CCC-Complete (Policy) 0.1
Test results for this specific product, vendor, and version combination
| Vendor | FINOS |
| Product | CCC-Complete (Policy) |
| Version | 0.1 |
Download Raw Results
Download the original OCSF or HTML result files used to generate this page
Test Summary
Aggregate summary of all tests for this configuration result
| Resources In Configuration | 1 |
| Count of Tests | 82 |
| Passing Tests | 60 |
| Failing Tests | 22 |
| Catalogs Tested |
Control Catalog Summary
Summary of test results grouped by control catalog and resource
| Control Catalog | Resources | Total Tests | Passing | Failing | Tested Requirements | Missing Requirements | Unused Core Requirements |
|---|---|---|---|---|---|---|---|
| CCC.Core | /subscriptions/c1ced... | 54 | 38 | 16 | CCC.Core.CN01.AR01CCC.Core.CN01.AR03CCC.Core.CN01.AR08CCC.Core.CN02.AR01CCC.Core.CN03.AR01CCC.Core.CN03.AR02CCC.Core.CN03.AR03CCC.Core.CN03.AR04CCC.Core.CN04.AR01CCC.Core.CN04.AR02CCC.Core.CN04.AR03CCC.Core.CN05.AR01CCC.Core.CN05.AR02CCC.Core.CN05.AR03CCC.Core.CN05.AR04CCC.Core.CN05.AR05CCC.Core.CN05.AR06CCC.Core.CN06.AR01CCC.Core.CN06.AR02CCC.Core.CN07.AR01CCC.Core.CN07.AR02CCC.Core.CN08.AR01CCC.Core.CN08.AR02CCC.Core.CN09.AR01CCC.Core.CN09.AR02CCC.Core.CN09.AR03CCC.Core.CN10.AR01 | ||
| CCC.ObjStor | /subscriptions/c1ced... | 28 | 22 | 6 | None |
Test Mapping Summary
Summary of test mappings showing how event codes map to test requirements
| Control Catalog | Test Requirement | Mapped Tests (Event Code | Total | Passing | Failing) |
|---|---|---|
| CCC.Core | CCC.Core.CN01.AR01 When a port is exposed for non-SSH network traffic, all traffic
MUST include a TLS handshake AND be encrypted using TLS 1.3 or
higher.
| Storage account enforces minimum TLS version202 |
| CCC.Core | CCC.Core.CN01.AR03 When the service receives unencrypted traffic,
then it MUST either block the request or automatically
redirect it to the secure equivalent.
| Object storage policy prevents the use of unencrypted ports202 |
| CCC.Core | CCC.Core.CN01.AR08 When a service transmits data using TLS, mutual TLS (mTLS) MUST be
implemented to require both client and server certificate
authentication for all connections.
| Storage account enforces mutual TLS - NotTested202 |
| CCC.Core | CCC.Core.CN02.AR01 When data is stored, it MUST be encrypted using the latest
industry-standard encryption methods.
| Object storage encryption compliance220 |
| CCC.Core | CCC.Core.CN03.AR01 When an entity attempts to modify the service through a user
interface, the authentication process MUST require multiple
identifying factors for authentication.
| Object storage delete protection compliance220 |
| CCC.Core | CCC.Core.CN03.AR02 When an entity attempts to modify the service through an API
endpoint, the authentication process MUST require a credential
such as an API key or token AND originate from within the trust
perimeter.
| API modification requires credential and trust perimeter origin - NotTestable220 |
| CCC.Core | CCC.Core.CN03.AR03 When an entity attempts to view information on the service through
a user interface, the authentication process MUST require multiple
identifying factors from the user.
| UI viewing requires multi-factor authentication - NotTestable220 |
| CCC.Core | CCC.Core.CN03.AR04 When an entity attempts to view information on the service through
an API endpoint, the authentication process MUST require a
credential such as an API key or token AND originate from within
the trust perimeter.
| API viewing requires credential and trust perimeter origin - NotTestable220 |
| CCC.Core | CCC.Core.CN04.AR01 When administrative access or configuration change is attempted on
the service or a child resource, the service MUST log the client
identity, time, and result of the attempt.
| Object storage admin logging compliance220 |
| CCC.Core | CCC.Core.CN04.AR02 When any attempt is made to modify data on the service or a child
resource, the service MUST log the client identity, time, and
result of the attempt.
| Object storage data modification logging compliance202 |
| CCC.Core | CCC.Core.CN04.AR03 When any attempt is made to read data on the service or a child
resource, the service MUST log the client identity, time, and
result of the attempt.
| Data read logging compliance202 |
| CCC.Core | CCC.Core.CN05.AR01 When an attempt is made to modify data on the service or a child
resource, the service MUST block requests from unauthorized
entities.
| Storage is not configured for public write access220 |
| CCC.Core | CCC.Core.CN05.AR02 When administrative access or configuration change is attempted on
the service or a child resource, the service MUST refuse requests
from unauthorized entities.
| Unauthorized administrative access is blocked220 |
| CCC.Core | CCC.Core.CN05.AR03 When administrative access or configuration change is attempted on
the service or a child resource in a multi-tenant environment, the
service MUST refuse requests across tenant boundaries unless the
origin is explicitly included in a pre-approved allowlist.
| Cross-tenant access is blocked without explicit allowlist220 |
| CCC.Core | CCC.Core.CN05.AR04 When data is requested from outside the trust perimeter, the
service MUST refuse requests from unauthorized entities.
| External unauthorized data requests are blocked220 |
| CCC.Core | CCC.Core.CN05.AR05 When any request is made from outside the trust perimeter,
the service MUST NOT provide any response that may indicate the
service exists.
| External requests do not reveal service existence - NotTested202 |
| CCC.Core | CCC.Core.CN05.AR06 When any request is made to the service or a child resource, the
service MUST refuse requests from unauthorized entities.
| All unauthorized requests are blocked - Duplicate220 |
| CCC.Core | CCC.Core.CN06.AR01 When the service is running, its region and availability zone MUST
be included in a list of explicitly trusted or approved locations
within the trust perimeter.
| Object storage region compliance220 |
| CCC.Core | CCC.Core.CN06.AR02 When a child resource is deployed, its region and availability
zone MUST be included in a list of explicitly trusted or approved
locations within the trust perimeter.
| Child resource region compliance - NotTestable220 |
| CCC.Core | CCC.Core.CN07.AR01 When enumeration activities are detected, the service MUST publish
an event to a monitored channel which includes the client
identity, time, and nature of the activity.
| Enumeration activities publish events to monitored channels202 |
| CCC.Core | CCC.Core.CN07.AR02 When enumeration activities are detected, the service MUST log the
client identity, time, and nature of the activity.
| Enumeration activities are logged220 |
| CCC.Core | CCC.Core.CN08.AR01 When data is created or modified, the data MUST have a complete
and recoverable duplicate that is stored in a physically separate
data center.
| Object storage replication compliance220 |
| CCC.Core | CCC.Core.CN08.AR02 When data is replicated into a second location, the service MUST
be able to accurately represent the replication locations,
replication status, and data synchronization status.
| Object storage replication status is visible220 |
| CCC.Core | CCC.Core.CN09.AR01 When the service is operational, its logs and any child resource
logs MUST NOT be accessible from the resource they record access
to.
| Object storage access logging compliance202 |
| CCC.Core | CCC.Core.CN09.AR02 When the service is operational, disabling the logs for the service
or its child resources MUST NOT be possible without also disabling
the corresponding resource.
| Disabling logs requires disabling the resource - NotTestable220 |
| CCC.Core | CCC.Core.CN09.AR03 When the service is operational, any attempt to redirect logs for
the service or its child resources MUST NOT be possible without
halting operation of the corresponding resource and publishing
corresponding events to monitored channels.
| Redirecting logs requires halting the resource - NotTestable220 |
| CCC.Core | CCC.Core.CN10.AR01 When data is replicated, the service MUST ensure that replication
only occurs to destinations that are explicitly included within
the defined trust perimeter.
| Object storage replication destination compliance220 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR01 When a request is made to read a bucket, the service
MUST prevent any request using KMS keys not listed as trusted by
the organization.
| Test policy for bucket access control220 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR02 When a request is made to read an object, the service
MUST prevent any request using KMS keys not listed as trusted by
the organization.
| All unauthorized requests are blocked202 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR03 When a request is made to write to a bucket, the service MUST
prevent any request using KMS keys not listed as trusted by the
organization.
| All unauthorized requests are blocked202 |
| CCC.ObjStor | CCC.ObjStor.CN01.AR04 When a request is made to write to an object, the service MUST
prevent any request using KMS keys not listed as trusted by the
organization.
| All unauthorized requests are blocked202 |
| CCC.ObjStor | CCC.ObjStor.CN02.AR01 When a permission set is allowed for an object in a bucket, the
service MUST allow the same permission set to access all objects
in the same bucket.
| Test policy for uniform access220 |
| CCC.ObjStor | CCC.ObjStor.CN02.AR02 When a permission set is denied for an object in a bucket, the
service MUST deny the same permission set to access all objects
in the same bucket.
| Uniform bucket-level access prevents object-level deny overrides - Duplicate220 |
| CCC.ObjStor | CCC.ObjStor.CN03.AR01 When an object storage bucket deletion is attempted, the bucket MUST be
fully recoverable for a set time-frame after deletion is requested.
| Test policy for bucket soft delete220 |
| CCC.ObjStor | CCC.ObjStor.CN03.AR02 When an attempt is made to modify the retention policy for an object
storage bucket, the service MUST prevent the policy from being modified.
| Test policy for immutable bucket retention lock220 |
| CCC.ObjStor | CCC.ObjStor.CN04.AR01 When an object is uploaded to the object storage system, the object
MUST automatically receive a default retention policy that prevents
premature deletion or modification.
| Test policy for default object retention220 |
| CCC.ObjStor | CCC.ObjStor.CN04.AR02 When an attempt is made to delete or modify an object that is subject
to an active retention policy, the service MUST prevent the action
from being completed.
| Test policy for object retention enforcement220 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR01 When an object is uploaded to the object storage bucket, the object
MUST be stored with a unique identifier.
| Objects are stored with unique version identifiers220 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR02 When an object is modified, the service MUST assign a new unique
identifier to the modified object to differentiate it from the
previous version.
| Modified objects receive new version identifiers - Duplicate220 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR03 When an object is modified, the service MUST allow for recovery
of previous versions of the object.
| Previous object versions can be recovered220 |
| CCC.ObjStor | CCC.ObjStor.CN05.AR04 When an object is deleted, the service MUST retain other versions of
the object to allow for recovery of previous versions.
| Object versions are retained after deletion - Duplicate220 |
Resource Summary
Summary of all resources mentioned in OCSF results
| Resource Name | Resource Type | Control Catalogs | Total Tests | Passing | Failing |
|---|---|---|---|---|---|
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | 82 | 60 | 22 |
Test Results
OCSF test results filtered for entries with CCC compliance mappings
| Status | Finding | Resource Name | Resource Type | Message | Test Requirements |
|---|---|---|---|---|---|
| FAIL | Storage account enforces minimum TLS version ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "object-storage-tls-policy" for control "CCC.Core.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account TLS Policy Check:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Storage account enforces minimum TLS version | |
| FAIL | Object storage policy prevents the use of unencrypted ports ✗ I attempt policy check "object-storage-unencrypted-policy" for control "CCC.Core.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage policy prevents the use of unencrypted ports | |
| FAIL | Storage account enforces mutual TLS - NotTested ✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Storage account enforces mutual TLS - NotTested | |
| PASS | Object storage encryption compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-encryption" for control "CCC.Core.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage encryption compliance | |
| PASS | Object storage delete protection compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-delete-protection" for control "CCC.Core.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage delete protection compliance | |
| PASS | API modification requires credential and trust perimeter origin - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | API modification requires credential and trust perimeter origin - NotTestable | |
| PASS | UI viewing requires multi-factor authentication - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | UI viewing requires multi-factor authentication - NotTestable | |
| PASS | API viewing requires credential and trust perimeter origin - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | API viewing requires credential and trust perimeter origin - NotTestable | |
| PASS | Object storage admin logging compliance ✓ I attempt policy check "admin-logging" for control "CCC.Core.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage admin logging compliance | |
| FAIL | Object storage data modification logging compliance ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "data-write-logging" for control "CCC.Core.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Write Configuration:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage data modification logging compliance | |
| FAIL | Data read logging compliance ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "data-read-logging" for control "CCC.Core.CN04" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Read Configuration:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Data read logging compliance | |
| PASS | Storage is not configured for public write access ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "object-storage-block-public-write-access" for control "CCC.Core.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Storage is not configured for public write access | |
| PASS | Unauthorized administrative access is blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Unauthorized administrative access is blocked | |
| PASS | Cross-tenant access is blocked without explicit allowlist ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-cross-tenant-block" for control "CCC.Core.CN05" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Cross-tenant access is blocked without explicit allowlist | |
| PASS | External unauthorized data requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-block-public-read" for control "CCC.Core.CN05" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | External unauthorized data requests are blocked | |
| FAIL | External requests do not reveal service existence - NotTested ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | External requests do not reveal service existence - NotTested | |
| PASS | All unauthorized requests are blocked - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked - Duplicate | |
| PASS | Object storage region compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-region" for control "CCC.Core.CN06" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage region compliance | |
| PASS | Child resource region compliance - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Child resource region compliance - NotTestable | |
| FAIL | Enumeration activities publish events to monitored channels ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "enumeration-monitoring-policy" for control "CCC.Core.CN07" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Enumeration activities publish events to monitored channels | |
| PASS | Enumeration activities are logged ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "enumeration-logging-policy" for control "CCC.Core.CN07" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Enumeration activities are logged | |
| PASS | Object storage replication compliance ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "object-storage-replication" for control "CCC.Core.CN08" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage replication compliance | |
| PASS | Object storage replication status is visible ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "object-storage-replication-status" for control "CCC.Core.CN08" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage replication status is visible | |
| FAIL | Object storage access logging compliance ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "object-storage-access-logging" for control "CCC.Core.CN09" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage access logging compliance | |
| PASS | Disabling logs requires disabling the resource - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Disabling logs requires disabling the resource - NotTestable | |
| PASS | Redirecting logs requires halting the resource - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Redirecting logs requires halting the resource - NotTestable | |
| PASS | Object storage replication destination compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-replication-destination" for control "CCC.Core.CN10" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage replication destination compliance | |
| PASS | Test policy for bucket access control ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "no-public-access" for control "CCC.ObjStor.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for bucket access control | |
| FAIL | All unauthorized requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I call "{storage}" with "CreateObject" using arguments "{ResourceName}", "test-object={Timestamp}.txt", and "test content"
✓ "{result}" is not an error
✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked | |
| FAIL | All unauthorized requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked | |
| FAIL | All unauthorized requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ "{result}" is not an error
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ "{result}" is not an error
✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked | |
| PASS | Test policy for uniform access ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "uniform-bucket-level-access" for control "CCC.ObjStor.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for uniform access | |
| PASS | Uniform bucket-level access prevents object-level deny overrides - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Uniform bucket-level access prevents object-level deny overrides - Duplicate | |
| PASS | Test policy for bucket soft delete ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "bucket-soft-delete" for control "CCC.ObjStor.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for bucket soft delete | |
| PASS | Test policy for immutable bucket retention lock ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "bucket-retention-lock" for control "CCC.ObjStor.CN03" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for immutable bucket retention lock | |
| PASS | Test policy for default object retention ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "object-default-retention" for control "CCC.ObjStor.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for default object retention | |
| PASS | Test policy for object retention enforcement ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "object-retention-enforcement" for control "CCC.ObjStor.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for object retention enforcement | |
| PASS | Objects are stored with unique version identifiers ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "object-storage-versioning" for control "CCC.ObjStor.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Objects are stored with unique version identifiers | |
| PASS | Modified objects receive new version identifiers - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Modified objects receive new version identifiers - Duplicate | |
| PASS | Previous object versions can be recovered ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Previous object versions can be recovered | |
| PASS | Object versions are retained after deletion - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object versions are retained after deletion - Duplicate | |
| FAIL | Storage account enforces minimum TLS version ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "object-storage-tls-policy" for control "CCC.Core.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account TLS Policy Check:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Storage account enforces minimum TLS version | |
| FAIL | Object storage policy prevents the use of unencrypted ports ✗ I attempt policy check "object-storage-unencrypted-policy" for control "CCC.Core.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage policy prevents the use of unencrypted ports | |
| FAIL | Storage account enforces mutual TLS - NotTested ✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Storage account enforces mutual TLS - NotTested | |
| PASS | Object storage encryption compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-encryption" for control "CCC.Core.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage encryption compliance | |
| PASS | Object storage delete protection compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-delete-protection" for control "CCC.Core.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage delete protection compliance | |
| PASS | API modification requires credential and trust perimeter origin - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | API modification requires credential and trust perimeter origin - NotTestable | |
| PASS | UI viewing requires multi-factor authentication - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | UI viewing requires multi-factor authentication - NotTestable | |
| PASS | API viewing requires credential and trust perimeter origin - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | API viewing requires credential and trust perimeter origin - NotTestable | |
| PASS | Object storage admin logging compliance ✓ I attempt policy check "admin-logging" for control "CCC.Core.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage admin logging compliance | |
| FAIL | Object storage data modification logging compliance ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "data-write-logging" for control "CCC.Core.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Write Configuration:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage data modification logging compliance | |
| FAIL | Data read logging compliance ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "data-read-logging" for control "CCC.Core.CN04" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Read Configuration:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Data read logging compliance | |
| PASS | Storage is not configured for public write access ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "object-storage-block-public-write-access" for control "CCC.Core.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Storage is not configured for public write access | |
| PASS | Unauthorized administrative access is blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Unauthorized administrative access is blocked | |
| PASS | Cross-tenant access is blocked without explicit allowlist ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-cross-tenant-block" for control "CCC.Core.CN05" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Cross-tenant access is blocked without explicit allowlist | |
| PASS | External unauthorized data requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-block-public-read" for control "CCC.Core.CN05" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | External unauthorized data requests are blocked | |
| FAIL | External requests do not reveal service existence - NotTested ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | External requests do not reveal service existence - NotTested | |
| PASS | All unauthorized requests are blocked - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked - Duplicate | |
| PASS | Object storage region compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-region" for control "CCC.Core.CN06" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage region compliance | |
| PASS | Child resource region compliance - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Child resource region compliance - NotTestable | |
| FAIL | Enumeration activities publish events to monitored channels ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "enumeration-monitoring-policy" for control "CCC.Core.CN07" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Enumeration activities publish events to monitored channels | |
| PASS | Enumeration activities are logged ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "enumeration-logging-policy" for control "CCC.Core.CN07" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Enumeration activities are logged | |
| PASS | Object storage replication compliance ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "object-storage-replication" for control "CCC.Core.CN08" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage replication compliance | |
| PASS | Object storage replication status is visible ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "object-storage-replication-status" for control "CCC.Core.CN08" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage replication status is visible | |
| FAIL | Object storage access logging compliance ✓ a cloud api for "{Instance}" in "api"
✗ I attempt policy check "object-storage-access-logging" for control "CCC.Core.CN09" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage access logging compliance | |
| PASS | Disabling logs requires disabling the resource - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Disabling logs requires disabling the resource - NotTestable | |
| PASS | Redirecting logs requires halting the resource - NotTestable ✓ a cloud api for "{Instance}" in "api"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Redirecting logs requires halting the resource - NotTestable | |
| PASS | Object storage replication destination compliance ✓ a cloud api for "{Instance}" in "api"
✓ I attempt policy check "object-storage-replication-destination" for control "CCC.Core.CN10" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object storage replication destination compliance | |
| PASS | Test policy for bucket access control ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "no-public-access" for control "CCC.ObjStor.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for bucket access control | |
| FAIL | All unauthorized requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I call "{storage}" with "CreateObject" using arguments "{ResourceName}", "test-object={Timestamp}.txt", and "test content"
✓ "{result}" is not an error
✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked | |
| FAIL | All unauthorized requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked | |
| FAIL | All unauthorized requests are blocked ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ "{result}" is not an error
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ "{result}" is not an error
✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use:
⊘ "{result}" is true (skipped) | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | All unauthorized requests are blocked | |
| PASS | Test policy for uniform access ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "uniform-bucket-level-access" for control "CCC.ObjStor.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for uniform access | |
| PASS | Uniform bucket-level access prevents object-level deny overrides - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Uniform bucket-level access prevents object-level deny overrides - Duplicate | |
| PASS | Test policy for bucket soft delete ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "bucket-soft-delete" for control "CCC.ObjStor.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for bucket soft delete | |
| PASS | Test policy for immutable bucket retention lock ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "bucket-retention-lock" for control "CCC.ObjStor.CN03" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for immutable bucket retention lock | |
| PASS | Test policy for default object retention ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "object-default-retention" for control "CCC.ObjStor.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for default object retention | |
| PASS | Test policy for object retention enforcement ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I call "{api}" with "GetServiceAPI" using argument "iam"
✓ I refer to "{result}" as "iamService"
✓ I attempt policy check "object-retention-enforcement" for control "CCC.ObjStor.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Test policy for object retention enforcement | |
| PASS | Objects are stored with unique version identifiers ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ I attempt policy check "object-storage-versioning" for control "CCC.ObjStor.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}"
✓ "{result}" is true | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Objects are stored with unique version identifiers | |
| PASS | Modified objects receive new version identifiers - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Modified objects receive new version identifiers - Duplicate | |
| PASS | Previous object versions can be recovered ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Previous object versions can be recovered | |
| PASS | Object versions are retained after deletion - Duplicate ✓ a cloud api for "{Instance}" in "api"
✓ I call "{api}" with "GetServiceAPI" using argument "object-storage"
✓ I refer to "{result}" as "storage"
✓ no-op required | /subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z | object-storage | Object versions are retained after deletion - Duplicate |