
Evidence & Audit

Sovereign compliance must be verifiable. This page describes what evidence types WAF++ expects for the Sovereign pillar and how audits are structured.

Evidence Types

Each evidence type is listed with its description and its typical sources:

Architecture Evidence
  Description: Diagrams, data flow diagrams, trust boundary documentation, region labels
  Typical Sources: Draw.io, C4 diagrams, Architecture Decision Records (ADR)

IaC Evidence
  Description: Terraform code, plans, state snapshots, CI logs, policy-as-code configurations
  Typical Sources: Git repository, Terraform Cloud, Atlantis, CI/CD logs

Config Evidence
  Description: Exported configurations, resource graph, KMS key policies, security group rules
  Typical Sources: AWS Config snapshots, Azure Resource Graph, GCP Asset Inventory

Logging Evidence
  Description: CloudTrail/audit logs, admin actions, break-glass sessions, egress logs, KMS accesses
  Typical Sources: CloudTrail, CloudWatch, Azure Monitor, GCP Cloud Audit Logs

Process Evidence
  Description: Runbooks, change records, access review records, restore test reports, exit drill reports
  Typical Sources: ITSM system (Jira, ServiceNow), GitLab Issues, Confluence

Contract Evidence
  Description: Subprocessor lists, DPA agreements, SLA/compliance artefacts, provider attestations
  Typical Sources: Contract management, PDF archive, provider portal (BSI C5 attestations)

Minimum Evidence Requirements

Every piece of evidence in the sovereign context MUST:

  • Be dated and versioned (no undated screenshots)

  • Be assigned to a control ID (e.g. WAF-SOV-070 in the filename/metadata)

  • Be traceable: source, responsible party, scope clearly identifiable

  • Be retained: according to the retention policy (at least 3 years for compliance evidence)
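The four requirements above can be enforced mechanically before an artefact is accepted into the evidence store. The following is an added example, not WAF++ project code: it validates the metadata of one evidence record against those requirements. The field names (control_id, date, version, source, owner, scope, retention_years) are assumptions for this example; the WAF++ evidence artefact schema may name them differently.

```python
"""Validate evidence artefact metadata against the minimum evidence requirements.

Added example (not part of WAF++). Field names are assumptions.
"""
import re
from datetime import date

# Control IDs on this page have the form WAF-SOV-NNN.
CONTROL_ID_RE = re.compile(r"^WAF-SOV-\d{3}$")
# "at least 3 years for compliance evidence"
MIN_RETENTION_YEARS = 3


def validate_evidence(record: dict) -> list[str]:
    """Return a list of violations; an empty list means the record is acceptable."""
    problems = []

    # Requirement 1: dated and versioned (no undated screenshots).
    try:
        date.fromisoformat(record.get("date"))
    except (TypeError, ValueError):
        problems.append("missing or non-ISO date")
    if not str(record.get("version", "")).strip():
        problems.append("missing version")

    # Requirement 2: assigned to a control ID in the metadata.
    if not CONTROL_ID_RE.match(str(record.get("control_id", ""))):
        problems.append("control_id missing or not of the form WAF-SOV-NNN")

    # Requirement 3: traceable (source, responsible party, scope).
    for field in ("source", "owner", "scope"):
        if not str(record.get(field, "")).strip():
            problems.append(f"missing {field}")

    # Requirement 4: retained according to policy.
    retention = record.get("retention_years")
    if not isinstance(retention, (int, float)) or retention < MIN_RETENTION_YEARS:
        problems.append(f"retention_years must be >= {MIN_RETENTION_YEARS}")

    return problems


# Constructed sample records (not real evidence).
GOOD_RECORD = {
    "control_id": "WAF-SOV-070",
    "date": "2024-03-15",
    "version": "1.2",
    "source": "CloudTrail alarm configuration export",
    "owner": "platform-team",
    "scope": "production account, EU regions",
    "retention_years": 5,
}

# An "undated screenshot" style record: no date, malformed ID, no owner/source.
BAD_RECORD = {"control_id": "sov-70", "scope": "", "retention_years": 1, "version": "1"}


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, validate_evidence(rec) or "OK")
```

Running the validator as a pre-commit hook on the evidence repository, or at the point where the checker's `--evidence-export` output is stored, turns the four MUST rules into a gate instead of a review-time finding.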

Audit Structure (Sovereign Focus)

A sovereign audit typically follows this sequence:

Phase 1: Verify Policy Foundation

  • Does a data residency policy exist? → WAF-SOV-010

  • Is it versioned and current?

  • Does it cover all data classes and environments?

Phase 2: Verify Technical Enforcement

  • Is region pinning enforced in IaC? → WAF-SOV-020

  • Are there SCP/policy/org policy guardrails?

  • Are there no hard-coded non-sovereign regions in IaC?
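The third question of Phase 2 can be answered by scanning the Terraform sources for literal region assignments and comparing them against the regions the data residency policy allows. The following is an added example and not the WAF++ checker's own implementation: it finds hard-coded `region = "..."` attributes, ignores values supplied through variables and `#` comments, and reports those outside an allowlist. The allowlist of sovereign regions and the sample Terraform are constructed for the example.

```python
"""Find hard-coded non-sovereign regions in Terraform source.

Added example (not the WAF++ checker). Allowlist and sample are constructed.
"""
import pathlib
import re

# Assumption for this example: the data residency policy allows only these regions.
SOVEREIGN_REGIONS = {"eu-central-1", "eu-west-1"}

# Matches the `region` attribute assigned a string literal. `\b` keeps it from
# matching attributes such as `primary_region`; variable references do not match.
REGION_LITERAL_RE = re.compile(r'\bregion\s*=\s*"([^"]+)"')


def find_hardcoded_regions(tf_source: str) -> list[tuple[int, str]]:
    """Return (line_number, region) for every literal region assignment."""
    hits = []
    for lineno, line in enumerate(tf_source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop HCL `#` line comments
        match = REGION_LITERAL_RE.search(code)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def non_sovereign_regions(tf_source: str, allowed=SOVEREIGN_REGIONS) -> list[tuple[int, str]]:
    """Only the literal regions that fall outside the allowlist."""
    return [(n, r) for n, r in find_hardcoded_regions(tf_source) if r not in allowed]


def scan_directory(root: str, allowed=SOVEREIGN_REGIONS) -> dict[str, list[tuple[int, str]]]:
    """Scan every *.tf file under root; returns {path: findings} for files with findings."""
    findings = {}
    for path in pathlib.Path(root).rglob("*.tf"):
        hits = non_sovereign_regions(path.read_text(encoding="utf-8"), allowed)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: one pinned provider, one hard-coded non-sovereign
# provider, one hard-coded sovereign region and one commented-out region.
SAMPLE_TF = """\
provider "aws" {
  region = var.primary_region      # pinned through a validated variable
}

provider "aws" {
  alias  = "dr"
  region = "us-east-1"             # hard-coded non-sovereign region
}

module "kms" {
  source = "./modules/kms"
  region = "eu-central-1"          # hard-coded but inside the allowlist
}

resource "aws_dynamodb_table" "lock" {
  # region = "ap-southeast-1"      (comment only, must not be reported)
  name = "tf-lock"
}
"""


if __name__ == "__main__":
    for lineno, region in non_sovereign_regions(SAMPLE_TF):
        print(f"line {lineno}: non-sovereign region {region!r}")
```

A clean result from this scan is only half of the WAF-SOV-020 evidence: the variable that `var.primary_region` refers to still needs a validation block (and the org-level SCP/policy guardrail) so that a pinned region cannot be overridden at plan time.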

Phase 3: Verify Leak Paths

The most common sovereignty gaps are:

  1. Backup replication → WAF-SOV-030

    • Where do backups replicate to? Are restore tests documented?

  2. Observability exports → WAF-SOV-040

    • Where are logs, traces, metrics sent?

  3. Egress paths → WAF-SOV-090

    • Are there open security groups or unmonitored egress paths?
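The three leak paths are all answerable from config evidence (an exported configuration or resource graph). The following is an added example, not WAF++ code: it walks a simplified configuration snapshot and maps each gap to the control ID from the list above. The snapshot layout (backup_plans, log_exports, security_groups, vpcs) and the allowlist of regions are assumptions constructed for the example; a real export from AWS Config, Azure Resource Graph or GCP Asset Inventory has a different shape and would be normalised into this form first.

```python
"""Map leak paths in a config snapshot to WAF-SOV-030/040/090.

Added example (not WAF++ code). Snapshot layout and region allowlist are constructed.
"""

# Assumption for this example: regions permitted by the data residency policy.
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}


def find_leak_paths(snapshot: dict, allowed=ALLOWED_REGIONS) -> list[dict]:
    """Return one finding per gap: {"control_id", "resource", "detail"}."""
    findings = []

    def add(control_id, resource, detail):
        findings.append({"control_id": control_id, "resource": resource, "detail": detail})

    # 1. Backup replication: where do backups go, and are restores tested?
    for plan in snapshot.get("backup_plans", []):
        for dest in plan.get("copy_destinations", []):
            if dest not in allowed:
                add("WAF-SOV-030", plan["name"], f"backup copy to non-sovereign region {dest}")
        if not plan.get("restore_test_documented"):
            add("WAF-SOV-030", plan["name"], "no documented restore test")

    # 2. Observability exports: where are logs, traces and metrics sent?
    for export in snapshot.get("log_exports", []):
        dest = export.get("destination_region")
        if dest not in allowed:
            add("WAF-SOV-040", export["name"], f"telemetry exported to {dest}")

    # 3. Egress paths: open security groups and unmonitored VPCs.
    for sg in snapshot.get("security_groups", []):
        for rule in sg.get("egress", []):
            if rule.get("cidr") in ("0.0.0.0/0", "::/0"):
                add("WAF-SOV-090", sg["id"],
                    f"unrestricted egress to {rule['cidr']} on ports {rule.get('ports')}")
    for vpc in snapshot.get("vpcs", []):
        if not vpc.get("flow_logs"):
            add("WAF-SOV-090", vpc["id"], "no flow logs: egress is unmonitored")

    return findings


def findings_by_control(findings: list[dict]) -> dict[str, int]:
    """Count findings per control ID, the shape a summary or evidence artefact needs."""
    counts = {}
    for finding in findings:
        counts[finding["control_id"]] = counts.get(finding["control_id"], 0) + 1
    return counts


# Constructed sample snapshot (not a real export).
SNAPSHOT = {
    "backup_plans": [
        {"name": "daily", "copy_destinations": ["eu-central-1", "us-east-1"],
         "restore_test_documented": True},
        {"name": "weekly", "copy_destinations": ["eu-west-1"],
         "restore_test_documented": False},
    ],
    "log_exports": [
        {"name": "audit-trail", "destination_region": "eu-west-1"},
        {"name": "apm-traces", "destination_region": "us-west-2"},
    ],
    "security_groups": [
        {"id": "sg-app", "egress": [{"cidr": "10.0.0.0/8", "ports": "443"}]},
        {"id": "sg-legacy", "egress": [{"cidr": "0.0.0.0/0", "ports": "all"}]},
    ],
    "vpcs": [
        {"id": "vpc-prod", "flow_logs": True},
        {"id": "vpc-lab", "flow_logs": False},
    ],
}


if __name__ == "__main__":
    for finding in find_leak_paths(SNAPSHOT):
        print(finding["control_id"], finding["resource"], "-", finding["detail"])
    print(findings_by_control(find_leak_paths(SNAPSHOT)))
```

Each finding carries the control ID, so the output can be stored directly as dated, control-mapped evidence for the audit rather than as an ad-hoc list.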

Phase 4: Verify Key Control

  • Which data category uses which key model? → WAF-SOV-050

  • Is key rotation enabled?

  • Is there a key deletion process?
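The key control questions map to a KMS key's attributes and its key policy document, which the table under "Evidence Mapping per Control" names as the primary evidence for WAF-SOV-050. The following is an added example and not WAF++ code: it audits one key record for rotation, a deletion waiting period, a wildcard principal in the key policy, and whether the key model fits the data category. The record layout, the minimum deletion window of 30 days, and the category-to-key-model table are assumptions made for this example; the account ID is the AWS documentation placeholder, not a real account.

```python
"""Audit a KMS key record for WAF-SOV-050 key control questions.

Added example (not WAF++ code). Record layout, deletion window and the
category/key-model table are assumptions.
"""

# Assumption: a scheduled deletion must wait at least this long.
MIN_DELETION_WINDOW_DAYS = 30

# Assumption: which key models are acceptable for which data category.
# Key model names are placeholders for this example.
REQUIRED_KEY_MODEL = {
    "confidential": {"customer-managed", "external-key-store"},
    "internal": {"customer-managed", "provider-managed"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement: dict) -> list:
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal", [])
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(_as_list(value))
        return flat
    return _as_list(principal)


def audit_key(key: dict) -> list[str]:
    """Return a list of problems; an empty list means the key passes these checks."""
    problems = []

    # Is key rotation enabled?
    if not key.get("rotation_enabled"):
        problems.append("automatic key rotation is disabled")

    # Is there a key deletion process? Here: an enforced waiting period.
    if key.get("deletion_window_days", 0) < MIN_DELETION_WINDOW_DAYS:
        problems.append(f"deletion window shorter than {MIN_DELETION_WINDOW_DAYS} days")

    # Does the key policy grant access to any principal without a condition?
    for statement in key.get("policy", {}).get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _principals(statement) and "Condition" not in statement:
            sid = statement.get("Sid", "<no Sid>")
            problems.append(f"statement {sid} allows any principal without a condition")

    # Which data category uses which key model?
    category = key.get("data_category")
    allowed_models = REQUIRED_KEY_MODEL.get(category)
    if allowed_models is not None and key.get("key_model") not in allowed_models:
        problems.append(f"key model {key.get('key_model')!r} not permitted for {category} data")

    return problems


# Constructed sample keys (not real resources).
GOOD_KEY = {
    "key_id": "key-data-prod",
    "data_category": "confidential",
    "key_model": "customer-managed",
    "rotation_enabled": True,
    "deletion_window_days": 30,
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
    ]},
}

BAD_KEY = {
    "key_id": "key-legacy",
    "data_category": "confidential",
    "key_model": "provider-managed",
    "rotation_enabled": False,
    "deletion_window_days": 7,
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "OpenDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Decrypt"], "Resource": "*"},
    ]},
}


if __name__ == "__main__":
    for key in (GOOD_KEY, BAD_KEY):
        print(key["key_id"], audit_key(key) or "OK")
```

The wildcard-principal check is deliberately narrow: a statement that grants the account root `kms:*` is the normal way to delegate key permissions to IAM and is not reported, whereas `"Principal": "*"` without a Condition is reported regardless of the actions it grants.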

Phase 5: Verify Access Control and Operations

Phase 6: Verify Exit Capability

  • Does an exit plan exist? → WAF-SOV-100

  • When was the last exit drill conducted?

  • Is the result documented?

Evidence Mapping per Control

Each control is listed with its primary and secondary evidence:

WAF-SOV-010
  Primary: Data residency policy (versioned)
  Secondary: IaC provider configurations

WAF-SOV-020
  Primary: Terraform variable validation, SCP/org policy
  Secondary: CI log with blocked non-region deployment

WAF-SOV-030
  Primary: Terraform backup configuration
  Secondary: Restore test records

WAF-SOV-040
  Primary: CloudTrail config + log group retention
  Secondary: Flow log configuration

WAF-SOV-050
  Primary: KMS key policy + enable_key_rotation
  Secondary: KMS access logs

WAF-SOV-060
  Primary: IAM policy documents (no wildcard)
  Secondary: Quarterly access review record

WAF-SOV-070
  Primary: Break-glass runbook + CloudTrail alarm config
  Secondary: Post-incident review record

WAF-SOV-080
  Primary: Dependency register (Git) + terraform.lock.hcl
  Secondary: DPA reference list

WAF-SOV-090
  Primary: Security group rules + VPC endpoint resources
  Secondary: VPC flow log config

WAF-SOV-100
  Primary: Exit plan document
  Secondary: Annual drill report

Automated Evidence Collection

The WAF++ checker integration enables automated evidence collection:

# Example: WAF++ Checker invocation
wafpp check \
  --pillar sovereign \
  --controls WAF-SOV-010,WAF-SOV-020,WAF-SOV-050 \
  --engine terraform \
  --path ./infrastructure/terraform \
  --output-format sarif \
  --evidence-export ./evidence/sovereign-$(date +%Y-%m).json

The checker generates:

  • SARIF report for CI integration

  • JSON evidence artefact with timestamp and control ID mapping

  • Markdown summary for pull request comments