[ { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707457, "created_time_dt": "2026-04-09T04:04:17Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775707457" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0bbce9271c5d23986" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775707457, "time_dt": "2026-04-09T04:04:17Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707457, "created_time_dt": "2026-04-09T04:04:17Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775707457" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0bbce9271c5d23986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775707457, "time_dt": "2026-04-09T04:04:17Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707458, "created_time_dt": "2026-04-09T04:04:18Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775707458" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0bbce9271c5d23986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775707458, "time_dt": "2026-04-09T04:04:18Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707458, "created_time_dt": "2026-04-09T04:04:18Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775707458" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0bbce9271c5d23986" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775707458, "time_dt": "2026-04-09T04:04:18Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707459, "created_time_dt": "2026-04-09T04:04:19Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775707459" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0bbce9271c5d23986" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775707459, "time_dt": "2026-04-09T04:04:19Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707459, "created_time_dt": "2026-04-09T04:04:19Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1775707459" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0bbce9271c5d23986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775707459, "time_dt": "2026-04-09T04:04:19Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707459, "created_time_dt": "2026-04-09T04:04:19Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1775707459" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0bbce9271c5d23986", "region": "us-east-1", "type": "vpc", "uid": "vpc-0bbce9271c5d23986" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775707459, "time_dt": "2026-04-09T04:04:19Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707428, "created_time_dt": "2026-04-09T04:03:48Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775707428" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "type": "vpc", "uid": "vpc-01f543721b8193a2c" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775707428, "time_dt": "2026-04-09T04:03:48Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707428, "created_time_dt": "2026-04-09T04:03:48Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775707428" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "type": "vpc", "uid": "vpc-01f543721b8193a2c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775707428, "time_dt": "2026-04-09T04:03:48Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707429, "created_time_dt": "2026-04-09T04:03:49Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775707429" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "type": "vpc", "uid": "vpc-01f543721b8193a2c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775707429, "time_dt": "2026-04-09T04:03:49Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707429, "created_time_dt": "2026-04-09T04:03:49Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775707429" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "type": "vpc", "uid": "vpc-01f543721b8193a2c" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775707429, "time_dt": "2026-04-09T04:03:49Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707430, "created_time_dt": "2026-04-09T04:03:50Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775707430" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "type": "vpc", "uid": "vpc-01f543721b8193a2c" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775707430, "time_dt": "2026-04-09T04:03:50Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707430, "created_time_dt": "2026-04-09T04:03:50Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1775707430" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "type": "vpc", "uid": "vpc-01f543721b8193a2c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775707430, "time_dt": "2026-04-09T04:03:50Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707430, "created_time_dt": "2026-04-09T04:03:50Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1775707430" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-01f543721b8193a2c", "region": "us-east-1", "type": "vpc", "uid": "vpc-01f543721b8193a2c" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775707430, "time_dt": "2026-04-09T04:03:50Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707434, "created_time_dt": "2026-04-09T04:03:54Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775707434" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "type": "vpc", "uid": "vpc-02ff4e20289c915b9" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775707434, "time_dt": "2026-04-09T04:03:54Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707434, "created_time_dt": "2026-04-09T04:03:54Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775707434" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "type": "vpc", "uid": "vpc-02ff4e20289c915b9" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775707434, "time_dt": "2026-04-09T04:03:54Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707435, "created_time_dt": "2026-04-09T04:03:55Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775707435" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "type": "vpc", "uid": "vpc-02ff4e20289c915b9" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775707435, "time_dt": "2026-04-09T04:03:55Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707435, "created_time_dt": "2026-04-09T04:03:55Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775707435" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "type": "vpc", "uid": "vpc-02ff4e20289c915b9" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775707435, "time_dt": "2026-04-09T04:03:55Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707435, "created_time_dt": "2026-04-09T04:03:55Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775707435" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "type": "vpc", "uid": "vpc-02ff4e20289c915b9" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775707435, "time_dt": "2026-04-09T04:03:55Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707436, "created_time_dt": "2026-04-09T04:03:56Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1775707436" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "type": "vpc", "uid": "vpc-02ff4e20289c915b9" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775707436, "time_dt": "2026-04-09T04:03:56Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707436, "created_time_dt": "2026-04-09T04:03:56Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1775707436" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-02ff4e20289c915b9", "region": "us-east-1", "type": "vpc", "uid": "vpc-02ff4e20289c915b9" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775707436, "time_dt": "2026-04-09T04:03:56Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707460, "created_time_dt": "2026-04-09T04:04:20Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775707460" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "type": "vpc", "uid": "vpc-0d617b955f0a44661" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775707460, "time_dt": "2026-04-09T04:04:20Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707460, "created_time_dt": "2026-04-09T04:04:20Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775707460" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "type": "vpc", "uid": "vpc-0d617b955f0a44661" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775707460, "time_dt": "2026-04-09T04:04:20Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707461, "created_time_dt": "2026-04-09T04:04:21Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775707461" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "type": "vpc", "uid": "vpc-0d617b955f0a44661" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775707461, "time_dt": "2026-04-09T04:04:21Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707461, "created_time_dt": "2026-04-09T04:04:21Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775707461" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "type": "vpc", "uid": "vpc-0d617b955f0a44661" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775707461, "time_dt": "2026-04-09T04:04:21Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707461, "created_time_dt": "2026-04-09T04:04:21Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775707461" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "type": "vpc", "uid": "vpc-0d617b955f0a44661" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775707461, "time_dt": "2026-04-09T04:04:21Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707462, "created_time_dt": "2026-04-09T04:04:22Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1775707462" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "type": "vpc", "uid": "vpc-0d617b955f0a44661" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775707462, "time_dt": "2026-04-09T04:04:22Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707462, "created_time_dt": "2026-04-09T04:04:22Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1775707462" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0d617b955f0a44661", "region": "us-east-1", "type": "vpc", "uid": "vpc-0d617b955f0a44661" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775707462, "time_dt": "2026-04-09T04:04:22Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707431, "created_time_dt": "2026-04-09T04:03:51Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775707431" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "type": "vpc", "uid": "vpc-0a6158c0cf30fae39" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775707431, "time_dt": "2026-04-09T04:03:51Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707431, "created_time_dt": "2026-04-09T04:03:51Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775707431" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "type": "vpc", "uid": "vpc-0a6158c0cf30fae39" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✗ \"{result.Reason}\" contains \"disable default public IP\" - Error: expected {result.Reason} to contain 'disable default public IP', but got 'no public subnets found for in-scope VPC'", "status_id": 1, "time": 1775707431, "time_dt": "2026-04-09T04:03:51Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707432, "created_time_dt": "2026-04-09T04:03:52Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775707432" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "type": "vpc", "uid": "vpc-0a6158c0cf30fae39" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)", "status_id": 1, "time": 1775707432, "time_dt": "2026-04-09T04:03:52Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707432, "created_time_dt": "2026-04-09T04:03:52Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775707432" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "type": "vpc", "uid": "vpc-0a6158c0cf30fae39" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775707432, "time_dt": "2026-04-09T04:03:52Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707433, "created_time_dt": "2026-04-09T04:03:53Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775707433" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "type": "vpc", "uid": "vpc-0a6158c0cf30fae39" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775707433, "time_dt": "2026-04-09T04:03:53Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707433, "created_time_dt": "2026-04-09T04:03:53Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1775707433" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "type": "vpc", "uid": "vpc-0a6158c0cf30fae39" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✗ \"{result.FlowLogCount}\" should be greater than \"0\" - Error: expected {result.FlowLogCount} (0) to be greater than 0\n⊘ \"{result.NonCompliantCount}\" is \"0\" (skipped)", "status_id": 1, "time": 1775707433, "time_dt": "2026-04-09T04:03:53Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707433, "created_time_dt": "2026-04-09T04:03:53Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1775707433" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-0a6158c0cf30fae39", "region": "us-east-1", "type": "vpc", "uid": "vpc-0a6158c0cf30fae39" } ], "severity": "Medium", "severity_id": 3, "status": "New", "status_code": "FAIL", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✗ \"{result.Deleted}\" is true - Error: expected {result.Deleted} to be truthy, got \u003cnil\u003e (type: \u003cnil\u003e)\n⊘ \"{TrafficCleanupDeleted}\" is true (skipped)\n⊘ \"{RecordsObserved}\" is true (skipped)", "status_id": 1, "time": 1775707433, "time_dt": "2026-04-09T04:03:53Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707437, "created_time_dt": "2026-04-09T04:03:57Z", "desc": "Compliance test scenario: Main check: no default VPC exists", "title": "Main check: no default VPC exists", "types": [], "uid": "ccc-test-2278-1775707437" }, "message": "Main check: no default VPC exists", "metadata": { "event_code": "Main check: no default VPC exists", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN01", "@CCC.VPC.CN01.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "type": "vpc", "uid": "vpc-071bf2e1e2416f266" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I call \"{vpcService}\" with \"CountDefaultVpcs\"\n✓ \"{result}\" is \"0\"", "status_id": 1, "time": 1775707437, "time_dt": "2026-04-09T04:03:57Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN01.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707437, "created_time_dt": "2026-04-09T04:03:57Z", "desc": "Compliance test scenario: Main check (config): public subnets do not auto-assign external IPs", "title": "Main check (config): public subnets do not auto-assign external IPs", "types": [], "uid": "ccc-test-2331-1775707437" }, "message": "Main check (config): public subnets do not auto-assign external IPs", "metadata": { "event_code": "Main check (config): public subnets do not auto-assign external IPs", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Policy", "@MAIN", "@CCC.VPC", "@DEFAULT" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "type": "vpc", "uid": "vpc-071bf2e1e2416f266" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluatePublicSubnetDefaultIPControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.ViolatingSubnetCount}\" is \"0\"\n✓ \"{result.Reason}\" contains \"disable default public IP\"", "status_id": 1, "time": 1775707437, "time_dt": "2026-04-09T04:03:57Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707438, "created_time_dt": "2026-04-09T04:03:58Z", "desc": "Compliance test scenario: Behavioural check (active): resource launched in public subnet is not assigned an external IP", "title": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "types": [], "uid": "ccc-test-2353-1775707438" }, "message": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "metadata": { "event_code": "Behavioural check (active): resource launched in public subnet is not assigned an external IP", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-red", "@CCC.VPC.CN02", "@CCC.VPC.CN02.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "type": "vpc", "uid": "vpc-071bf2e1e2416f266" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"SelectPublicSubnetForTest\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.SubnetId}\" as \"TestSubnetId\"\n✓ I call \"{vpcService}\" with \"CreateTestResourceInSubnet\" using argument \"{TestSubnetId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I call \"{vpcService}\" with \"GetResourceExternalIpAssignment\" using argument \"{TestResourceId}\"\n✓ I refer to \"{result.HasExternalIp}\" as \"HasExternalIp\"\n✓ \"{HasExternalIp}\" is false\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✓ \"{result.Deleted}\" is true", "status_id": 1, "time": 1775707438, "time_dt": "2026-04-09T04:03:58Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN02.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707441, "created_time_dt": "2026-04-09T04:04:01Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "title": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "types": [], "uid": "ccc-test-2454-1775707441" }, "message": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "metadata": { "event_code": "Enforcement proof (dry-run): all disallowed requesters are denied against in-scope receiver VPC", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "type": "vpc", "uid": "vpc-071bf2e1e2416f266" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"ValidateDisallowListEnforcement\" using argument \"{ReceiverVpcId}\"\n✓ I attach \"{result.Summary}\" to the test output as \"Disallow-list Enforcement Summary\"\n✓ I attach \"{result.Results}\" to the test output as \"Disallow-list Enforcement\"\n✓ \"{result.ListDefined}\" is true\n✓ \"{result.TestedCount}\" should be greater than \"0\"\n✓ \"{result.AllCorrect}\" is true\n✓ \"{result.ViolationCount}\" is \"0\"", "status_id": 1, "time": 1775707441, "time_dt": "2026-04-09T04:04:01Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707442, "created_time_dt": "2026-04-09T04:04:02Z", "desc": "Compliance test scenario: Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "title": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "types": [], "uid": "ccc-test-2475-1775707442" }, "message": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "metadata": { "event_code": "Enforcement proof (dry-run): non-allowlisted requester is denied even when not explicitly listed as disallowed", "product": { "name": "CCC-Complete", "uid": "CCC-Complete", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN03", "@CCC.VPC.CN03.AR01", "@Destructive", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "type": "vpc", "uid": "vpc-071bf2e1e2416f266" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I load environment variable \"CN03_RECEIVER_VPC_ID\" as \"ReceiverVpcId\"\n✓ I load environment variable \"CN03_NON_ALLOWLISTED_REQUESTER_VPC_ID\" as \"NonAllowlistedRequesterVpcId\"\n✓ I load environment variable \"CN03_PEER_TRIAL_MATRIX_FILE\" as \"PeerTrialMatrixFile\"\n✓ \"{ReceiverVpcId}\" is not nil\n✓ \"{NonAllowlistedRequesterVpcId}\" is not nil\n✓ I call \"{vpcService}\" with \"EvaluatePeerAgainstAllowList\" using argument \"{NonAllowlistedRequesterVpcId}\"\n✓ \"{result.AllowedListDefined}\" is true\n✓ \"{result.Allowed}\" is false\n✓ I call \"{vpcService}\" with \"AttemptVpcPeeringDryRun\" using arguments \"{NonAllowlistedRequesterVpcId}\" and \"{ReceiverVpcId}\"\n✓ \"{result.DryRunAllowed}\" is false\n✓ \"{result.AllowListDefined}\" is true\n✓ \"{result.RequesterInAllowList}\" is false\n✓ \"{result.GuardrailExpectation}\" is \"deny\"\n✓ \"{result.GuardrailMismatch}\" is false\n✓ \"{result.ExitCode}\" should be greater than \"0\"\n✓ \"{result.Reason}\" contains \"guardrail aligned\"\n✓ \"{result.ConflictType}\" is \"\"", "status_id": 1, "time": 1775707442, "time_dt": "2026-04-09T04:04:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN03.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707442, "created_time_dt": "2026-04-09T04:04:02Z", "desc": "Compliance test scenario: Main check (config): flow logs are active and capture all traffic", "title": "Main check (config): flow logs are active and capture all traffic", "types": [], "uid": "ccc-test-2543-1775707442" }, "message": "Main check (config): flow logs are active and capture all traffic", "metadata": { "event_code": "Main check (config): flow logs are active and capture all traffic", "product": { "name": "CCC-Complete (Policy)", "uid": "CCC-Complete (Policy)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Policy", "@MAIN", "@DEFAULT", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "type": "vpc", "uid": "vpc-071bf2e1e2416f266" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"EvaluateVpcFlowLogsControl\" using argument \"{TargetVpcId}\"\n✓ \"{result.FlowLogCount}\" should be greater than \"0\"\n✓ \"{result.NonCompliantCount}\" is \"0\"", "status_id": 1, "time": 1775707442, "time_dt": "2026-04-09T04:04:02Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } }, { "activity_id": 1, "activity_name": "Test", "category_name": "Findings", "category_uid": 2, "class_name": "Compliance Finding", "class_uid": 2004, "finding_info": { "created_time": 1775707443, "created_time_dt": "2026-04-09T04:04:03Z", "desc": "Compliance test scenario: Behavioral check (active): traffic produces flow log records", "title": "Behavioral check (active): traffic produces flow log records", "types": [], "uid": "ccc-test-2558-1775707443" }, "message": "Behavioral check (active): traffic produces flow log records", "metadata": { "event_code": "Behavioral check (active): traffic produces flow log records", "product": { "name": "CCC-Complete (Behavioural)", "uid": "CCC-Complete (Behavioural)", "vendor_name": "FINOS", "version": "0.1" }, "profiles": [ "@vpc", "@tlp-amber", "@tlp-red", "@CCC.VPC.CN04", "@CCC.VPC.CN04.AR01", "@Behavioural", "@MAIN", "@CCC.VPC" ], "version": "1.4.0" }, "resources": [ { "cloud_partition": "aws", "data": { "details": " service on :", "metadata": { "findings": [], "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "status": "ACTIVE", "tags": [], "type": "vpc" } }, "group": { "name": "vpc" }, "name": "vpc-071bf2e1e2416f266", "region": "us-east-1", "type": "vpc", "uid": "vpc-071bf2e1e2416f266" } ], "severity": "Informational", "severity_id": 1, "status": "New", "status_code": "PASS", "status_detail": "✓ a cloud api for \"{Instance}\" in \"api\"\n✓ I call \"{api}\" with \"GetServiceAPI\" using argument \"vpc\"\n✓ I refer to \"{result}\" as \"vpcService\"\n✓ I refer to \"{UID}\" as \"TargetVpcId\"\n✓ I call \"{vpcService}\" with \"PrepareFlowLogDeliveryObservation\" using argument \"{TargetVpcId}\"\n✓ I call \"{vpcService}\" with \"GenerateTestTraffic\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.ResourceId}\" as \"TestResourceId\"\n✓ I refer to \"{result.CleanupDeleted}\" as \"TrafficCleanupDeleted\"\n✓ I call \"{vpcService}\" with \"ObserveRecentFlowLogDelivery\" using argument \"{TargetVpcId}\"\n✓ I refer to \"{result.RecordsObserved}\" as \"RecordsObserved\"\n✓ I call \"{vpcService}\" with \"DeleteTestResource\" using argument \"{TestResourceId}\"\n✓ \"{result.Deleted}\" is true\n✓ \"{TrafficCleanupDeleted}\" is true\n✓ \"{RecordsObserved}\" is true", "status_id": 1, "time": 1775707443, "time_dt": "2026-04-09T04:04:03Z", "type_name": "Compliance Finding: Test", "type_uid": 200401, "unmapped": { "compliance": { "CCC": [ "CCC.VPC.CN04.AR01" ] } } } ]