario: Service allows writing object with write access", "title": "Service allows writing object with write access", "types": [], "uid": "ccc-test-1594-1775047134" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047134, "time_dt": "2026-04-01T12:38:54Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✗ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR04\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage RBAC in Use: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047376, "created_time_dt": "2026-04-01T12:42:56Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1604-1775047376" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047376, "time_dt": "2026-04-01T12:42:56Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service enforces uniform bucket-level access by rejecting object-level permissions", "metadata": { "event_code": "Service enforces uniform bucket-level access by rejecting object-level permissions", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775047377091.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:42:57.6581812Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 3858917d-2902-4403-9d0a-677daa7c1300 Correlation ID: 1359ebd9-c203-4639-bbb1-7abc9592718c Timestamp: 2026-04-01 12:42:57Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"SetObjectPermission\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"none\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-object-permission-error.txt\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047377, "created_time_dt": "2026-04-01T12:42:57Z", "desc": "Compliance test scenario: Service enforces uniform bucket-level access by rejecting object-level permissions", "title": "Service enforces uniform bucket-level access by rejecting object-level permissions", "types": [], "uid": "ccc-test-1658-1775047377" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047377, "time_dt": "2026-04-01T12:42:57Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Test policy for uniform access", "metadata": { "event_code": "Test policy for uniform access", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"uniform-bucket-level-access\" for control \"CCC.ObjStor.CN02\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Uniform Access Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:42:58.6161680Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 52ed7894-f1f6-47b6-9683-c0d71b491400 Correlation ID: 059544d3-5f50-4738-b39e-a1b8d88f8e19 Timestamp: 2026-04-01 12:42:58Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047377, "created_time_dt": "2026-04-01T12:42:57Z", "desc": "Compliance test scenario: Test policy for uniform access", "title": "Test policy for uniform access", "types": [], "uid": "ccc-test-1666-1775047377" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047377, "time_dt": "2026-04-01T12:42:57Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service enforces uniform bucket-level access denial", "metadata": { "event_code": "Service enforces uniform bucket-level access denial", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775047378856.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:42:59.3883069Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 41444abc-458f-4080-8fe7-b392563a0c00 Correlation ID: 17343955-f8fa-40ef-9879-8ee3b4aecc30 Timestamp: 2026-04-01 12:42:59Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserNoAccess\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I call \"{storage}\" with \"SetObjectPermission\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"read\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-object-permission-error.txt\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047378, "created_time_dt": "2026-04-01T12:42:58Z", "desc": "Compliance test scenario: Service enforces uniform bucket-level access denial", "title": "Service enforces uniform bucket-level access denial", "types": [], "uid": "ccc-test-1721-1775047378" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047378, "time_dt": "2026-04-01T12:42:58Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "metadata": { "event_code": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Policy", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047379, "created_time_dt": "2026-04-01T12:42:59Z", "desc": "Compliance test scenario: Uniform bucket-level access prevents object-level deny overrides - Duplicate", "title": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "types": [], "uid": "ccc-test-1728-1775047379" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047379, "time_dt": "2026-04-01T12:42:59Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service supports bucket soft delete and recovery", "metadata": { "event_code": "Service supports bucket soft delete and recovery", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateBucket\" using argument \"ccc-test-soft-delete\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to create container: failed to create container ccc-test-soft-delete: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:00.0975342Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 3b49c722-650d-48c2-bbb1-e11b93120a00 Correlation ID: 464df169-4e47-46f7-8bc9-c7df20aca4f9 Timestamp: 2026-04-01 12:43:00Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I refer to \"{result}\" as \"testBucket\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"created-bucket.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"ListDeletedBuckets\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"deleted-buckets.json\" (skipped)\n? \"{result}\" should have length greater than \"0\" (undefined)\n⊘ I call \"{storage}\" with \"RestoreBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"ListBuckets\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"restored-buckets.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047379, "created_time_dt": "2026-04-01T12:42:59Z", "desc": "Compliance test scenario: Service supports bucket soft delete and recovery", "title": "Service supports bucket soft delete and recovery", "types": [], "uid": "ccc-test-1782-1775047379" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047379, "time_dt": "2026-04-01T12:42:59Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Test policy for bucket soft delete", "metadata": { "event_code": "Test policy for bucket soft delete", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✗ I attempt policy check \"bucket-soft-delete\" for control \"CCC.ObjStor.CN03\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Soft Delete Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:01.0015056Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: a6441681-f874-4c4e-8438-2d0ccb260c00 Correlation ID: b94a6db1-1334-450f-8797-89a479094410 Timestamp: 2026-04-01 12:43:01Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047380, "created_time_dt": "2026-04-01T12:43:00Z", "desc": "Compliance test scenario: Test policy for bucket soft delete", "title": "Test policy for bucket soft delete", "types": [], "uid": "ccc-test-1788-1775047380" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047380, "time_dt": "2026-04-01T12:43:00Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents modification of locked retention policy", "metadata": { "event_code": "Service prevents modification of locked retention policy", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetBucketRetentionDurationDays\" using argument \"{ResourceName}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to get container properties: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:01.7128125Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: d191f517-9b87-4252-9dd1-eb9cc3970900 Correlation ID: d02bebb9-430b-4c07-8e2d-8109c94afcfb Timestamp: 2026-04-01 12:43:01Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I refer to \"{result}\" as \"originalRetention\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"original-retention-days.txt\" (skipped)\n⊘ \"{result}\" should be greater than \"0\" (skipped)\n⊘ I call \"{storage}\" with \"SetBucketRetentionDurationDays\" using arguments \"{ResourceName}\" and \"1\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-retention-error.txt\" (skipped)\n⊘ I call \"{storage}\" with \"GetBucketRetentionDurationDays\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n? \"{result}\" should equal \"{originalRetention}\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047381, "created_time_dt": "2026-04-01T12:43:01Z", "desc": "Compliance test scenario: Service prevents modification of locked retention policy", "title": "Service prevents modification of locked retention policy", "types": [], "uid": "ccc-test-1830-1775047381" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047381, "time_dt": "2026-04-01T12:43:01Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Test policy for immutable bucket retention lock", "metadata": { "event_code": "Test policy for immutable bucket retention lock", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✗ I attempt policy check \"bucket-retention-lock\" for control \"CCC.ObjStor.CN03\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Immutability Policy Lock Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:43:02.6736890Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 2ebbfacb-fbd1-4eea-bea8-5690fa430900 Correlation ID: 23ab2cd7-e6e7-40df-b685-a43fe101a3cc Timestamp: 2026-04-01 12:43:02Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047381, "created_time_dt": "2026-04-01T12:43:01Z", "desc": "Compliance test scenario: Test policy for immutable bucket retention lock", "title": "Test policy for immutable bucket retention lock", "types": [], "uid": "ccc-test-1836-1775047381" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047381, "time_dt": "2026-04-01T12:43:01Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service applies default retention policy to newly uploaded object", "metadata": { "event_code": "Service applies default retention policy to newly uploaded object", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-retention-object={Timestamp}.txt\", and \"protected data\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"uploaded-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"GetObjectRetentionDurationDays\" using arguments \"{ResourceName}\" and \"test-retention-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" should be greater than \"1\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047382, "created_time_dt": "2026-04-01T12:43:02Z", "desc": "Compliance test scenario: Service applies default retention policy to newly uploaded object", "title": "Service applies default retention policy to newly uploaded object", "types": [], "uid": "ccc-test-1896-1775047382" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047382, "time_dt": "2026-04-01T12:43:02Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service enforces retention policy on newly created objects", "metadata": { "event_code": "Service enforces retention policy on newly created objects", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"immediate-delete-test={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob immediate-delete-test=1775047625583.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:47:05.8871394Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 550a146d-f6f6-46d2-9c81-25bc40b31400 Correlation ID: 60f6ce1c-b476-4280-98e1-8147e334e9cb Timestamp: 2026-04-01 12:47:05Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"immediate-delete-test={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"immediate-delete-error.txt\" (skipped)\n? \"{result}\" should contain \"retention\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047625, "created_time_dt": "2026-04-01T12:47:05Z", "desc": "Compliance test scenario: Service enforces retention policy on newly created objects", "title": "Service enforces retention policy on newly created objects", "types": [], "uid": "ccc-test-1908-1775047625" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047625, "time_dt": "2026-04-01T12:47:05Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service validates retention period meets minimum requirements", "metadata": { "event_code": "Service validates retention period meets minimum requirements", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"retention-period-test={Timestamp}.txt\", and \"compliance data\"\n✓ I call \"{storage}\" with \"GetObjectRetentionDurationDays\" using arguments \"{ResourceName}\" and \"retention-period-test={Timestamp}.txt\"\n✗ \"{result}\" should be greater than \"1\" - Error: cannot parse {result} as number: strconv.ParseFloat: parsing \"failed to get blob properties: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:47:06.8390040Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: be413971-b288-4230-b8f9-e878dec90200 Correlation ID: cdddabc4-4461-4934-9e83-9dbb7012824f Timestamp: 2026-04-01 12:47:06Z\\nRun the command below to authenticate interactively; additional arguments may be added as needed:\\naz logout\\naz login\\n\": invalid syntax\n⊘ I attach \"{result}\" to the test output as \"retention-period-days.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047626, "created_time_dt": "2026-04-01T12:47:06Z", "desc": "Compliance test scenario: Service validates retention period meets minimum requirements", "title": "Service validates retention period meets minimum requirements", "types": [], "uid": "ccc-test-1918-1775047626" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047626, "time_dt": "2026-04-01T12:47:06Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Test policy for default object retention", "metadata": { "event_code": "Test policy for default object retention", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-default-retention\" for control \"CCC.ObjStor.CN04\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Default Immutability Policy Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:47:07.5073091Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: d279db72-baf0-475c-97b4-6524c8c60300 Correlation ID: e1f13500-6b34-42c8-b895-5322b3e1e218 Timestamp: 2026-04-01 12:47:07Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047627, "created_time_dt": "2026-04-01T12:47:07Z", "desc": "Compliance test scenario: Test policy for default object retention", "title": "Test policy for default object retention", "types": [], "uid": "ccc-test-1926-1775047627" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047627, "time_dt": "2026-04-01T12:47:07Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents object deletion by write user during retention period", "metadata": { "event_code": "Service prevents object deletion by write user during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"protected-object={Timestamp}.txt\", and \"immutable data\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"protected-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"delete-protected-error.txt\" (skipped)\n? \"{result}\" should contain one of \"retention, locked, immutable, protected\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047627, "created_time_dt": "2026-04-01T12:47:07Z", "desc": "Compliance test scenario: Service prevents object deletion by write user during retention period", "title": "Service prevents object deletion by write user during retention period", "types": [], "uid": "ccc-test-2015-1775047627" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047627, "time_dt": "2026-04-01T12:47:07Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents object deletion by admin user during retention period", "metadata": { "event_code": "Service prevents object deletion by admin user during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"admin-protected-object={Timestamp}.txt\", and \"compliance data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob admin-protected-object=1775047870175.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:51:10.5202132Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: c8b0ad53-b2aa-41f1-9eaa-28edc48e1100 Correlation ID: 7a9326df-c55e-4404-ab53-d3845da3a1f7 Timestamp: 2026-04-01 12:51:10Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"admin-protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"admin-delete-protected-error.txt\" (skipped)\n? \"{result}\" should contain \"retention\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047870, "created_time_dt": "2026-04-01T12:51:10Z", "desc": "Compliance test scenario: Service prevents object deletion by admin user during retention period", "title": "Service prevents object deletion by admin user during retention period", "types": [], "uid": "ccc-test-2027-1775047870" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047870, "time_dt": "2026-04-01T12:51:10Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service prevents object modification during retention period", "metadata": { "event_code": "Service prevents object modification during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"modify-test-object={Timestamp}.txt\", and \"original content\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"original-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"modify-test-object={Timestamp}.txt\", and \"modified content\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"modify-protected-error.txt\" (skipped)\n? \"{result}\" should contain one of \"retention, locked, immutable, protected, exists\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775047870, "created_time_dt": "2026-04-01T12:51:10Z", "desc": "Compliance test scenario: Service prevents object modification during retention period", "title": "Service prevents object modification during retention period", "types": [], "uid": "ccc-test-2045-1775047870" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775047870, "time_dt": "2026-04-01T12:51:10Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service allows object read access during retention period", "metadata": { "event_code": "Service allows object read access during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"readable-protected-object={Timestamp}.txt\", and \"readable data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob readable-protected-object=1775048113297.txt: AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:55:13.9190839Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 4b424c6c-3463-4e07-bf59-5f8f12901500 Correlation ID: c8892b37-dd92-4234-9963-a8c8ce74dfd1 Timestamp: 2026-04-01 12:55:13Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"readable-protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"readResult\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-protected-object.json\" (skipped)\n⊘ \"{readResult.Name}\" is \"readable-protected-object={Timestamp}.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048113, "created_time_dt": "2026-04-01T12:55:13Z", "desc": "Compliance test scenario: Service allows object read access during retention period", "title": "Service allows object read access during retention period", "types": [], "uid": "ccc-test-2064-1775048113" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048113, "time_dt": "2026-04-01T12:55:13Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Test policy for object retention enforcement", "metadata": { "event_code": "Test policy for object retention enforcement", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-retention-enforcement\" for control \"CCC.ObjStor.CN04\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Object Retention Enforcement Check: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:55:14.7375633Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: fc41409f-8f97-4fa9-a831-f58ef1340f00 Correlation ID: 88400164-6227-4ac7-a8ab-f87474f854a5 Timestamp: 2026-04-01 12:55:14Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048114, "created_time_dt": "2026-04-01T12:55:14Z", "desc": "Compliance test scenario: Test policy for object retention enforcement", "title": "Test policy for object retention enforcement", "types": [], "uid": "ccc-test-2072-1775048114" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048114, "time_dt": "2026-04-01T12:55:14Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Service enables versioning and objects receive unique version identifiers", "metadata": { "event_code": "Service enables versioning and objects receive unique version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"IsBucketVersioningEnabled\" using argument \"{ResourceName}\"\n✓ \"{result}\" is true\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"versioned-object.txt\", and \"test content\"\n✓ I refer to \"{result}\" as \"createdObject\"\n✗ \"{createdObject.VersionID}\" contains \"20\" - Error: expected {createdObject.VersionID} to contain '20', but got '\u003cnil\u003e'\n⊘ I attach \"{result}\" to the test output as \"versioned-object.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048114, "created_time_dt": "2026-04-01T12:55:14Z", "desc": "Compliance test scenario: Service enables versioning and objects receive unique version identifiers", "title": "Service enables versioning and objects receive unique version identifiers", "types": [], "uid": "ccc-test-2106-1775048114" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048114, "time_dt": "2026-04-01T12:55:14Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Objects are stored with unique version identifiers", "metadata": { "event_code": "Objects are stored with unique version identifiers", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✗ I attempt policy check \"object-storage-versioning\" for control \"CCC.ObjStor.CN05\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Versioning Configuration: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-01T12:55:16.5866754Z, assertion valid from 2026-04-01T11:32:59.0000000Z, expiry time of assertion 2026-04-01T11:37:59.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: d7da925a-8ff9-406d-8c98-083c6d210b00 Correlation ID: 519631d6-ddf2-43d2-a76b-a4d21aeea010 Timestamp: 2026-04-01 12:55:16Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048115, "created_time_dt": "2026-04-01T12:55:15Z", "desc": "Compliance test scenario: Objects are stored with unique version identifiers", "title": "Objects are stored with unique version identifiers", "types": [], "uid": "ccc-test-2112-1775048115" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048115, "time_dt": "2026-04-01T12:55:15Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Modified objects receive new version identifiers", "metadata": { "event_code": "Modified objects receive new version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"original content\"\n✓ I refer to \"{result.VersionID}\" as \"version1\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"modified content\"\n✓ I refer to \"{result.VersionID}\" as \"version2\"\n? \"{version1}\" is not equal to \"{version2}\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048116, "created_time_dt": "2026-04-01T12:55:16Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers", "title": "Modified objects receive new version identifiers", "types": [], "uid": "ccc-test-2144-1775048116" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048116, "time_dt": "2026-04-01T12:55:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Modified objects receive new version identifiers - Duplicate", "metadata": { "event_code": "Modified objects receive new version identifiers - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048118, "created_time_dt": "2026-04-01T12:55:18Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers - Duplicate", "title": "Modified objects receive new version identifiers - Duplicate", "types": [], "uid": "ccc-test-2149-1775048118" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048118, "time_dt": "2026-04-01T12:55:18Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Modified objects receive new version identifiers", "metadata": { "event_code": "Modified objects receive new version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"original content\"\n✓ I refer to \"{result.VersionID}\" as \"version1\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"modified content\"\n✓ I refer to \"{result.VersionID}\" as \"version2\"\n✓ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"{version1}\"\n✓ I attach \"{result}\" to the test output as \"original-content.json\"\n✗ \"{result.Data}\" contains \"original content\" - Error: expected {result.Data} to contain 'original content', but got '\u003cnil\u003e'\n⊘ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"{version2}\" (skipped)\n⊘ \"{result.Data}\" contains \"modified content\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"modified-content.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048118, "created_time_dt": "2026-04-01T12:55:18Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers", "title": "Modified objects receive new version identifiers", "types": [], "uid": "ccc-test-2190-1775048118" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048118, "time_dt": "2026-04-01T12:55:18Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Previous object versions can be recovered", "metadata": { "event_code": "Previous object versions can be recovered", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048120, "created_time_dt": "2026-04-01T12:55:20Z", "desc": "Compliance test scenario: Previous object versions can be recovered", "title": "Previous object versions can be recovered", "types": [], "uid": "ccc-test-2195-1775048120" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048120, "time_dt": "2026-04-01T12:55:20Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Deleted object data can be reloaded from previous version", "metadata": { "event_code": "Deleted object data can be reloaded from previous version", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"recover-deleted-object={Timestamp}.txt\", and \"data to retain\"\n✓ I refer to \"{result.VersionID}\" as \"retainedVersionId\"\n✓ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"recover-deleted-object={Timestamp}.txt\"\n✓ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"recover-deleted-object={Timestamp}.txt\", and \"{retainedVersionId}\"\n✗ \"{result.Data}\" contains \"data to retain\" - Error: expected {result.Data} to contain 'data to retain', but got '\u003cnil\u003e'\n⊘ I attach \"{result}\" to the test output as \"recovered-deleted-version.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048120, "created_time_dt": "2026-04-01T12:55:20Z", "desc": "Compliance test scenario: Deleted object data can be reloaded from previous version", "title": "Deleted object data can be reloaded from previous version", "types": [], "uid": "ccc-test-2239-1775048120" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048120, "time_dt": "2026-04-01T12:55:20Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Deleted object version remains in version list", "metadata": { "event_code": "Deleted object version remains in version list", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"list-deleted-versions-object={Timestamp}.txt\", and \"versioned data\"\n✓ I refer to \"{result.VersionID}\" as \"listedVersionId\"\n✓ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"list-deleted-versions-object={Timestamp}.txt\"\n✓ I call \"{storage}\" with \"ListObjectVersions\" using arguments \"{ResourceName}\" and \"list-deleted-versions-object={Timestamp}.txt\"\n✗ \"{result}\" is an array of objects with at least the following contents - Error: field {result} is not an array\n⊘ I attach \"{result}\" to the test output as \"versions-after-delete.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048122, "created_time_dt": "2026-04-01T12:55:22Z", "desc": "Compliance test scenario: Deleted object version remains in version list", "title": "Deleted object version remains in version list", "types": [], "uid": "ccc-test-2249-1775048122" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048122, "time_dt": "2026-04-01T12:55:22Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] }, { "message": "Object versions are retained after deletion - Duplicate", "metadata": { "event_code": "Object versions are retained after deletion - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775048124, "created_time_dt": "2026-04-01T12:55:24Z", "desc": "Compliance test scenario: Object versions are retained after deletion - Duplicate", "title": "Object versions are retained after deletion - Duplicate", "types": [], "uid": "ccc-test-2254-1775048124" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775048124, "time_dt": "2026-04-01T12:55:24Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_1775043178/providers/Microsoft.Storage/storageAccounts/storagecfitest1775043178" } ] } ]