Compliance Posture — linux-update-cds¶

Disclaimer: This document describes the compliance-relevant features built into this accelerator. It is NOT a compliance certification or attestation. Compliance status depends on your organization's deployment, configuration, monitoring, and continuous-monitoring practices. Engage your authorizing official (AO) before relying on any statement in this document as evidence of compliance.

Target Frameworks¶

Framework	Status	Notes
FedRAMP High	Designed-for	Government-cloud parameterization, customer-managed keys, private endpoints, Log Analytics audit trail
DoD SRG IL4	Compatible	Azure Government deployment path; NSG segmentation and RBAC align with IL4 controls
DoD SRG IL5	Compatible	Azure Government with additional operator-imposed controls (Customer Lockbox, SIEM forwarding)
DoD SRG IL6	Compatible	Azure Government Secret air-gap path supported via same parameterized Bicep
CJIS	Compatible	With operator-imposed personnel screening, audit log retention, and media-control procedures
ITAR	Compatible	Government-cloud only; no cross-border replication by default

Language note: "Designed-for" means architectural decisions were made to satisfy the control family. "Compatible" means no known architectural blockers; meeting the framework requires additional operator-side configuration and organizational controls.

What This Accelerator Gives You Out of the Box¶

The following hardening features are implemented in source and active on every deployment unless the adopter explicitly overrides them.

Private endpoints on all PaaS resources — PostgreSQL Flex Server uses VNet-delegated subnet; Redis, Key Vault, and Blob Storage have private-endpoint resources and private DNS zone groups. All private DNS zones are created and VNet-linked by infra/_shared/network.bicep.
TLS 1.2 minimum enforced — minimumTlsVersion: 'TLS1_2' and supportsHttpsTrafficOnly: true are set on every storage account (infra/_shared/storage.bicep); Redis has minimumTlsVersion: '1.2' and enableNonSslPort: false (infra/_shared/cache.bicep).
Managed identity for all service-to-service auth — No hardcoded credentials in deployed resources. ACA workloads authenticate to Key Vault, ACR, and Storage via user-assigned managed identity (infra/low-side/containerapps.bicep).
Secrets in Key Vault, not source control — All runtime secrets (Django secret key, DB password, Fernet key, TLS cert/key, storage key) are stored in Azure Key Vault with RBAC authorization and purge protection enabled (infra/_shared/keyvault.bicep; inventory in docs/security/secret-inventory.md).
RBAC scoped to least privilege — Runtime workloads receive Key Vault Secrets User (read-only); operators receive Key Vault Secrets Officer. VM-hosted high-side workloads receive AcrPull, Storage Blob Data Contributor, and Key Vault Secrets User only (docs/evidence/phase2-platform-security-checklist.md).
NSGs on every compute subnet — Inbound rules allow only SSH (22), HTTPS (443), and Pulp ports (18080, 18081) from operator/VirtualNetwork CIDRs; all other inbound traffic is implicitly denied (infra/_shared/network.bicep).
Log Analytics workspace + App Insights on every deployment — All ACA stdout/stderr, system events, and application traces flow to a Log Analytics workspace created by infra/_shared/monitoring.bicep. Retention is configurable (default 30 days).
Blob public access disabled — allowBlobPublicAccess: false on every storage account; all containers are created with publicAccess: 'None' (infra/_shared/storage.bicep).
Blob versioning + soft-delete — Storage accounts have isVersioningEnabled: true, blob soft-delete (30 days), and container soft-delete (30 days) — supports recovery and immutability evidence (infra/_shared/storage.bicep).
Government cloud as a single parameter — Pass cloudEnvironment: 'usgovernment' to infra/low-side/main.bicep to redirect all private DNS zones to *.usgovcloudapi.net / *.azurecr.us. No forking required (infra/low-side/main.bicep).
Immutable Pulp publications — Pulp's publication model creates point-in-time snapshots of repository content. Published versions cannot be overwritten; old versions are retained for audit evidence.
Internal PKI compatible — TLS certificates are consumed from Key Vault secrets (pulp-tls-cert, pulp-tls-key). No dependency on Let's Encrypt or any external CA. Bring your own certificate from your internal PKI.
Key Vault purge protection — enablePurgeProtection: true prevents permanent deletion of secrets for 90 days after soft-delete, supporting evidence retention (infra/_shared/keyvault.bicep).
Required compliance tags — The default tags object in main.bicep includes workload, environment, milestone, and managedBy. Adopters must extend this with Classification, Compliance, and Owner tags before production deployment.

What You Must Add for Production¶

The following controls are not implemented by this accelerator and are the adopter's responsibility:

Responsibility	Description
SIEM forwarding	Configure Log Analytics data export or Sentinel connector to forward audit events to your authoritative SIEM.
Continuous monitoring	Integrate Microsoft Defender for Cloud (or equivalent) and configure vulnerability scanning for ACA images and host OS.
Backup + DR	Define and test backup retention, restore procedures, and RTO/RPO targets for PostgreSQL and Blob Storage.
Incident response procedures	Document and exercise IR procedures that cover the Pulp service, Key Vault, and transfer media.
Personnel screening	Enforce background-check and need-to-know requirements for anyone with `Key Vault Secrets Officer` or ACA `Contributor` access.
Annual penetration testing	Commission independent red-team or pen-test assessment of the deployed environment.
Customer Lockbox	Enable Azure Customer Lockbox on your subscription to require explicit approval before Microsoft support accesses your tenant.
Change management workflows	Establish a formal change-control process for Bicep deployments and container image promotions.
RBAC governance reviews	Conduct periodic (quarterly) reviews of role assignments; remove stale principals promptly on personnel change.
Audit log retention ≥ 1 year	The default Log Analytics retention is 30 days. Increase `retentionInDays` in `infra/_shared/monitoring.bicep` and/or configure long-term archival to meet your policy.

NIST SP 800-53 Rev 5 Control Mapping¶

Control ID	Control Name	How This Accelerator Addresses It	Source Reference
AC-2	Account Management	Managed identities replace service accounts; no standing passwords for workloads; ACA identity is user-assigned with a defined principal	`infra/low-side/containerapps.bicep`
AC-3	Access Enforcement	Azure RBAC enforces least-privilege role assignments at Key Vault, Storage, and ACR scope; runtime workloads have read-only Secrets User role	`infra/_shared/keyvault.bicep`
AC-4	Information Flow Enforcement	NSG rules restrict inbound flows to documented ports/CIDRs; private DNS zones prevent cross-environment resolution; ACA subnet delegated to `Microsoft.App/environments`	`infra/_shared/network.bicep`
AU-2	Event Logging	ACA diagnostic settings send stdout/stderr, system events, and metrics to Log Analytics; Key Vault audit logging enabled	`infra/_shared/monitoring.bicep`
AU-12	Audit Record Generation	Log Analytics workspace captures ACA container logs and App Insights performance/exception telemetry; retention configurable	`infra/_shared/monitoring.bicep`
CM-2	Baseline Configuration	All infrastructure defined in Bicep IaC; no click-ops changes are authoritative; `main.bicep` is the configuration baseline	`infra/low-side/main.bicep`
CM-7	Least Functionality	ACA containers run only required Pulp processes; non-SSL Redis port disabled; no public blob access; no unnecessary PaaS features enabled	`infra/_shared/cache.bicep`, `infra/_shared/storage.bicep`
IA-2	Identification and Authentication	Azure Managed Identity provides non-repudiable identity for all service-to-service calls; no shared passwords for workloads	`infra/low-side/containerapps.bicep`
IA-5	Authenticator Management	Runtime secrets stored in Key Vault with versioning; rotation procedures documented with umask-protected file input (no shell-history exposure)	`docs/runbooks/secrets-rotation.md`, `docs/security/secret-inventory.md`
SC-7	Boundary Protection	Private endpoints remove public reachability for PostgreSQL, Redis, Key Vault, and Blob Storage; NSGs enforce subnet-level micro-segmentation	`infra/_shared/network.bicep`
SC-8	Transmission Confidentiality and Integrity	TLS 1.2 minimum on Redis, Storage, and Key Vault; HTTPS-only on all ACA ingress; certificate stored in Key Vault	`infra/_shared/cache.bicep`, `infra/_shared/storage.bicep`
SC-12	Cryptographic Key Establishment and Management	Key Vault used for all secret and key storage; purge protection retains key material for 90 days after soft-delete	`infra/_shared/keyvault.bicep`
SC-13	Cryptographic Protection	TLS 1.2+ for all data in transit; Azure Storage Server-Side Encryption (SSE) with platform-managed keys by default; CMK upgrade path via Key Vault	`infra/_shared/storage.bicep`
SC-28	Protection of Information at Rest	Azure Storage SSE enabled by default; blob public access disabled; blob versioning and soft-delete preserve evidence	`infra/_shared/storage.bicep`
SI-4	System Monitoring	Log Analytics workspace captures all ACA logs; App Insights captures traces and exceptions; both are in the operator's subscription	`infra/_shared/monitoring.bicep`

Gap note: Customer-managed keys (CMK) for Storage encryption at rest are not wired in the current Bicep — platform-managed keys are used. Adopters requiring SC-12/SC-28 at the CMK level must add a Key Vault key resource and reference it in the storage account's encryption.keyVaultProperties. This is an accepted M2 gap.

Air-Gap Deployment Notes¶

The same infra/low-side/main.bicep and infra/high-side/main.bicep templates deploy to Azure Government Secret and Top Secret by passing cloudEnvironment: 'usgovernment' and overriding privateDnsZoneNames for non-standard sovereign suffixes. No code fork is required.

Content transfer across the boundary: Follow docs/runbooks/transfer-media.md. The transfer bundle includes a signed manifest, SHA256SUMS, and Pulp export payload. Classification labels are enforced by the transfer script.
High-side configuration: See docs/runbooks/high-side-config.md for service model, required Azure inputs, and disconnected hydration procedures.
No internet dependency at runtime: The high side consumes only approved media bundles from the transfer queue. All ACA images are pulled from a private ACR; no public registry traffic at runtime.

Threat Model Summary¶

Trust Boundaries¶

┌─────────────────────────────────────────────────────────────────┐
│  Operator workstation (interactive RBAC sessions)               │
└────────────────────────────┬────────────────────────────────────┘
                             │ SSH / Azure CLI / HTTPS
┌────────────────────────────▼────────────────────────────────────┐
│  Low-side Azure VNet (10.40.0.0/16)                             │
│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────────┐ │
│  │  ACA apps    │  │  PostgreSQL  │  │  Redis (private EP)    │ │
│  │  (app subnet)│  │  (delegated) │  └────────────────────────┘ │
│  └──────┬───────┘  └──────────────┘  ┌────────────────────────┐ │
│         │                            │  Key Vault (priv. EP)  │ │
│         ▼                            └────────────────────────┘ │
│  ┌────────────────────────────────────────────────────────────┐ │
│  │  Blob Storage (private endpoint)                           │ │
│  └────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────┘
         │  approved media bundle (signed + hashed)
┌────────▼─────────────────────────────────────────────────────────┐
│  High-side disconnected environment (air-gapped)                 │
└──────────────────────────────────────────────────────────────────┘

In-Scope Threats¶

Threat	Mitigation
Compromised upstream package source	Pulp publications are immutable snapshots. Synced content can be validated against known-good checksums before publishing. Transfer bundles include SHA256SUMS and signed manifests.
Exfiltration through ACA egress	Private endpoints remove public IP surface; NSGs restrict outbound paths; Pulp upstream sync URL is operator-controlled (see `upstreamUrl` parameter).
Key Vault credential theft	Managed identity eliminates credential secrets on workloads; purge protection retains key material; `Key Vault Secrets User` role is read-only.
Stale RBAC principals	Rotation runbook covers personnel-change scenarios; adopter must implement RBAC governance review process.
Insider access to transfer media	Transfer bundles are signed with operator private key; classification label is enforced; signing key is not stored on transfer media.

Out of Scope¶

Azure platform compromise — Azure infrastructure security is Microsoft's responsibility under the shared-responsibility model.
Host kernel exploits — ACA manages the underlying compute; host-level hardening is not configurable by the adopter in the managed runtime.
Denial of service against Azure endpoints — Azure DDoS protection is a platform control.

Audit Evidence¶

Collect the following artefacts at each deployment and store them in your evidence repository:

Evidence Item	How to Collect	Reference
ARM deployment output	`az deployment group show` on the `main-infra-*` deployment	`docs/examples/reference-run/README.md`
ACA revision history	`az containerapp revision list` for each app	—
Pulp publication versions	`/pulp/api/v3/publications/` — immutable, append-only	—
Key Vault audit log	Log Analytics query on `AzureDiagnostics` for `KeyVault` resource type	`docs/evidence/phase2-platform-security-checklist.md`
RBAC assignments	`az role assignment list --resource-group <rg> -o json`	`docs/evidence/phase2-platform-security-checklist.md`
NSG rule snapshot	`az network nsg rule list`	`docs/evidence/phase2-platform-security-checklist.md`
Storage account security config	`az storage account show` — verify TLS, HTTPS-only, no public blob	`docs/evidence/phase2-platform-security-checklist.md`
Secrets rotation log	Key Vault secret version history; `az keyvault secret list-versions`	`docs/runbooks/secrets-rotation.md`

Continuous Improvement¶

Which controls are you having trouble mapping to your specific framework? Open an issue in this repository describing the control ID and the gap you found. We use these to prioritize future hardening work.