well_architected_scorecard: overall_status: GAPS_IDENTIFIED generated_date: '2026-04-12T23:15:18.437115' architecture_name: /tmp/demo-flawed-arch.yaml customer: Demo Flawed Arch summary: total_checks: 23 total_passed: 1 total_gaps: 22 high_severity_gaps: 10 medium_severity_gaps: 10 low_severity_gaps: 2 pillars: security_compliance: status: GAPS_IDENTIFIED checks_passed: 0 checks_total: 15 categories: identity_access: passed: 0 total: 4 gaps: - check_id: SEC-IAM-001 area: Identity & Access finding: no IAM policy strategy defined or broad permissions used severity: HIGH recommendation: architecture specifies granular IAM policies per compartment/service wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-IAM-002 area: Identity & Access finding: no MFA mentioned in identity setup severity: HIGH recommendation: MFA is specified in identity configuration wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-IAM-003 area: Identity & Access finding: no mention of admin account restrictions severity: HIGH recommendation: separate admin groups defined for operations wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-IAM-004 area: Identity & Access finding: stored credentials or API keys used for service accounts severity: HIGH recommendation: instance principals or resource principals specified for service-to-service auth wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html resource_isolation: passed: 0 total: 3 gaps: - check_id: SEC-ISO-001 area: Resource Isolation finding: flat compartment structure or no compartment strategy severity: HIGH recommendation: hierarchical compartment structure defined wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-ISO-002 area: Resource Isolation finding: no tagging strategy defined severity: MEDIUM recommendation: defined tag namespaces with cost, environment, and owner tags wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-ISO-004 area: Resource Isolation finding: user credentials used for cross-resource access severity: HIGH recommendation: resource principals used for cross-service access wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html database_security: passed: 0 total: 0 gaps: [] data_protection: passed: 0 total: 2 gaps: - check_id: SEC-DAT-001 area: Data Protection finding: any storage service without encryption at rest severity: HIGH recommendation: encryption at rest specified for all storage services wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-DAT-002 area: Data Protection finding: using Oracle-managed keys or no key management strategy severity: MEDIUM recommendation: OCI Vault specified for key management wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html network_security: passed: 0 total: 3 gaps: - check_id: SEC-NET-001 area: Network Security finding: only Security Lists used without NSGs severity: MEDIUM recommendation: NSGs used as primary network security mechanism wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-NET-002 area: Network Security finding: SSH open to 0.0.0.0/0 severity: HIGH recommendation: SSH access restricted to specific CIDR ranges or bastion wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-NET-004 area: Network Security finding: OCI services accessed via internet gateway severity: MEDIUM recommendation: Service Gateway configured in VCN wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html monitoring_audit: passed: 0 total: 3 gaps: - check_id: SEC-MON-001 area: Monitoring & Audit finding: Cloud Guard not included in architecture severity: HIGH recommendation: Cloud Guard configured with appropriate recipes wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-MON-002 area: Monitoring & Audit finding: audit service not mentioned or retention not configured severity: MEDIUM recommendation: Audit service enabled (enabled by default, verify retention) wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html - check_id: SEC-MON-003 area: Monitoring & Audit finding: no VCN Flow Logs configured severity: MEDIUM recommendation: VCN Flow Logs enabled for critical subnets wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html reliability_resilience: status: PASS_WITH_RECOMMENDATIONS checks_passed: 0 checks_total: 1 categories: scalability: passed: 0 total: 1 gaps: - check_id: REL-SCL-002 area: Scalability finding: no service limit review planned severity: LOW recommendation: service limit review mentioned in deployment plan wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html fault_tolerant_networking: passed: 0 total: 0 gaps: [] data_backup: passed: 0 total: 0 gaps: [] data_replication: passed: 0 total: 0 gaps: [] disaster_recovery: passed: 0 total: 0 gaps: [] performance_cost: status: PASS_WITH_RECOMMENDATIONS checks_passed: 0 checks_total: 2 categories: compute_sizing: passed: 0 total: 0 gaps: [] storage_strategy: passed: 0 total: 0 gaps: [] network_tuning: passed: 0 total: 0 gaps: [] cost_management: passed: 0 total: 2 gaps: - check_id: PERF-CST-003 area: Cost Management finding: no budget alerts configured severity: MEDIUM recommendation: OCI Budgets configured with alert thresholds wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/index.html - check_id: PERF-CST-004 area: Cost Management finding: no cost attribution tagging strategy severity: MEDIUM recommendation: cost-tracking tags defined and enforced wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/index.html operational_efficiency: status: GAPS_IDENTIFIED checks_passed: 1 checks_total: 5 categories: deployment_strategy: passed: 0 total: 1 gaps: - check_id: OPS-DEP-001 area: Deployment Strategy finding: no IaC strategy specified severity: HIGH recommendation: Terraform or Resource Manager specified for infrastructure provisioning wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html workload_monitoring: passed: 1 total: 2 gaps: - check_id: OPS-MON-003 area: Workload Monitoring finding: no centralized log analysis solution severity: MEDIUM recommendation: OCI Logging Analytics configured wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html os_management: passed: 0 total: 0 gaps: [] operations_support: passed: 0 total: 2 gaps: - check_id: OPS-SUP-001 area: Operations Support finding: no support plan consideration severity: LOW recommendation: Oracle support plan level specified and matches criticality wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html - check_id: OPS-SUP-002 area: Operations Support finding: no notification configuration severity: MEDIUM recommendation: OCI Notifications configured for operational events wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html distributed_cloud: status: NOT_APPLICABLE checks_passed: 0 checks_total: 0 categories: {} action_items: high_priority: - check_id: SEC-IAM-001 pillar: Identity & Access finding: no IAM policy strategy defined or broad permissions used recommendation: architecture specifies granular IAM policies per compartment/service - check_id: SEC-IAM-002 pillar: Identity & Access finding: no MFA mentioned in identity setup recommendation: MFA is specified in identity configuration - check_id: SEC-IAM-003 pillar: Identity & Access finding: no mention of admin account restrictions recommendation: separate admin groups defined for operations - check_id: SEC-IAM-004 pillar: Identity & Access finding: stored credentials or API keys used for service accounts recommendation: instance principals or resource principals specified for service-to-service auth - check_id: SEC-ISO-001 pillar: Resource Isolation finding: flat compartment structure or no compartment strategy recommendation: hierarchical compartment structure defined - check_id: SEC-ISO-004 pillar: Resource Isolation finding: user credentials used for cross-resource access recommendation: resource principals used for cross-service access - check_id: SEC-DAT-001 pillar: Data Protection finding: any storage service without encryption at rest recommendation: encryption at rest specified for all storage services - check_id: SEC-NET-002 pillar: Network Security finding: SSH open to 0.0.0.0/0 recommendation: SSH access restricted to specific CIDR ranges or bastion - check_id: SEC-MON-001 pillar: Monitoring & Audit finding: Cloud Guard not included in architecture recommendation: Cloud Guard configured with appropriate recipes - check_id: OPS-DEP-001 pillar: Deployment Strategy finding: no IaC strategy specified recommendation: Terraform or Resource Manager specified for infrastructure provisioning medium_priority: - check_id: SEC-ISO-002 pillar: Resource Isolation finding: no tagging strategy defined recommendation: defined tag namespaces with cost, environment, and owner tags - check_id: SEC-DAT-002 pillar: Data Protection finding: using Oracle-managed keys or no key management strategy recommendation: OCI Vault specified for key management - check_id: SEC-NET-001 pillar: Network Security finding: only Security Lists used without NSGs recommendation: NSGs used as primary network security mechanism - check_id: SEC-NET-004 pillar: Network Security finding: OCI services accessed via internet gateway recommendation: Service Gateway configured in VCN - check_id: SEC-MON-002 pillar: Monitoring & Audit finding: audit service not mentioned or retention not configured recommendation: Audit service enabled (enabled by default, verify retention) - check_id: SEC-MON-003 pillar: Monitoring & Audit finding: no VCN Flow Logs configured recommendation: VCN Flow Logs enabled for critical subnets - check_id: PERF-CST-003 pillar: Cost Management finding: no budget alerts configured recommendation: OCI Budgets configured with alert thresholds - check_id: PERF-CST-004 pillar: Cost Management finding: no cost attribution tagging strategy recommendation: cost-tracking tags defined and enforced - check_id: OPS-MON-003 pillar: Workload Monitoring finding: no centralized log analysis solution recommendation: OCI Logging Analytics configured - check_id: OPS-SUP-002 pillar: Operations Support finding: no notification configuration recommendation: OCI Notifications configured for operational events low_priority: - check_id: REL-SCL-002 pillar: Scalability finding: no service limit review planned recommendation: service limit review mentioned in deployment plan - check_id: OPS-SUP-001 pillar: Operations Support finding: no support plan consideration recommendation: Oracle support plan level specified and matches criticality references: framework: https://docs.oracle.com/en/solutions/oci-best-practices/index.html security: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html reliability: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html operations: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html distributed: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html