Files
oci-deal-accelerator/examples/output-demo-pharma-mx/opt05-wa-scorecard.yaml
root 3c88df33f8 Add demo presentation + 14 deliverables for PharmaCorp Mexico scenario
- gen_demo_deck.py: Generates 11-slide demo presentation using Oracle FY26
  template. LLM-agnostic messaging (works on Claude, Codex, GPT, Gemini).
  Before/After comparison, 14 live prompts in table format.
- examples/output-demo-pharma-mx/: Complete deliverable set for a pharma
  migration scenario (ExaCS X6 → OCI ExaCS X11M, dual-region DR, SOX).
  One file per skill option (1-14): pptx, drawio, pdf, xlsx, json, yaml.
- Improved prompts: richer discovery context (SOX compliance, dual
  FastConnect, Hub-Spoke, OCI Vault), intentionally flawed arch for WA
  review (1/23 passed), DEP field findings, ECAL gap analysis.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 23:24:35 -03:00

349 lines
15 KiB
YAML

well_architected_scorecard:
overall_status: GAPS_IDENTIFIED
generated_date: '2026-04-12T23:15:18.437115'
architecture_name: /tmp/demo-flawed-arch.yaml
customer: Demo Flawed Arch
summary:
total_checks: 23
total_passed: 1
total_gaps: 22
high_severity_gaps: 10
medium_severity_gaps: 10
low_severity_gaps: 2
pillars:
security_compliance:
status: GAPS_IDENTIFIED
checks_passed: 0
checks_total: 15
categories:
identity_access:
passed: 0
total: 4
gaps:
- check_id: SEC-IAM-001
area: Identity & Access
finding: no IAM policy strategy defined or broad permissions used
severity: HIGH
recommendation: architecture specifies granular IAM policies per compartment/service
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-IAM-002
area: Identity & Access
finding: no MFA mentioned in identity setup
severity: HIGH
recommendation: MFA is specified in identity configuration
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-IAM-003
area: Identity & Access
finding: no mention of admin account restrictions
severity: HIGH
recommendation: separate admin groups defined for operations
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-IAM-004
area: Identity & Access
finding: stored credentials or API keys used for service accounts
severity: HIGH
recommendation: instance principals or resource principals specified for
service-to-service auth
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
resource_isolation:
passed: 0
total: 3
gaps:
- check_id: SEC-ISO-001
area: Resource Isolation
finding: flat compartment structure or no compartment strategy
severity: HIGH
recommendation: hierarchical compartment structure defined
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-ISO-002
area: Resource Isolation
finding: no tagging strategy defined
severity: MEDIUM
recommendation: defined tag namespaces with cost, environment, and owner
tags
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-ISO-004
area: Resource Isolation
finding: user credentials used for cross-resource access
severity: HIGH
recommendation: resource principals used for cross-service access
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
database_security:
passed: 0
total: 0
gaps: []
data_protection:
passed: 0
total: 2
gaps:
- check_id: SEC-DAT-001
area: Data Protection
finding: any storage service without encryption at rest
severity: HIGH
recommendation: encryption at rest specified for all storage services
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-DAT-002
area: Data Protection
finding: using Oracle-managed keys or no key management strategy
severity: MEDIUM
recommendation: OCI Vault specified for key management
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
network_security:
passed: 0
total: 3
gaps:
- check_id: SEC-NET-001
area: Network Security
finding: only Security Lists used without NSGs
severity: MEDIUM
recommendation: NSGs used as primary network security mechanism
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-NET-002
area: Network Security
finding: SSH open to 0.0.0.0/0
severity: HIGH
recommendation: SSH access restricted to specific CIDR ranges or bastion
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-NET-004
area: Network Security
finding: OCI services accessed via internet gateway
severity: MEDIUM
recommendation: Service Gateway configured in VCN
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
monitoring_audit:
passed: 0
total: 3
gaps:
- check_id: SEC-MON-001
area: Monitoring & Audit
finding: Cloud Guard not included in architecture
severity: HIGH
recommendation: Cloud Guard configured with appropriate recipes
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-MON-002
area: Monitoring & Audit
finding: audit service not mentioned or retention not configured
severity: MEDIUM
recommendation: Audit service enabled (enabled by default, verify retention)
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
- check_id: SEC-MON-003
area: Monitoring & Audit
finding: no VCN Flow Logs configured
severity: MEDIUM
recommendation: VCN Flow Logs enabled for critical subnets
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
reliability_resilience:
status: PASS_WITH_RECOMMENDATIONS
checks_passed: 0
checks_total: 1
categories:
scalability:
passed: 0
total: 1
gaps:
- check_id: REL-SCL-002
area: Scalability
finding: no service limit review planned
severity: LOW
recommendation: service limit review mentioned in deployment plan
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html
fault_tolerant_networking:
passed: 0
total: 0
gaps: []
data_backup:
passed: 0
total: 0
gaps: []
data_replication:
passed: 0
total: 0
gaps: []
disaster_recovery:
passed: 0
total: 0
gaps: []
performance_cost:
status: PASS_WITH_RECOMMENDATIONS
checks_passed: 0
checks_total: 2
categories:
compute_sizing:
passed: 0
total: 0
gaps: []
storage_strategy:
passed: 0
total: 0
gaps: []
network_tuning:
passed: 0
total: 0
gaps: []
cost_management:
passed: 0
total: 2
gaps:
- check_id: PERF-CST-003
area: Cost Management
finding: no budget alerts configured
severity: MEDIUM
recommendation: OCI Budgets configured with alert thresholds
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
- check_id: PERF-CST-004
area: Cost Management
finding: no cost attribution tagging strategy
severity: MEDIUM
recommendation: cost-tracking tags defined and enforced
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
operational_efficiency:
status: GAPS_IDENTIFIED
checks_passed: 1
checks_total: 5
categories:
deployment_strategy:
passed: 0
total: 1
gaps:
- check_id: OPS-DEP-001
area: Deployment Strategy
finding: no IaC strategy specified
severity: HIGH
recommendation: Terraform or Resource Manager specified for infrastructure
provisioning
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
workload_monitoring:
passed: 1
total: 2
gaps:
- check_id: OPS-MON-003
area: Workload Monitoring
finding: no centralized log analysis solution
severity: MEDIUM
recommendation: OCI Logging Analytics configured
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
os_management:
passed: 0
total: 0
gaps: []
operations_support:
passed: 0
total: 2
gaps:
- check_id: OPS-SUP-001
area: Operations Support
finding: no support plan consideration
severity: LOW
recommendation: Oracle support plan level specified and matches criticality
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
- check_id: OPS-SUP-002
area: Operations Support
finding: no notification configuration
severity: MEDIUM
recommendation: OCI Notifications configured for operational events
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
distributed_cloud:
status: NOT_APPLICABLE
checks_passed: 0
checks_total: 0
categories: {}
action_items:
high_priority:
- check_id: SEC-IAM-001
pillar: Identity & Access
finding: no IAM policy strategy defined or broad permissions used
recommendation: architecture specifies granular IAM policies per compartment/service
- check_id: SEC-IAM-002
pillar: Identity & Access
finding: no MFA mentioned in identity setup
recommendation: MFA is specified in identity configuration
- check_id: SEC-IAM-003
pillar: Identity & Access
finding: no mention of admin account restrictions
recommendation: separate admin groups defined for operations
- check_id: SEC-IAM-004
pillar: Identity & Access
finding: stored credentials or API keys used for service accounts
recommendation: instance principals or resource principals specified for service-to-service
auth
- check_id: SEC-ISO-001
pillar: Resource Isolation
finding: flat compartment structure or no compartment strategy
recommendation: hierarchical compartment structure defined
- check_id: SEC-ISO-004
pillar: Resource Isolation
finding: user credentials used for cross-resource access
recommendation: resource principals used for cross-service access
- check_id: SEC-DAT-001
pillar: Data Protection
finding: any storage service without encryption at rest
recommendation: encryption at rest specified for all storage services
- check_id: SEC-NET-002
pillar: Network Security
finding: SSH open to 0.0.0.0/0
recommendation: SSH access restricted to specific CIDR ranges or bastion
- check_id: SEC-MON-001
pillar: Monitoring & Audit
finding: Cloud Guard not included in architecture
recommendation: Cloud Guard configured with appropriate recipes
- check_id: OPS-DEP-001
pillar: Deployment Strategy
finding: no IaC strategy specified
recommendation: Terraform or Resource Manager specified for infrastructure provisioning
medium_priority:
- check_id: SEC-ISO-002
pillar: Resource Isolation
finding: no tagging strategy defined
recommendation: defined tag namespaces with cost, environment, and owner tags
- check_id: SEC-DAT-002
pillar: Data Protection
finding: using Oracle-managed keys or no key management strategy
recommendation: OCI Vault specified for key management
- check_id: SEC-NET-001
pillar: Network Security
finding: only Security Lists used without NSGs
recommendation: NSGs used as primary network security mechanism
- check_id: SEC-NET-004
pillar: Network Security
finding: OCI services accessed via internet gateway
recommendation: Service Gateway configured in VCN
- check_id: SEC-MON-002
pillar: Monitoring & Audit
finding: audit service not mentioned or retention not configured
recommendation: Audit service enabled (enabled by default, verify retention)
- check_id: SEC-MON-003
pillar: Monitoring & Audit
finding: no VCN Flow Logs configured
recommendation: VCN Flow Logs enabled for critical subnets
- check_id: PERF-CST-003
pillar: Cost Management
finding: no budget alerts configured
recommendation: OCI Budgets configured with alert thresholds
- check_id: PERF-CST-004
pillar: Cost Management
finding: no cost attribution tagging strategy
recommendation: cost-tracking tags defined and enforced
- check_id: OPS-MON-003
pillar: Workload Monitoring
finding: no centralized log analysis solution
recommendation: OCI Logging Analytics configured
- check_id: OPS-SUP-002
pillar: Operations Support
finding: no notification configuration
recommendation: OCI Notifications configured for operational events
low_priority:
- check_id: REL-SCL-002
pillar: Scalability
finding: no service limit review planned
recommendation: service limit review mentioned in deployment plan
- check_id: OPS-SUP-001
pillar: Operations Support
finding: no support plan consideration
recommendation: Oracle support plan level specified and matches criticality
references:
framework: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
security: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
reliability: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html
operations: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
distributed: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html