| CCC.VPC.CN01.AR01 - Subscription must not contain default network resources |
- Main check: no default VPC exists
- Main check: no default VPC exists
|
— |
— |
— |
| CCC.VPC.CN02.AR01 - No external IP by default in public subnets |
- Main check (config): public subnets do not auto-assign external IPs
|
- Main check (config): public subnets do not auto-assign external IPs
|
- Behavioural check (active): resource launched in public subnet is not assigned an external IP
- Behavioural check (active): resource launched in public subnet is not assigned an external IP
|
— |
| CCC.VPC.CN03.AR01 - Restrict VPC peering requests from non-allowlisted requesters |
— |
— |
- Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC
- Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed
|
- Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC
- Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed
|
| CCC.VPC.CN04.AR01 - Flow logs must capture all VPC traffic |
- Main check (config): flow logs are active and capture all traffic
|
- Main check (config): flow logs are active and capture all traffic
|
- Behavioral check (active): traffic produces flow log records
|
- Behavioral check (active): traffic produces flow log records
|