[ { "message": "Storage account enforces minimum TLS version", "metadata": { "event_code": "Storage account enforces minimum TLS version", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@CCC.Core", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.Core.CN01", "@Policy", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"object-storage-tls-policy\" for control \"CCC.Core.CN01\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Account TLS Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149688, "created_time_dt": "2026-04-02T17:08:08Z", "desc": "Compliance test scenario: Storage account enforces minimum TLS version", "title": "Storage account enforces minimum TLS version", "types": [], "uid": "ccc-test-138-1775149688" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149688, "time_dt": "2026-04-02T17:08:08Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage policy prevents the use of unencrypted ports", "metadata": { "event_code": "Object storage policy prevents the use of unencrypted ports", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.Core", "@CCC.Core.CN01", "@Policy", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✗ I attempt policy check \"object-storage-unencrypted-policy\" for control \"CCC.Core.CN01\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149690, "created_time_dt": "2026-04-02T17:08:10Z", "desc": "Compliance test scenario: Object storage policy prevents the use of unencrypted ports", "title": "Object storage policy prevents the use of unencrypted ports", "types": [], "uid": "ccc-test-291-1775149690" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149690, "time_dt": "2026-04-02T17:08:10Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Storage account enforces mutual TLS - NotTested", "metadata": { "event_code": "Storage account enforces mutual TLS - NotTested", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@tls", "@tlp-amber", "@tlp-red", "@CCC.Core", "@CCC.Core.CN01", "@Policy", "@NotTested", "@PerService", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "Update", "status_code": "FAIL", "status_detail": "✓ no-op required", "status_id": 2, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN01.AR08" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149692, "created_time_dt": "2026-04-02T17:08:12Z", "desc": "Compliance test scenario: Storage account enforces mutual TLS - NotTested", "title": "Storage account enforces mutual TLS - NotTested", "types": [], "uid": "ccc-test-430-1775149692" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149692, "time_dt": "2026-04-02T17:08:12Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Verify objects are encrypted at rest", "metadata": { "event_code": "Verify objects are encrypted at rest", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN02", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-encryption-check={Timestamp}.txt\", and \"encryption test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-encryption-check=1775149692349.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/test-encryption-check=1775149692349.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:0198eff3-f01e-0064-28c3-c29a27000000\nTime:2026-04-02T17:12:14.5066050Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I refer to \"{result}\" as \"uploadResult\" (skipped)\n⊘ \"{uploadResult.Encryption}\" is not null (skipped)\n⊘ \"{uploadResult.EncryptionAlgorithm}\" is \"AES256\" (skipped)\n⊘ I attach \"{uploadResult}\" to the test output as \"Upload Result with Encryption Details\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149692, "created_time_dt": "2026-04-02T17:08:12Z", "desc": "Compliance test scenario: Verify objects are encrypted at rest", "title": "Verify objects are encrypted at rest", "types": [], "uid": "ccc-test-466-1775149692" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149692, "time_dt": "2026-04-02T17:08:12Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage encryption compliance", "metadata": { "event_code": "Object storage encryption compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN02", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-encryption\" for control \"CCC.Core.CN02\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149934, "created_time_dt": "2026-04-02T17:12:14Z", "desc": "Compliance test scenario: Object storage encryption compliance", "title": "Object storage encryption compliance", "types": [], "uid": "ccc-test-470-1775149934" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149934, "time_dt": "2026-04-02T17:12:14Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage delete protection compliance", "metadata": { "event_code": "Object storage delete protection compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-delete-protection\" for control \"CCC.Core.CN03\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149935, "created_time_dt": "2026-04-02T17:12:15Z", "desc": "Compliance test scenario: Object storage delete protection compliance", "title": "Object storage delete protection compliance", "types": [], "uid": "ccc-test-492-1775149935" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149935, "time_dt": "2026-04-02T17:12:15Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "MFA requirement for destructive operations cannot be tested automatically", "metadata": { "event_code": "MFA requirement for destructive operations cannot be tested automatically", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149936, "created_time_dt": "2026-04-02T17:12:16Z", "desc": "Compliance test scenario: MFA requirement for destructive operations cannot be tested automatically", "title": "MFA requirement for destructive operations cannot be tested automatically", "types": [], "uid": "ccc-test-495-1775149936" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149936, "time_dt": "2026-04-02T17:12:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "API modification requires credential and trust perimeter origin - NotTestable", "metadata": { "event_code": "API modification requires credential and trust perimeter origin - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149936, "created_time_dt": "2026-04-02T17:12:16Z", "desc": "Compliance test scenario: API modification requires credential and trust perimeter origin - NotTestable", "title": "API modification requires credential and trust perimeter origin - NotTestable", "types": [], "uid": "ccc-test-513-1775149936" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149936, "time_dt": "2026-04-02T17:12:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "UI viewing requires multi-factor authentication - NotTestable", "metadata": { "event_code": "UI viewing requires multi-factor authentication - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149936, "created_time_dt": "2026-04-02T17:12:16Z", "desc": "Compliance test scenario: UI viewing requires multi-factor authentication - NotTestable", "title": "UI viewing requires multi-factor authentication - NotTestable", "types": [], "uid": "ccc-test-529-1775149936" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149936, "time_dt": "2026-04-02T17:12:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "API viewing requires credential and trust perimeter origin - NotTestable", "metadata": { "event_code": "API viewing requires credential and trust perimeter origin - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN03", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage", "@load-balancer" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN03.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149936, "created_time_dt": "2026-04-02T17:12:16Z", "desc": "Compliance test scenario: API viewing requires credential and trust perimeter origin - NotTestable", "title": "API viewing requires credential and trust perimeter origin - NotTestable", "types": [], "uid": "ccc-test-545-1775149936" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149936, "time_dt": "2026-04-02T17:12:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage admin logging compliance", "metadata": { "event_code": "Object storage admin logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ I attempt policy check \"admin-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149936, "created_time_dt": "2026-04-02T17:12:16Z", "desc": "Compliance test scenario: Object storage admin logging compliance", "title": "Object storage admin logging compliance", "types": [], "uid": "ccc-test-589-1775149936" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149936, "time_dt": "2026-04-02T17:12:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Verify admin actions are logged with identity and timestamp", "metadata": { "event_code": "Verify admin actions are logged with identity and timestamp", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"{ServiceType}\"\n✓ I refer to \"{result}\" as \"theService\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"logging\"\n✓ I refer to \"{result}\" as \"loggingService\"\n✓ I call \"{theService}\" with \"UpdateResourcePolicy\"\n✓ \"{result}\" is not an error\n✓ I attach \"{result}\" to the test output as \"Policy Update Result\"\n✓ we wait for a period of \"10000\" ms\n✓ I call \"{loggingService}\" with \"QueryAdminLogs\" using arguments \"{ResourceName}\" and \"{20}\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"adminLogs\"\n✓ I attach \"{adminLogs}\" to the test output as \"Admin Activity Logs\"\n✓ \"{adminLogs}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149939, "created_time_dt": "2026-04-02T17:12:19Z", "desc": "Compliance test scenario: Verify admin actions are logged with identity and timestamp", "title": "Verify admin actions are logged with identity and timestamp", "types": [], "uid": "ccc-test-610-1775149939" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149939, "time_dt": "2026-04-02T17:12:19Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage data modification logging compliance", "metadata": { "event_code": "Object storage data modification logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"data-write-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Diagnostic Logging Write Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149953, "created_time_dt": "2026-04-02T17:12:33Z", "desc": "Compliance test scenario: Object storage data modification logging compliance", "title": "Object storage data modification logging compliance", "types": [], "uid": "ccc-test-641-1775149953" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149953, "time_dt": "2026-04-02T17:12:33Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Data read logging compliance", "metadata": { "event_code": "Data read logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-red", "@Policy", "@object-storage", "@vpc" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"data-read-logging\" for control \"CCC.Core.CN04\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Diagnostic Logging Read Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149954, "created_time_dt": "2026-04-02T17:12:34Z", "desc": "Compliance test scenario: Data read logging compliance", "title": "Data read logging compliance", "types": [], "uid": "ccc-test-692-1775149954" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149954, "time_dt": "2026-04-02T17:12:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Verify data read operations are logged with identity and timestamp", "metadata": { "event_code": "Verify data read operations are logged with identity and timestamp", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN04", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"logging\"\n✓ I refer to \"{result}\" as \"loggingService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-read-logging-object={Timestamp}.txt\", and \"test data for read logging verification\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-read-logging-object=1775149955468.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/test-read-logging-object=1775149955468.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:019a9f21-f01e-0064-31c4-c29a27000000\nTime:2026-04-02T17:16:37.5966033Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I refer to \"{result}\" as \"createResult\" (skipped)\n⊘ I call \"{storage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-read-logging-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"readResult\" (skipped)\n⊘ I attach \"{readResult}\" to the test output as \"Object Read Result\" (skipped)\n⊘ we wait for a period of \"10000\" ms (skipped)\n⊘ I call \"{loggingService}\" with \"QueryDataReadLogs\" using arguments \"{ResourceName}\" and \"{20}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"readLogs\" (skipped)\n⊘ I attach \"{readLogs}\" to the test output as \"Data Read Logs\" (skipped)\n⊘ \"{readLogs}\" is an array of objects with at least the following contents (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN04.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775149955, "created_time_dt": "2026-04-02T17:12:35Z", "desc": "Compliance test scenario: Verify data read operations are logged with identity and timestamp", "title": "Verify data read operations are logged with identity and timestamp", "types": [], "uid": "ccc-test-711-1775149955" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775149955, "time_dt": "2026-04-02T17:12:35Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents data modification by user with no access", "metadata": { "event_code": "Service prevents data modification by user with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-write-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-cn05-unauthorized-modify={Timestamp}.txt\", and \"unauthorized data\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-create-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150197, "created_time_dt": "2026-04-02T17:16:37Z", "desc": "Compliance test scenario: Service prevents data modification by user with no access", "title": "Service prevents data modification by user with no access", "types": [], "uid": "ccc-test-775-1775150197" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150197, "time_dt": "2026-04-02T17:16:37Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service allows data modification by user with write access", "metadata": { "event_code": "Service allows data modification by user with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write-access\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-cn05-authorized-modify={Timestamp}.txt\", and \"authorized data\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150198, "created_time_dt": "2026-04-02T17:16:38Z", "desc": "Compliance test scenario: Service allows data modification by user with write access", "title": "Service allows data modification by user with write access", "types": [], "uid": "ccc-test-790-1775150198" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150198, "time_dt": "2026-04-02T17:16:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Storage is not configured for public write access", "metadata": { "event_code": "Storage is not configured for public write access", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"object-storage-block-public-write-access\" for control \"CCC.Core.CN05\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150198, "created_time_dt": "2026-04-02T17:16:38Z", "desc": "Compliance test scenario: Storage is not configured for public write access", "title": "Storage is not configured for public write access", "types": [], "uid": "ccc-test-798-1775150198" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150198, "time_dt": "2026-04-02T17:16:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents administrative action (creating a new bucket) by user with no access", "metadata": { "event_code": "Service prevents administrative action (creating a new bucket) by user with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-admin-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-unauthorized-admin-container\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-admin-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150199, "created_time_dt": "2026-04-02T17:16:39Z", "desc": "Compliance test scenario: Service prevents administrative action (creating a new bucket) by user with no access", "title": "Service prevents administrative action (creating a new bucket) by user with no access", "types": [], "uid": "ccc-test-877-1775150199" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150199, "time_dt": "2026-04-02T17:16:39Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents administrative action (creating a new bucket) by user with read-only access", "metadata": { "event_code": "Service prevents administrative action (creating a new bucket) by user with read-only access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read-only-admin\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-only-admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-read-only-create-container\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-only-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150200, "created_time_dt": "2026-04-02T17:16:40Z", "desc": "Compliance test scenario: Service prevents administrative action (creating a new bucket) by user with read-only access", "title": "Service prevents administrative action (creating a new bucket) by user with read-only access", "types": [], "uid": "ccc-test-892-1775150200" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150200, "time_dt": "2026-04-02T17:16:40Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service allows administrative action (creating a new bucket) by user with admin access", "metadata": { "event_code": "Service allows administrative action (creating a new bucket) by user with admin access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-admin-access\", \"{UID}\", and \"admin\"\n✓ I refer to \"{result}\" as \"testUserAdmin\"\n✓ I attach \"{result}\" to the test output as \"admin-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserAdmin}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-cn05-authorized-admin-container\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"admin-create-bucket-result.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"test-cn05-authorized-admin-container\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150200, "created_time_dt": "2026-04-02T17:16:40Z", "desc": "Compliance test scenario: Service allows administrative action (creating a new bucket) by user with admin access", "title": "Service allows administrative action (creating a new bucket) by user with admin access", "types": [], "uid": "ccc-test-908-1775150200" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150200, "time_dt": "2026-04-02T17:16:40Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Unauthorized administrative access is blocked", "metadata": { "event_code": "Unauthorized administrative access is blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150201, "created_time_dt": "2026-04-02T17:16:41Z", "desc": "Compliance test scenario: Unauthorized administrative access is blocked", "title": "Unauthorized administrative access is blocked", "types": [], "uid": "ccc-test-915-1775150201" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150201, "time_dt": "2026-04-02T17:16:41Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Cross-tenant access is blocked without explicit allowlist", "metadata": { "event_code": "Cross-tenant access is blocked without explicit allowlist", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-cross-tenant-block\" for control \"CCC.Core.CN05\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150201, "created_time_dt": "2026-04-02T17:16:41Z", "desc": "Compliance test scenario: Cross-tenant access is blocked without explicit allowlist", "title": "Cross-tenant access is blocked without explicit allowlist", "types": [], "uid": "ccc-test-933-1775150201" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150201, "time_dt": "2026-04-02T17:16:41Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "External unauthorized data requests are blocked", "metadata": { "event_code": "External unauthorized data requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-block-public-read\" for control \"CCC.Core.CN05\" assessment requirement \"AR04\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150202, "created_time_dt": "2026-04-02T17:16:42Z", "desc": "Compliance test scenario: External unauthorized data requests are blocked", "title": "External unauthorized data requests are blocked", "types": [], "uid": "ccc-test-949-1775150202" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150202, "time_dt": "2026-04-02T17:16:42Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "External requests do not reveal service existence - NotTested", "metadata": { "event_code": "External requests do not reveal service existence - NotTested", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-red", "@Policy", "@NotTested", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "Update", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 2, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR05" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150203, "created_time_dt": "2026-04-02T17:16:43Z", "desc": "Compliance test scenario: External requests do not reveal service existence - NotTested", "title": "External requests do not reveal service existence - NotTested", "types": [], "uid": "ccc-test-963-1775150203" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150203, "time_dt": "2026-04-02T17:16:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents data read by user with no access - Duplicate", "metadata": { "event_code": "Service prevents data read by user with no access - Duplicate", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-green", "@tlp-amber", "@tlp-red", "@Destructive", "@Behavioural", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR06" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150203, "created_time_dt": "2026-04-02T17:16:43Z", "desc": "Compliance test scenario: Service prevents data read by user with no access - Duplicate", "title": "Service prevents data read by user with no access - Duplicate", "types": [], "uid": "ccc-test-993-1775150203" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150203, "time_dt": "2026-04-02T17:16:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "All unauthorized requests are blocked - Duplicate", "metadata": { "event_code": "All unauthorized requests are blocked - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN05", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN05.AR06" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150203, "created_time_dt": "2026-04-02T17:16:43Z", "desc": "Compliance test scenario: All unauthorized requests are blocked - Duplicate", "title": "All unauthorized requests are blocked - Duplicate", "types": [], "uid": "ccc-test-1000-1775150203" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150203, "time_dt": "2026-04-02T17:16:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage region compliance", "metadata": { "event_code": "Object storage region compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-region\" for control \"CCC.Core.CN06\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150203, "created_time_dt": "2026-04-02T17:16:43Z", "desc": "Compliance test scenario: Object storage region compliance", "title": "Object storage region compliance", "types": [], "uid": "ccc-test-1036-1775150203" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150203, "time_dt": "2026-04-02T17:16:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Resource region can be retrieved for compliance verification", "metadata": { "event_code": "Resource region can be retrieved for compliance verification", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage", "@vpc" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"{ServiceType}\"\n✓ I refer to \"{result}\" as \"theService\"\n✓ I call \"{theService}\" with \"GetResourceRegion\" using argument \"{ResourceName}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: not yet implemented\n⊘ I refer to \"{result}\" as \"region\" (skipped)\n⊘ I attach \"{region}\" to the test output as \"Resource Region\" (skipped)\n⊘ \"{PermittedRegions}\" is an array of objects with at least the following contents (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150203, "created_time_dt": "2026-04-02T17:16:43Z", "desc": "Compliance test scenario: Resource region can be retrieved for compliance verification", "title": "Resource region can be retrieved for compliance verification", "types": [], "uid": "ccc-test-1050-1775150203" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150203, "time_dt": "2026-04-02T17:16:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Child resource region compliance - NotTestable", "metadata": { "event_code": "Child resource region compliance - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150203, "created_time_dt": "2026-04-02T17:16:43Z", "desc": "Compliance test scenario: Child resource region compliance - NotTestable", "title": "Child resource region compliance - NotTestable", "types": [], "uid": "ccc-test-1072-1775150203" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150203, "time_dt": "2026-04-02T17:16:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Child resource region compliance - NotTestable", "metadata": { "event_code": "Child resource region compliance - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN06", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN06.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150203, "created_time_dt": "2026-04-02T17:16:43Z", "desc": "Compliance test scenario: Child resource region compliance - NotTestable", "title": "Child resource region compliance - NotTestable", "types": [], "uid": "ccc-test-1075-1775150203" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150203, "time_dt": "2026-04-02T17:16:43Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Enumeration activities publish events to monitored channels", "metadata": { "event_code": "Enumeration activities publish events to monitored channels", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"enumeration-monitoring-policy\" for control \"CCC.Core.CN07\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150204, "created_time_dt": "2026-04-02T17:16:44Z", "desc": "Compliance test scenario: Enumeration activities publish events to monitored channels", "title": "Enumeration activities publish events to monitored channels", "types": [], "uid": "ccc-test-1096-1775150204" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150204, "time_dt": "2026-04-02T17:16:44Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Enumeration event publishing cannot be tested automatically - NotTestable", "metadata": { "event_code": "Enumeration event publishing cannot be tested automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150205, "created_time_dt": "2026-04-02T17:16:45Z", "desc": "Compliance test scenario: Enumeration event publishing cannot be tested automatically - NotTestable", "title": "Enumeration event publishing cannot be tested automatically - NotTestable", "types": [], "uid": "ccc-test-1099-1775150205" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150205, "time_dt": "2026-04-02T17:16:45Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Enumeration activities are logged", "metadata": { "event_code": "Enumeration activities are logged", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"enumeration-logging-policy\" for control \"CCC.Core.CN07\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Enumeration Logging Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150205, "created_time_dt": "2026-04-02T17:16:45Z", "desc": "Compliance test scenario: Enumeration activities are logged", "title": "Enumeration activities are logged", "types": [], "uid": "ccc-test-1122-1775150205" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150205, "time_dt": "2026-04-02T17:16:45Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Enumeration logging cannot be verified automatically - NotTestable", "metadata": { "event_code": "Enumeration logging cannot be verified automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN07", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN07.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150206, "created_time_dt": "2026-04-02T17:16:46Z", "desc": "Compliance test scenario: Enumeration logging cannot be verified automatically - NotTestable", "title": "Enumeration logging cannot be verified automatically - NotTestable", "types": [], "uid": "ccc-test-1125-1775150206" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150206, "time_dt": "2026-04-02T17:16:46Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage replication compliance", "metadata": { "event_code": "Object storage replication compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"object-storage-replication\" for control \"CCC.Core.CN08\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150206, "created_time_dt": "2026-04-02T17:16:46Z", "desc": "Compliance test scenario: Object storage replication compliance", "title": "Object storage replication compliance", "types": [], "uid": "ccc-test-1160-1775150206" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150206, "time_dt": "2026-04-02T17:16:46Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Bucket data is replicated to physically separate locations", "metadata": { "event_code": "Bucket data is replicated to physically separate locations", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetReplicationStatus\" using argument \"{ResourceName}\"\n✓ I refer to \"{result}\" as \"replicationStatus\"\n✓ I refer to \"{replicationStatus.Locations}\" as \"locations\"\n✓ I attach \"{replicationStatus}\" to the test output as \"Replication Status\"\n✓ \"{locations}\" is an array of objects with length \"2\"\n✓ \"{PermittedRegions}\" is an array of objects with at least the following contents\n✓ \"{PermittedRegions}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150207, "created_time_dt": "2026-04-02T17:16:47Z", "desc": "Compliance test scenario: Bucket data is replicated to physically separate locations", "title": "Bucket data is replicated to physically separate locations", "types": [], "uid": "ccc-test-1171-1775150207" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150207, "time_dt": "2026-04-02T17:16:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage replication status is visible", "metadata": { "event_code": "Object storage replication status is visible", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"object-storage-replication-status\" for control \"CCC.Core.CN08\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150207, "created_time_dt": "2026-04-02T17:16:47Z", "desc": "Compliance test scenario: Object storage replication status is visible", "title": "Object storage replication status is visible", "types": [], "uid": "ccc-test-1203-1775150207" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150207, "time_dt": "2026-04-02T17:16:47Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Replication status can be retrieved for monitoring", "metadata": { "event_code": "Replication status can be retrieved for monitoring", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN08", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetReplicationStatus\" using argument \"{ResourceName}\"\n✓ I refer to \"{result}\" as \"replicationStatus\"\n✓ I attach \"{replicationStatus}\" to the test output as \"Replication Status\"\n✓ I refer to \"{replicationStatus.Locations}\" as \"locations\"\n✓ \"{locations}\" is an array of objects with at least the following contents", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN08.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150208, "created_time_dt": "2026-04-02T17:16:48Z", "desc": "Compliance test scenario: Replication status can be retrieved for monitoring", "title": "Replication status can be retrieved for monitoring", "types": [], "uid": "ccc-test-1212-1775150208" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150208, "time_dt": "2026-04-02T17:16:48Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage access logging compliance", "metadata": { "event_code": "Object storage access logging compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✗ I attempt policy check \"object-storage-access-logging\" for control \"CCC.Core.CN09\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150208, "created_time_dt": "2026-04-02T17:16:48Z", "desc": "Compliance test scenario: Object storage access logging compliance", "title": "Object storage access logging compliance", "types": [], "uid": "ccc-test-1229-1775150208" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150208, "time_dt": "2026-04-02T17:16:48Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Disabling logs requires disabling the resource - NotTestable", "metadata": { "event_code": "Disabling logs requires disabling the resource - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150209, "created_time_dt": "2026-04-02T17:16:49Z", "desc": "Compliance test scenario: Disabling logs requires disabling the resource - NotTestable", "title": "Disabling logs requires disabling the resource - NotTestable", "types": [], "uid": "ccc-test-1246-1775150209" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150209, "time_dt": "2026-04-02T17:16:49Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Redirecting logs requires halting the resource - NotTestable", "metadata": { "event_code": "Redirecting logs requires halting the resource - NotTestable", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN09", "@tlp-amber", "@tlp-red", "@Policy", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN09.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150209, "created_time_dt": "2026-04-02T17:16:49Z", "desc": "Compliance test scenario: Redirecting logs requires halting the resource - NotTestable", "title": "Redirecting logs requires halting the resource - NotTestable", "types": [], "uid": "ccc-test-1261-1775150209" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150209, "time_dt": "2026-04-02T17:16:49Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object storage replication destination compliance", "metadata": { "event_code": "Object storage replication destination compliance", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN10", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I attempt policy check \"object-storage-replication-destination\" for control \"CCC.Core.CN10\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN10.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150209, "created_time_dt": "2026-04-02T17:16:49Z", "desc": "Compliance test scenario: Object storage replication destination compliance", "title": "Object storage replication destination compliance", "types": [], "uid": "ccc-test-1283-1775150209" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150209, "time_dt": "2026-04-02T17:16:49Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Replication destination trust cannot be verified automatically - NotTestable", "metadata": { "event_code": "Replication destination trust cannot be verified automatically - NotTestable", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@CCC.Core", "@CCC.Core.CN10", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural", "@NotTestable", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.Core.CN10.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150210, "created_time_dt": "2026-04-02T17:16:50Z", "desc": "Compliance test scenario: Replication destination trust cannot be verified automatically - NotTestable", "title": "Replication destination trust cannot be verified automatically - NotTestable", "types": [], "uid": "ccc-test-1286-1775150210" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150210, "time_dt": "2026-04-02T17:16:50Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents reading bucket with no access", "metadata": { "event_code": "Service prevents reading bucket with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ListObjects\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-list-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150210, "created_time_dt": "2026-04-02T17:16:50Z", "desc": "Compliance test scenario: Service prevents reading bucket with no access", "title": "Service prevents reading bucket with no access", "types": [], "uid": "ccc-test-1340-1775150210" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150210, "time_dt": "2026-04-02T17:16:50Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service allows reading bucket with read access", "metadata": { "event_code": "Service allows reading bucket with read access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"read-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ListObjects\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-list-objects-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150211, "created_time_dt": "2026-04-02T17:16:51Z", "desc": "Compliance test scenario: Service allows reading bucket with read access", "title": "Service allows reading bucket with read access", "types": [], "uid": "ccc-test-1356-1775150211" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150211, "time_dt": "2026-04-02T17:16:51Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Test policy for bucket access control", "metadata": { "event_code": "Test policy for bucket access control", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"no-public-access\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150211, "created_time_dt": "2026-04-02T17:16:51Z", "desc": "Compliance test scenario: Test policy for bucket access control", "title": "Test policy for bucket access control", "types": [], "uid": "ccc-test-1364-1775150211" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150211, "time_dt": "2026-04-02T17:16:51Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents reading object with no access", "metadata": { "event_code": "Service prevents reading object with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775150212789.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/test-object=1775150212789.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:019c5208-f01e-0064-27c5-c29a27000000\nTime:2026-04-02T17:20:54.9551967Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserNoAccess\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-read-object-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150212, "created_time_dt": "2026-04-02T17:16:52Z", "desc": "Compliance test scenario: Service prevents reading object with no access", "title": "Service prevents reading object with no access", "types": [], "uid": "ccc-test-1422-1775150212" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150212, "time_dt": "2026-04-02T17:16:52Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service allows reading object with read access", "metadata": { "event_code": "Service allows reading object with read access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775150454964.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/test-object=1775150454964.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:019e2456-f01e-0064-69c5-c29a27000000\nTime:2026-04-02T17:24:57.1604812Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-read-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150454, "created_time_dt": "2026-04-02T17:20:54Z", "desc": "Compliance test scenario: Service allows reading object with read access", "title": "Service allows reading object with read access", "types": [], "uid": "ccc-test-1440-1775150454" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150454, "time_dt": "2026-04-02T17:20:54Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775150697169.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/test-object=1775150697169.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:019fb362-f01e-0064-6ec6-c29a27000000\nTime:2026-04-02T17:28:59.2990033Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" (skipped)\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150697, "created_time_dt": "2026-04-02T17:24:57Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1450-1775150697" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150697, "time_dt": "2026-04-02T17:24:57Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents creating bucket with no access", "metadata": { "event_code": "Service prevents creating bucket with no access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\"\n✓ I refer to \"{result}\" as \"testUserNoAccess\"\n✓ I attach \"{result}\" to the test output as \"no-access-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-bucket-no-access\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-create-bucket-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150939, "created_time_dt": "2026-04-02T17:28:59Z", "desc": "Compliance test scenario: Service prevents creating bucket with no access", "title": "Service prevents creating bucket with no access", "types": [], "uid": "ccc-test-1507-1775150939" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150939, "time_dt": "2026-04-02T17:28:59Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service allows creating bucket with write access", "metadata": { "event_code": "Service allows creating bucket with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"write-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateBucket\" using argument \"test-bucket-write\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-bucket-result.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"{result.ID}\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150939, "created_time_dt": "2026-04-02T17:28:59Z", "desc": "Compliance test scenario: Service allows creating bucket with write access", "title": "Service allows creating bucket with write access", "types": [], "uid": "ccc-test-1524-1775150939" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150939, "time_dt": "2026-04-02T17:28:59Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR03\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage RBAC in Use: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150940, "created_time_dt": "2026-04-02T17:29:00Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1532-1775150940" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150940, "time_dt": "2026-04-02T17:29:00Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents writing object with read-only access", "metadata": { "event_code": "Service prevents writing object with read-only access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\"\n✓ I refer to \"{result}\" as \"testUserRead\"\n✓ I attach \"{result}\" to the test output as \"read-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-write-object={Timestamp}.txt\", and \"test content\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-create-object-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150942, "created_time_dt": "2026-04-02T17:29:02Z", "desc": "Compliance test scenario: Service prevents writing object with read-only access", "title": "Service prevents writing object with read-only access", "types": [], "uid": "ccc-test-1592-1775150942" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150942, "time_dt": "2026-04-02T17:29:02Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service allows writing object with write access", "metadata": { "event_code": "Service allows writing object with write access", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I attach \"{result}\" to the test output as \"write-storage-service.json\" (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-write-object={Timestamp}.txt\", and \"test content\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"write-create-object-result.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150942, "created_time_dt": "2026-04-02T17:29:02Z", "desc": "Compliance test scenario: Service allows writing object with write access", "title": "Service allows writing object with write access", "types": [], "uid": "ccc-test-1610-1775150942" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150942, "time_dt": "2026-04-02T17:29:02Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "All unauthorized requests are blocked", "metadata": { "event_code": "All unauthorized requests are blocked", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN01", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ \"{result}\" is not an error\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ \"{result}\" is not an error\n✗ I attempt policy check \"object-storage-no-public-principals\" for control \"CCC.ObjStor.CN01\" assessment requirement \"AR04\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Storage RBAC in Use: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN01.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150943, "created_time_dt": "2026-04-02T17:29:03Z", "desc": "Compliance test scenario: All unauthorized requests are blocked", "title": "All unauthorized requests are blocked", "types": [], "uid": "ccc-test-1620-1775150943" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150943, "time_dt": "2026-04-02T17:29:03Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service enforces uniform bucket-level access by rejecting object-level permissions", "metadata": { "event_code": "Service enforces uniform bucket-level access by rejecting object-level permissions", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775150944556.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/test-object=1775150944556.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:01a158ce-f01e-0064-27c6-c29a27000000\nTime:2026-04-02T17:33:06.7138406Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"SetObjectPermission\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"none\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-object-permission-error.txt\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775150944, "created_time_dt": "2026-04-02T17:29:04Z", "desc": "Compliance test scenario: Service enforces uniform bucket-level access by rejecting object-level permissions", "title": "Service enforces uniform bucket-level access by rejecting object-level permissions", "types": [], "uid": "ccc-test-1674-1775150944" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775150944, "time_dt": "2026-04-02T17:29:04Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Test policy for uniform access", "metadata": { "event_code": "Test policy for uniform access", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"uniform-bucket-level-access\" for control \"CCC.ObjStor.CN02\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151186, "created_time_dt": "2026-04-02T17:33:06Z", "desc": "Compliance test scenario: Test policy for uniform access", "title": "Test policy for uniform access", "types": [], "uid": "ccc-test-1682-1775151186" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151186, "time_dt": "2026-04-02T17:33:06Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service enforces uniform bucket-level access denial", "metadata": { "event_code": "Service enforces uniform bucket-level access denial", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"test data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob test-object=1775151187643.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/test-object=1775151187643.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:01a31dbf-f01e-0064-24c7-c29a27000000\nTime:2026-04-02T17:37:09.7421095Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-no-access\", \"{UID}\", and \"none\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserNoAccess\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"no-access-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserNoAccess}\", and \"{false}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I call \"{storage}\" with \"SetObjectPermission\" using arguments \"{ResourceName}\", \"test-object={Timestamp}.txt\", and \"read\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-object-permission-error.txt\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"test-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151187, "created_time_dt": "2026-04-02T17:33:07Z", "desc": "Compliance test scenario: Service enforces uniform bucket-level access denial", "title": "Service enforces uniform bucket-level access denial", "types": [], "uid": "ccc-test-1737-1775151187" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151187, "time_dt": "2026-04-02T17:33:07Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "metadata": { "event_code": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN02", "@Policy", "@Duplicate", "@object-storage" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN02.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151429, "created_time_dt": "2026-04-02T17:37:09Z", "desc": "Compliance test scenario: Uniform bucket-level access prevents object-level deny overrides - Duplicate", "title": "Uniform bucket-level access prevents object-level deny overrides - Duplicate", "types": [], "uid": "ccc-test-1744-1775151429" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151429, "time_dt": "2026-04-02T17:37:09Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service supports bucket soft delete and recovery", "metadata": { "event_code": "Service supports bucket soft delete and recovery", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateBucket\" using argument \"ccc-test-soft-delete\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"testBucket\"\n✓ I attach \"{result}\" to the test output as \"created-bucket.json\"\n✓ I call \"{storage}\" with \"DeleteBucket\" using argument \"ccc-test-soft-delete\"\n✓ \"{result}\" is not an error\n✓ I call \"{storage}\" with \"ListDeletedBuckets\"\n✓ \"{result}\" is not an error\n✓ I attach \"{result}\" to the test output as \"deleted-buckets.json\"\n? \"{result}\" should have length greater than \"0\" (undefined)\n⊘ I call \"{storage}\" with \"RestoreBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I call \"{storage}\" with \"ListBuckets\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"restored-buckets.json\" (skipped)\n⊘ I call \"{storage}\" with \"DeleteBucket\" using argument \"ccc-test-soft-delete\" (skipped)\n⊘ \"{result}\" is not an error (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151429, "created_time_dt": "2026-04-02T17:37:09Z", "desc": "Compliance test scenario: Service supports bucket soft delete and recovery", "title": "Service supports bucket soft delete and recovery", "types": [], "uid": "ccc-test-1798-1775151429" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151429, "time_dt": "2026-04-02T17:37:09Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Test policy for bucket soft delete", "metadata": { "event_code": "Test policy for bucket soft delete", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"bucket-soft-delete\" for control \"CCC.ObjStor.CN03\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151430, "created_time_dt": "2026-04-02T17:37:10Z", "desc": "Compliance test scenario: Test policy for bucket soft delete", "title": "Test policy for bucket soft delete", "types": [], "uid": "ccc-test-1804-1775151430" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151430, "time_dt": "2026-04-02T17:37:10Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents modification of locked retention policy", "metadata": { "event_code": "Service prevents modification of locked retention policy", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"GetBucketRetentionDurationDays\" using argument \"{ResourceName}\"\n✓ \"{result}\" is not an error\n✓ I refer to \"{result}\" as \"originalRetention\"\n✓ I attach \"{result}\" to the test output as \"original-retention-days.txt\"\n✗ \"{result}\" should be greater than \"0\" - Error: expected {result} (0) to be greater than 0\n⊘ I call \"{storage}\" with \"SetBucketRetentionDurationDays\" using arguments \"{ResourceName}\" and \"1\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"set-retention-error.txt\" (skipped)\n⊘ I call \"{storage}\" with \"GetBucketRetentionDurationDays\" using argument \"{ResourceName}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n? \"{result}\" should equal \"{originalRetention}\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151432, "created_time_dt": "2026-04-02T17:37:12Z", "desc": "Compliance test scenario: Service prevents modification of locked retention policy", "title": "Service prevents modification of locked retention policy", "types": [], "uid": "ccc-test-1846-1775151432" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151432, "time_dt": "2026-04-02T17:37:12Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Test policy for immutable bucket retention lock", "metadata": { "event_code": "Test policy for immutable bucket retention lock", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN03", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I attempt policy check \"bucket-retention-lock\" for control \"CCC.ObjStor.CN03\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN03.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151432, "created_time_dt": "2026-04-02T17:37:12Z", "desc": "Compliance test scenario: Test policy for immutable bucket retention lock", "title": "Test policy for immutable bucket retention lock", "types": [], "uid": "ccc-test-1852-1775151432" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151432, "time_dt": "2026-04-02T17:37:12Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service applies default retention policy to newly uploaded object", "metadata": { "event_code": "Service applies default retention policy to newly uploaded object", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"test-retention-object={Timestamp}.txt\", and \"protected data\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"uploaded-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"GetObjectRetentionDurationDays\" using arguments \"{ResourceName}\" and \"test-retention-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" should be greater than \"1\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151434, "created_time_dt": "2026-04-02T17:37:14Z", "desc": "Compliance test scenario: Service applies default retention policy to newly uploaded object", "title": "Service applies default retention policy to newly uploaded object", "types": [], "uid": "ccc-test-1911-1775151434" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151434, "time_dt": "2026-04-02T17:37:14Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service enforces retention policy on newly created objects", "metadata": { "event_code": "Service enforces retention policy on newly created objects", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"immediate-delete-test={Timestamp}.txt\", and \"test content\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob immediate-delete-test=1775151434581.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/immediate-delete-test=1775151434581.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:01a51baf-f01e-0064-59c7-c29a27000000\nTime:2026-04-02T17:41:16.6369970Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"immediate-delete-test={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"immediate-delete-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151434, "created_time_dt": "2026-04-02T17:37:14Z", "desc": "Compliance test scenario: Service enforces retention policy on newly created objects", "title": "Service enforces retention policy on newly created objects", "types": [], "uid": "ccc-test-1922-1775151434" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151434, "time_dt": "2026-04-02T17:37:14Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service validates retention period meets minimum requirements", "metadata": { "event_code": "Service validates retention period meets minimum requirements", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"retention-period-test={Timestamp}.txt\", and \"compliance data\"\n✓ I call \"{storage}\" with \"GetObjectRetentionDurationDays\" using arguments \"{ResourceName}\" and \"retention-period-test={Timestamp}.txt\"\n✗ \"{result}\" should be greater than \"1\" - Error: cannot parse {result} as number: strconv.ParseFloat: parsing \"failed to get blob properties: HEAD https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/retention-period-test=1775151676645.txt\\n--------------------------------------------------------------------------------\\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\\nERROR CODE: AuthorizationPermissionMismatch\\n--------------------------------------------------------------------------------\\nResponse contained no body\\n--------------------------------------------------------------------------------\\n\": invalid syntax\n⊘ I attach \"{result}\" to the test output as \"retention-period-days.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775151676, "created_time_dt": "2026-04-02T17:41:16Z", "desc": "Compliance test scenario: Service validates retention period meets minimum requirements", "title": "Service validates retention period meets minimum requirements", "types": [], "uid": "ccc-test-1932-1775151676" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775151676, "time_dt": "2026-04-02T17:41:16Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Test policy for default object retention", "metadata": { "event_code": "Test policy for default object retention", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✗ I attempt policy check \"object-default-retention\" for control \"CCC.ObjStor.CN04\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Default Immutability Policy Check: \n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152160, "created_time_dt": "2026-04-02T17:49:20Z", "desc": "Compliance test scenario: Test policy for default object retention", "title": "Test policy for default object retention", "types": [], "uid": "ccc-test-1940-1775152160" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152160, "time_dt": "2026-04-02T17:49:20Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents object deletion by write user during retention period", "metadata": { "event_code": "Service prevents object deletion by write user during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I attach \"{result}\" to the test output as \"write-user-identity.json\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"protected-object={Timestamp}.txt\", and \"immutable data\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"protected-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"delete-protected-error.txt\" (skipped)\n? \"{result}\" should contain one of \"retention, locked, immutable, protected\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152161, "created_time_dt": "2026-04-02T17:49:21Z", "desc": "Compliance test scenario: Service prevents object deletion by write user during retention period", "title": "Service prevents object deletion by write user during retention period", "types": [], "uid": "ccc-test-2028-1775152161" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152161, "time_dt": "2026-04-02T17:49:21Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents object deletion by admin user during retention period", "metadata": { "event_code": "Service prevents object deletion by admin user during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"admin-protected-object={Timestamp}.txt\", and \"compliance data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob admin-protected-object=1775152162393.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/admin-protected-object=1775152162393.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:01aa2d31-f01e-0064-0ac9-c29a27000000\nTime:2026-04-02T17:53:24.4380478Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"admin-protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"admin-delete-protected-error.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152162, "created_time_dt": "2026-04-02T17:49:22Z", "desc": "Compliance test scenario: Service prevents object deletion by admin user during retention period", "title": "Service prevents object deletion by admin user during retention period", "types": [], "uid": "ccc-test-2039-1775152162" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152162, "time_dt": "2026-04-02T17:49:22Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service prevents object modification during retention period", "metadata": { "event_code": "Service prevents object modification during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-write\", \"{UID}\", and \"write\"\n✓ I refer to \"{result}\" as \"testUserWrite\"\n✓ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserWrite}\", and \"{true}\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: Error calling {api}.GetServiceAPIWithIdentity: reflect: Call using *fmt.wrapError as type *iam.Identity\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"modify-test-object={Timestamp}.txt\", and \"original content\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"original-object.json\" (skipped)\n⊘ I call \"{userStorage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"modify-test-object={Timestamp}.txt\", and \"modified content\" (skipped)\n⊘ \"{result}\" is an error (skipped)\n⊘ I attach \"{result}\" to the test output as \"modify-protected-error.txt\" (skipped)\n? \"{result}\" should contain one of \"retention, locked, immutable, protected, exists\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152404, "created_time_dt": "2026-04-02T17:53:24Z", "desc": "Compliance test scenario: Service prevents object modification during retention period", "title": "Service prevents object modification during retention period", "types": [], "uid": "ccc-test-2057-1775152404" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152404, "time_dt": "2026-04-02T17:53:24Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service allows object read access during retention period", "metadata": { "event_code": "Service allows object read access during retention period", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"readable-protected-object={Timestamp}.txt\", and \"readable data\"\n✗ \"{result}\" is not an error - Error: expected {result} to not be an error, but got: failed to upload blob readable-protected-object=1775152405049.txt: PUT https://stgcfi20260402t161720z.blob.core.windows.net/ccc-test-container-20260402t161720z/readable-protected-object=1775152405049.txt\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation using this permission.\nERROR CODE: AuthorizationPermissionMismatch\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthorizationPermissionMismatch\u003c/Code\u003e\u003cMessage\u003eThis request is not authorized to perform this operation using this permission.\nRequestId:01abc75c-f01e-0064-49ca-c29a27000000\nTime:2026-04-02T17:57:27.0986795Z\u003c/Message\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n\n⊘ I call \"{iamService}\" with \"ProvisionUserWithAccess\" using arguments \"test-user-read\", \"{UID}\", and \"read\" (skipped)\n⊘ I refer to \"{result}\" as \"testUserRead\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-user-identity.json\" (skipped)\n⊘ I call \"{api}\" with \"GetServiceAPIWithIdentity\" using arguments \"object-storage\", \"{testUserRead}\", and \"{true}\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"userStorage\" (skipped)\n⊘ I call \"{userStorage}\" with \"ReadObject\" using arguments \"{ResourceName}\" and \"readable-protected-object={Timestamp}.txt\" (skipped)\n⊘ \"{result}\" is not an error (skipped)\n⊘ I refer to \"{result}\" as \"readResult\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"read-protected-object.json\" (skipped)\n⊘ \"{readResult.Name}\" is \"readable-protected-object={Timestamp}.txt\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152405, "created_time_dt": "2026-04-02T17:53:25Z", "desc": "Compliance test scenario: Service allows object read access during retention period", "title": "Service allows object read access during retention period", "types": [], "uid": "ccc-test-2076-1775152405" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152405, "time_dt": "2026-04-02T17:53:25Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Test policy for object retention enforcement", "metadata": { "event_code": "Test policy for object retention enforcement", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@CCC.ObjStor.CN04", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"iam\"\n✓ I refer to \"{result}\" as \"iamService\"\n✓ I attempt policy check \"object-retention-enforcement\" for control \"CCC.ObjStor.CN04\" assessment requirement \"AR02\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\"\n✓ \"{result}\" is true", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN04.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152647, "created_time_dt": "2026-04-02T17:57:27Z", "desc": "Compliance test scenario: Test policy for object retention enforcement", "title": "Test policy for object retention enforcement", "types": [], "uid": "ccc-test-2084-1775152647" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152647, "time_dt": "2026-04-02T17:57:27Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Service enables versioning and objects receive unique version identifiers", "metadata": { "event_code": "Service enables versioning and objects receive unique version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"IsBucketVersioningEnabled\" using argument \"{ResourceName}\"\n✓ \"{result}\" is true\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"versioned-object.txt\", and \"test content\"\n✓ I refer to \"{result}\" as \"createdObject\"\n? \"{createdObject.VersionID}\" is not empty (undefined)\n⊘ I attach \"{result}\" to the test output as \"versioned-object.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152648, "created_time_dt": "2026-04-02T17:57:28Z", "desc": "Compliance test scenario: Service enables versioning and objects receive unique version identifiers", "title": "Service enables versioning and objects receive unique version identifiers", "types": [], "uid": "ccc-test-2118-1775152648" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152648, "time_dt": "2026-04-02T17:57:28Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Objects are stored with unique version identifiers", "metadata": { "event_code": "Objects are stored with unique version identifiers", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✗ I attempt policy check \"object-storage-versioning\" for control \"CCC.ObjStor.CN05\" assessment requirement \"AR01\" for service \"{ServiceType}\" on resource \"{ResourceName}\" and provider \"{Provider}\" - Error: policy check failed: Azure Blob Versioning Configuration: query execution failed: exit status 1\nOutput: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2026-04-02T18:01:31.3611355Z, assertion valid from 2026-04-02T17:06:31.0000000Z, expiry time of assertion 2026-04-02T17:11:31.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: da0ef73d-3f48-4736-b0b9-831371b30b00 Correlation ID: c17c56a0-f042-49fc-96b5-100b03386a5e Timestamp: 2026-04-02 18:01:31Z\nRun the command below to authenticate interactively; additional arguments may be added as needed:\naz logout\naz login\n\n⊘ \"{result}\" is true (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR01" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152890, "created_time_dt": "2026-04-02T18:01:30Z", "desc": "Compliance test scenario: Objects are stored with unique version identifiers", "title": "Objects are stored with unique version identifiers", "types": [], "uid": "ccc-test-2124-1775152890" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152890, "time_dt": "2026-04-02T18:01:30Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Modified objects receive new version identifiers", "metadata": { "event_code": "Modified objects receive new version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"original content\"\n✓ I refer to \"{result.VersionID}\" as \"version1\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"modified content\"\n✓ I refer to \"{result.VersionID}\" as \"version2\"\n? \"{version1}\" is not equal to \"{version2}\" (undefined)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775152891, "created_time_dt": "2026-04-02T18:01:31Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers", "title": "Modified objects receive new version identifiers", "types": [], "uid": "ccc-test-2156-1775152891" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775152891, "time_dt": "2026-04-02T18:01:31Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Modified objects receive new version identifiers - Duplicate", "metadata": { "event_code": "Modified objects receive new version identifiers - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR02" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775153014, "created_time_dt": "2026-04-02T18:03:34Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers - Duplicate", "title": "Modified objects receive new version identifiers - Duplicate", "types": [], "uid": "ccc-test-2161-1775153014" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775153014, "time_dt": "2026-04-02T18:03:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Modified objects receive new version identifiers", "metadata": { "event_code": "Modified objects receive new version identifiers", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"original content\"\n✓ I refer to \"{result.VersionID}\" as \"version1\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"modified content\"\n✓ I refer to \"{result.VersionID}\" as \"version2\"\n✓ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"{version1}\"\n✓ I attach \"{result}\" to the test output as \"original-content.json\"\n✗ \"{result.Data}\" contains \"original content\" - Error: expected {result.Data} to contain 'original content', but got '\u003cnil\u003e'\n⊘ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"version-test-object={Timestamp}.txt\", and \"{version2}\" (skipped)\n⊘ \"{result.Data}\" contains \"modified content\" (skipped)\n⊘ I attach \"{result}\" to the test output as \"modified-content.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775153014, "created_time_dt": "2026-04-02T18:03:34Z", "desc": "Compliance test scenario: Modified objects receive new version identifiers", "title": "Modified objects receive new version identifiers", "types": [], "uid": "ccc-test-2202-1775153014" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775153014, "time_dt": "2026-04-02T18:03:34Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Previous object versions can be recovered", "metadata": { "event_code": "Previous object versions can be recovered", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR03" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775153016, "created_time_dt": "2026-04-02T18:03:36Z", "desc": "Compliance test scenario: Previous object versions can be recovered", "title": "Previous object versions can be recovered", "types": [], "uid": "ccc-test-2207-1775153016" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775153016, "time_dt": "2026-04-02T18:03:36Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Deleted object data can be reloaded from previous version", "metadata": { "event_code": "Deleted object data can be reloaded from previous version", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"recover-deleted-object={Timestamp}.txt\", and \"data to retain\"\n✓ I refer to \"{result.VersionID}\" as \"retainedVersionId\"\n✓ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"recover-deleted-object={Timestamp}.txt\"\n✓ I call \"{storage}\" with \"ReadObjectAtVersion\" using arguments \"{ResourceName}\", \"recover-deleted-object={Timestamp}.txt\", and \"{retainedVersionId}\"\n✗ \"{result.Data}\" contains \"data to retain\" - Error: expected {result.Data} to contain 'data to retain', but got '\u003cnil\u003e'\n⊘ I attach \"{result}\" to the test output as \"recovered-deleted-version.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775153016, "created_time_dt": "2026-04-02T18:03:36Z", "desc": "Compliance test scenario: Deleted object data can be reloaded from previous version", "title": "Deleted object data can be reloaded from previous version", "types": [], "uid": "ccc-test-2251-1775153016" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775153016, "time_dt": "2026-04-02T18:03:36Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Deleted object version remains in version list", "metadata": { "event_code": "Deleted object version remains in version list", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Behavioural" ], "version": "1.4.0" }, "severity_id": 3, "severity": "Medium", "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ I call \"{storage}\" with \"CreateObject\" using arguments \"{ResourceName}\", \"list-deleted-versions-object={Timestamp}.txt\", and \"versioned data\"\n✓ I refer to \"{result.VersionID}\" as \"listedVersionId\"\n✓ I call \"{storage}\" with \"DeleteObject\" using arguments \"{ResourceName}\" and \"list-deleted-versions-object={Timestamp}.txt\"\n✓ I call \"{storage}\" with \"ListObjectVersions\" using arguments \"{ResourceName}\" and \"list-deleted-versions-object={Timestamp}.txt\"\n✗ \"{result}\" is an array of objects with at least the following contents - Error: field {result} is not an array\n⊘ I attach \"{result}\" to the test output as \"versions-after-delete.json\" (skipped)", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775153018, "created_time_dt": "2026-04-02T18:03:38Z", "desc": "Compliance test scenario: Deleted object version remains in version list", "title": "Deleted object version remains in version list", "types": [], "uid": "ccc-test-2261-1775153018" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775153018, "time_dt": "2026-04-02T18:03:38Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] }, { "message": "Object versions are retained after deletion - Duplicate", "metadata": { "event_code": "Object versions are retained after deletion - Duplicate", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@PerService", "@object-storage", "@CCC.ObjStor", "@CCC.ObjStor.CN05", "@tlp-clear", "@tlp-green", "@tlp-amber", "@tlp-red", "@Policy", "@Duplicate" ], "version": "1.4.0" }, "severity_id": 1, "severity": "Informational", "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"object-storage\"\n✓ I refer to \"{result}\" as \"storage\"\n✓ no-op required", "status_id": 1, "unmapped": { "compliance": { "CCC": [ "CCC.ObjStor.CN05.AR04" ] } }, "activity_name": "Test", "activity_id": 1, "finding_info": { "created_time": 1775153019, "created_time_dt": "2026-04-02T18:03:39Z", "desc": "Compliance test scenario: Object versions are retained after deletion - Duplicate", "title": "Object versions are retained after deletion - Duplicate", "types": [], "uid": "ccc-test-2266-1775153019" }, "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "time": 1775153019, "time_dt": "2026-04-02T18:03:39Z", "type_uid": 200401, "type_name": "Compliance Finding: Test", "resources": [ { "cloud_partition": "azure", "region": "eastus", "data": { "details": " service on :", "metadata": { "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "status": "ACTIVE", "findings": [], "tags": [], "type": "object-storage", "region": "eastus" } }, "group": { "name": "object-storage" }, "name": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z", "type": "object-storage", "uid": "/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260402t161720z/providers/Microsoft.Storage/storageAccounts/stgcfi20260402t161720z" } ] } ]