# Wiz CCR Integration
TrustOnCloud Custom Configuration Rules (CCRs) are written in Rego and integrate directly into Wiz as Custom Configuration Rules. This page covers the three enforcement modes, how to read the control mappings, and links to the open-source packages for each cloud service.
## CCR Packages
| Cloud Service | GitHub Repo |
|---|---|
| AWS S3 | threatmodel-for-aws-s3 |
| Azure Storage | threatmodel-for-azure-storage |
| GCP BigQuery | threatmodel-for-google-bigquery |
Each package includes a full mapping of default Wiz built-in rules to TrustOnCloud controls, plus custom Rego rules for every gap.
## CCR Enforcement Modes
TrustOnCloud CCRs operate in three distinct modes so teams can match rules to their risk tolerance and operational context.
| Mode | Philosophy | Best For |
|---|---|---|
| Universal | Binary check — applies to every resource with no exceptions | Non-negotiable baseline controls |
| Allowlist | Default Deny — only explicitly permitted values pass | Strict environments: Production, Banking, PCI-DSS |
| Denylist | Default Allow — only explicitly banned values fail | Flexible environments: Dev/Test, Sandboxes |
### Universal Mode

A binary check. The control applies to every resource with no exceptions. If the resource does not match the required configuration state, the result is fail.

Example — Storage.C123 (Universal):

All SMB file shares must support AES-256 (Kerberos) and AES-256-GCM (Channel) encryption. Any deviation fails with no exceptions.

```rego
package wiz

# --- Configuration ---
# Required on every share; there is no scoping set in Universal mode.
required_kerberos := "AES-256"
required_channel := "AES-256-GCM"
```
### Allowlist Mode

Follows a strict Default Deny philosophy. You define exactly what is permitted — everything else is flagged as a violation.

Example — Storage.C123 (Allowlist):

Only file shares named in required_secure_shares are subject to strict encryption enforcement. All other shares bypass the check, reducing false positives.

```rego
package wiz

# --- Configuration ---
# Only shares listed here are held to the required encryption methods.
required_secure_shares := {"finance-share", "hr-share"}
required_kerberos := "AES-256"
required_channel := "AES-256-GCM"
```
### Denylist Mode

Follows a Default Allow philosophy. You define specific bad configurations to block — everything else is permitted.

Example — Storage.C123 (Denylist): The rule targets known weak legacy protocols. Modern or unlisted encryption methods pass automatically.

```rego
package wiz

# --- Configuration ---
# Any share that enables one of these methods fails; everything else passes.
forbidden_methods := {"RC4-HMAC", "AES-128-CCM", "AES-128-GCM"}
```
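The three modes above combined into one complete Wiz-format rule, as an added example that is not from the TrustOnCloud packages: the `mode` constant selects which philosophy applies, and the input field names (`name`, `kerberosTicketEncryption`, `channelEncryption`) and the `import rego.v1` syntax are assumptions, not the Wiz engine's documented input shape.

```rego
package wiz

import rego.v1

# Assumed input shape, constructed for illustration (Azure SMB settings are
# semicolon-separated lists):
#   {"name": "finance-share",
#    "kerberosTicketEncryption": "RC4-HMAC;AES-256",
#    "channelEncryption": "AES-128-GCM;AES-256-GCM"}

# --- Configuration: "universal", "allowlist" or "denylist" ---
mode := "allowlist"
required_secure_shares := {"finance-share", "hr-share"}
required_kerberos := "AES-256"
required_channel := "AES-256-GCM"
forbidden_methods := {"RC4-HMAC", "AES-128-CCM", "AES-128-GCM"}

# Methods the share currently enables, as sets.
kerberos := {m | some m in split(input.kerberosTicketEncryption, ";")}
channel := {m | some m in split(input.channelEncryption, ";")}
enabled := kerberos | channel

# Universal and Allowlist both require the strong methods to be present.
missing_required if not required_kerberos in kerberos
missing_required if not required_channel in channel

# Universal: every share is in scope. Allowlist: only the named shares.
in_scope if mode == "universal"
in_scope if {
    mode == "allowlist"
    input.name in required_secure_shares
}

default result := "pass"

result := "fail" if {
    in_scope
    missing_required
}

# Denylist: any listed weak method enabled on any share fails.
result := "fail" if {
    mode == "denylist"
    count(enabled & forbidden_methods) > 0
}
```

With the constructed input and `mode := "allowlist"`, `finance-share` passes because both required methods are present; switching to `"denylist"` fails it because `RC4-HMAC` and `AES-128-GCM` are enabled.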
## Reading the Control Mapping
Each CCR package repo contains a mapping table linking TrustOnCloud control IDs to their Wiz built-in rule equivalent (where one exists).
Example — Storage.C49:
| TrustOnCloud Control | Description | Wiz Built-in Mapping |
|---|---|---|
| Storage.C49 | Restricts cross-tenant replication to authorized accounts | StorageAccount-019 |
Where the Wiz mapping shows N/A, no built-in rule exists — a custom CCR is provided in the package to fill the gap.