| CCC.Core.CN01.AR01 |
— |
- Storage account enforces minimum TLS version
|
- Service accepts TLS 1.3 encrypted traffic
- Service rejects TLS 1.2 traffic
- Service rejects TLS 1.1 traffic
- Service rejects TLS 1.0 traffic
- Verify no known SSL/TLS vulnerabilities
- Verify TLS 1.3 only certificate validity
|
- Verify SSL/TLS protocol support
|
| CCC.Core.CN01.AR03 |
— |
- Object storage policy prevents the use of unencrypted ports
|
- Only secure protocols are exposed
|
|
| CCC.Core.CN01.AR07 |
— |
— |
- Verify HTTPS uses IANA-assigned port 443
|
— |
| CCC.Core.CN01.AR08 |
— |
- Storage account enforces mutual TLS [NotTested]
|
— |
- Verify mTLS requires client certificate authentication
|
| CCC.Core.CN02.AR01 - Data Encryption at Rest |
- Object storage encryption compliance
|
— |
- Verify objects are encrypted at rest
|
— |
| CCC.Core.CN03.AR01 - Multi-Factor Authentication for Destructive Operations |
- Object storage delete protection compliance
|
— |
- MFA requirement for destructive operations cannot be tested automatically
|
— |
| CCC.Core.CN03.AR02 - API Authentication with Credentials |
- API modification requires credential and trust perimeter origin [NotTestable]
|
— |
— |
— |
| CCC.Core.CN03.AR03 - MFA for UI Viewing |
- UI viewing requires multi-factor authentication [NotTestable]
|
— |
— |
— |
| CCC.Core.CN03.AR04 - API Authentication for Viewing |
- API viewing requires credential and trust perimeter origin [NotTestable]
|
— |
— |
— |
| CCC.Core.CN04.AR01 - Log Administrative Access Attempts |
- Object storage admin logging compliance
|
— |
- Verify admin actions are logged with identity and timestamp
|
— |
| CCC.Core.CN04.AR02 - Log Data Modification Attempts |
— |
- Object storage data modification logging compliance
|
— |
— |
| CCC.Core.CN04.AR03 - Log Data Read Attempts |
— |
- Data read logging compliance
|
— |
- Verify data read operations are logged with identity and timestamp
|
| CCC.Core.CN05.AR01 - Block Unauthorized Data Modification |
- Storage is not configured for public write access
|
— |
- Service allows data modification by user with write access
|
- Service prevents data modification by user with no access
|
| CCC.Core.CN05.AR02 - Block Unauthorized Administrative Access |
- Unauthorized administrative access is blocked
|
— |
- Service prevents administrative action (creating a new bucket) by user with no access
- Service prevents administrative action (creating a new bucket) by user with read-only access
|
- Service allows administrative action (creating a new bucket) by user with admin access
|
| CCC.Core.CN05.AR03 - Block Cross-Tenant Access |
- Cross-tenant access is blocked without explicit allowlist
|
— |
— |
— |
| CCC.Core.CN05.AR04 - Block Unauthorized External Data Requests |
- External unauthorized data requests are blocked
|
— |
— |
— |
| CCC.Core.CN05.AR05 - Hide Service Existence from External Requests |
— |
- External requests do not reveal service existence [NotTested]
|
— |
— |
| CCC.Core.CN05.AR06 - Block All Unauthorized Requests |
- All unauthorized requests are blocked [Duplicate]
|
— |
- Service prevents data read by user with no access [Duplicate]
|
— |
| CCC.Core.CN06.AR01 - Resource Location Compliance |
- Object storage region compliance
|
— |
— |
- Resource region can be retrieved for compliance verification
|
| CCC.Core.CN06.AR02 - Child Resource Location Compliance |
- Child resource region compliance [NotTestable]
|
— |
- Child resource region compliance [NotTestable]
|
— |
| CCC.Core.CN07.AR01 - Publish Enumeration Activity Events |
— |
- Enumeration activities publish events to monitored channels
|
- Enumeration event publishing cannot be tested automatically [NotTestable]
|
— |
| CCC.Core.CN07.AR02 - Log Enumeration Activities |
- Enumeration activities are logged
|
— |
- Enumeration logging cannot be verified automatically [NotTestable]
|
— |
| CCC.Core.CN08.AR01 - Data Replication and Redundancy |
- Object storage replication compliance
|
— |
- Bucket data is replicated to physically separate locations
|
— |
| CCC.Core.CN08.AR02 - Replication Status Visibility |
- Object storage replication status is visible
|
— |
- Replication status can be retrieved for monitoring
|
— |
| CCC.Core.CN09.AR01 - Access Logging Separation |
— |
- Object storage access logging compliance
|
— |
— |
| CCC.Core.CN09.AR02 - Logs Cannot Be Disabled |
- Disabling logs requires disabling the resource [NotTestable]
|
— |
— |
— |
| CCC.Core.CN09.AR03 - Log Redirection Requires Service Halt |
- Redirecting logs requires halting the resource [NotTestable]
|
— |
— |
— |
| CCC.Core.CN10.AR01 - Replication Destination Trust |
- Object storage replication destination compliance
|
— |
- Replication destination trust cannot be verified automatically [NotTestable]
|
— |
| CCC.ObjStor.CN01.AR01 |
- Test policy for bucket access control
|
— |
- Service prevents reading bucket with no access
- Service allows reading bucket with read access
|
— |
| CCC.ObjStor.CN01.AR02 |
— |
- All unauthorized requests are blocked
|
- Service prevents reading object with no access
- Service allows reading object with read access
|
— |
| CCC.ObjStor.CN01.AR03 |
— |
- All unauthorized requests are blocked
|
- Service prevents creating bucket with no access
|
- Service allows creating bucket with write access
|
| CCC.ObjStor.CN01.AR04 |
— |
- All unauthorized requests are blocked
|
- Service prevents writing object with read-only access
- Service allows writing object with write access
|
— |
| CCC.ObjStor.CN02.AR01 - Uniform Bucket-Level Access (Consistent Allow) |
- Test policy for uniform access
|
— |
- Service enforces uniform bucket-level access by rejecting object-level permissions
|
— |
| CCC.ObjStor.CN02.AR02 - Uniform Bucket-Level Access (Consistent Deny) |
- Uniform bucket-level access prevents object-level deny overrides [Duplicate]
|
— |
- Service enforces uniform bucket-level access denial
|
— |
| CCC.ObjStor.CN03.AR01 - Bucket Soft Delete and Recovery |
- Test policy for bucket soft delete
|
— |
— |
- Service supports bucket soft delete and recovery
|
| CCC.ObjStor.CN03.AR02 - Immutable Bucket Retention Policy |
- Test policy for immutable bucket retention lock
|
— |
— |
- Service prevents modification of locked retention policy
|
| CCC.ObjStor.CN04.AR01 |
- Test policy for default object retention
|
— |
- Service enforces retention policy on newly created objects
|
- Service applies default retention policy to newly uploaded object
- Service validates retention period meets minimum requirements
|
| CCC.ObjStor.CN04.AR02 |
- Test policy for object retention enforcement
|
— |
- Service prevents object deletion by admin user during retention period
- Service allows object read access during retention period
|
- Service prevents object deletion by write user during retention period
- Service prevents object modification during retention period
|
| CCC.ObjStor.CN05.AR01 - Versioning with Unique Identifiers |
- Objects are stored with unique version identifiers
|
— |
— |
- Service enables versioning and objects receive unique version identifiers
|
| CCC.ObjStor.CN05.AR02 - New Version ID on Modification |
- Modified objects receive new version identifiers [Duplicate]
|
— |
— |
- Modified objects receive new version identifiers
|
| CCC.ObjStor.CN05.AR03 - Recovery of Previous Versions |
- Previous object versions can be recovered
|
— |
- Modified objects receive new version identifiers
|
— |
| CCC.ObjStor.CN05.AR04 - Retain Versions on Delete |
- Object versions are retained after deletion [Duplicate]
|
— |
- Deleted object data can be reloaded from previous version
|
- Deleted object version remains in version list
|