Acrolinx updates

Author: Brian Tray

articles/operator-nexus/concepts-security.md

@@ -47,17 +47,17 @@ You have the option to enable Defender for Containers protection within Defender
 
 ## Cloud security is a shared responsibility
 
-It is important to understand that in a cloud environment, security is a [shared responsibility](../security/fundamentals/shared-responsibility.md) between you and the cloud provider. The responsibilities vary depending on the type of cloud service your workloads run on, whether it is Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), as well as where the workloads are hosted – within the cloud provider’s or your own on-premises datacenters.
+It's important to understand that in a cloud environment, security is a [shared responsibility](../security/fundamentals/shared-responsibility.md) between you and the cloud provider. The responsibilities vary depending on the type of cloud service your workloads run on, whether it is Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), as well as where the workloads are hosted – within the cloud provider’s or your own on-premises datacenters.
 
 Azure Operator Nexus workloads run on servers in your datacenters, so you are in control of changes to your on-premises environment. Microsoft periodically makes new platform releases available that contain security and other updates. You must then decide when to apply these releases to your environment as appropriate for your organization’s business needs.
 
 ## Kubernetes Security Benchmark Scanning
 
 Industry standard security benchmarking tools are used to scan the Azure Operator Nexus platform for security compliance. These tools include [OpenSCAP](https://public.cyber.mil/stigs/scap/), to evaluate compliance with Kubernetes Security Technical Implementation Guide (STIG) controls, and Aqua Security’s [Kube-Bench](https://github.com/aquasecurity/kube-bench/tree/main), to evaluate compliance with the Center for Internet Security (CIS) Kubernetes Benchmarks.
 
-Some controls are not technically feasible to implement in the Azure Operator Nexus environment, and these excepted controls are documented below for the applicable Nexus layers.
+Some controls aren't technically feasible to implement in the Azure Operator Nexus environment, and these excepted controls are documented below for the applicable Nexus layers.
 
-Environmental controls such as RBAC and Service Account tests are not evaluated by these tools, as the outcomes may differ based on customer requirements.
+Environmental controls such as RBAC and Service Account tests aren't evaluated by these tools, as the outcomes may differ based on customer requirements.
 
 **NTF = Not Technically Feasible**
 
@@ -71,10 +71,10 @@ Environmental controls such as RBAC and Service Account tests are not evaluated
 |---|---|---|---|
 |V-242386|The Kubernetes API server must have the insecure port flag disabled|NTF|This check is deprecated in v1.24.0 and greater|
 |V-242397|The Kubernetes kubelet staticPodPath must not enable static pods|NTF|Only enabled for control nodes, required for kubeadm|
-|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore are not captured in the audit logs|
+|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore aren't captured in the audit logs|
 |V-242424|Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service|NTF|Kubelet SANS contains hostname only|
 |V-242425|Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.|NTF|Kubelet SANS contains hostname only|
-|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection is not feasible for kubeadm in Nexus|
+|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection isn't feasible for kubeadm in Nexus|
 
 
 *Nexus Kubernetes/NAKS*
@@ -85,10 +85,10 @@ Environmental controls such as RBAC and Service Account tests are not evaluated
 |---|---|---|---|
 |V-242386|The Kubernetes API server must have the insecure port flag disabled|NTF|This check is deprecated in v1.24.0 and greater|
 |V-242397|The Kubernetes kubelet staticPodPath must not enable static pods|NTF|Only enabled for control nodes, required for kubeadm|
-|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore are not captured in the audit logs|
+|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore aren't captured in the audit logs|
 |V-242424|Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service|NTF|Kubelet SANS contains hostname only|
 |V-242425|Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.|NTF|Kubelet SANS contains hostname only|
-|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection is not feasible for kubeadm in Nexus|
+|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection isn't feasible for kubeadm in Nexus|
 
 
 *Cluster Manager - Azure Kubernetes*
@@ -108,7 +108,7 @@ As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI
 |---|---|---|---|
 |1|Control Plane Components|||
 |1.1|Control Plane Node Configuration Files|||
-|1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|NTF|Nexus is root:root, etcd user is not configured for kubeadm|
+|1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|NTF|Nexus is root:root, etcd user isn't configured for kubeadm|
 |1.2|API Server|||
 |1.1.12|Ensure that the --kubelet-certificate-authority argument is set as appropriate|NTF|Kubelet SANS includes hostname only|
 
@@ -121,15 +121,13 @@ As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI
 |---|---|---|---|
 |1|Control Plane Components|||
 |1.1|Control Plane Node Configuration Files|||
-|1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|NTF|Nexus is root:root, etcd user is not configured for kubeadm|
+|1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|NTF|Nexus is root:root, etcd user isn't configured for kubeadm|
 |1.2|API Server|||
 |1.1.12|Ensure that the --kubelet-certificate-authority argument is set as appropriate|NTF|Kubelet SANS includes hostname only|
 
 
 *Cluster Manager - Azure Kubernetes*
 
-The Operator Nexus Cluster Manager is an AKS implementation. The following image shows the Kube-Bench exceptions for the Cluster Manager AKS implementation.
+The Operator Nexus Cluster Manager is an AKS implementation. The following image shows the Kube-Bench exceptions for the Cluster Manager AKS implementation. A full report for CIS Benchmark control evaluaztion of Azure Kubernetes Service (AKS) can be found [here](/azure/aks/cis-kubernetes)
 
 :::image type="content" source="media/security/cm_kubebench.png" alt-text="Screenshot of Cluster Manager Kube-Bench exceptions" lightbox="media/security/cm_kubebench.png":::
-
-