Skip to main content

Configuration Summary

IDaws-s3-bucket
Provideraws
NameCCC AWS S3 Bucket Terraform Module
DescriptionThis module creates secure AWS S3 buckets with encryption, versioning, lifecycle management, and advanced security features.
Servicestorage
Pathremote/aws/s3bucket
GitHub LinkView GitHub Repository
Terraform FilesView Terraform Files

Repository Information

Repository Namecfi-s3-module
DescriptionVarious CFI artifacts for AI, Object Storage, VPN, Databases etc.
Repository URLhttps://github.com/robmoffat/cfi-s3-module
Downloaded AtOctober 7, 2025 at 07:54 AM
Workflow Status
successRun #18279299317

Test Summary

Aggregate summary of all tests in this configuration

Resources In Configuration10
Count of Tests40
Passing Tests19
Failing Tests21
Catalogs Tested
CCC.ObjStor

Control Catalog Summary

Summary of test results grouped by control catalog and resource

Control CatalogResourcesTotal TestsPassingFailingTested RequirementsMissing Requirements
CCC.ObjStor
06e4e2ba-d746-4961-a...2112034953943ebf1622-2c1f-4429-9...<root_account>cloudfront-logs-well...d1b7f965-bf16-4960-9...d2d3259d-bfff-4848-8...logs-well-mooses3-bucket-well-moosesimple-well-moose
401921
CCC.ObjStor.C01.TR01CCC.ObjStor.C01.TR02CCC.ObjStor.C01.TR03CCC.ObjStor.C01.TR04CCC.ObjStor.C02.TR01CCC.ObjStor.C02.TR02CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02CCC.ObjStor.C05.TR03CCC.ObjStor.C05.TR04CCC.ObjStor.C06.TR01
CCC.Core.C01.TR01CCC.Core.C01.TR02CCC.Core.C01.TR03CCC.Core.C01.TR07CCC.Core.C01.TR08CCC.Core.C02.TR01CCC.Core.C03.TR01CCC.Core.C03.TR02CCC.Core.C03.TR03CCC.Core.C03.TR04CCC.Core.C04.TR01CCC.Core.C04.TR02CCC.Core.C04.TR03CCC.Core.C05.TR01CCC.Core.C05.TR02CCC.Core.C05.TR03CCC.Core.C05.TR04CCC.Core.C05.TR05CCC.Core.C05.TR06CCC.Core.C06.TR01CCC.Core.C06.TR02CCC.Core.C07.TR01CCC.Core.C07.TR02CCC.Core.C09.TR01CCC.Core.C09.TR02CCC.Core.C09.TR03CCC.Core.C10.TR01CCC.ObjStor.C04.TR02

Test Mapping Summary

Summary of test mappings showing how event codes map to test requirements

Control CatalogTest Requirement IDMapped Tests (Event Code | Total | Passing | Failing)
CCC.ObjStorCCC.ObjStor.C01.TR01
kms_key_not_publicly_accessible
110
s3_bucket_kms_encryption
413
CCC.ObjStorCCC.ObjStor.C01.TR02
kms_cmk_not_deleted_unintentionally
413
kms_key_not_publicly_accessible
110
CCC.ObjStorCCC.ObjStor.C01.TR03
kms_cmk_not_deleted_unintentionally
413
kms_key_not_publicly_accessible
110
s3_bucket_kms_encryption
413
CCC.ObjStorCCC.ObjStor.C01.TR04
kms_cmk_not_deleted_unintentionally
413
kms_cmk_not_multi_region
110
kms_key_not_publicly_accessible
110
CCC.ObjStorCCC.ObjStor.C02.TR01
s3_bucket_public_write_acl
440
CCC.ObjStorCCC.ObjStor.C02.TR02
s3_bucket_acl_prohibited
422
s3_bucket_public_access
440
s3_bucket_public_write_acl
440
CCC.ObjStorCCC.ObjStor.C03.TR01
s3_bucket_lifecycle_enabled
413
s3_bucket_object_lock
413
s3_bucket_object_versioning
413
CCC.ObjStorCCC.ObjStor.C03.TR02
s3_bucket_lifecycle_enabled
413
s3_bucket_object_versioning
413
CCC.ObjStorCCC.ObjStor.C04.TR01
s3_bucket_object_lock
413
s3_bucket_object_versioning
413
CCC.ObjStorCCC.ObjStor.C05.TR01
s3_bucket_object_lock
413
s3_bucket_object_versioning
413
CCC.ObjStorCCC.ObjStor.C05.TR02
iam_rotate_access_key_90_days
110
s3_bucket_object_lock
413
s3_bucket_object_versioning
413
CCC.ObjStorCCC.ObjStor.C05.TR03
s3_bucket_object_versioning
413
CCC.ObjStorCCC.ObjStor.C05.TR04
kms_cmk_not_deleted_unintentionally
413
s3_bucket_object_versioning
413
CCC.ObjStorCCC.ObjStor.C06.TR01
cloudtrail_s3_dataevents_read_enabled
101
s3_bucket_server_access_logging_enabled
413

Resource Summary

Summary of all resources mentioned in OCSF results

Resource NameResource TypeControl CatalogsTotal TestsPassingFailing
<root_account>
AwsIamUser
No CCC catalogs
532
<root_account>
AwsIamAccessKey
CCC.ObjStor
330
06e4e2ba-d746-4961-a0c3-8b3970228960
AwsKmsKey
CCC.ObjStor
211
211203495394
AwsAccount
No CCC catalogs
511
211203495394
AwsBackupBackupVault
No CCC catalogs
101
211203495394
AwsCloudTrailTrail
CCC.ObjStor
36036
211203495394
AwsCloudWatchAlarm
No CCC catalogs
15015
211203495394
Other
No CCC catalogs
30029
211203495394
AwsIamPolicy
No CCC catalogs
110
211203495394
AwsIamRole
No CCC catalogs
101
211203495394
AwsS3AccountPublicAccessBlock
No CCC catalogs
101
211203495394
AwsEc2Vpc
No CCC catalogs
101
3ebf1622-2c1f-4429-9607-9f07906793ad
AwsKmsKey
CCC.ObjStor
211
AdministratorAccess
AwsIamPolicy
No CCC catalogs
101
analyzer/unknown
Other
No CCC catalogs
17017
AWSSupportServiceRolePolicy
AwsIamPolicy
No CCC catalogs
110
AWSTrustedAdvisorServiceRolePolicy
AwsIamPolicy
No CCC catalogs
110
cloudfront-logs-well-moose
AwsS3Bucket
CCC.ObjStor
17710
d1b7f965-bf16-4960-93e3-c6326c53f1f2
AwsKmsKey
CCC.ObjStor
541
d2d3259d-bfff-4848-8bc7-d81169f2ed74
AwsKmsKey
CCC.ObjStor
211
default
AwsEventsEventbus
No CCC catalogs
34340
logs-well-moose
AwsS3Bucket
CCC.ObjStor
1789
model-invocation-logging
Other
No CCC catalogs
16016
s3-bucket-well-moose
AwsS3Bucket
CCC.ObjStor
17134
SecurityAudit
AwsIamRole
No CCC catalogs
101
sg-008944225f228fd81
AwsEc2SecurityGroup
No CCC catalogs
220
sg-014e009f46ee13b45
AwsEc2SecurityGroup
No CCC catalogs
220
sg-01923ef90e2de7133
AwsEc2SecurityGroup
No CCC catalogs
220
sg-029960885501a0b75
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0327baf3109c76bd6
AwsEc2SecurityGroup
No CCC catalogs
220
sg-03318d6619212b0ba
AwsEc2SecurityGroup
No CCC catalogs
220
sg-03a7045e3785df7ff
AwsEc2SecurityGroup
No CCC catalogs
220
sg-066f794ff1205057d
AwsEc2SecurityGroup
No CCC catalogs
220
sg-099c221d7926804bb
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0b3de880562ea3eb7
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0c66948cc6f6dcdda
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0d76d3e4b114d9607
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0df0417b64dd9e39e
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0e59948ea67ec4573
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0e6674385e3c02b58
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0ec663ac32427bceb
AwsEc2SecurityGroup
No CCC catalogs
220
sg-0f7d37ac7dc72736c
AwsEc2SecurityGroup
No CCC catalogs
220
simple-well-moose
AwsS3Bucket
CCC.ObjStor
1789
terraform-20251006112730373600000001
AwsIamRole
No CCC catalogs
101
TerraformRole
AwsIamRole
No CCC catalogs
211
unknown
Other
No CCC catalogs
404
vpce-svc-028691921eaeee579
AwsEc2VpcEndpointService
No CCC catalogs
110
vpce-svc-02e288a4c6043110f
AwsEc2VpcEndpointService
No CCC catalogs
110

Test Results

OCSF test results filtered for entries with CCC compliance mappings

StatusFindingResource NameResource TypeMessageTest Requirements
FAIL
Check if S3 buckets have Object-level logging for read events is enabled in CloudTrail.
No CloudTrail trails have a data event to record all S3 object-level API operations.
211203495394
AwsCloudTrailTrail
No CloudTrail trails have a data event to record all S3 object-level API operations.
CCC.ObjStor.C06.TR01
PASS
Ensure access keys are rotated every 90 days or less
User <root_account> does not have access keys.
<root_account>
AwsIamAccessKey
User <root_account> does not have access keys.
CCC.ObjStor.C05.TR02
FAIL
AWS KMS keys should not be deleted unintentionally
KMS CMK 06e4e2ba-d746-4961-a0c3-8b3970228960 is scheduled for deletion, revert it if it was unintentionally.
06e4e2ba-d746-4961-a0c3-8b3970228960
AwsKmsKey
KMS CMK 06e4e2ba-d746-4961-a0c3-8b3970228960 is scheduled for deletion, revert it if it was unintentionally.
CCC.ObjStor.C01.TR02CCC.ObjStor.C01.TR03CCC.ObjStor.C01.TR04CCC.ObjStor.C05.TR04
FAIL
AWS KMS keys should not be deleted unintentionally
KMS CMK 3ebf1622-2c1f-4429-9607-9f07906793ad is scheduled for deletion, revert it if it was unintentionally.
3ebf1622-2c1f-4429-9607-9f07906793ad
AwsKmsKey
KMS CMK 3ebf1622-2c1f-4429-9607-9f07906793ad is scheduled for deletion, revert it if it was unintentionally.
CCC.ObjStor.C01.TR02CCC.ObjStor.C01.TR03CCC.ObjStor.C01.TR04CCC.ObjStor.C05.TR04
PASS
AWS KMS keys should not be deleted unintentionally
KMS CMK d1b7f965-bf16-4960-93e3-c6326c53f1f2 is not scheduled for deletion.
d1b7f965-bf16-4960-93e3-c6326c53f1f2
AwsKmsKey
KMS CMK d1b7f965-bf16-4960-93e3-c6326c53f1f2 is not scheduled for deletion.
CCC.ObjStor.C01.TR02CCC.ObjStor.C01.TR03CCC.ObjStor.C01.TR04CCC.ObjStor.C05.TR04
FAIL
AWS KMS keys should not be deleted unintentionally
KMS CMK d2d3259d-bfff-4848-8bc7-d81169f2ed74 is scheduled for deletion, revert it if it was unintentionally.
d2d3259d-bfff-4848-8bc7-d81169f2ed74
AwsKmsKey
KMS CMK d2d3259d-bfff-4848-8bc7-d81169f2ed74 is scheduled for deletion, revert it if it was unintentionally.
CCC.ObjStor.C01.TR02CCC.ObjStor.C01.TR03CCC.ObjStor.C01.TR04CCC.ObjStor.C05.TR04
PASS
AWS KMS customer managed keys should not be multi-Region
KMS CMK d1b7f965-bf16-4960-93e3-c6326c53f1f2 is a single-region key.
d1b7f965-bf16-4960-93e3-c6326c53f1f2
AwsKmsKey
KMS CMK d1b7f965-bf16-4960-93e3-c6326c53f1f2 is a single-region key.
CCC.ObjStor.C01.TR04
PASS
Check exposed KMS keys
KMS key d1b7f965-bf16-4960-93e3-c6326c53f1f2 is not exposed to Public.
d1b7f965-bf16-4960-93e3-c6326c53f1f2
AwsKmsKey
KMS key d1b7f965-bf16-4960-93e3-c6326c53f1f2 is not exposed to Public.
CCC.ObjStor.C01.TR01CCC.ObjStor.C01.TR02CCC.ObjStor.C01.TR03CCC.ObjStor.C01.TR04
FAIL
Check if S3 buckets have ACLs enabled
S3 Bucket cloudfront-logs-well-moose has bucket ACLs enabled.
cloudfront-logs-well-moose
AwsS3Bucket
S3 Bucket cloudfront-logs-well-moose has bucket ACLs enabled.
CCC.ObjStor.C02.TR02
PASS
Check if S3 buckets have ACLs enabled
S3 Bucket logs-well-moose has bucket ACLs disabled.
logs-well-moose
AwsS3Bucket
S3 Bucket logs-well-moose has bucket ACLs disabled.
CCC.ObjStor.C02.TR02
FAIL
Check if S3 buckets have ACLs enabled
S3 Bucket s3-bucket-well-moose has bucket ACLs enabled.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose has bucket ACLs enabled.
CCC.ObjStor.C02.TR02
PASS
Check if S3 buckets have ACLs enabled
S3 Bucket simple-well-moose has bucket ACLs disabled.
simple-well-moose
AwsS3Bucket
S3 Bucket simple-well-moose has bucket ACLs disabled.
CCC.ObjStor.C02.TR02
FAIL
Check if S3 buckets have KMS encryption enabled.
Server Side Encryption is not configured with kms for S3 Bucket cloudfront-logs-well-moose.
cloudfront-logs-well-moose
AwsS3Bucket
Server Side Encryption is not configured with kms for S3 Bucket cloudfront-logs-well-moose.
CCC.ObjStor.C01.TR01CCC.ObjStor.C01.TR03
FAIL
Check if S3 buckets have KMS encryption enabled.
Server Side Encryption is not configured with kms for S3 Bucket logs-well-moose.
logs-well-moose
AwsS3Bucket
Server Side Encryption is not configured with kms for S3 Bucket logs-well-moose.
CCC.ObjStor.C01.TR01CCC.ObjStor.C01.TR03
PASS
Check if S3 buckets have KMS encryption enabled.
S3 Bucket s3-bucket-well-moose has Server Side Encryption with aws:kms.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose has Server Side Encryption with aws:kms.
CCC.ObjStor.C01.TR01CCC.ObjStor.C01.TR03
FAIL
Check if S3 buckets have KMS encryption enabled.
Server Side Encryption is not configured with kms for S3 Bucket simple-well-moose.
simple-well-moose
AwsS3Bucket
Server Side Encryption is not configured with kms for S3 Bucket simple-well-moose.
CCC.ObjStor.C01.TR01CCC.ObjStor.C01.TR03
FAIL
Check if S3 buckets have a Lifecycle configuration enabled
S3 Bucket cloudfront-logs-well-moose does not have a lifecycle configuration enabled.
cloudfront-logs-well-moose
AwsS3Bucket
S3 Bucket cloudfront-logs-well-moose does not have a lifecycle configuration enabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02
FAIL
Check if S3 buckets have a Lifecycle configuration enabled
S3 Bucket logs-well-moose does not have a lifecycle configuration enabled.
logs-well-moose
AwsS3Bucket
S3 Bucket logs-well-moose does not have a lifecycle configuration enabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02
PASS
Check if S3 buckets have a Lifecycle configuration enabled
S3 Bucket s3-bucket-well-moose has a lifecycle configuration enabled.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose has a lifecycle configuration enabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02
FAIL
Check if S3 buckets have a Lifecycle configuration enabled
S3 Bucket simple-well-moose does not have a lifecycle configuration enabled.
simple-well-moose
AwsS3Bucket
S3 Bucket simple-well-moose does not have a lifecycle configuration enabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02
FAIL
Check if S3 buckets have object lock enabled
S3 Bucket cloudfront-logs-well-moose has Object Lock disabled.
cloudfront-logs-well-moose
AwsS3Bucket
S3 Bucket cloudfront-logs-well-moose has Object Lock disabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02
FAIL
Check if S3 buckets have object lock enabled
S3 Bucket logs-well-moose has Object Lock disabled.
logs-well-moose
AwsS3Bucket
S3 Bucket logs-well-moose has Object Lock disabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02
PASS
Check if S3 buckets have object lock enabled
S3 Bucket s3-bucket-well-moose has Object Lock enabled.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose has Object Lock enabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02
FAIL
Check if S3 buckets have object lock enabled
S3 Bucket simple-well-moose has Object Lock disabled.
simple-well-moose
AwsS3Bucket
S3 Bucket simple-well-moose has Object Lock disabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02
FAIL
Check if S3 buckets have object versioning enabled
S3 Bucket cloudfront-logs-well-moose has versioning disabled.
cloudfront-logs-well-moose
AwsS3Bucket
S3 Bucket cloudfront-logs-well-moose has versioning disabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02CCC.ObjStor.C05.TR03CCC.ObjStor.C05.TR04
FAIL
Check if S3 buckets have object versioning enabled
S3 Bucket logs-well-moose has versioning disabled.
logs-well-moose
AwsS3Bucket
S3 Bucket logs-well-moose has versioning disabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02CCC.ObjStor.C05.TR03CCC.ObjStor.C05.TR04
PASS
Check if S3 buckets have object versioning enabled
S3 Bucket s3-bucket-well-moose has versioning enabled.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose has versioning enabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02CCC.ObjStor.C05.TR03CCC.ObjStor.C05.TR04
FAIL
Check if S3 buckets have object versioning enabled
S3 Bucket simple-well-moose has versioning disabled.
simple-well-moose
AwsS3Bucket
S3 Bucket simple-well-moose has versioning disabled.
CCC.ObjStor.C03.TR01CCC.ObjStor.C03.TR02CCC.ObjStor.C04.TR01CCC.ObjStor.C05.TR01CCC.ObjStor.C05.TR02CCC.ObjStor.C05.TR03CCC.ObjStor.C05.TR04
PASS
Ensure there are no S3 buckets open to Everyone or Any AWS user.
S3 Bucket cloudfront-logs-well-moose is not public.
cloudfront-logs-well-moose
AwsS3Bucket
S3 Bucket cloudfront-logs-well-moose is not public.
CCC.ObjStor.C02.TR02
PASS
Ensure there are no S3 buckets open to Everyone or Any AWS user.
S3 Bucket logs-well-moose is not public.
logs-well-moose
AwsS3Bucket
S3 Bucket logs-well-moose is not public.
CCC.ObjStor.C02.TR02
PASS
Ensure there are no S3 buckets open to Everyone or Any AWS user.
S3 Bucket s3-bucket-well-moose is not public.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose is not public.
CCC.ObjStor.C02.TR02
PASS
Ensure there are no S3 buckets open to Everyone or Any AWS user.
S3 Bucket simple-well-moose is not public.
simple-well-moose
AwsS3Bucket
S3 Bucket simple-well-moose is not public.
CCC.ObjStor.C02.TR02
PASS
Ensure there are no S3 buckets writable by Everyone or Any AWS customer.
S3 Bucket cloudfront-logs-well-moose is not publicly writable.
cloudfront-logs-well-moose
AwsS3Bucket
S3 Bucket cloudfront-logs-well-moose is not publicly writable.
CCC.ObjStor.C02.TR01CCC.ObjStor.C02.TR02
PASS
Ensure there are no S3 buckets writable by Everyone or Any AWS customer.
S3 Bucket logs-well-moose is not publicly writable.
logs-well-moose
AwsS3Bucket
S3 Bucket logs-well-moose is not publicly writable.
CCC.ObjStor.C02.TR01CCC.ObjStor.C02.TR02
PASS
Ensure there are no S3 buckets writable by Everyone or Any AWS customer.
S3 Bucket s3-bucket-well-moose is not publicly writable.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose is not publicly writable.
CCC.ObjStor.C02.TR01CCC.ObjStor.C02.TR02
PASS
Ensure there are no S3 buckets writable by Everyone or Any AWS customer.
S3 Bucket simple-well-moose is not publicly writable.
simple-well-moose
AwsS3Bucket
S3 Bucket simple-well-moose is not publicly writable.
CCC.ObjStor.C02.TR01CCC.ObjStor.C02.TR02
FAIL
Check if S3 buckets have server access logging enabled
S3 Bucket cloudfront-logs-well-moose has server access logging disabled.
cloudfront-logs-well-moose
AwsS3Bucket
S3 Bucket cloudfront-logs-well-moose has server access logging disabled.
CCC.ObjStor.C06.TR01
FAIL
Check if S3 buckets have server access logging enabled
S3 Bucket logs-well-moose has server access logging disabled.
logs-well-moose
AwsS3Bucket
S3 Bucket logs-well-moose has server access logging disabled.
CCC.ObjStor.C06.TR01
PASS
Check if S3 buckets have server access logging enabled
S3 Bucket s3-bucket-well-moose has server access logging enabled.
s3-bucket-well-moose
AwsS3Bucket
S3 Bucket s3-bucket-well-moose has server access logging enabled.
CCC.ObjStor.C06.TR01
FAIL
Check if S3 buckets have server access logging enabled
S3 Bucket simple-well-moose has server access logging disabled.
simple-well-moose
AwsS3Bucket
S3 Bucket simple-well-moose has server access logging disabled.
CCC.ObjStor.C06.TR01