Skip to main content

CCC-Complete (Policy) 0.1

Test results for this specific product, vendor, and version combination

VendorFINOS
ProductCCC-Complete (Policy)
Version0.1

Download Raw Results

Download the original OCSF, Gemara, or HTML result files used to generate this page

File NameDownload
azure-storage-account-ccc-test-container-20260410t121838z-port
OCSFHTML
azure-storage-account-ccc-test-container-20260410t121838z-service
OCSFHTML
azure-storage-account-combined
OCSF
azure-storage-account-summary
HTML

Test Summary

Aggregate summary of all tests for this configuration result

Resources In Configuration1
Count of Tests82
Passing Tests60
Failing Tests22
Catalogs Tested
CCC.CoreCCC.ObjStor

Control Catalog Summary

Summary of test results grouped by control catalog and resource

Control CatalogResourcesTotal TestsPassingFailingTested RequirementsMissing RequirementsUnused Core Requirements
CCC.Core
/subscriptions/c1ced...
543816
CCC.Core.CN01.AR01CCC.Core.CN01.AR03CCC.Core.CN01.AR08CCC.Core.CN02.AR01CCC.Core.CN03.AR01CCC.Core.CN03.AR02CCC.Core.CN03.AR03CCC.Core.CN03.AR04CCC.Core.CN04.AR01CCC.Core.CN04.AR02CCC.Core.CN04.AR03CCC.Core.CN05.AR01CCC.Core.CN05.AR02CCC.Core.CN05.AR03CCC.Core.CN05.AR04CCC.Core.CN05.AR05CCC.Core.CN05.AR06CCC.Core.CN06.AR01CCC.Core.CN06.AR02CCC.Core.CN07.AR01CCC.Core.CN07.AR02CCC.Core.CN08.AR01CCC.Core.CN08.AR02CCC.Core.CN09.AR01CCC.Core.CN09.AR02CCC.Core.CN09.AR03CCC.Core.CN10.AR01
All covered
CCC.Core.CN01.AR01CCC.Core.CN01.AR02CCC.Core.CN01.AR03CCC.Core.CN01.AR07CCC.Core.CN01.AR08CCC.Core.CN13.AR01CCC.Core.CN13.AR02CCC.Core.CN13.AR03CCC.Core.CN06.AR01CCC.Core.CN06.AR02CCC.Core.CN08.AR01CCC.Core.CN08.AR02CCC.Core.CN09.AR01CCC.Core.CN09.AR02CCC.Core.CN09.AR03CCC.Core.CN10.AR01CCC.Core.CN02.AR01CCC.Core.CN11.AR01CCC.Core.CN11.AR02CCC.Core.CN11.AR03CCC.Core.CN11.AR04CCC.Core.CN11.AR05CCC.Core.CN11.AR06CCC.Core.CN14.AR01CCC.Core.CN14.AR02CCC.Core.CN14.AR03CCC.Core.CN03.AR01CCC.Core.CN03.AR02CCC.Core.CN03.AR03CCC.Core.CN03.AR04CCC.Core.CN05.AR01CCC.Core.CN05.AR02CCC.Core.CN05.AR03CCC.Core.CN05.AR04CCC.Core.CN05.AR05CCC.Core.CN05.AR06CCC.Core.CN04.AR01CCC.Core.CN04.AR02CCC.Core.CN04.AR03CCC.Core.CN07.AR01CCC.Core.CN07.AR02CCC.Core.CN15.AR01CCC.Core.CN15.AR02CCC.Core.CN16.AR01CCC.Core.CN16.AR02CCC.Core.CN17.AR01CCC.Core.CN18.AR01CCC.Core.CN18.AR02CCC.Core.CN19.AR01CCC.Core.CN19.AR02
CCC.ObjStor
/subscriptions/c1ced...
28226
CCC.ObjStor.CN01.AR01CCC.ObjStor.CN01.AR02CCC.ObjStor.CN01.AR03CCC.ObjStor.CN01.AR04CCC.ObjStor.CN02.AR01CCC.ObjStor.CN02.AR02CCC.ObjStor.CN03.AR01CCC.ObjStor.CN03.AR02CCC.ObjStor.CN04.AR01CCC.ObjStor.CN04.AR02CCC.ObjStor.CN05.AR01CCC.ObjStor.CN05.AR02CCC.ObjStor.CN05.AR03CCC.ObjStor.CN05.AR04
CCC.ObjStor.CN07.AR01CCC.ObjStor.CN07.AR02CCC.ObjStor.CN07.AR03
None

Test Mapping Summary

Summary of test mappings showing how event codes map to test requirements

Control CatalogTest RequirementMapped Tests (Event Code | Total | Passing | Failing)
CCC.Core
CCC.Core.CN01.AR01
When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.3 or higher.
Storage account enforces minimum TLS version
202
CCC.Core
CCC.Core.CN01.AR03
When the service receives unencrypted traffic, then it MUST either block the request or automatically redirect it to the secure equivalent.
Object storage policy prevents the use of unencrypted ports
202
CCC.Core
CCC.Core.CN01.AR08
When a service transmits data using TLS, mutual TLS (mTLS) MUST be implemented to require both client and server certificate authentication for all connections.
Storage account enforces mutual TLS - NotTested
202
CCC.Core
CCC.Core.CN02.AR01
When data is stored, it MUST be encrypted using the latest industry-standard encryption methods.
Object storage encryption compliance
220
CCC.Core
CCC.Core.CN03.AR01
When an entity attempts to modify the service through a user interface, the authentication process MUST require multiple identifying factors for authentication.
Object storage delete protection compliance
220
CCC.Core
CCC.Core.CN03.AR02
When an entity attempts to modify the service through an API endpoint, the authentication process MUST require a credential such as an API key or token AND originate from within the trust perimeter.
API modification requires credential and trust perimeter origin - NotTestable
220
CCC.Core
CCC.Core.CN03.AR03
When an entity attempts to view information on the service through a user interface, the authentication process MUST require multiple identifying factors from the user.
UI viewing requires multi-factor authentication - NotTestable
220
CCC.Core
CCC.Core.CN03.AR04
When an entity attempts to view information on the service through an API endpoint, the authentication process MUST require a credential such as an API key or token AND originate from within the trust perimeter.
API viewing requires credential and trust perimeter origin - NotTestable
220
CCC.Core
CCC.Core.CN04.AR01
When administrative access or configuration change is attempted on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.
Object storage admin logging compliance
220
CCC.Core
CCC.Core.CN04.AR02
When any attempt is made to modify data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.
Object storage data modification logging compliance
202
CCC.Core
CCC.Core.CN04.AR03
When any attempt is made to read data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.
Data read logging compliance
202
CCC.Core
CCC.Core.CN05.AR01
When an attempt is made to modify data on the service or a child resource, the service MUST block requests from unauthorized entities.
Storage is not configured for public write access
220
CCC.Core
CCC.Core.CN05.AR02
When administrative access or configuration change is attempted on the service or a child resource, the service MUST refuse requests from unauthorized entities.
Unauthorized administrative access is blocked
220
CCC.Core
CCC.Core.CN05.AR03
When administrative access or configuration change is attempted on the service or a child resource in a multi-tenant environment, the service MUST refuse requests across tenant boundaries unless the origin is explicitly included in a pre-approved allowlist.
Cross-tenant access is blocked without explicit allowlist
220
CCC.Core
CCC.Core.CN05.AR04
When data is requested from outside the trust perimeter, the service MUST refuse requests from unauthorized entities.
External unauthorized data requests are blocked
220
CCC.Core
CCC.Core.CN05.AR05
When any request is made from outside the trust perimeter, the service MUST NOT provide any response that may indicate the service exists.
External requests do not reveal service existence - NotTested
202
CCC.Core
CCC.Core.CN05.AR06
When any request is made to the service or a child resource, the service MUST refuse requests from unauthorized entities.
All unauthorized requests are blocked - Duplicate
220
CCC.Core
CCC.Core.CN06.AR01
When the service is running, its region and availability zone MUST be included in a list of explicitly trusted or approved locations within the trust perimeter.
Object storage region compliance
220
CCC.Core
CCC.Core.CN06.AR02
When a child resource is deployed, its region and availability zone MUST be included in a list of explicitly trusted or approved locations within the trust perimeter.
Child resource region compliance - NotTestable
220
CCC.Core
CCC.Core.CN07.AR01
When enumeration activities are detected, the service MUST publish an event to a monitored channel which includes the client identity, time, and nature of the activity.
Enumeration activities publish events to monitored channels
202
CCC.Core
CCC.Core.CN07.AR02
When enumeration activities are detected, the service MUST log the client identity, time, and nature of the activity.
Enumeration activities are logged
220
CCC.Core
CCC.Core.CN08.AR01
When data is created or modified, the data MUST have a complete and recoverable duplicate that is stored in a physically separate data center.
Object storage replication compliance
220
CCC.Core
CCC.Core.CN08.AR02
When data is replicated into a second location, the service MUST be able to accurately represent the replication locations, replication status, and data synchronization status.
Object storage replication status is visible
220
CCC.Core
CCC.Core.CN09.AR01
When the service is operational, its logs and any child resource logs MUST NOT be accessible from the resource they record access to.
Object storage access logging compliance
202
CCC.Core
CCC.Core.CN09.AR02
When the service is operational, disabling the logs for the service or its child resources MUST NOT be possible without also disabling the corresponding resource.
Disabling logs requires disabling the resource - NotTestable
220
CCC.Core
CCC.Core.CN09.AR03
When the service is operational, any attempt to redirect logs for the service or its child resources MUST NOT be possible without halting operation of the corresponding resource and publishing corresponding events to monitored channels.
Redirecting logs requires halting the resource - NotTestable
220
CCC.Core
CCC.Core.CN10.AR01
When data is replicated, the service MUST ensure that replication only occurs to destinations that are explicitly included within the defined trust perimeter.
Object storage replication destination compliance
220
CCC.ObjStor
CCC.ObjStor.CN01.AR01
When a request is made to read a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization.
Test policy for bucket access control
220
CCC.ObjStor
CCC.ObjStor.CN01.AR02
When a request is made to read an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization.
All unauthorized requests are blocked
202
CCC.ObjStor
CCC.ObjStor.CN01.AR03
When a request is made to write to a bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization.
All unauthorized requests are blocked
202
CCC.ObjStor
CCC.ObjStor.CN01.AR04
When a request is made to write to an object, the service MUST prevent any request using KMS keys not listed as trusted by the organization.
All unauthorized requests are blocked
202
CCC.ObjStor
CCC.ObjStor.CN02.AR01
When a permission set is allowed for an object in a bucket, the service MUST allow the same permission set to access all objects in the same bucket.
Test policy for uniform access
220
CCC.ObjStor
CCC.ObjStor.CN02.AR02
When a permission set is denied for an object in a bucket, the service MUST deny the same permission set to access all objects in the same bucket.
Uniform bucket-level access prevents object-level deny overrides - Duplicate
220
CCC.ObjStor
CCC.ObjStor.CN03.AR01
When an object storage bucket deletion is attempted, the bucket MUST be fully recoverable for a set time-frame after deletion is requested.
Test policy for bucket soft delete
220
CCC.ObjStor
CCC.ObjStor.CN03.AR02
When an attempt is made to modify the retention policy for an object storage bucket, the service MUST prevent the policy from being modified.
Test policy for immutable bucket retention lock
220
CCC.ObjStor
CCC.ObjStor.CN04.AR01
When an object is uploaded to the object storage system, the object MUST automatically receive a default retention policy that prevents premature deletion or modification.
Test policy for default object retention
220
CCC.ObjStor
CCC.ObjStor.CN04.AR02
When an attempt is made to delete or modify an object that is subject to an active retention policy, the service MUST prevent the action from being completed.
Test policy for object retention enforcement
220
CCC.ObjStor
CCC.ObjStor.CN05.AR01
When an object is uploaded to the object storage bucket, the object MUST be stored with a unique identifier.
Objects are stored with unique version identifiers
220
CCC.ObjStor
CCC.ObjStor.CN05.AR02
When an object is modified, the service MUST assign a new unique identifier to the modified object to differentiate it from the previous version.
Modified objects receive new version identifiers - Duplicate
220
CCC.ObjStor
CCC.ObjStor.CN05.AR03
When an object is modified, the service MUST allow for recovery of previous versions of the object.
Previous object versions can be recovered
220
CCC.ObjStor
CCC.ObjStor.CN05.AR04
When an object is deleted, the service MUST retain other versions of the object to allow for recovery of previous versions.
Object versions are retained after deletion - Duplicate
220

Resource Summary

Summary of all resources mentioned in OCSF results

Resource NameResource TypeControl CatalogsTotal TestsPassingFailing
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
CCC.CoreCCC.ObjStor
826022

Test Results

OCSF test results filtered for entries with CCC compliance mappings

StatusFindingResource NameResource TypeMessageTest Requirements
FAIL
Storage account enforces minimum TLS version
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-tls-policy" for control "CCC.Core.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account TLS Policy Check: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Storage account enforces minimum TLS version
CCC.Core.CN01.AR01
FAIL
Object storage policy prevents the use of unencrypted ports
✗ I attempt policy check "object-storage-unencrypted-policy" for control "CCC.Core.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage policy prevents the use of unencrypted ports
CCC.Core.CN01.AR03
FAIL
Storage account enforces mutual TLS - NotTested
✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Storage account enforces mutual TLS - NotTested
CCC.Core.CN01.AR08
PASS
Object storage encryption compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-encryption" for control "CCC.Core.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage encryption compliance
CCC.Core.CN02.AR01
PASS
Object storage delete protection compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-delete-protection" for control "CCC.Core.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage delete protection compliance
CCC.Core.CN03.AR01
PASS
API modification requires credential and trust perimeter origin - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
API modification requires credential and trust perimeter origin - NotTestable
CCC.Core.CN03.AR02
PASS
UI viewing requires multi-factor authentication - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
UI viewing requires multi-factor authentication - NotTestable
CCC.Core.CN03.AR03
PASS
API viewing requires credential and trust perimeter origin - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
API viewing requires credential and trust perimeter origin - NotTestable
CCC.Core.CN03.AR04
PASS
Object storage admin logging compliance
✓ I attempt policy check "admin-logging" for control "CCC.Core.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage admin logging compliance
CCC.Core.CN04.AR01
FAIL
Object storage data modification logging compliance
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-write-logging" for control "CCC.Core.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Write Configuration: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage data modification logging compliance
CCC.Core.CN04.AR02
FAIL
Data read logging compliance
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-read-logging" for control "CCC.Core.CN04" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Read Configuration: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Data read logging compliance
CCC.Core.CN04.AR03
PASS
Storage is not configured for public write access
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-storage-block-public-write-access" for control "CCC.Core.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Storage is not configured for public write access
CCC.Core.CN05.AR01
PASS
Unauthorized administrative access is blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Unauthorized administrative access is blocked
CCC.Core.CN05.AR02
PASS
Cross-tenant access is blocked without explicit allowlist
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-cross-tenant-block" for control "CCC.Core.CN05" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Cross-tenant access is blocked without explicit allowlist
CCC.Core.CN05.AR03
PASS
External unauthorized data requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-block-public-read" for control "CCC.Core.CN05" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
External unauthorized data requests are blocked
CCC.Core.CN05.AR04
FAIL
External requests do not reveal service existence - NotTested
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
External requests do not reveal service existence - NotTested
CCC.Core.CN05.AR05
PASS
All unauthorized requests are blocked - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked - Duplicate
CCC.Core.CN05.AR06
PASS
Object storage region compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-region" for control "CCC.Core.CN06" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage region compliance
CCC.Core.CN06.AR01
PASS
Child resource region compliance - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Child resource region compliance - NotTestable
CCC.Core.CN06.AR02
FAIL
Enumeration activities publish events to monitored channels
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "enumeration-monitoring-policy" for control "CCC.Core.CN07" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Enumeration activities publish events to monitored channels
CCC.Core.CN07.AR01
PASS
Enumeration activities are logged
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "enumeration-logging-policy" for control "CCC.Core.CN07" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Enumeration activities are logged
CCC.Core.CN07.AR02
PASS
Object storage replication compliance
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication" for control "CCC.Core.CN08" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage replication compliance
CCC.Core.CN08.AR01
PASS
Object storage replication status is visible
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication-status" for control "CCC.Core.CN08" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage replication status is visible
CCC.Core.CN08.AR02
FAIL
Object storage access logging compliance
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-access-logging" for control "CCC.Core.CN09" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage access logging compliance
CCC.Core.CN09.AR01
PASS
Disabling logs requires disabling the resource - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Disabling logs requires disabling the resource - NotTestable
CCC.Core.CN09.AR02
PASS
Redirecting logs requires halting the resource - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Redirecting logs requires halting the resource - NotTestable
CCC.Core.CN09.AR03
PASS
Object storage replication destination compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-replication-destination" for control "CCC.Core.CN10" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage replication destination compliance
CCC.Core.CN10.AR01
PASS
Test policy for bucket access control
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "no-public-access" for control "CCC.ObjStor.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for bucket access control
CCC.ObjStor.CN01.AR01
FAIL
All unauthorized requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I call "{storage}" with "CreateObject" using arguments "{ResourceName}", "test-object={Timestamp}.txt", and "test content" ✓ "{result}" is not an error ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked
CCC.ObjStor.CN01.AR02
FAIL
All unauthorized requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked
CCC.ObjStor.CN01.AR03
FAIL
All unauthorized requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ "{result}" is not an error ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ "{result}" is not an error ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked
CCC.ObjStor.CN01.AR04
PASS
Test policy for uniform access
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "uniform-bucket-level-access" for control "CCC.ObjStor.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for uniform access
CCC.ObjStor.CN02.AR01
PASS
Uniform bucket-level access prevents object-level deny overrides - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Uniform bucket-level access prevents object-level deny overrides - Duplicate
CCC.ObjStor.CN02.AR02
PASS
Test policy for bucket soft delete
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "bucket-soft-delete" for control "CCC.ObjStor.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for bucket soft delete
CCC.ObjStor.CN03.AR01
PASS
Test policy for immutable bucket retention lock
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "bucket-retention-lock" for control "CCC.ObjStor.CN03" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for immutable bucket retention lock
CCC.ObjStor.CN03.AR02
PASS
Test policy for default object retention
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-default-retention" for control "CCC.ObjStor.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for default object retention
CCC.ObjStor.CN04.AR01
PASS
Test policy for object retention enforcement
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-retention-enforcement" for control "CCC.ObjStor.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for object retention enforcement
CCC.ObjStor.CN04.AR02
PASS
Objects are stored with unique version identifiers
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-versioning" for control "CCC.ObjStor.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Objects are stored with unique version identifiers
CCC.ObjStor.CN05.AR01
PASS
Modified objects receive new version identifiers - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Modified objects receive new version identifiers - Duplicate
CCC.ObjStor.CN05.AR02
PASS
Previous object versions can be recovered
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Previous object versions can be recovered
CCC.ObjStor.CN05.AR03
PASS
Object versions are retained after deletion - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object versions are retained after deletion - Duplicate
CCC.ObjStor.CN05.AR04
FAIL
Storage account enforces minimum TLS version
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-tls-policy" for control "CCC.Core.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account TLS Policy Check: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Storage account enforces minimum TLS version
CCC.Core.CN01.AR01
FAIL
Object storage policy prevents the use of unencrypted ports
✗ I attempt policy check "object-storage-unencrypted-policy" for control "CCC.Core.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Unencrypted Traffic Block Check: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage policy prevents the use of unencrypted ports
CCC.Core.CN01.AR03
FAIL
Storage account enforces mutual TLS - NotTested
✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Storage account enforces mutual TLS - NotTested
CCC.Core.CN01.AR08
PASS
Object storage encryption compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-encryption" for control "CCC.Core.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage encryption compliance
CCC.Core.CN02.AR01
PASS
Object storage delete protection compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-delete-protection" for control "CCC.Core.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage delete protection compliance
CCC.Core.CN03.AR01
PASS
API modification requires credential and trust perimeter origin - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
API modification requires credential and trust perimeter origin - NotTestable
CCC.Core.CN03.AR02
PASS
UI viewing requires multi-factor authentication - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
UI viewing requires multi-factor authentication - NotTestable
CCC.Core.CN03.AR03
PASS
API viewing requires credential and trust perimeter origin - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
API viewing requires credential and trust perimeter origin - NotTestable
CCC.Core.CN03.AR04
PASS
Object storage admin logging compliance
✓ I attempt policy check "admin-logging" for control "CCC.Core.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage admin logging compliance
CCC.Core.CN04.AR01
FAIL
Object storage data modification logging compliance
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-write-logging" for control "CCC.Core.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Write Configuration: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage data modification logging compliance
CCC.Core.CN04.AR02
FAIL
Data read logging compliance
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "data-read-logging" for control "CCC.Core.CN04" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Diagnostic Logging Read Configuration: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Data read logging compliance
CCC.Core.CN04.AR03
PASS
Storage is not configured for public write access
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-storage-block-public-write-access" for control "CCC.Core.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Storage is not configured for public write access
CCC.Core.CN05.AR01
PASS
Unauthorized administrative access is blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Unauthorized administrative access is blocked
CCC.Core.CN05.AR02
PASS
Cross-tenant access is blocked without explicit allowlist
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-cross-tenant-block" for control "CCC.Core.CN05" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Cross-tenant access is blocked without explicit allowlist
CCC.Core.CN05.AR03
PASS
External unauthorized data requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-block-public-read" for control "CCC.Core.CN05" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
External unauthorized data requests are blocked
CCC.Core.CN05.AR04
FAIL
External requests do not reveal service existence - NotTested
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
External requests do not reveal service existence - NotTested
CCC.Core.CN05.AR05
PASS
All unauthorized requests are blocked - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked - Duplicate
CCC.Core.CN05.AR06
PASS
Object storage region compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-region" for control "CCC.Core.CN06" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage region compliance
CCC.Core.CN06.AR01
PASS
Child resource region compliance - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Child resource region compliance - NotTestable
CCC.Core.CN06.AR02
FAIL
Enumeration activities publish events to monitored channels
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "enumeration-monitoring-policy" for control "CCC.Core.CN07" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Enumeration Monitoring Policy Check: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Enumeration activities publish events to monitored channels
CCC.Core.CN07.AR01
PASS
Enumeration activities are logged
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "enumeration-logging-policy" for control "CCC.Core.CN07" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Enumeration activities are logged
CCC.Core.CN07.AR02
PASS
Object storage replication compliance
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication" for control "CCC.Core.CN08" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage replication compliance
CCC.Core.CN08.AR01
PASS
Object storage replication status is visible
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-replication-status" for control "CCC.Core.CN08" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage replication status is visible
CCC.Core.CN08.AR02
FAIL
Object storage access logging compliance
✓ a cloud api for "{Instance}" in "api" ✗ I attempt policy check "object-storage-access-logging" for control "CCC.Core.CN09" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage Account Diagnostic Logging Configuration: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage access logging compliance
CCC.Core.CN09.AR01
PASS
Disabling logs requires disabling the resource - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Disabling logs requires disabling the resource - NotTestable
CCC.Core.CN09.AR02
PASS
Redirecting logs requires halting the resource - NotTestable
✓ a cloud api for "{Instance}" in "api" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Redirecting logs requires halting the resource - NotTestable
CCC.Core.CN09.AR03
PASS
Object storage replication destination compliance
✓ a cloud api for "{Instance}" in "api" ✓ I attempt policy check "object-storage-replication-destination" for control "CCC.Core.CN10" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object storage replication destination compliance
CCC.Core.CN10.AR01
PASS
Test policy for bucket access control
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "no-public-access" for control "CCC.ObjStor.CN01" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for bucket access control
CCC.ObjStor.CN01.AR01
FAIL
All unauthorized requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I call "{storage}" with "CreateObject" using arguments "{ResourceName}", "test-object={Timestamp}.txt", and "test content" ✓ "{result}" is not an error ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked
CCC.ObjStor.CN01.AR02
FAIL
All unauthorized requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR03" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked
CCC.ObjStor.CN01.AR03
FAIL
All unauthorized requests are blocked
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ "{result}" is not an error ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ "{result}" is not an error ✗ I attempt policy check "object-storage-no-public-principals" for control "CCC.ObjStor.CN01" assessment requirement "AR04" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" - Error: policy check failed: Azure Storage RBAC in Use: ⊘ "{result}" is true (skipped)
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
All unauthorized requests are blocked
CCC.ObjStor.CN01.AR04
PASS
Test policy for uniform access
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "uniform-bucket-level-access" for control "CCC.ObjStor.CN02" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for uniform access
CCC.ObjStor.CN02.AR01
PASS
Uniform bucket-level access prevents object-level deny overrides - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Uniform bucket-level access prevents object-level deny overrides - Duplicate
CCC.ObjStor.CN02.AR02
PASS
Test policy for bucket soft delete
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "bucket-soft-delete" for control "CCC.ObjStor.CN03" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for bucket soft delete
CCC.ObjStor.CN03.AR01
PASS
Test policy for immutable bucket retention lock
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "bucket-retention-lock" for control "CCC.ObjStor.CN03" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for immutable bucket retention lock
CCC.ObjStor.CN03.AR02
PASS
Test policy for default object retention
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-default-retention" for control "CCC.ObjStor.CN04" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for default object retention
CCC.ObjStor.CN04.AR01
PASS
Test policy for object retention enforcement
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I call "{api}" with "GetServiceAPI" using argument "iam" ✓ I refer to "{result}" as "iamService" ✓ I attempt policy check "object-retention-enforcement" for control "CCC.ObjStor.CN04" assessment requirement "AR02" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Test policy for object retention enforcement
CCC.ObjStor.CN04.AR02
PASS
Objects are stored with unique version identifiers
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ I attempt policy check "object-storage-versioning" for control "CCC.ObjStor.CN05" assessment requirement "AR01" for service "{ServiceType}" on resource "{ResourceName}" and provider "{Provider}" ✓ "{result}" is true
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Objects are stored with unique version identifiers
CCC.ObjStor.CN05.AR01
PASS
Modified objects receive new version identifiers - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Modified objects receive new version identifiers - Duplicate
CCC.ObjStor.CN05.AR02
PASS
Previous object versions can be recovered
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Previous object versions can be recovered
CCC.ObjStor.CN05.AR03
PASS
Object versions are retained after deletion - Duplicate
✓ a cloud api for "{Instance}" in "api" ✓ I call "{api}" with "GetServiceAPI" using argument "object-storage" ✓ I refer to "{result}" as "storage" ✓ no-op required
/subscriptions/c1cedd8e-bf91-4d7d-a4cc-45700402a2a1/resourceGroups/cfi_test_20260410t121838z/providers/Microsoft.Storage/storageAccounts/stgcfi20260410t121838z
object-storage
Object versions are retained after deletion - Duplicate
CCC.ObjStor.CN05.AR04