{
  "results": [
    {"id":"acr-untagged-manifest-retention-policy","text":"Untagged (dangling/orphaned) container images in ACR can be managed via a retention policy for untagged manifests.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"acr-untagged-manifests-retention-policy","text":"Untagged (dangling/orphaned) container images in ACR can be managed via a retention policy for untagged manifests.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-default-deny-identity-rooted","text":"Azure's cross-layer default-deny enforcement (Standard LB blocks inbound, Storage firewall blocks all requests, Policy denies non-compliant resources) is itself governed by the identity-to-authorization chain: RBAC role assignments determine who can create NSG exceptions and policy exemptions, and the additive RBAC model means identity misconfiguration can silently widen the aperture of both denial layers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-default-deny-spans-governance-and-network","text":"Azure default-deny enforcement spans both governance and network layers through independent mechanisms: the network layer closes traffic by default (Standard LB inbound + storage firewall), while governance uses Policy's explicit-deny system with cumulative most-restrictive evaluation — both cascade through separate hierarchies (subnet/NSG vs management group tree) and must be independently opened.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-dns-five-distinct-services","text":"Azure DNS encompasses five distinct services: Public DNS, Private DNS, DNS Private Resolver, Traffic Manager, and DNS Security Policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-dns-five-services","text":"Azure DNS encompasses five distinct services: Public DNS, Private DNS, DNS Private Resolver, Traffic Manager, and DNS Security Policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-dns-security-policy-vnet-level-msrc","text":"DNS Security Policy operates at the virtual network level and can block known malicious domains via Microsoft Security Response Center (MSRC) threat intelligence feed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-governance-dns-hidden-coupling","text":"Azure's two nominally orthogonal security planes (governance via RBAC/Policy and network via NSG/LB) share a hidden infrastructure coupling through DNS: the 168.63.129.16 virtual IP underpins both health probing (network plane operational dependency) and recursive name resolution (required by all service discovery), creating a single point of operational risk that compounds with DNS cross-VNet asymmetries to undermine the zero-trust assumptions of both planes.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-governance-hierarchy-dual-enforcement","text":"Azure governance cascades through a single management group hierarchy with two complementary enforcement mechanisms: RBAC grants accumulate additively downward (broader scopes can only widen access), while Policy restrictions tighten subtractively downward (broader scopes can only narrow what resources may exist) — creating an asymmetric funnel where identity permissions expand and resource constraints contract as scope narrows.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-governance-network-orthogonal-security-planes","text":"Azure security operates through two orthogonal enforcement planes that must both be configured: governance (RBAC + Policy cascading through management group hierarchy) controls authorization, while network zero-trust (NSG + LB default-deny + infrastructure IP 168.63.129.16) controls traffic flow — breaching one plane does not bypass the other.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-observability-depends-on-governance-and-identity","text":"Effective Azure observability requires alignment across three independently configurable systems: the identity chain (Entra→RBAC) determines workspace data access and who can see what telemetry, the governance hierarchy (Policy+RBAC) determines which monitoring policies are enforced across subscriptions, and the network default-deny stack (NSG+firewall) determines whether telemetry data can flow from on-premises and multi-cloud sources to Log Analytics workspaces.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-platform-security-three-pillar-convergence","text":"Azure security converges through three independently enforced pillars that must all be configured consistently for workload-level protection: identity (Entra→RBAC→Key Vault data-plane access via tiered FIPS protection), governance (Policy+RBAC cascading through management group hierarchy with additive-then-deny evaluation), and network (zero-trust dual-layer filtering at infrastructure IP and NSG/firewall levels).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-arc-extends-to-multicloud-onprem","text":"Azure Arc extends Azure Policy governance to multi-cloud and on-premises datacenters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-assignments-inherit-latest-definition","text":"Updating a policy definition automatically applies to all existing assignments; assignments always use the latest definition state.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-assignments-use-latest-definition","text":"Updating an Azure Policy definition automatically applies to all existing assignments; assignments always use the latest definition state.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-audit-if-not-exists-checks-child-resources","text":"auditIfNotExists assesses compliance based on a child or extension resource's properties, not the resource's own properties (unlike audit).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-audit-if-not-exists-evaluates-child-resource","text":"`auditIfNotExists` assesses compliance based on a child or extension resource's properties, not the resource's own properties (unlike `audit`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-best-practice-always-use-initiatives","text":"Azure Policy best practice: always use initiatives even for a single policy definition, for easier scaling later.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-best-practice-start-with-audit","text":"Azure Policy best practice: start with audit/auditIfNotExists effects before enforcement effects (deny, modify, deployIfNotExists).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
    {"id":"azure-policy-compliance-evaluation-every-24-hours","text":"Azure Policy automatic compliance evaluation occurs every 24 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}
  ],
  "count": 90,
  "limit": 20,
  "offset": 0
}
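Added illustration for the Azure Policy entries in the result set above (`audit` versus `auditIfNotExists`, and "start with audit before enforcement"). This is not part of the result set and not a Microsoft built-in definition; it is two custom policy definitions written here for the example. The first uses the `audit` effect on the storage account's own `supportsHttpsTrafficOnly` property, with the effect exposed as a parameter so an assignment can start as `Audit` and be switched to `Deny` later without changing the definition. The second uses `auditIfNotExists`, whose `details` block points Policy at a child resource (`Microsoft.Insights/diagnosticSettings`) and whose `existenceCondition` is what decides compliance, not any field of the storage account itself. The `name`, `displayName` and `description` values and the choice of storage accounts as the target type are assumptions made for the example; `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` and `Microsoft.Insights/diagnosticSettings/workspaceId` are existing Azure Policy aliases.

```json
[
  {
    "name": "audit-or-deny-storage-https-only",
    "properties": {
      "displayName": "Storage accounts should require secure transfer (audit, then deny)",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Example definition (not a built-in). Effect 'audit' evaluates the storage account's OWN property supportsHttpsTrafficOnly. The effect is a parameter: assign with the default 'Audit', review the non-compliant list, then change the assignment's parameter to 'Deny'.",
      "parameters": {
        "effect": {
          "type": "String",
          "metadata": {
            "displayName": "Effect",
            "description": "Start with Audit; move to Deny only after reviewing non-compliant resources."
          },
          "allowedValues": ["Audit", "Deny", "Disabled"],
          "defaultValue": "Audit"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"}
          ]
        },
        "then": {
          "effect": "[parameters('effect')]"
        }
      }
    }
  },
  {
    "name": "audit-storage-diagnostic-settings-to-workspace",
    "properties": {
      "displayName": "Storage accounts should send diagnostic logs to a Log Analytics workspace",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Example definition (not a built-in). Effect 'auditIfNotExists' evaluates a CHILD/extension resource (Microsoft.Insights/diagnosticSettings) of the matched storage account, not the account itself. The account is non-compliant unless a diagnostic setting exists that satisfies existenceCondition.",
      "parameters": {
        "effect": {
          "type": "String",
          "allowedValues": ["AuditIfNotExists", "Disabled"],
          "defaultValue": "AuditIfNotExists"
        }
      },
      "policyRule": {
        "if": {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        "then": {
          "effect": "[parameters('effect')]",
          "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            "existenceCondition": {
              "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
              "exists": "true"
            }
          }
        }
      }
    }
  }
]
```

Two practical notes. Because the `effect` is a parameter, the audit-to-deny switch is a change to the assignment, not to the definition; conversely, any edit to the `policyRule` itself is picked up by every existing assignment, which is why a rule change should be tested in audit mode on a narrow scope first. And `auditIfNotExists` has no `Deny` counterpart: its enforcement sibling is `deployIfNotExists`, which would need a `deployment` block inside `details`, so the second definition's `allowedValues` deliberately stop at `AuditIfNotExists` and `Disabled`.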