Appearance
External Processors Egress Tests (DM-PROCEXT)
Validate that external processors used in data-motion pipelines (e.g., DLP/OCR) do not leak data to disallowed regions and fail closed when unavailable.
Objectives
- Enforce region allowlists and mTLS/pinning.
- Ensure secrets are referenced via
{{CRED:*}}and not embedded. - Confirm
onProcessorFailuredenies transfers when processors are unhealthy.
Controls Under Test
- Data-motion rules using HTTP/gRPC/script processors.
Test Scenarios
| ID | Test Scenario | Procedure | Expected Outcome |
|---|---|---|---|
| DM-PROCEXT-01 | Disallowed Region | Configure regionAllowlist, target endpoint in disallowed region. | Pass: Transfer denied; audit shows region violation. |
| DM-PROCEXT-02 | Secret Handling | Use {{CRED:ProcessorApi:token}} in config; inspect audit/policy. | Pass: No raw secret appears in policy/audit payloads. |
| DM-PROCEXT-03 | Processor Failure | Set onProcessorFailure: "deny"; simulate outage/timeout. | Pass: Transfer denied; audit shows fail-closed. |
Evidence Requirements
- Audit category:
dataMotionwith processor context (name/ref), action, outcome, and failure reason when applicable.
Troubleshooting
- Verify
regionAllowlistvalues match processor metadata; confirm the processor reports region and that policy compares correctly. - Ensure TLS pinning is configured and the processor endpoint presents a certificate chaining to pinned roots.
- Simulate outages with realistic timeouts; check
onProcessorFailureis set to"deny"during tests. - Use
{{CRED:*}}placeholders and confirm no secrets appear in logs or policy payloads.
Known Limitations & Negative Space
- External processors may temporarily queue or retry; audit timing can vary. Capture a long enough window to include retries.
- These tests validate policy posture, not processor accuracy (for example, OCR quality). Validate functional accuracy separately.
