
Compliance & Cost

Generated: 2026-04-15 Version: 1.0 Environment: Development Primary Compliance Framework: GDPR

| Compliance Area | Coverage | Status |
|---|---|---|
| Network Security | 90% | |
| Data Protection | 75% | ⚠️ |
| Access Control | 67% | ⚠️ |
| Monitoring & Audit | 60% | ⚠️ |
| Incident Response | 50% | ⚠️ |
| Overall | 68% | ⚠️ |

Requirement 1: GDPR Data Residency and Network Security

| Control | Requirement | Implementation | Status |
|---|---|---|---|
| EU region residency | Personal data remains in an EU region | All primary resources deployed in swedencentral | |
| Backend network isolation | Data services not publicly reachable | Storage, Key Vault, and ACR use private endpoints and disabled public access | |
| Encryption in transit | TLS 1.2+ for customer-facing endpoints | Production and staging sites enforce TLS 1.2 and HTTPS-only | |

Evidence Location: agent-output/malta-catering/.asbuilt/

| Evidence Item | Type | Date Collected |
|---|---|---|
| webapp.json | Azure CLI output | 2026-04-15 |
| keyvault.json | Azure CLI output | 2026-04-15 |
| storage.json | Azure CLI output | 2026-04-15 |

Requirement 2: Access Control and Secret Management

| Control | Requirement | Implementation | Status |
|---|---|---|---|
| Production workload identity | Least-privilege access to dependencies | Production site has AcrPull, Key Vault Secrets User, and Storage Table Data Contributor | |
| Staging slot access parity | Pre-production path should mirror production dependency access | Slot identity exists but has no direct RBAC assignments | ⚠️ |
| Customer/staff authentication | Identity boundary should be enforced at the web tier | App Service Authentication is disabled in the deployed state | ⚠️ |

Evidence Location: agent-output/malta-catering/.asbuilt/

| Evidence Item | Type | Date Collected |
|---|---|---|
| webapp-rbac.json | Azure RBAC export | 2026-04-15 |
| staging-rbac.json | Azure RBAC export | 2026-04-15 |
| webapp-auth.json | Azure CLI output | 2026-04-15 |

Requirement 3: Logging, Audit, and Recovery Evidence

| Control | Requirement | Implementation | Status |
|---|---|---|---|
| Centralized logging | Workload telemetry retained centrally | Log Analytics workspace deployed with 30-day retention | |
| Application telemetry | Request and failure telemetry for the web workload | Workspace-linked Application Insights deployed | |
| Backup evidence | Recoverability evidence for order data | No automated Table Storage export or backup process deployed | ⚠️ |

Evidence Location: agent-output/malta-catering/.asbuilt/

| Evidence Item | Type | Date Collected |
|---|---|---|
| loganalytics.json | Azure CLI output | 2026-04-15 |
| appinsights.json | Azure CLI output | 2026-04-15 |
| curl-prod.txt | Runtime verification output | 2026-04-15 |

| Gap | Severity | Risk | Remediation | Timeline |
|---|---|---|---|---|
| Staging slot has no direct RBAC assignments | High | Slot cannot reliably access ACR, Key Vault, or Storage during validation | Grant the same three roles assigned to production | Before next slot use |
| App Service Authentication is disabled | Medium | Customer and staff identity boundary is not enforced at the platform edge | Enable Easy Auth and configure the required identity provider(s) | Before demo hardening |
| No automated Table Storage export/backup | Medium | Order data cannot be restored after logical deletion or corruption | Add scheduled export to Blob Storage or equivalent backup process | Before production use |
| No application alert rules or action groups | Low | Failures rely on manual observation rather than alerting | Add availability and failure alerts | Next iteration |
| Monitoring endpoints remain publicly reachable | Low | App Insights and Log Analytics are not restricted by private access | Reassess if stricter monitoring isolation becomes required | Optional |

Production and staging endpoint probes returned HTTP 503 during the Step 7 evidence collection window, so operational recovery remains open until availability is restored.

Compliance Gaps by Severity

```mermaid
pie title Compliance Gaps by Severity
    "Critical" : 0
    "High" : 1
    "Medium" : 2
    "Low" : 2
```

| Date | Auditor | Finding | Status |
|---|---|---|---|
| 2026-04-15 | 08-As-Built agent | Private backend isolation verified | Closed |
| 2026-04-15 | 08-As-Built agent | Staging slot RBAC missing | Open |
| 2026-04-15 | 08-As-Built agent | App Service Authentication disabled | Open |

| Finding | Owner | Due Date | Status |
|---|---|---|---|
| Grant staging slot AcrPull, Key Vault Secrets User, and Storage Table Data Contributor | Platform owner | 2026-04-22 | In Progress |
| Enable App Service Authentication | Application owner | 2026-04-22 | Todo |
| Implement storage export backup path | Platform owner | 2026-05-15 | Todo |
| Add application alert rules | Platform owner | 2026-05-15 | Todo |

  • Storage account hardening: HTTPS-only, TLS 1.2, public access disabled, shared key disabled.
  • Key Vault hardening: RBAC enabled, purge protection enabled, soft delete enabled, public network disabled.
  • Registry hardening: Premium tier, admin user disabled, public network disabled, retention enabled.
  • Web tier: HTTPS-only, TLS 1.2, managed identity enabled.

Generated: 2026-04-15 Source: Deployed resource inventory + cost-estimate-subagent Region: swedencentral Environment: Development

Monthly Total: $139.06 | Annual: $1,668.72

| Status | Indicator |
|---|---|
| Budget | $500/month (soft) — Utilization: 27.8% |
| Cost Trend | Stable baseline with usage-based unknowns |
| Savings Available | Not quantified in this run |
| Compliance | GDPR-aligned regional placement |

  • Implemented: P0v3 Linux App Service Plan, production Web App, staging slot, Premium ACR, Standard LRS Storage, Key Vault Standard, 3 private endpoints, 3 private DNS zones, Log Analytics, Application Insights, and a monthly budget resource.
  • Deferred: Automated Table Storage backup/export, platform authentication, availability alerting, multi-region recovery.
  • Redesign Trigger: Any requirement for warm regional failover, measured backup RPO, or materially higher production traffic will require a new pricing pass.

Confidence: Medium | Expected Variance: ±15%

| Metric | Design Estimate | As-Built | Variance | Status |
|---|---|---|---|---|
| Monthly Estimate | $154.87 | $139.06 | -$15.81 | ⚠️ |
| Annual Estimate | $1,858.44 | $1,668.72 | -$189.72 | ⚠️ |

Design vs As-Built Cost Comparison

The as-built baseline is lower than the design estimate because the live pricing run treated Storage, Key Vault, Application Insights, Log Analytics, and Event Grid as usage-based services with no fixed baseline charge in the absence of observed consumption figures.

| Requirement | Architecture Decision | Cost Impact | Mandatory |
|---|---|---|---|
| Always-on container hosting | P0v3 Linux App Service Plan | $64.97/month | Yes |
| Private backend connectivity | 3 private endpoints + 3 private DNS zones | $23.40/month | Yes |
| Private container image pull | ACR Premium | $50.69/month | Yes |
| EU data residency | swedencentral placement | $0.00 direct delta | Yes |
| Secrets management | Key Vault Standard | $0.00 baseline, operations-based | Yes |


| Rank | Resource | Monthly Cost | % of Total | Trend | Optimization |
|---|---|---|---|---|---|
| 1 | App Service Plan P0v3 | $64.97 | 46.7% | Stable | Reservation pricing not quantified in this run |
| 2 | ACR Premium | $50.69 | 36.5% | Stable | Clean up unused images to limit usage-based growth |
| 3 | Private Endpoints | $21.90 | 15.7% | Stable | Fixed baseline at current endpoint count |
| 4 | Private DNS Zones | $1.50 | 1.1% | Stable | Fixed baseline at current zone count |
| 5 | Storage / Key Vault / Monitoring baselines | $0.00 | 0.0% | Stable | Reprice after 30 days of real telemetry |


| Decision | Cost Impact | Business Rationale | Status |
|---|---|---|---|
| P0v3 instead of S1 | $64.97/month | Regional deployment viability in the active subscription | Required |
| ACR Premium | $50.69/month | Required for private endpoint support | Required |
| 3 private endpoints | $21.90/month | Private access to Storage, Key Vault, and ACR | Required |
| 3 private DNS zones | $1.50/month | Name resolution for private endpoints | Required |

  • Azure Front Door or WAF
  • Warm secondary-region deployment
  • Automated Table Storage backup/export process
  • Application alert rules or action groups
  • Measured data transfer, storage transaction, and log-ingestion overages

| Resource | Risk Level | Issue | Mitigation |
|---|---|---|---|
| Storage Account | Medium | Baseline excludes transactions and capacity growth | Re-estimate after usage telemetry is available |
| Log Analytics | Medium | Ingestion cost unresolved in this run | Keep daily quota at 5 GB and review ingestion volume |
| ACR Premium | Low | Fixed unit priced, but storage growth not included | Enforce image cleanup and retention |
| Private Endpoints | Low | Fixed hourly baseline | No action unless endpoint count changes |

“If you need X, expect to pay Y more”

| Requirement | Additional Cost | SKU Change | Verdict | Notes |
|---|---|---|---|---|
| Warm regional DR | Not quantified in this run | Additional region-wide stack | Investigate | Requires a fresh pricing pass |
| Measured backup/export | Not quantified in this run | Additional automation resources | Monitor | Needed before production use |
| Availability alerts | Not quantified in this run | Monitoring add-ons | Monitor | Operationally recommended |
| Slot parity and authentication | No meaningful baseline impact expected | Config only | Go | Mostly governance and runtime hardening |

Reservation and commitment strategies should be evaluated once production workload patterns and SKU selections are confirmed.

| Strategy | Applicability | Prerequisites |
|---|---|---|
| Reserved Instances (RI) | Yes | Stable App Service plan usage |
| Savings Plan (SP) | Yes | Committed compute spend confirmed |
| Spot / Low Priority | No | Not applicable to the current App Service design |
| Right-sizing | Yes | 30-day utilization data available |
| Dev/Test Pricing | Yes | Confirm subscription and licensing eligibility |


| Signal | Value | Status |
|---|---|---|
| Templates scanned | 10 | |
| Resources detected | 12 cost-relevant services/components | |
| Resources priced | 4 baseline-priced line items | ⚠️ |
| Unpriced resources | Storage usage, Key Vault operations, Log Analytics ingestion, Application Insights effective billing path, Event Grid operations, ACR stored data growth | ⚠️ |


| Category | Service | SKU / Meter | Quantity / Units | Est. Monthly |
|---|---|---|---|---|
| Compute | Azure App Service Plan (Linux dedicated) | P0v3 | 730 hours | $64.97 |
| Compute | Azure App Service Web App | Included in plan | 1 site + 1 slot | $0.00 |
| Data Services | Azure Container Registry | Premium | 1 registry unit | $50.69 |
| Data Services | Azure Storage Account | Standard_LRS | Usage-based | $0.00 |
| Security/Mgmt | Azure Key Vault | Standard | Usage-based | $0.00 |
| Networking | Private Endpoints | Standard Private Endpoint | 3 x 730 hours | $21.90 |
| Networking | Private DNS Zones | Azure DNS Private Zone | 3 zones | $1.50 |
| Monitoring | Log Analytics Workspace | PerGB2018 | Low usage assumed | $0.00 |
| Monitoring | Application Insights | Workspace-linked web component | Low usage assumed | $0.00 |
| Messaging | Event Grid system topic | Standard operations | No baseline identified | $0.00 |

  • Pricing copied verbatim from the cost-estimate-subagent result and not hand-adjusted.
  • The returned estimate status was PARTIAL and confidence was Medium.
  • Design-vs-as-built variance is negative because the design artifact carried explicit baseline assumptions for Storage and monitoring that the as-built pricing run left unresolved at zero baseline.
  • Query timestamp reported by the pricing subagent: 2026-04-15T00:00:00Z.