Consus Gateway is built on a zero-persistence architecture. Your prompts and model responses are processed entirely in ephemeral Lambda memory and are never written to disk, logged, or stored in any persistent data store. The only data we persist is operational metadata for billing: API key ID, model name, token counts, and latency. No prompt or response content is ever retained.

Government Cloud Routing

All requests are routed exclusively to government-authorized cloud environments:
  • AWS GovCloud: Claude models via Amazon Bedrock (FedRAMP High, DoD IL5)
  • GCP Assured Workloads (IL5): Gemini models via Vertex AI (FedRAMP High, DoD IL5)
  • GCP Assured Workloads (IL2): Claude models via Vertex AI with Anthropic SDK (FedRAMP High, DoD IL2)
  • Azure Government: GPT models via Azure OpenAI Service (FedRAMP High, DoD IL5)
There is no configuration that routes traffic to commercial cloud regions. The router selects the correct backend based on the model requested.

Cross-Cloud Authentication

GCP: Consus Gateway uses Workload Identity Federation (WIF) to authenticate from AWS GovCloud to GCP. No static credentials are stored. The Lambda’s AWS IAM role is exchanged for a short-lived GCP access token on each request. Tokens expire after 1 hour and are never persisted.

Azure: Authentication to Azure OpenAI uses an API key stored in AWS Secrets Manager, encrypted with a customer-managed KMS key. The key is loaded into Lambda process memory at cold start and never written to disk or logs. Network access to the Azure OpenAI endpoint is restricted by firewall rules to the Lambda NAT gateway IP only.

Network Isolation

Lambda runs in private VPC subnets with no direct internet access. AWS service traffic (Bedrock, Secrets Manager, DynamoDB, CloudWatch) flows through VPC endpoints (PrivateLink) and never leaves the private network. External provider traffic (GCP Vertex AI, Azure OpenAI) routes through a NAT gateway, authenticated and encrypted, but with no inbound path from the internet.

Encryption & Transport

  • TLS 1.2+ enforced on all connections
  • FIPS 140-2 validated endpoints enabled by default for all service calls
  • All data at rest encrypted with customer-managed keys (AWS KMS for GovCloud resources, Cloud KMS for GCP resources, Azure Key Vault for Azure Government resources)
  • Provider error messages are sanitized before logging to prevent prompt content leakage

Audit Logging

  • AWS: API Gateway access logs retained for 365 days, Lambda logs for 90 days (CMMC AU-11)
  • GCP: Data Access audit logs enabled for Vertex AI and IAM, exported to a dedicated GCS bucket with 3-year retention lock
  • Azure: Diagnostic logs (Audit, RequestResponse, Trace) retained for 365 days in Log Analytics
  • All logs are KMS-encrypted and contain only operational metadata, never prompt or response content
  • CORS origins must be explicitly configured with no wildcard defaults

Compliance Controls

Consus Gateway implements controls aligned with:
  • CMMC 2.0 Level 2: including FIPS 140-2 endpoints (3.13.11), explicit CORS configuration (3.4.2), input validation limits (3.14.2), and audit log retention (AU-11)
  • FedRAMP High: including input validation (SI-10), boundary protection (SC-7), continuous monitoring (CA-7), and data residency (US regions only)
  • DoD IL2: including US-only data residency, audit logging, and partner model procurement via GCP Marketplace
  • DoD IL5: including customer-managed encryption keys across all providers (AWS KMS, GCP Cloud KMS, Azure Key Vault), VPC Service Controls, Private Service Connect, and Access Approval for Google support access

Restricted Features

The following tool types are blocked and will return a 400 error with a compliance-specific message:
  • Web search (web_search, web_search_preview): sends queries to third-party services (Brave Search) outside the FedRAMP/IL data handling boundary
  • Code interpreter (code_interpreter): executes code outside the authorization boundary
Only function tools are permitted. This restriction is enforced at the API validation layer and by organizational policies at the CSP.

Tool Call Governance

Function tools are allowed, but the gateway applies governance to both the tool definitions you send and the tool calls the model returns.

At the request boundary. The input screener inspects every tool schema before forwarding it to a provider. Schemas whose parameter names describe an outbound destination (for example destination_url, webhook_url, callback_url, forward_to, send_to, post_to, upload_url, ingest_url, and other destination-bearing names) are rejected with 400 invalid_request_error. The check walks the full JSON Schema tree, including nested properties, array items, $defs, and conditional branches, so an exfiltration shape cannot be hidden deeper in the schema. Ambiguous names such as url, endpoint, and host are accepted since they legitimately appear in read tools (database connection helpers, internal API readers, and so on).

At the response boundary. When a model returns tool calls, the gateway parses each arguments payload and extracts outbound destination tokens (URIs with a scheme and raw IPv4 literals). When any are found, the response carries an advisory field called x_consus_governance that lists every detected destination along with the tool call id and tool name. Tool call arguments themselves are not modified. The signal is visible on both non-streaming responses and the final SSE chunk of streamed responses. An audit event (tool_call_governance_flag) is recorded server-side for every flagged response.

This is a signal, not a block. The gateway does not execute tool calls and is not in the right position to decide whether a destination is acceptable for your application. Clients that handle CUI should consume the x_consus_governance field before executing a flagged tool call. See Customer Responsibility for the client contract and Chat Completions for the wire format.
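
A sketch of the two checks described above, added here as an illustration and not Consus Gateway's own code. The function names, the regular expressions, and the restriction of the name list to the eight names quoted on this page are assumptions; clients can run the same logic locally to pre-screen tool schemas and tool call arguments.

```python
import json
import re

# Names quoted on this page; the gateway's full list is not published (assumption).
DESTINATION_NAMES = {"destination_url", "webhook_url", "callback_url", "forward_to",
                     "send_to", "post_to", "upload_url", "ingest_url"}
SCHEMA_MAPS = ("properties", "$defs", "definitions", "patternProperties")
SCHEMA_NESTED = ("items", "prefixItems", "allOf", "anyOf", "oneOf",
                 "if", "then", "else", "not")
URI_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def find_destination_params(schema, path="$"):
    """Request side: JSON paths of properties with a destination-bearing name."""
    if not isinstance(schema, dict):
        return []
    hits = []
    for key in SCHEMA_MAPS:
        children = schema.get(key)
        for name, sub in (children.items() if isinstance(children, dict) else ()):
            if key == "properties" and name.lower() in DESTINATION_NAMES:
                hits.append(f"{path}.{key}.{name}")
            hits += find_destination_params(sub, f"{path}.{key}.{name}")
    for key in SCHEMA_NESTED:  # a single subschema or a list of branches
        sub = schema.get(key)
        for i, branch in enumerate(sub if isinstance(sub, list) else [sub]):
            suffix = f"[{i}]" if isinstance(sub, list) else ""
            hits += find_destination_params(branch, f"{path}.{key}{suffix}")
    return hits

def extract_destinations(arguments):
    """Response side: URIs with a scheme and raw IPv4 literals in tool call arguments."""
    found = []
    def visit(value):
        if isinstance(value, dict):
            value = list(value.values())
        if isinstance(value, list):
            for item in value:
                visit(item)
        elif isinstance(value, str):
            found.extend(URI_RE.findall(value))
            rest = URI_RE.sub(" ", value)  # avoid counting an IP inside a URI twice
            found.extend(ip for ip in IPV4_RE.findall(rest)
                         if all(int(octet) <= 255 for octet in ip.split(".")))
    try:
        visit(json.loads(arguments))
    except json.JSONDecodeError:
        visit(arguments)  # malformed JSON from the model: scan the raw string
    return found
```

A non-empty result from find_destination_params corresponds to the case the gateway rejects with 400 invalid_request_error; a non-empty result from extract_destinations corresponds to the case it flags in x_consus_governance.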

Your Application

For details on what your application is responsible for, including tool call security, content filtering, and API key management, see Customer Responsibility.

Data Flow

Consus Gateway Data Flow