# Wiz Control Mapping
Each TrustOnCloud control is mapped to its Wiz built-in rule equivalent where
one exists. Where the mapping shows N/A, no built-in rule exists — a custom
CCR is provided in the package to fill the gap.
## How We Measure Coverage

A control is counted as covered by Wiz when a built-in Wiz rule directly resolves the control without requiring additional configuration or custom rules.

A control is counted as not covered when:

- No built-in Wiz rule exists for it, or
- The built-in rule only partially addresses the control requirement

Each gap is weighted by severity using TrustOnCloud's CVSS-based scoring, which factors in threat mitigation, threat impact, and control difficulty.

## Azure Storage — Full Control Mapping
| Control ID | Short Summary | Allowlist | Denylist | Universal | Wiz Built-in CCR Mapping |
|---|---|---|---|---|---|
| Storage.C9 | Disable unauthorized public access | - | - | - | StorageAccount-005 |
| Storage.C11 | Enforces blob versioning on required containers | - | - | - | StorageAccount-049 |
| Storage.C13 | Mandates share snapshots for required file shares | - | - | - | N/A |
| Storage.C18 | Validates blob soft-delete is enabled for data recovery | - | - | - | StorageAccount-008 |
| Storage.C21 | Validates container soft-delete is enabled for data recovery | - | - | - | StorageAccount-035 |
| Storage.C24 | Hierarchical Namespace (HNS) Detection | ✅ | - | ✅ | N/A |
| Storage.C28 | Storage Account Location Validation | ✅ | - | ✅ | N/A |
| Storage.C40 | Default Network Access (Firewall) | ✅ | - | ✅ | StorageAccount-029 |
| Storage.C45 | Authorized Private Endpoints | ✅ | - | ✅ | N/A |
| Storage.C49 | Restricts cross-tenant replication to authorized accounts | - | - | - | StorageAccount-019 |
| Storage.C54 | Verifies diagnostic logging to Log Analytics is configured | - | - | - | StorageAccount-030 |
| Storage.C59 | Limits anonymous access to explicitly authorized containers | - | - | - | StorageAccount-013 |
| Storage.C65 | Enforces authorized customer-managed keys | - | - | - | StorageAccount-007 |
| Storage.C74 | Mandates authorized storage redundancy | - | - | - | StorageAccount-027 |
| Storage.C78 | Authorized Azure Regions | ✅ | ✅ | ✅ | N/A |
| Storage.C81 | Restricts authorized authentication methods | ✅ | - | ✅ | StorageAccount-043 (Partial) |
| Storage.C86 | Enforces file share soft-delete | - | - | - | StorageAccount-048 |
| Storage.C93 | Disables unauthorized static websites | - | - | - | StorageAccount-046 |
| Storage.C97 | CORS Trusted Origins & Methods | ✅ | - | ✅ | N/A |
| Storage.C102 | Legacy SMB 2.1 Protocol Detection | ✅ | ✅ | ✅ | StorageAccount-034 (Partial) |
| Storage.C109 | Resource Management Locks | ✅ | - | ✅ | N/A |
| Storage.C116 | Restricts SFTP to authorized accounts | - | - | - | StorageAccount-036 |
| Storage.C123 | SMB Security Protocol Settings | ✅ | ✅ | ✅ | StorageAccount-037 (Partial), StorageAccount-038 (Partial) |
| Storage.C146 | Blob Version-Level Immutability | ✅ | - | ✅ | StorageAccount-047 (Partial) |
| Storage.C152 | Authorizes replication destination accounts | - | - | - | StorageAccount-045 |
| Storage.C157 | Validates stored access policy permissions | - | - | - | StorageAccount-042 (Partial) |
| Storage.C160 | Enforce Data Lake ACLs by disabling Shared Key access with HNS enabled | ✅ | - | ✅ | N/A |
| Storage.C163 | Authorizes SFTP local user permissions | ✅ | - | ✅ | N/A |
## AWS S3 — Full Control Mapping

View the current mapping on GitHub.

## GCP BigQuery — Full Control Mapping

View the current mapping on GitHub.