# Evidence Reports
CertifyClouds produces auditor-grade evidence in two packaged surfaces:
- Consolidated compliance evidence package - `GET /api/compliance/evidence-package?format=pdf`. One PDF bundle covering whichever evidence sections the customer selects via `include*` flags. The customer signs one management assertion per audit cycle.
- CC operator audit log - `GET /api/audit/export?format=pdf`. Standalone hash-chained PDF bundle. Kept separate because the audit log is a complete artifact in its own right (tamper-evident chain + HMAC manifest) that auditors specifically request as the "what did the CC tool itself do" trail.
Both surfaces use the same shared envelope (the `evidence_bundle` service):
- Cover page with tenant, scope, exported_at (UTC from CC's clock), actor, CC version, row count, SHA-256 of the bound CSV.
- Original CSV(s) preserved verbatim as PDF attachments so the bound SHA-256 stays verifiable byte-for-byte against the attached data.
- Customer Management Assertion page (per AT-C 105). The customer signs to attest that the scope + time period are correct. This signed assertion is the bridge from "tool output" to "evidence the auditor can rely on."
## Consolidated evidence package - selectable sections
The `/api/compliance/evidence-package` endpoint produces one PDF covering whichever of the following sections are enabled via flags. Sections that produce tabular data also produce a CSV that rides along as a PDF attachment for auditor sampling.
| Section | Flag | What it covers |
|---|---|---|
| Policy configuration | always included | Customer-configured compliance thresholds |
| Compliance score + violations | always included | Latest score + per-rule violations + framework mappings |
| CIS Benchmark + framework assessments | includeCis (default true) | CIS Azure Key Vault checks + SOC 2 / ISO 27001 / NIST / Azure Security Benchmark mappings |
| Rotation event population | includeRotation (default true) | Every secret/cert rotation in the audit period: actor, before/after expiry, success/failure |
| KV asset inventory | includeInventory | Every secret/cert/key with subscription, vault, enabled, expiry, algorithm, key size, content type, tags |
| Dependency / blast-radius | includeDependencies | Every credential → downstream Azure resource mapping with subscription, vault, resource type/name/group, setting name, match type + confidence, status, last-verified |
| Multi-cloud sync provenance | includeSyncProvenance | Per-sync execution row in the audit window: vault, secret, status, start/complete timestamps, Azure source version, target ARN, actor, any error message. Drives PCI-DSS Req 4 + HIPAA §164.312(e) transmission-security evidence. |
| Recoverability posture per vault | includeRecoverability | Soft-delete + purge-protection + public-network-access + RBAC-enabled flags per vault (CIS Azure 8.5/8.6/8.7) |
| Cryptoperiod conformance | includeCryptoperiod | Per-asset days-until-expiry classified against policy thresholds (critical_expiry_days / warning_expiry_days); status of expired / critical / warning / ok / no-expiry. Drives NIST SP 800-57 cryptoperiod evidence. |
| Algorithm/strength conformance | includeAlgorithmStrength | Keys + certificates flagged against FIPS 140-3 + PCI-DSS minimums (RSA ≥2048, EC ≥256, DSA flagged as legacy). Secrets are skipped (opaque to CC). |
| Audit summary | includeAudit (default true) | Audit log statistics + action breakdown for the period. The full hash-chained audit trail is a separate download (/api/audit/export?format=pdf) so the integrity contract remains intact. |
The endpoint's shape and the wrapper format are stable today - new sections in future releases appear as additional opt-in flags without breaking existing integrations.
Out of scope: per-vault Azure RBAC role-assignment enumeration and firewall-rule counts. The Recoverability section reports the binary rbacEnabled / publicNetworkAccess posture per vault, which is what credential-lifecycle evidence requires. Deeper IAM and network-posture enumeration belongs in CIEM, Microsoft Defender for Cloud, or Entra Permissions Management - CertifyClouds stays focused on credential lifecycle.
## Time-range parameters

`/api/compliance/evidence-package` accepts `startDate` and `endDate` as ISO 8601 dates. Default: the last 90 days. Hard limit: 365 days per request (matches typical SOC 2 / HIPAA / PCI audit-period sampling).
```http
GET /api/compliance/evidence-package?format=pdf
    &startDate=2025-05-20
    &endDate=2026-05-20
    &includeRotation=true
    &includeCis=true
    &includeAudit=true
```
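As an added example (not CertifyClouds client code), the following Python helper builds this request URL and enforces the documented window rules on the client side before the request is sent: ISO 8601 dates, a default of the last 90 days, at most 365 days per request, and only the section flags listed in the table above. The base URL, the function names and the `today` parameter are assumptions made for the example; the query parameters and flag names come from the documentation.

```python
"""Build a /api/compliance/evidence-package request that respects the documented limits.

Added example, not CertifyClouds code. Base URL and function names are assumptions;
the query parameters and flag names come from the documentation above.
"""
from datetime import date, timedelta
from typing import Optional, Tuple
from urllib.parse import urlencode

DEFAULT_WINDOW_DAYS = 90   # documented default: last 90 days
MAX_WINDOW_DAYS = 365      # documented hard limit per request

# Section flags accepted by the endpoint (taken from the section table above).
SECTION_FLAGS = frozenset({
    "includeCis", "includeRotation", "includeInventory", "includeDependencies",
    "includeSyncProvenance", "includeRecoverability", "includeCryptoperiod",
    "includeAlgorithmStrength", "includeAudit",
})


def resolve_window(start_date: Optional[str], end_date: Optional[str],
                   today: Optional[str] = None) -> Tuple[str, str]:
    """Return (startDate, endDate) as ISO strings after applying defaults and limits.

    `today` is an assumed hook so the default window can be computed deterministically;
    when omitted the real current date is used.
    """
    if end_date:
        end = date.fromisoformat(end_date)
    else:
        end = date.fromisoformat(today) if today else date.today()
    start = date.fromisoformat(start_date) if start_date else end - timedelta(days=DEFAULT_WINDOW_DAYS)
    span = (end - start).days
    if span < 0:
        raise ValueError("startDate must not be after endDate")
    if span > MAX_WINDOW_DAYS:
        raise ValueError(f"audit window is {span} days; the endpoint accepts at most {MAX_WINDOW_DAYS}")
    return start.isoformat(), end.isoformat()


def build_evidence_package_url(base_url: str, start_date: Optional[str] = None,
                               end_date: Optional[str] = None, **sections: bool) -> str:
    """Assemble the PDF export URL, rejecting unknown flags and out-of-range windows."""
    unknown = set(sections) - SECTION_FLAGS
    if unknown:
        raise ValueError(f"unknown section flag(s): {sorted(unknown)}")
    start, end = resolve_window(start_date, end_date)
    params = {"format": "pdf", "startDate": start, "endDate": end}
    # The endpoint takes literal true/false values, as in the documented request.
    params.update({flag: "true" if on else "false" for flag, on in sections.items()})
    return f"{base_url.rstrip('/')}/api/compliance/evidence-package?{urlencode(params)}"


if __name__ == "__main__":
    # Reproduces the documented request for a full 365-day window (base URL is a placeholder).
    print(build_evidence_package_url("https://cc.example", "2025-05-20", "2026-05-20",
                                     includeRotation=True, includeCis=True, includeAudit=True))
```

Rejecting a 366-day window locally is only a convenience; the server still enforces the limit, and the helper never widens what the endpoint accepts.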
## Auth
Evidence-grade exports are admin-gated. The management assertion that the customer signs attests that the actor named on the cover page generated the report.
## Verifying a downloaded bundle
The bundle's cover page lists the CSV SHA-256. To verify the embedded CSV is the same data the cover page binds to:
```bash
pypdf extract-attachments compliance_evidence_2025-05-20_to_2026-05-20.pdf
shasum -a 256 evidence-package.csv   # compare against the cover-page CSV SHA-256
```
For the audit-log bundle, additionally verify the hash chain + HMAC manifest using the `verify-audit-export.py` tool. See Compliance Evidence for the framework-by-framework control mappings and the Compliance Disclaimer for the full legal framing.
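The two checks described in this section, as an added Python example that is not CertifyClouds code and not the `verify-audit-export.py` tool: the first function performs the same comparison as the `shasum` step against the CSV bytes extracted from the PDF; the rest models what a tamper-evident audit export looks like and why the HMAC manifest is needed on top of the chain. The chain layout (each row hash = SHA-256 over the previous hash plus the canonical JSON of the row) and the manifest layout (HMAC-SHA256 over the final row hash under a key the verifier holds) are assumptions made for illustration; the actual export format and key handling are defined by the tool. The audit events, CSV bytes and key are constructed sample data.

```python
"""Offline checks on an extracted evidence CSV and on a hash-chained audit export.

Added example, not CertifyClouds code. The CSV digest check mirrors the shasum step
above. The chain/manifest layout (row hash = SHA-256 over previous hash + canonical
JSON of the row; manifest = HMAC-SHA256 over the final row hash) is an ASSUMPTION used
to show what a tamper-evident check looks like; the real layout belongs to
verify-audit-export.py.
"""
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64  # chain anchor for the first row (assumed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def csv_matches_cover_page(csv_bytes: bytes, cover_page_digest: str) -> bool:
    """True when the extracted CSV hashes to the SHA-256 printed on the cover page."""
    return hmac.compare_digest(sha256_hex(csv_bytes), cover_page_digest.strip().lower())


def row_hash(prev_hash: str, row: dict) -> str:
    """Hash of one audit row, bound to its predecessor (assumed layout)."""
    canonical = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()


def build_chain(events: list) -> list:
    """Append a 'hash' field to each event so every row commits to all earlier rows."""
    rows, prev = [], GENESIS_HASH
    for event in events:
        h = row_hash(prev, event)
        rows.append({**event, "hash": h})
        prev = h
    return rows


def verify_chain(rows: list) -> tuple:
    """Walk the chain; return (ok, index) where index is the first bad row, or len(rows)."""
    prev = GENESIS_HASH
    for i, row in enumerate(rows):
        body = {k: v for k, v in row.items() if k != "hash"}
        if not hmac.compare_digest(row_hash(prev, body), row.get("hash", "")):
            return False, i
        prev = row["hash"]
    return True, len(rows)


def make_manifest(rows: list, key: bytes) -> dict:
    """Manifest that commits to the row count and the chain head (assumed layout)."""
    head = rows[-1]["hash"] if rows else GENESIS_HASH
    mac = hmac.new(key, head.encode(), hashlib.sha256).hexdigest()
    return {"rows": len(rows), "head_hash": head, "hmac": mac}


def verify_manifest(rows: list, manifest: dict, key: bytes) -> bool:
    """Chain intact, row count matches, and the HMAC over the chain head verifies under key."""
    ok, _ = verify_chain(rows)
    if not ok or manifest.get("rows") != len(rows):
        return False
    head = rows[-1]["hash"] if rows else GENESIS_HASH
    if not hmac.compare_digest(head, manifest.get("head_hash", "")):
        return False
    expected = hmac.new(key, head.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("hmac", ""))


# Constructed sample data (not real exports).
SAMPLE_KEY = b"constructed-demo-manifest-key"
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00Z", "actor": "alice@example.test", "action": "rotation.start", "target": "kv-prod/db-password"},
    {"ts": "2025-06-01T09:00:04Z", "actor": "alice@example.test", "action": "rotation.complete", "target": "kv-prod/db-password"},
    {"ts": "2025-06-02T10:15:00Z", "actor": "bob@example.test", "action": "evidence.export", "target": "compliance/evidence-package"},
]
SAMPLE_CSV = b"name,vault,expires\ndb-password,kv-prod,2026-01-01\n"


def demo() -> dict:
    rows = build_chain(SAMPLE_EVENTS)
    manifest = make_manifest(rows, SAMPLE_KEY)
    edited = [dict(r) for r in rows]
    edited[1]["actor"] = "someone-else@example.test"  # in-place edit without re-hashing
    return {
        "csv_ok": csv_matches_cover_page(SAMPLE_CSV, sha256_hex(SAMPLE_CSV)),
        "chain_ok": verify_chain(rows),                       # (True, 3)
        "edited_row": verify_chain(edited),                   # (False, 1): first bad row
        "manifest_ok": verify_manifest(rows, manifest, SAMPLE_KEY),
        "wrong_key": verify_manifest(rows, manifest, b"other-key"),
        "truncated": verify_manifest(rows[:-1], manifest, SAMPLE_KEY),  # chain alone would pass
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `truncated` case is the reason the manifest exists: dropping the last rows of a hash chain leaves a perfectly valid shorter chain, so only a keyed commitment to the head hash and row count turns silent truncation into a detectable failure.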