🥒 CCC.ObjStor Test: ccc-test-bucket-20260526t102300z

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN01/AR01/object-storage-tls-policy/gcp.yaml",
  "name": "GCP Cloud Storage HTTPS Policy Check",
  "service_type": "object-storage",
  "requirement_text": "When a port is exposed for non-SSH network traffic, all traffic MUST include  a TLS handshake AND be encrypted using TLS 1.3 or higher.\n",
  "validity_score": 8,
  "validity_commentary": "This check verifies that GCP Cloud Storage is accessed over HTTPS. Strengths: - GCS API explicitly requires TLS for all operations on the public endpoint - Google manages the TLS termination and certificate lifecycle - Organization-level policy 'constraints/storage.requireHttpsTrafficOnly'\n  can be used for universal enforcement\nLimitations: - GCP does not expose a per-bucket 'minimum TLS version' field - TLS 1.3 is supported but cannot be set as the exclusive minimum yet\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN01/AR03/object-storage-unencrypted-policy/gcp.yaml",
  "name": "GCP Cloud Storage Unencrypted Traffic Block Check",
  "service_type": "object-storage",
  "requirement_text": "Unencrypted traffic MUST be blocked or redirected to secure equivalents so that no data is transmitted in plaintext.\n",
  "validity_score": 8,
  "validity_commentary": "This check verifies that GCP Cloud Storage is accessed over HTTPS. Strengths: - GCS API implicitly requires TLS for all operations on the public endpoint - Google manages the TLS termination; plaintext is not accepted Limitations: - GCP does not expose a per-bucket HTTPS-only flag; enforcement is platform-level - Organization policy 'constraints/storage.requireHttpsTrafficOnly' can provide\n  additional enforcement\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{"ID":"test-encryption-check=1779791088569.txt","BucketID":"ccc-test-bucket-20260526t102300z","Name":"test-encryption-check=1779791088569.txt","Size":20,"Data":["encryption test data"],"Encryption":"Google","EncryptionAlgorithm":"AES256","VersionID":"1779791088652117"}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN02/AR01/object-storage-encryption/gcp.yaml",
  "name": "GCP Cloud Storage Bucket Encryption Check",
  "service_type": "object-storage",
  "requirement_text": "When data is stored, it MUST be encrypted using the latest industry-standard  encryption methods.\n",
  "validity_score": 9,
  "validity_commentary": "This query validates GCP Cloud Storage bucket encryption configuration. GCP encrypts all data at rest by default using AES-256. Strengths: - All GCS data is encrypted by default - Supports Google-managed, CMEK, and CSEK keys - Validates CMEK configuration when specified Limitations: - Does not validate KMS key configuration details - Does not verify key rotation policies\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN03/AR01/object-storage-delete-protection/gcp.yaml",
  "name": "GCP Cloud Storage Soft Delete and Versioning Configuration",
  "service_type": "object-storage",
  "requirement_text": "When an entity attempts to modify the service through a user interface, the  authentication process MUST require multiple identifying factors for authentication.\n",
  "validity_score": 5,
  "validity_commentary": "GCP does not have a direct equivalent to S3 MFA Delete at the storage level. MFA in GCP is enforced at the IAM/Identity Platform level. This check validates soft delete and versioning as compensating controls. Strengths: - Soft delete allows recovery of deleted objects - Object versioning preserves all object versions - GCP Identity Platform supports MFA for all operations Limitations: - This is NOT a direct MFA-for-delete check - MFA enforcement is at the identity layer, not storage layer\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN04/AR01/admin-logging/gcp.yaml",
  "name": "Cloud Audit Logs Admin Activity Configuration",
  "service_type": "all",
  "requirement_text": "The service MUST log all access and changes by administrators  (identity, timestamp, action, result).\n",
  "validity_score": 9,
  "validity_commentary": "This query validates that Cloud Audit Logs Admin Activity logging is enabled. Admin Activity logs are always enabled by default in GCP and cannot be disabled. Strengths: - Admin Activity logs are enabled by default and cannot be disabled - Logs include principal, timestamp, method, and status - Stored in Cloud Logging separate from the bucket Limitations: - Does not validate log retention period - Does not verify log sink configuration for long-term storage\n",
  "query_template": "gcloud logging sinks list \\\n  --project=${GcpProjectId} \\\n  --format=json\n",
  "query_executed": "gcloud logging sinks list \\\n  --project=nodal-time-474015-p5 \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

null

[]

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN04/AR02/data-write-logging/gcp.yaml",
  "name": "Cloud Audit Logs Data Write Configuration",
  "service_type": "all",
  "requirement_text": "The service MUST log all data modification attempts  (identity, timestamp, action, result).\n",
  "validity_score": 7,
  "validity_commentary": "This query validates that Data Write audit logs are enabled. Data Write logs capture resource creation, deletion, and modification. Strengths: - Captures object-level write operations - Logs include principal, timestamp, method, and status - Stored in Cloud Logging separate from the bucket Limitations: - Data Write logs must be explicitly enabled (not default) - High-volume buckets may incur significant logging costs - Requires IAM configuration at project or organization level\n",
  "query_template": "gcloud projects get-iam-policy ${GcpProjectId} \\\n  --format=json\n",
  "query_executed": "gcloud projects get-iam-policy nodal-time-474015-p5 \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN04/AR03/data-read-logging/gcp.yaml",
  "name": "Cloud Audit Logs Data Read Configuration",
  "service_type": "all",
  "requirement_text": "The service MUST log all data read attempts  (identity, timestamp, action, result).\n",
  "validity_score": 7,
  "validity_commentary": "This query validates that Data Read audit logs are enabled. Data Read logs capture resource download and metadata read operations. Strengths: - Captures object-level read operations - Logs include principal, timestamp, method, and status - Stored in Cloud Logging separate from the bucket Limitations: - Data Read logs must be explicitly enabled (not default) - High-volume buckets may incur very significant logging costs - Requires IAM configuration at project or organization level\n",
  "query_template": "gcloud projects get-iam-policy ${GcpProjectId} \\\n  --format=json\n",
  "query_executed": "gcloud projects get-iam-policy nodal-time-474015-p5 \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{"ID":"test-read-logging-object=1779791103396.txt","BucketID":"ccc-test-bucket-20260526t102300z","Name":"test-read-logging-object=1779791103396.txt","Size":39,"Data":["test data for read logging verification"],"Encryption":"","EncryptionAlgorithm":"","VersionID":""}

[]

{"UserName":"test-user-no-write-access","Provider":"gcp","Credentials":{"client_email":"test-user-no-write-access@nodal-time-474015-p5.iam.gserviceaccount.com","email":"test-user-no-write-access@nodal-time-474015-p5.iam.gserviceaccount.com","private_key_id":"79cbc3f1d6f12e66a4f1c85644538b525d7adadc","project_id":"nodal-time-474015-p5","service_account_key":"{\n  \"type\": \"service_account\",\n  \"project_id\": \"nodal-time-474015-p5\",\n  \"private_key_id\": \"79cbc3f1d6f12e66a4f1c85644538b525d7adadc\",\n  \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCuXDAU0XQWREE9\\nJfm/xCeuZVXhXlxOL5hgxVv9Y+8Y1rdI34Z8vQH857W2rpC12AuxaXaqabnEMRU8\\nZDj0s7MqZgpRdya0/x/3P3ekEuBPy1nAqwwADh2E7oQiVHJW5ZGXCPSOhQCLRSLb\\nLjuVokRiGIJYRzxW5m9Mp0KVMF0R5SAkpJFP2us1ArjvAtbfMWQlCX2h0N3+lgX5\\nMRvIgcD4fcDeO+UemzCIHUSQIYd7GHbC5Q7jxzwFicPevJePmONW1ZMmtOy+u+nx\\n3Ul0n3xgRzHnSXs325pPDKaxsk6uz0RbDLINpeFdwj8MfVaQtBY2iGCDVN5Ut0SK\\ncmskiXv1AgMBAAECggEAGBS3YfNY+xz2KFcvBSM278kjG/syTcIZDinJKK09VSA3\\n3s1a/64DBkY3kewjea9FqNJjXJSO3t/V36oKi7v932SJwZ1D2p+ZxJt0D1RkEovd\\nRiou1XBy90G8khk4/si6BjLAbqaZNU2ZIM25K6i7lRNu0nkUMP77xDRy57Pu8WI0\\nuQPpvpwRBSW06uuyFmmA/W4vCtbnOiXK1DS9cU6w+58jQIJFGca+NY4sQz3XWzCN\\nUl7JizCB5mzQu0uT4KvWKSvew1KCtEdy1ho90jZbu2mHryLIKSzyfHqQFTvhjgdn\\nfh8L30y/V9A0all7KsSC/kSl9LmyhdCJero3FVEKCQKBgQDW0xwlOEUXIGS1xSat\\nWyNtP/OKxrBSiltfAD8ptJQjbbBhPXdcWlS+3wVzzLi9XLQ/rITP1BHLAEIt7ju7\\nYCpq9yCZNAxXYPPg7KyQeJdU8jOe3PX+/dsxQmSu438pVwFOWAtcAEiF7wYGbUj7\\nBVRUfTr0zH9OAXEG6lKQfPhEWwKBgQDPx5ZpCqfiMBGrbiy4weSc0KHS2SYa7tEq\\nkH+PSwBGKEd+he5d2bfcF0X1t7dOMMwExh/NCxZ1ofd+LbMFIdhIOfBMH6/cZCZz\\nUipVMFTqfuqW4wl/ZT5Sfui9Q+ChkKU1h7trocIVXmtTMT4emMBqlvoSz0ytBKev\\nxzOVDbjx7wKBgB5QbAhUiGtbBtsflvWfhsBD5foPT5JWM86UGlWoRb86G0mdgtpl\\nZNAKaJqOqQMPsd/KWHN7WYdr4erZU1R9nX66oL79uUAbTk7PFwrL+Y7jHqWsSIpT\\nCDtLQynqsGcFAAouImw5HgLIV/FQOpwxhFTn1wn0UYKQcYKoTj5VZDNBAoGBAJGZ\\n9k/TlMPPFYLBKPure61cEhoz6xzyf4bJTWo3j5CaR0dlSR1hJRNJB9BhlkVnsoAh\\n6kUAYRO7lThJg+qzxeEPINHnXpAdakhjqqCZxtewammj3ZL1eo/KuQNwHmh5eRwi\\n6nZJGz1oNeNNXY+JUUUgWUt3Eu8nlO57tCzeOdznAoGAb9d07Nh/Fbn79WSYHL7o\\nqCThGvZAa4zRE6tdn/cU3avf52sPEsi4YeKYHv2RlvjewSCht3VDAs6VJkH1/M6j\\nhORylh4xqpkrQz4gCEVzO+DRdPurkCT18YD3XlG7Qg4GHzUHXPqXfltUMISEJBg6\\nIQDp+5Z/JIitgN7y6bNLzwI=\\n-----END PRIVATE KEY-----\\n\",\n  \"client_email\": \"test-user-no-write-access@nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"client_id\": \"118325143407635661704\",\n  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\": \"https://oauth2.googleapis.com/token\",\n  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/test-user-no-write-access%40nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"universe_domain\": \"googleapis.com\"\n}\n","unique_id":"118325143407635661704"},"Policy":"{\"user\": \"test-user-no-write-access\", \"service\": \"projects/nodal-time-474015-p5/buckets/ccc-test-bucket-20260526t102300z\", \"level\": \"none\", \"role\": \"\"}"}

failed to close writer for object test-cn05-unauthorized-modify=1779791113641.txt: googleapi: Error 403: test-user-no-write-access@nodal-time-474015-p5.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist)., forbidden

{"UserName":"test-user-write-access","Provider":"gcp","Credentials":{"client_email":"test-user-write-access@nodal-time-474015-p5.iam.gserviceaccount.com","email":"test-user-write-access@nodal-time-474015-p5.iam.gserviceaccount.com","private_key_id":"6fd238869e6a63bdb0a0dd0674e8a1e467b8e88d","project_id":"nodal-time-474015-p5","service_account_key":"{\n  \"type\": \"service_account\",\n  \"project_id\": \"nodal-time-474015-p5\",\n  \"private_key_id\": \"6fd238869e6a63bdb0a0dd0674e8a1e467b8e88d\",\n  \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+D4U67PMPd/2w\\nq6arIf1c7IL7eVBgL8aKGDV+sDdEVt/u84El4OmhYhlpnFU60UbbdMNMqZ8VBkto\\nMaFbVP5w/72HuvPz3ikgmKNdLfA6d00u5cyn6BUz7jY8C9w55vmvXTMh/IvDBqyn\\nB9J/raMY4HVYMmDgnLO8T8cbpLZX9upJ2b5HupgkwRJfMLVK7BugbG1Vy6OYurjx\\nbLUT/cGmDCUiPJH+EwroHnuzapx1IaJFV5AlO68T1y0lMnHg0JX0m3q26KCxm3gU\\ncK4BNgOKF6BYI8EdP5DHHEiwQm98FihUzzfft6mDblaOiolBZ+ehXimwe2cORTic\\npuYaLEkjAgMBAAECggEAA55fUPEcar965LCVrf+8LCBA9L8yfFpX8QNL/E2V4zkj\\nXH4ch+Bz4kzLozZXIxVVrhtFOqamrtACOa4h8LQnyOP9oSre23rdlOGnrFJtX/wr\\nXfZvHgVJZzPJPP2UiFaMsAb+dSn724YWprvEwCpJ0CyDBAQViWXUrfGunrswmnCL\\nrJqTFlktDOKKQS10V83EUx5N2CLE0ezz/HN6sRYE64BVg/SzxoJ3FusBnJOJuABz\\nJecVw5X8ADt5xCfdcnp5YcQjwqGLQmXprlazgcxdwvU1WbQWPl5VwZZUl77QXE+G\\n9tKi2MyFswbThMG6K+eB79NQQnwhZ9U1WqxLVApCfQKBgQD5RY+sH2R5ecQ3OYg/\\nagRlm6J/WqtEjWtoSN/3wujUQHh7Stw8LocF2XsWxsEPGnyr9pPgIKz/mi7MIBVj\\nPcCEf/Wc+tOavysEqk+eFpC5TG8VOf2AL4yT7nItOPPaLBJI7H4LU7WJGgTmVgRx\\nOLFM2/1BUFXqI8qkOKoA11YdjwKBgQDDMNE/w30QIf5HOTzRl5wj+wRhKcrmg8XM\\n546DQbl3mXXaSdAWUCoT7RqLTWj/Pa6HtfywVZ6GGuCFUlSipomReOhvrqeezkBP\\nIxBufz1ChlJbAqfegNCFMYMEGxcq2eSwqTdRYxckPcAy1KHOQDPcMZwJMvlxujZ0\\n0doL+6f5LQKBgF7i9szLamC/VEy9Trrs7V2MP/AAoJ9IwfEBhJf4js50+CfemDUk\\ndOtqHOvPnp/UMk73XtT7Oz9U/qlfMSUE1araVrF53WDTklmFRydjaZXPnZ1T5MaN\\n0xJguv+x5UlQa2ls9JH1PG5DBEh1x90deohKWX4qSXoGQ9X9Z+FIFxTLAoGBAME7\\n4uutLHJ8NK9uCrezz/AO4RcPuL7cVUW1N3DZ8DJmyjWAPXDZi86OPGkMCZYmClJv\\n5+jp2jYJBZz3FLKxDB/oArQNxAODTEcL/4hkjtD9CSrwRiAQhl5V1c6KwzS44Z3C\\n5/C6mH5YY53uwwDcrnqe4kp5HFlqb97WoXabfH9BAoGANLmsy8dQn9yTJjvA4Lz/\\nVYV0x4FakH+HQpIdNF5A7/1AtGBq2CsG7Bb0VprNn0qJaJJ329Igl+QcUOSGUJtQ\\nI3V1jf4Li799m5YwMamVS7Vs/lGfkwLt7AHtwklz15paH9JcHW+3KyG+Y2En7BLo\\nbrfJGxToqWkFumsP+gPB968=\\n-----END PRIVATE KEY-----\\n\",\n  \"client_email\": \"test-user-write-access@nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"client_id\": \"107332673065103117761\",\n  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\": \"https://oauth2.googleapis.com/token\",\n  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/test-user-write-access%40nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"universe_domain\": \"googleapis.com\"\n}\n","unique_id":"107332673065103117761"},"Policy":"{\"user\": \"test-user-write-access\", \"service\": \"projects/nodal-time-474015-p5/buckets/ccc-test-bucket-20260526t102300z\", \"level\": \"write\", \"role\": \"roles/editor\"}"}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN05/AR01/object-storage-block-public-write-access/gcp.yaml",
  "name": "GCP Cloud Storage Public Access Prevention",
  "service_type": "object-storage",
  "requirement_text": "When an attempt is made to modify data on the service or a child resource, the service MUST block requests from unauthorized entities. Public access prevention ensures the bucket is not world-writable.\n",
  "validity_score": 8,
  "validity_commentary": "This query validates that GCP Cloud Storage has public access prevention enabled. When set to 'enforced', the bucket cannot be made public via IAM or ACLs, reducing the risk of unauthorized data modification. Strengths: - Prevents allUsers and allAuthenticatedUsers access when enforced - Cannot be overridden by IAM policy or ACL changes - Aligns with Google security best practices Limitations: - Does not validate IAM policies for principle of least privilege - Behavioral testing (CN05-AR01) verifies unauthorized modification is blocked at runtime - 'inherited' uses org-level policy; org policy should restrict public access\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(iamConfiguration.publicAccessPrevention)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(iamConfiguration.publicAccessPrevention)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

failed to create service account key for test-user-no-admin-access: rpc error: code = NotFound desc = Service account projects/nodal-time-474015-p5/serviceAccounts/test-user-no-admin-access@nodal-time-474015-p5.iam.gserviceaccount.com does not exist.

failed to create service account key for test-user-read-only-admin: rpc error: code = NotFound desc = Service account projects/nodal-time-474015-p5/serviceAccounts/test-user-read-only-admin@nodal-time-474015-p5.iam.gserviceaccount.com does not exist.

failed to create service account test-user-admin-access: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN05/AR03/object-storage-cross-tenant-block/gcp.yaml",
  "name": "GCP Cloud Storage Cross-Tenant Access Block",
  "service_type": "object-storage",
  "requirement_text": "When administrative access or configuration change is attempted on the service or a child resource in a multi-tenant environment, the service MUST refuse requests across tenant boundaries unless the origin is explicitly included in a pre-approved allowlist.\n",
  "validity_score": 6,
  "validity_commentary": "Cross-tenant (cross-project) access in GCP Storage is granted via IAM policy bindings with principals from other projects (e.g. serviceAccount:...@other-project.iam.gserviceaccount.com). This query checks the bucket IAM policy and validates cross-project members are in permitted-project-ids. Strengths: - Directly queries bucket IAM policy - Identifies serviceAccount members from other projects - Uses permitted-project-ids for explicit allowlist Limitations: - user: and group: members from outside the project not analyzed - Organization-level bindings are not checked\n",
  "query_template": "BINDINGS=$(gcloud storage buckets get-iam-policy gs://${ResourceName} --project=${GcpProjectId} --format=\"json(bindings)\" 2\u003e/dev/null || echo '{\"bindings\":[]}')\necho \"$BINDINGS\" | jq --arg p \"${GcpProjectId}\" '{\n  crossProjectIds: [\n    .bindings[]?.members[]? |\n    select(startswith(\"serviceAccount:\")) |\n    capture(\"serviceAccount:(?\u003csa\u003e[^@]+)@(?\u003cproj\u003e[^.]+)\\\\.iam\\\\.gserviceaccount\\\\.com\") |\n    select(.proj != $p) | .proj\n  ] | unique\n}' 2\u003e/dev/null || echo '{\"crossProjectIds\": []}'\n",
  "query_executed": "BINDINGS=$(gcloud storage buckets get-iam-policy gs://ccc-test-bucket-20260526t102300z --project=nodal-time-474015-p5 --format=\"json(bindings)\" 2\u003e/dev/null || echo '{\"bindings\":[]}')\necho \"$BINDINGS\" | jq --arg p \"nodal-time-474015-p5\" '{\n  crossProjectIds: [\n    .bindings[]?.members[]? |\n    select(startswith(\"serviceAccount:\")) |\n    capture(\"serviceAccount:(?\u003csa\u003e[^@]+)@(?\u003cproj\u003e[^.]+)\\\\.iam\\\\.gserviceaccount\\\\.com\") |\n    select(.proj != $p) | .proj\n  ] | unique\n}' 2\u003e/dev/null || echo '{\"crossProjectIds\": []}'\n",
  "query_output": "{\n  \"crossProjectIds\": []\n}\n",
  "passed": true,
  "rule_results": [
    {
      "jsonpath": "$.crossProjectIds",
      "expected_values": [],
      "validation_rule": "",
      "description": "Validates that cross-project service account members are in permitted-project-ids. Empty permitted = no cross-project allowed.\n",
      "actual_value": "[]",
      "passed": true
    }
  ]
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN05/AR04/object-storage-block-public-read/gcp.yaml",
  "name": "GCP Cloud Storage Block External Unauthorized Data Requests",
  "service_type": "object-storage",
  "requirement_text": "Data requests from outside the trust perimeter MUST be blocked so that data exfiltration is prevented. Only authorised identities may read data.\n",
  "validity_score": 8,
  "validity_commentary": "This query validates that GCP Cloud Storage has public access prevention enabled. When set to 'enforced' or 'inherited', the bucket cannot grant public read access via IAM or ACLs, blocking external unauthorized data requests. Strengths: - Prevents allUsers and allAuthenticatedUsers read access when enforced - Cannot be overridden by IAM policy or ACL changes - Aligns with Google security best practices Limitations: - Does not validate network-level restrictions - 'inherited' uses org-level policy; org should restrict public access - Behavioral testing verifies unauthorized read is blocked at runtime\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(iamConfiguration.publicAccessPrevention)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(iamConfiguration.publicAccessPrevention)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN06/AR01/object-storage-region/gcp.yaml",
  "name": "GCP Cloud Storage Bucket Region Compliance",
  "service_type": "object-storage",
  "requirement_text": "When the service is running, its region and availability zone MUST be included  in a list of explicitly trusted or approved locations within the trust perimeter.\n",
  "validity_score": 8,
  "validity_commentary": "This query validates that GCP Cloud Storage buckets are deployed in approved locations. GCS supports regional, dual-region, and multi-region locations. Strengths: - Directly queries bucket location - Bucket location cannot be changed after creation - Easy to validate against an approved location list Limitations: - Approved locations must be defined externally - Multi-region buckets span multiple locations\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN07/AR01/enumeration-monitoring-policy/gcp.yaml",
  "name": "GCP Enumeration Monitoring Policy Check",
  "service_type": "object-storage",
  "requirement_text": "Enumeration activities must be monitored and generate events that can be sent to monitored channels.\n",
  "validity_score": 8,
  "validity_commentary": "This query validates that at least one log sink exists for the project, which allows logs to be exported to monitored channels like Pub/Sub, BigQuery, or a separate Logging project.\n",
  "query_template": "gcloud logging sinks list --project ${GcpProjectId} --format=json\n",
  "query_executed": "gcloud logging sinks list --project nodal-time-474015-p5 --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN07/AR02/enumeration-logging-policy/gcp.yaml",
  "name": "GCP Cloud Storage Enumeration Logging Policy Check",
  "service_type": "object-storage",
  "requirement_text": "Enumeration activities must be logged.\n",
  "validity_score": 7,
  "validity_commentary": "This query validates that bucket-level logging is enabled.\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN08/AR01/object-storage-replication/gcp.yaml",
  "name": "GCP Cloud Storage Multi-Region/Dual-Region Configuration",
  "service_type": "object-storage",
  "requirement_text": "When data is created or modified, the data MUST have a complete and recoverable  duplicate that is stored in a physically separate data center.\n",
  "validity_score": 8,
  "validity_commentary": "This query validates GCP Cloud Storage replication through multi-region or dual-region bucket configuration. GCP provides automatic geo-redundancy for multi-region and dual-region buckets. Strengths: - Replication is automatic and synchronous - Multi-region provides geographic redundancy - Turbo replication available for dual-region Limitations: - Regional buckets do not provide geo-redundancy - Cross-bucket replication requires separate configuration\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

not yet implemented

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN08/AR02/object-storage-replication-status/gcp.yaml",
  "name": "GCP Cloud Storage Replication Status Visibility",
  "service_type": "object-storage",
  "requirement_text": "When data is replicated into a second location, the service MUST be able to accurately represent the replication locations, replication status, and data synchronization status.\n",
  "validity_score": 7,
  "validity_commentary": "This query validates that GCP Cloud Storage bucket replication information is visible. GCP provides location and replication type information. Strengths: - Location type indicates replication configuration - Multi-region/dual-region locations are automatically replicated - Turbo replication provides faster sync for dual-region Limitations: - GCP does not expose real-time replication lag metrics - Object-level replication status is not available\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

not yet implemented

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN09/AR01/object-storage-access-logging/gcp.yaml",
  "name": "GCP Cloud Storage Access Logging Configuration",
  "service_type": "object-storage",
  "requirement_text": "When the service is operational, its logs and any child resource logs MUST NOT  be accessible from the resource they record access to.\n",
  "validity_score": 7,
  "validity_commentary": "This query validates that GCP Cloud Storage access logging is configured to write to a separate bucket. GCP also supports Cloud Audit Logs. Strengths: - Validates logging is enabled and configured - Target bucket separation ensures logs are not accessible from source - Cloud Audit Logs provide additional logging Limitations: - Does not validate Cloud Audit Logs configuration - Does not verify target bucket permissions - Legacy logging (bucket-level) is being deprecated\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.Core/CCC.Core.CN10/AR01/object-storage-replication-destination/gcp.yaml",
  "name": "GCP Cloud Storage Replication Destination Validation",
  "service_type": "object-storage",
  "requirement_text": "When data is replicated, the service MUST ensure that replication only occurs  to destinations that are explicitly included within the defined trust perimeter.\n",
  "validity_score": 7,
  "validity_commentary": "This query validates that GCP Cloud Storage bucket locations are within approved regions. For multi-region/dual-region buckets, GCP automatically determines replication destinations. Strengths: - Location type and location are directly queryable - Multi-region locations have known member regions - Can validate against approved location list Limitations: - GCP does not allow custom replication destination selection - Dual-region specific regions may need validation\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

failed to create service account key for test-user-no-access: rpc error: code = NotFound desc = Service account projects/nodal-time-474015-p5/serviceAccounts/test-user-no-access@nodal-time-474015-p5.iam.gserviceaccount.com does not exist.

failed to create service account test-user-read: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN01/AR01/no-public-access/gcp.yaml",
  "name": "GCP Cloud Storage Block Public Access Check",
  "service_type": "object-storage",
  "requirement_text": "The service MUST enforce access control so that only authorised identities can read, list, write, or create objects and buckets.\n",
  "validity_score": 10,
  "validity_commentary": "This query validates that Uniform Bucket-Level Access is enabled on the GCP bucket, which prevents unauthenticated or ACL-based public access. Strengths: - Directly verifies the IAM configuration for uniform access - When UBLA is enabled, only IAM bindings control access — no public ACLs - Consistent with GCP security best practices\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(iamConfiguration.uniformBucketLevelAccess)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(iamConfiguration.uniformBucketLevelAccess)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

failed to create service account test-user-no-access: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

failed to create service account key for test-user-read: rpc error: code = NotFound desc = Service account projects/nodal-time-474015-p5/serviceAccounts/test-user-read@nodal-time-474015-p5.iam.gserviceaccount.com does not exist.

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN01/AR02/object-storage-no-public-principals/gcp.yaml",
  "name": "GCP Cloud Storage IAM in Use",
  "service_type": "object-storage",
  "requirement_text": "All unauthorized requests MUST be blocked. Access MUST be controlled by IAM.\n",
  "validity_score": 7,
  "validity_commentary": "ObjStor.CN01.AR01 already validates no-public-access. This check validates that IAM bindings exist on the bucket, proving access control is identity-based rather than public. At least one binding indicates IAM is in use. Strengths: - Confirms IAM is configured for the bucket - Bindings scope access to specific identities (user, group, service account) Limitations: - Does not validate least-privilege bindings - Inherited project-level bindings may not appear in bucket policy - Behavioral testing verifies unauthorized access is blocked at runtime\n",
  "query_template": "POLICY=$(gcloud storage buckets get-iam-policy gs://${ResourceName} --format=json 2\u003e/dev/null || echo \"{}\")\nCOUNT=$(echo \"$POLICY\" | jq -r '.bindings | length' 2\u003e/dev/null || echo \"0\")\necho \"{\\\"iamInUse\\\": $COUNT}\"\n",
  "query_executed": "POLICY=$(gcloud storage buckets get-iam-policy gs://ccc-test-bucket-20260526t102300z --format=json 2\u003e/dev/null || echo \"{}\")\nCOUNT=$(echo \"$POLICY\" | jq -r '.bindings | length' 2\u003e/dev/null || echo \"0\")\necho \"{\\\"iamInUse\\\": $COUNT}\"\n",
  "query_output": "{\"iamInUse\": 4}\n",
  "passed": true,
  "rule_results": [
    {
      "jsonpath": "$.iamInUse",
      "expected_values": [],
      "validation_rule": "^[1-9][0-9]*$",
      "description": "Validates that at least one IAM binding exists on the bucket. IAM is the required access control mechanism; no bindings indicates access may not be properly scoped.\n",
      "actual_value": "[4]",
      "passed": true
    }
  ]
}

failed to create service account test-user-no-access: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

failed to create service account test-user-write: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN01/AR03/object-storage-no-public-principals/gcp.yaml",
  "name": "GCP Cloud Storage IAM in Use",
  "service_type": "object-storage",
  "requirement_text": "All unauthorized requests MUST be blocked. Access MUST be controlled by IAM.\n",
  "validity_score": 7,
  "validity_commentary": "ObjStor.CN01.AR01 already validates no-public-access. This check validates that IAM bindings exist on the bucket, proving access control is identity-based rather than public. At least one binding indicates IAM is in use. Strengths: - Confirms IAM is configured for the bucket - Bindings scope access to specific identities (user, group, service account) Limitations: - Does not validate least-privilege bindings - Inherited project-level bindings may not appear in bucket policy - Behavioral testing verifies unauthorized access is blocked at runtime\n",
  "query_template": "POLICY=$(gcloud storage buckets get-iam-policy gs://${ResourceName} --format=json 2\u003e/dev/null || echo \"{}\")\nCOUNT=$(echo \"$POLICY\" | jq -r '.bindings | length' 2\u003e/dev/null || echo \"0\")\necho \"{\\\"iamInUse\\\": $COUNT}\"\n",
  "query_executed": "POLICY=$(gcloud storage buckets get-iam-policy gs://ccc-test-bucket-20260526t102300z --format=json 2\u003e/dev/null || echo \"{}\")\nCOUNT=$(echo \"$POLICY\" | jq -r '.bindings | length' 2\u003e/dev/null || echo \"0\")\necho \"{\\\"iamInUse\\\": $COUNT}\"\n",
  "query_output": "{\"iamInUse\": 4}\n",
  "passed": true,
  "rule_results": [
    {
      "jsonpath": "$.iamInUse",
      "expected_values": [],
      "validation_rule": "^[1-9][0-9]*$",
      "description": "Validates that at least one IAM binding exists on the bucket. IAM is the required access control mechanism; no bindings indicates access may not be properly scoped.\n",
      "actual_value": "[4]",
      "passed": true
    }
  ]
}

failed to create service account test-user-read: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

failed to create service account test-user-write: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN01/AR04/object-storage-no-public-principals/gcp.yaml",
  "name": "GCP Cloud Storage IAM in Use",
  "service_type": "object-storage",
  "requirement_text": "All unauthorized requests MUST be blocked. Access MUST be controlled by IAM.\n",
  "validity_score": 7,
  "validity_commentary": "ObjStor.CN01.AR01 already validates no-public-access. This check validates that IAM bindings exist on the bucket, proving access control is identity-based rather than public. At least one binding indicates IAM is in use. Strengths: - Confirms IAM is configured for the bucket - Bindings scope access to specific identities (user, group, service account) Limitations: - Does not validate least-privilege bindings - Inherited project-level bindings may not appear in bucket policy - Behavioral testing verifies unauthorized access is blocked at runtime\n",
  "query_template": "POLICY=$(gcloud storage buckets get-iam-policy gs://${ResourceName} --format=json 2\u003e/dev/null || echo \"{}\")\nCOUNT=$(echo \"$POLICY\" | jq -r '.bindings | length' 2\u003e/dev/null || echo \"0\")\necho \"{\\\"iamInUse\\\": $COUNT}\"\n",
  "query_executed": "POLICY=$(gcloud storage buckets get-iam-policy gs://ccc-test-bucket-20260526t102300z --format=json 2\u003e/dev/null || echo \"{}\")\nCOUNT=$(echo \"$POLICY\" | jq -r '.bindings | length' 2\u003e/dev/null || echo \"0\")\necho \"{\\\"iamInUse\\\": $COUNT}\"\n",
  "query_output": "{\"iamInUse\": 4}\n",
  "passed": true,
  "rule_results": [
    {
      "jsonpath": "$.iamInUse",
      "expected_values": [],
      "validation_rule": "^[1-9][0-9]*$",
      "description": "Validates that at least one IAM binding exists on the bucket. IAM is the required access control mechanism; no bindings indicates access may not be properly scoped.\n",
      "actual_value": "[4]",
      "passed": true
    }
  ]
}

failed to create service account test-user-read: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN02/AR01/uniform-bucket-level-access/gcp.yaml",
  "name": "GCP Cloud Storage Uniform Bucket-Level Access Check",
  "service_type": "object-storage",
  "requirement_text": "The service MUST enforce uniform bucket-level access, preventing ad-hoc  object-level permissions.\n",
  "validity_score": 10,
  "validity_commentary": "This query validates that Uniform Bucket-Level Access (UBLA) is enabled. UBLA ensures that only IAM policies govern access to the bucket and its objects. Strengths: - Directly queries the UBLA configuration - Guarantees no ad-hoc object ACLs can be used - Consistent with GCP security best practices\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(iamConfiguration.uniformBucketLevelAccess)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(iamConfiguration.uniformBucketLevelAccess)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

failed to create service account test-user-no-access: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

{"ID":"ccc-test-soft-delete","Name":"ccc-test-soft-delete","Region":"us-central1"}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN03/AR01/bucket-soft-delete/gcp.yaml",
  "name": "GCP Cloud Storage Soft Delete Check",
  "service_type": "object-storage",
  "requirement_text": "When an object storage bucket deletion is attempted, the bucket MUST be fully recoverable for a set time-frame after deletion is requested.\n",
  "validity_score": 9,
  "validity_commentary": "GCP Cloud Storage supports bucket soft delete via the softDeletePolicy. This check validates that the soft delete retention duration is set to a non-zero value, ensuring deleted buckets and objects can be recovered. Strengths: - Directly checks the soft delete policy configuration - GCP soft delete is a native feature providing bucket-level recovery Limitations: - Does not verify the exact minimum retention duration required\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(softDeletePolicy)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(softDeletePolicy)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

2

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN03/AR02/bucket-retention-lock/gcp.yaml",
  "name": "GCP Cloud Storage Retention Policy Lock Check",
  "service_type": "object-storage",
  "requirement_text": "When an attempt is made to modify the retention policy for an object storage bucket, the service MUST prevent the policy from being modified.\n",
  "validity_score": 10,
  "validity_commentary": "This query validates that a retention policy is set and locked on the GCP bucket. A locked retention policy cannot be removed or shortened, even by project owners. Strengths: - Locking is an irreversible, immutable configuration - Directly checks both the presence and locked state of the policy - Consistent with GCP compliance best practices Limitations: - Does not validate the specific minimum retention period\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(retentionPolicy)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(retentionPolicy)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{"UserName":"test-user-write","Provider":"gcp","Credentials":{"client_email":"test-user-write@nodal-time-474015-p5.iam.gserviceaccount.com","email":"test-user-write@nodal-time-474015-p5.iam.gserviceaccount.com","private_key_id":"862e25e3202690e27c62ce2bc4a7606b214eb924","project_id":"nodal-time-474015-p5","service_account_key":"{\n  \"type\": \"service_account\",\n  \"project_id\": \"nodal-time-474015-p5\",\n  \"private_key_id\": \"862e25e3202690e27c62ce2bc4a7606b214eb924\",\n  \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDR9fPGFF4BImwW\\nD91YZOpE045Hevh1L8NWkiHjmGD+bu7BzUv41vq/86qkn5/yV3SLI89Stnwi9M01\\ncJ+oqdNNx/eJ51QS3LrSRQAi+Cfy6iFapVyw6w006IJnUP29tgah/wuYBhSPR1Wi\\no36m7+AT0BlgYS/9ai8hw7ZfevSWCUIOE4rTY9fCl1k4hMdYTdZz3/yxHqiTGQMn\\ndYjaIVE159KvMQP7aW8sMpbhdFLmFp5BLE96OAQ0V1Jq8qR+ij2cQt12fisWnTZm\\nrJHpprk/0T36lJdQdnb5+F6+DPqM8Ay636a8hnFPk54mKR92+EEn3Gs9XvAJDqsC\\n2I24CWTfAgMBAAECggEAGLT4mraK2VdToMT9Jwm5B6BdfcvasO+N7QIFOuMTht1G\\n+0dNSVsC5tOloPmnuLzR2g28t98BfJuSClfWceKKGv0NBA1Ut2OCGHxGJ9dL3Cnx\\nAtmyrp76Tt+NeNrvAQQKg8Wfd6Q/hxy91wWmQb64f5xdYBoPq6JzKWX+b/3oCj+V\\n943PwFDoCPP4I/EMp+Vph1gWPvs2Xu0qCdiK14PWQCbYzPewTDHJAmWuNmeITyHb\\n3X7RgK1BlaRbtLaEO2SiKCyjYivaWAyhUj/zwuYRc5fp/mEIM6xryrGmy/7dTU8T\\nRgwoentL8IMdnRq+X1qqUMvinsaiiYco0nZx4/p7AQKBgQD3pRYGj2tthx3T9y9H\\nBvPJaWAoI2RirC//CNqN5qRozraKBaj73sWUa0rgGCVYa94KosjyINHX0TZ9zigj\\nXvr0wzcM4RM2RdeoZahNBRDxVVR5szYgnfpM8RtJpdDF2FuYIBoeO838wIgpOEmv\\nRHei3jzvMAkp0gqhA4sM+d/VSwKBgQDZC2M/0CoQJUzewH9wnkup1EV8ryPJ0Hxe\\ntVufEL5PTtt57geXYq3F5qh9jinXu74NzD2wOILHYM52TZSQdl6AuLAUE1GUBab4\\nQ+VDvGy9gQPAWh+SsLz6h1rojwSpJdQrq8lMzAOpR1/3k9YHOztAbhB/8njI3Xc2\\n0raFLUl2PQKBgDiQO3SqI3Zz6ys0BVdqzhoN+ImSc+ZZv+i3o/vPV3Qc6vKhklRd\\nMLHSw9pliXolwSSaw90SA/wQbCrWALL7icSIJjXJ3vKBh12OQp+87X7B57aYaV+P\\n1dDnLT1oI0RdQ6Z+hpirPkRh0XfgxGvE7rKDolVbmmwz7nuSbJs9I5P7AoGARZE+\\n2J9SPCaYgvVUY7Z5LhAZzaMdZ3xpwLmEinGFbkoqUuSWjlFUvY/3BXdhtgI5IpcK\\nVsdmM521z3mCWuN12vBXj7e5eCZvpDeu7o0glYUavLamVBBOIkbsPopIxiaX4P+I\\n4BKsQb/c5K//9AVqMnaU103SpR9HLM1RL1Kar0kCgYEAufcFQiktxojyGouLo9pD\\nRgxpF1gk/pmDqdCFvQZL3eULvFJXsExhGCcFOtJB6/EKk5Z4JzaBhZY1JreTk/9E\\n3wKPIXQDAAo3Xd0VXBRrCfIyuU0kmBIPqRsUS6FcryoDspze4ZF/58IadasJz7Sq\\nc1YHLcnUFU575G7T4G4OrFA=\\n-----END PRIVATE KEY-----\\n\",\n  \"client_email\": \"test-user-write@nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"client_id\": \"114093962834554122395\",\n  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\": \"https://oauth2.googleapis.com/token\",\n  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/test-user-write%40nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"universe_domain\": \"googleapis.com\"\n}\n","unique_id":"114093962834554122395"},"Policy":"{\"user\": \"test-user-write\", \"service\": \"projects/nodal-time-474015-p5/buckets/ccc-test-bucket-20260526t102300z\", \"level\": \"write\", \"role\": \"roles/editor\"}"}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN04/AR01/object-default-retention/gcp.yaml",
  "name": "GCP Cloud Storage Default Object Retention Check",
  "service_type": "object-storage",
  "requirement_text": "Objects MUST automatically receive a default retention policy upon upload, protecting critical data from premature deletion or modification.\n",
  "validity_score": 9,
  "validity_commentary": "This query validates that a default object retention policy is configured on the GCP Cloud Storage bucket. GCP's default object retention ensures all objects created in the bucket automatically inherit the retention duration. Strengths: - Default retention is applied at bucket level, covering all new objects - Directly queries the bucket retention policy configuration Limitations: - Does not validate whether the policy is locked (see CN03.AR02) - Does not validate the specific minimum retention duration\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(retentionPolicy)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(retentionPolicy)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{"UserName":"test-user-write","Provider":"gcp","Credentials":{"client_email":"test-user-write@nodal-time-474015-p5.iam.gserviceaccount.com","email":"test-user-write@nodal-time-474015-p5.iam.gserviceaccount.com","private_key_id":"862e25e3202690e27c62ce2bc4a7606b214eb924","project_id":"nodal-time-474015-p5","service_account_key":"{\n  \"type\": \"service_account\",\n  \"project_id\": \"nodal-time-474015-p5\",\n  \"private_key_id\": \"862e25e3202690e27c62ce2bc4a7606b214eb924\",\n  \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDR9fPGFF4BImwW\\nD91YZOpE045Hevh1L8NWkiHjmGD+bu7BzUv41vq/86qkn5/yV3SLI89Stnwi9M01\\ncJ+oqdNNx/eJ51QS3LrSRQAi+Cfy6iFapVyw6w006IJnUP29tgah/wuYBhSPR1Wi\\no36m7+AT0BlgYS/9ai8hw7ZfevSWCUIOE4rTY9fCl1k4hMdYTdZz3/yxHqiTGQMn\\ndYjaIVE159KvMQP7aW8sMpbhdFLmFp5BLE96OAQ0V1Jq8qR+ij2cQt12fisWnTZm\\nrJHpprk/0T36lJdQdnb5+F6+DPqM8Ay636a8hnFPk54mKR92+EEn3Gs9XvAJDqsC\\n2I24CWTfAgMBAAECggEAGLT4mraK2VdToMT9Jwm5B6BdfcvasO+N7QIFOuMTht1G\\n+0dNSVsC5tOloPmnuLzR2g28t98BfJuSClfWceKKGv0NBA1Ut2OCGHxGJ9dL3Cnx\\nAtmyrp76Tt+NeNrvAQQKg8Wfd6Q/hxy91wWmQb64f5xdYBoPq6JzKWX+b/3oCj+V\\n943PwFDoCPP4I/EMp+Vph1gWPvs2Xu0qCdiK14PWQCbYzPewTDHJAmWuNmeITyHb\\n3X7RgK1BlaRbtLaEO2SiKCyjYivaWAyhUj/zwuYRc5fp/mEIM6xryrGmy/7dTU8T\\nRgwoentL8IMdnRq+X1qqUMvinsaiiYco0nZx4/p7AQKBgQD3pRYGj2tthx3T9y9H\\nBvPJaWAoI2RirC//CNqN5qRozraKBaj73sWUa0rgGCVYa94KosjyINHX0TZ9zigj\\nXvr0wzcM4RM2RdeoZahNBRDxVVR5szYgnfpM8RtJpdDF2FuYIBoeO838wIgpOEmv\\nRHei3jzvMAkp0gqhA4sM+d/VSwKBgQDZC2M/0CoQJUzewH9wnkup1EV8ryPJ0Hxe\\ntVufEL5PTtt57geXYq3F5qh9jinXu74NzD2wOILHYM52TZSQdl6AuLAUE1GUBab4\\nQ+VDvGy9gQPAWh+SsLz6h1rojwSpJdQrq8lMzAOpR1/3k9YHOztAbhB/8njI3Xc2\\n0raFLUl2PQKBgDiQO3SqI3Zz6ys0BVdqzhoN+ImSc+ZZv+i3o/vPV3Qc6vKhklRd\\nMLHSw9pliXolwSSaw90SA/wQbCrWALL7icSIJjXJ3vKBh12OQp+87X7B57aYaV+P\\n1dDnLT1oI0RdQ6Z+hpirPkRh0XfgxGvE7rKDolVbmmwz7nuSbJs9I5P7AoGARZE+\\n2J9SPCaYgvVUY7Z5LhAZzaMdZ3xpwLmEinGFbkoqUuSWjlFUvY/3BXdhtgI5IpcK\\nVsdmM521z3mCWuN12vBXj7e5eCZvpDeu7o0glYUavLamVBBOIkbsPopIxiaX4P+I\\n4BKsQb/c5K//9AVqMnaU103SpR9HLM1RL1Kar0kCgYEAufcFQiktxojyGouLo9pD\\nRgxpF1gk/pmDqdCFvQZL3eULvFJXsExhGCcFOtJB6/EKk5Z4JzaBhZY1JreTk/9E\\n3wKPIXQDAAo3Xd0VXBRrCfIyuU0kmBIPqRsUS6FcryoDspze4ZF/58IadasJz7Sq\\nc1YHLcnUFU575G7T4G4OrFA=\\n-----END PRIVATE KEY-----\\n\",\n  \"client_email\": \"test-user-write@nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"client_id\": \"114093962834554122395\",\n  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\": \"https://oauth2.googleapis.com/token\",\n  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/test-user-write%40nodal-time-474015-p5.iam.gserviceaccount.com\",\n  \"universe_domain\": \"googleapis.com\"\n}\n","unique_id":"114093962834554122395"},"Policy":"{\"user\": \"test-user-write\", \"service\": \"projects/nodal-time-474015-p5/buckets/ccc-test-bucket-20260526t102300z\", \"level\": \"write\", \"role\": \"roles/editor\"}"}

failed to create service account test-user-read: rpc error: code = ResourceExhausted desc = A quota has been reached for project number 784623368087: Service accounts created per minute per project.
error details: retry in 1m0s

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN04/AR02/object-retention-enforcement/gcp.yaml",
  "name": "GCP Cloud Storage Object Retention Enforcement Check",
  "service_type": "object-storage",
  "requirement_text": "The service MUST prevent deletion or modification of objects under active retention, maintaining data integrity and compliance requirements.\n",
  "validity_score": 9,
  "validity_commentary": "This query validates that a retention policy is configured and locked on the GCP bucket, preventing deletion or modification of any object before its retention period has elapsed. Strengths: - Locked policy cannot be shortened, removed, or overridden - Directly queries the retention policy lock status - Consistent with GCP compliance best practices Limitations: - Retention period is specified in seconds in GCP\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=\"json(retentionPolicy)\"\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=\"json(retentionPolicy)\"\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{
  "policy_path": "/home/runner/work/ccc-cfi-compliance/ccc-cfi-compliance/testing/policy/CCC.ObjStor/CCC.ObjStor.CN05/AR01/object-storage-versioning/gcp.yaml",
  "name": "GCP Cloud Storage Bucket Versioning Configuration",
  "service_type": "object-storage",
  "requirement_text": "When an object is uploaded to the object storage bucket, the object MUST be stored with a unique identifier.\n",
  "validity_score": 9,
  "validity_commentary": "This query validates that GCP Cloud Storage bucket versioning is enabled. When versioning is enabled, each object version gets a unique generation number. Strengths: - Directly queries versioning configuration - GCS automatically assigns unique generation numbers - Versioning can be suspended but history is preserved Limitations: - Does not validate lifecycle rules that may delete versions - Suspended versioning stops creating new versions\n",
  "query_template": "gcloud storage buckets describe gs://${ResourceName} \\\n  --format=json\n",
  "query_executed": "gcloud storage buckets describe gs://ccc-test-bucket-20260526t102300z \\\n  --format=json\n",
  "query_output": "",
  "query_error": "login: gcloud auth activate-service-account: exit status 1: ERROR: (gcloud.auth.activate-service-account) The .json key file is not in a valid format.\n",
  "passed": false,
  "rule_results": null
}

{"ID":"version-test-object=1779791146460.txt","BucketID":"ccc-test-bucket-20260526t102300z","Name":"version-test-object=1779791146460.txt","Size":16,"Data":["original content"],"Encryption":"","EncryptionAlgorithm":"","VersionID":""}

{"ID":"version-test-object=1779791146460.txt","BucketID":"ccc-test-bucket-20260526t102300z","Name":"version-test-object=1779791146460.txt","Size":16,"Data":["modified content"],"Encryption":"","EncryptionAlgorithm":"","VersionID":""}

{"ID":"recover-deleted-object=1779791146919.txt","BucketID":"ccc-test-bucket-20260526t102300z","Name":"recover-deleted-object=1779791146919.txt","Size":14,"Data":["data to retain"],"Encryption":"","EncryptionAlgorithm":"","VersionID":""}