[ { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1776043863" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "type": "vpc", "uid": "vpc-02b2cf8649cae372a" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1776043863" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "type": "vpc", "uid": "vpc-02b2cf8649cae372a" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1776043863" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "type": "vpc", "uid": "vpc-02b2cf8649cae372a" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1776043863" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "type": "vpc", "uid": "vpc-02b2cf8649cae372a" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1776043863" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "type": "vpc", "uid": "vpc-02b2cf8649cae372a" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1776043863" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "type": "vpc", "uid": "vpc-02b2cf8649cae372a" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1776043863" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02b2cf8649cae372a", "region": "us-east-1", "type": "vpc", "uid": "vpc-02b2cf8649cae372a" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043862, "created_time_dt": "2026-04-13T01:31:02Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1776043862" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "type": "vpc", "uid": "vpc-09f36d618737b4da7" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1776043862, "time_dt": "2026-04-13T01:31:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043862, "created_time_dt": "2026-04-13T01:31:02Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1776043862" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "type": "vpc", "uid": "vpc-09f36d618737b4da7" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1776043862, "time_dt": "2026-04-13T01:31:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043862, "created_time_dt": "2026-04-13T01:31:02Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1776043862" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "type": "vpc", "uid": "vpc-09f36d618737b4da7" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1776043862, "time_dt": "2026-04-13T01:31:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043862, "created_time_dt": "2026-04-13T01:31:02Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1776043862" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "type": "vpc", "uid": "vpc-09f36d618737b4da7" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1776043862, "time_dt": "2026-04-13T01:31:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043862, "created_time_dt": "2026-04-13T01:31:02Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1776043862" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "type": "vpc", "uid": "vpc-09f36d618737b4da7" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1776043862, "time_dt": "2026-04-13T01:31:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043862, "created_time_dt": "2026-04-13T01:31:02Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1776043862" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "type": "vpc", "uid": "vpc-09f36d618737b4da7" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1776043862, "time_dt": "2026-04-13T01:31:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043863, "created_time_dt": "2026-04-13T01:31:03Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1776043863" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-09f36d618737b4da7", "region": "us-east-1", "type": "vpc", "uid": "vpc-09f36d618737b4da7" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1776043863, "time_dt": "2026-04-13T01:31:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1776043864" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "type": "vpc", "uid": "vpc-0351e15653a529b6c" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1776043864" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "type": "vpc", "uid": "vpc-0351e15653a529b6c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043865, "created_time_dt": "2026-04-13T01:31:05Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1776043865" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "type": "vpc", "uid": "vpc-0351e15653a529b6c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1776043865, "time_dt": "2026-04-13T01:31:05Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043865, "created_time_dt": "2026-04-13T01:31:05Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1776043865" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "type": "vpc", "uid": "vpc-0351e15653a529b6c" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1776043865, "time_dt": "2026-04-13T01:31:05Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043865, "created_time_dt": "2026-04-13T01:31:05Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1776043865" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "type": "vpc", "uid": "vpc-0351e15653a529b6c" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1776043865, "time_dt": "2026-04-13T01:31:05Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043865, "created_time_dt": "2026-04-13T01:31:05Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1776043865" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "type": "vpc", "uid": "vpc-0351e15653a529b6c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1776043865, "time_dt": "2026-04-13T01:31:05Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043865, "created_time_dt": "2026-04-13T01:31:05Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1776043865" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0351e15653a529b6c", "region": "us-east-1", "type": "vpc", "uid": "vpc-0351e15653a529b6c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1776043865, "time_dt": "2026-04-13T01:31:05Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043844, "created_time_dt": "2026-04-13T01:30:44Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1776043844" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "type": "vpc", "uid": "vpc-0fd941576fc1de4a0" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1776043844, "time_dt": "2026-04-13T01:30:44Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043844, "created_time_dt": "2026-04-13T01:30:44Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1776043844" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "type": "vpc", "uid": "vpc-0fd941576fc1de4a0" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1776043844, "time_dt": "2026-04-13T01:30:44Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043844, "created_time_dt": "2026-04-13T01:30:44Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1776043844" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "type": "vpc", "uid": "vpc-0fd941576fc1de4a0" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1776043844, "time_dt": "2026-04-13T01:30:44Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043845, "created_time_dt": "2026-04-13T01:30:45Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1776043845" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "type": "vpc", "uid": "vpc-0fd941576fc1de4a0" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1776043845, "time_dt": "2026-04-13T01:30:45Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043845, "created_time_dt": "2026-04-13T01:30:45Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1776043845" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "type": "vpc", "uid": "vpc-0fd941576fc1de4a0" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1776043845, "time_dt": "2026-04-13T01:30:45Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043845, "created_time_dt": "2026-04-13T01:30:45Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1776043845" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "type": "vpc", "uid": "vpc-0fd941576fc1de4a0" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1776043845, "time_dt": "2026-04-13T01:30:45Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043845, "created_time_dt": "2026-04-13T01:30:45Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1776043845" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0fd941576fc1de4a0", "region": "us-east-1", "type": "vpc", "uid": "vpc-0fd941576fc1de4a0" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1776043845, "time_dt": "2026-04-13T01:30:45Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1776043864" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "type": "vpc", "uid": "vpc-076ba48bcbf648628" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1776043864" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "type": "vpc", "uid": "vpc-076ba48bcbf648628" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1776043864" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "type": "vpc", "uid": "vpc-076ba48bcbf648628" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1776043864" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "type": "vpc", "uid": "vpc-076ba48bcbf648628" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1776043864" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "type": "vpc", "uid": "vpc-076ba48bcbf648628" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1776043864" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "type": "vpc", "uid": "vpc-076ba48bcbf648628" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043864, "created_time_dt": "2026-04-13T01:31:04Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1776043864" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-076ba48bcbf648628", "region": "us-east-1", "type": "vpc", "uid": "vpc-076ba48bcbf648628" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1776043864, "time_dt": "2026-04-13T01:31:04Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043845, "created_time_dt": "2026-04-13T01:30:45Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1776043845" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "type": "vpc", "uid": "vpc-05f4e0d1e4eccf07f" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1776043845, "time_dt": "2026-04-13T01:30:45Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043845, "created_time_dt": "2026-04-13T01:30:45Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1776043845" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "type": "vpc", "uid": "vpc-05f4e0d1e4eccf07f" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✓ \"{result.Reason}\" contains \"disable default public IP\"", "status_id": 1, "time": 1776043845, "time_dt": "2026-04-13T01:30:45Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043846, "created_time_dt": "2026-04-13T01:30:46Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1776043846" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "type": "vpc", "uid": "vpc-05f4e0d1e4eccf07f" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✓ \"{result.Deleted}\" is true", "status_id": 1, "time": 1776043846, "time_dt": "2026-04-13T01:30:46Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043848, "created_time_dt": "2026-04-13T01:30:48Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1776043848" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "type": "vpc", "uid": "vpc-05f4e0d1e4eccf07f" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1776043848, "time_dt": "2026-04-13T01:30:48Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043848, "created_time_dt": "2026-04-13T01:30:48Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1776043848" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "type": "vpc", "uid": "vpc-05f4e0d1e4eccf07f" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1776043848, "time_dt": "2026-04-13T01:30:48Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043848, "created_time_dt": "2026-04-13T01:30:48Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1776043848" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "type": "vpc", "uid": "vpc-05f4e0d1e4eccf07f" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.FlowLogCount}\" should be greater than \"0\"\n✓ \"{result.NonCompliantCount}\" is \"0\"", "status_id": 1, "time": 1776043848, "time_dt": "2026-04-13T01:30:48Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1776043849, "created_time_dt": "2026-04-13T01:30:49Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1776043849" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-05f4e0d1e4eccf07f", "region": "us-east-1", "type": "vpc", "uid": "vpc-05f4e0d1e4eccf07f" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✓ \"{result.Deleted}\" is true\n✓ \"{TrafficCleanupDeleted}\" is true\n✓ \"{RecordsObserved}\" is true", "status_id": 1, "time": 1776043849, "time_dt": "2026-04-13T01:30:49Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } } ]