[ { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558408, "created_time_dt": "2026-04-07T10:40:08Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775558408" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "type": "vpc", "uid": "vpc-0c697ba86026b9c59" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775558408, "time_dt": "2026-04-07T10:40:08Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558408, "created_time_dt": "2026-04-07T10:40:08Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775558408" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "type": "vpc", "uid": "vpc-0c697ba86026b9c59" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775558408, "time_dt": "2026-04-07T10:40:08Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558409, "created_time_dt": "2026-04-07T10:40:09Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775558409" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "type": "vpc", "uid": "vpc-0c697ba86026b9c59" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775558409, "time_dt": "2026-04-07T10:40:09Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558409, "created_time_dt": "2026-04-07T10:40:09Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775558409" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "type": "vpc", "uid": "vpc-0c697ba86026b9c59" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775558409, "time_dt": "2026-04-07T10:40:09Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558409, "created_time_dt": "2026-04-07T10:40:09Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775558409" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "type": "vpc", "uid": "vpc-0c697ba86026b9c59" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775558409, "time_dt": "2026-04-07T10:40:09Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558410, "created_time_dt": "2026-04-07T10:40:10Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2544-1775558410" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "type": "vpc", "uid": "vpc-0c697ba86026b9c59" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775558410, "time_dt": "2026-04-07T10:40:10Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558410, "created_time_dt": "2026-04-07T10:40:10Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2559-1775558410" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0c697ba86026b9c59", "region": "us-east-1", "type": "vpc", "uid": "vpc-0c697ba86026b9c59" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775558410, "time_dt": "2026-04-07T10:40:10Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558402, "created_time_dt": "2026-04-07T10:40:02Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775558402" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0b622dcd5eee1a986" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775558402, "time_dt": "2026-04-07T10:40:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558402, "created_time_dt": "2026-04-07T10:40:02Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775558402" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0b622dcd5eee1a986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775558402, "time_dt": "2026-04-07T10:40:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558403, "created_time_dt": "2026-04-07T10:40:03Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775558403" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0b622dcd5eee1a986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775558403, "time_dt": "2026-04-07T10:40:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558403, "created_time_dt": "2026-04-07T10:40:03Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775558403" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0b622dcd5eee1a986" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775558403, "time_dt": "2026-04-07T10:40:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558404, "created_time_dt": "2026-04-07T10:40:04Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775558404" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0b622dcd5eee1a986" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775558404, "time_dt": "2026-04-07T10:40:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558404, "created_time_dt": "2026-04-07T10:40:04Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2544-1775558404" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0b622dcd5eee1a986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775558404, "time_dt": "2026-04-07T10:40:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558404, "created_time_dt": "2026-04-07T10:40:04Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2559-1775558404" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0b622dcd5eee1a986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0b622dcd5eee1a986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775558404, "time_dt": "2026-04-07T10:40:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558405, "created_time_dt": "2026-04-07T10:40:05Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775558405" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "type": "vpc", "uid": "vpc-03e0763d329ec1a53" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775558405, "time_dt": "2026-04-07T10:40:05Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558405, "created_time_dt": "2026-04-07T10:40:05Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775558405" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "type": "vpc", "uid": "vpc-03e0763d329ec1a53" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775558405, "time_dt": "2026-04-07T10:40:05Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558406, "created_time_dt": "2026-04-07T10:40:06Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775558406" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "type": "vpc", "uid": "vpc-03e0763d329ec1a53" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775558406, "time_dt": "2026-04-07T10:40:06Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558406, "created_time_dt": "2026-04-07T10:40:06Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775558406" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "type": "vpc", "uid": "vpc-03e0763d329ec1a53" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775558406, "time_dt": "2026-04-07T10:40:06Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558407, "created_time_dt": "2026-04-07T10:40:07Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775558407" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "type": "vpc", "uid": "vpc-03e0763d329ec1a53" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775558407, "time_dt": "2026-04-07T10:40:07Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558407, "created_time_dt": "2026-04-07T10:40:07Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2544-1775558407" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "type": "vpc", "uid": "vpc-03e0763d329ec1a53" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775558407, "time_dt": "2026-04-07T10:40:07Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558407, "created_time_dt": "2026-04-07T10:40:07Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2559-1775558407" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-03e0763d329ec1a53", "region": "us-east-1", "type": "vpc", "uid": "vpc-03e0763d329ec1a53" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775558407, "time_dt": "2026-04-07T10:40:07Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558399, "created_time_dt": "2026-04-07T10:39:59Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775558399" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "type": "vpc", "uid": "vpc-00ceb92e81affe793" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775558399, "time_dt": "2026-04-07T10:39:59Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558399, "created_time_dt": "2026-04-07T10:39:59Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775558399" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "type": "vpc", "uid": "vpc-00ceb92e81affe793" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775558399, "time_dt": "2026-04-07T10:39:59Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558400, "created_time_dt": "2026-04-07T10:40:00Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775558400" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "type": "vpc", "uid": "vpc-00ceb92e81affe793" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775558400, "time_dt": "2026-04-07T10:40:00Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558400, "created_time_dt": "2026-04-07T10:40:00Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775558400" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "type": "vpc", "uid": "vpc-00ceb92e81affe793" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775558400, "time_dt": "2026-04-07T10:40:00Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558401, "created_time_dt": "2026-04-07T10:40:01Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775558401" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "type": "vpc", "uid": "vpc-00ceb92e81affe793" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775558401, "time_dt": "2026-04-07T10:40:01Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558401, "created_time_dt": "2026-04-07T10:40:01Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2544-1775558401" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "type": "vpc", "uid": "vpc-00ceb92e81affe793" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775558401, "time_dt": "2026-04-07T10:40:01Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558401, "created_time_dt": "2026-04-07T10:40:01Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2559-1775558401" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-00ceb92e81affe793", "region": "us-east-1", "type": "vpc", "uid": "vpc-00ceb92e81affe793" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775558401, "time_dt": "2026-04-07T10:40:01Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558371, "created_time_dt": "2026-04-07T10:39:31Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775558371" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "type": "vpc", "uid": "vpc-0f691db8cf3afae09" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775558371, "time_dt": "2026-04-07T10:39:31Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558372, "created_time_dt": "2026-04-07T10:39:32Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775558372" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "type": "vpc", "uid": "vpc-0f691db8cf3afae09" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775558372, "time_dt": "2026-04-07T10:39:32Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558372, "created_time_dt": "2026-04-07T10:39:32Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775558372" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "type": "vpc", "uid": "vpc-0f691db8cf3afae09" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775558372, "time_dt": "2026-04-07T10:39:32Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558372, "created_time_dt": "2026-04-07T10:39:32Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775558372" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "type": "vpc", "uid": "vpc-0f691db8cf3afae09" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775558372, "time_dt": "2026-04-07T10:39:32Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558373, "created_time_dt": "2026-04-07T10:39:33Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775558373" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "type": "vpc", "uid": "vpc-0f691db8cf3afae09" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775558373, "time_dt": "2026-04-07T10:39:33Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558373, "created_time_dt": "2026-04-07T10:39:33Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2544-1775558373" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "type": "vpc", "uid": "vpc-0f691db8cf3afae09" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775558373, "time_dt": "2026-04-07T10:39:33Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558374, "created_time_dt": "2026-04-07T10:39:34Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2559-1775558374" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0f691db8cf3afae09", "region": "us-east-1", "type": "vpc", "uid": "vpc-0f691db8cf3afae09" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775558374, "time_dt": "2026-04-07T10:39:34Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558374, "created_time_dt": "2026-04-07T10:39:34Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775558374" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "type": "vpc", "uid": "vpc-027ef85c88b9d68c2" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775558374, "time_dt": "2026-04-07T10:39:34Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558375, "created_time_dt": "2026-04-07T10:39:35Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775558375" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "type": "vpc", "uid": "vpc-027ef85c88b9d68c2" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✓ \"{result.Reason}\" contains \"disable default public IP\"", "status_id": 1, "time": 1775558375, "time_dt": "2026-04-07T10:39:35Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558375, "created_time_dt": "2026-04-07T10:39:35Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775558375" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "type": "vpc", "uid": "vpc-027ef85c88b9d68c2" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✓ \"{result.Deleted}\" is true", "status_id": 1, "time": 1775558375, "time_dt": "2026-04-07T10:39:35Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558384, "created_time_dt": "2026-04-07T10:39:44Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775558384" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "type": "vpc", "uid": "vpc-027ef85c88b9d68c2" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775558384, "time_dt": "2026-04-07T10:39:44Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558384, "created_time_dt": "2026-04-07T10:39:44Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775558384" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "type": "vpc", "uid": "vpc-027ef85c88b9d68c2" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775558384, "time_dt": "2026-04-07T10:39:44Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558384, "created_time_dt": "2026-04-07T10:39:44Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2544-1775558384" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "type": "vpc", "uid": "vpc-027ef85c88b9d68c2" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.FlowLogCount}\" should be greater than \"0\"\n✓ \"{result.NonCompliantCount}\" is \"0\"", "status_id": 1, "time": 1775558384, "time_dt": "2026-04-07T10:39:44Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775558385, "created_time_dt": "2026-04-07T10:39:45Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2559-1775558385" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-027ef85c88b9d68c2", "region": "us-east-1", "type": "vpc", "uid": "vpc-027ef85c88b9d68c2" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✓ \"{result.Deleted}\" is true\n✓ \"{TrafficCleanupDeleted}\" is true\n✓ \"{RecordsObserved}\" is true", "status_id": 1, "time": 1775558385, "time_dt": "2026-04-07T10:39:45Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } } ]