forked from diegoecab/oci-deal-accelerator
initial version
This commit is contained in:
131
kb/well-architected/distributed-cloud.yaml
Normal file
131
kb/well-architected/distributed-cloud.yaml
Normal file
@@ -0,0 +1,131 @@
|
||||
# OCI Well-Architected Framework — Pillar 5: Distributed Cloud
|
||||
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html
|
||||
|
||||
pillar:
|
||||
name: "Distributed Cloud"
|
||||
id: distributed_cloud
|
||||
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html"
|
||||
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html"
|
||||
conditional: true
|
||||
applies_when: "multi_region OR hybrid_cloud OR multicloud OR data_residency_requirements OR sovereign_requirements"
|
||||
|
||||
categories:
|
||||
- name: "Deployment Strategy"
|
||||
id: dc_deployment_strategy
|
||||
checks:
|
||||
- id: DC-DEP-001
|
||||
name: "Deployment model selected"
|
||||
description: "Appropriate deployment model selected (public, dedicated, hybrid, multicloud)"
|
||||
auto_detect:
|
||||
pass_if: "deployment model explicitly chosen with justification"
|
||||
gap_if: "no explicit deployment model decision"
|
||||
severity: HIGH
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
|
||||
- id: DC-DEP-002
|
||||
name: "Data residency mapping"
|
||||
description: "Data residency requirements mapped to region selection"
|
||||
auto_detect:
|
||||
pass_if: "data residency requirements documented with region mapping"
|
||||
gap_if: "data residency requirements exist but no region mapping"
|
||||
severity: HIGH
|
||||
applies_when: "has_data_residency_requirements"
|
||||
|
||||
- id: DC-DEP-003
|
||||
name: "Sovereign/Dedicated Region"
|
||||
description: "Sovereign Cloud or Dedicated Region considered if required"
|
||||
auto_detect:
|
||||
pass_if: "Sovereign Cloud or Dedicated Region evaluated"
|
||||
gap_if: "sovereignty requirements exist without cloud model evaluation"
|
||||
severity: HIGH
|
||||
applies_when: "has_sovereign_requirements"
|
||||
|
||||
- name: "Integration Across Environments"
|
||||
id: dc_integration
|
||||
checks:
|
||||
- id: DC-INT-001
|
||||
name: "Consistent IAM"
|
||||
description: "Consistent IAM across all locations"
|
||||
auto_detect:
|
||||
pass_if: "unified IAM strategy across all deployment locations"
|
||||
gap_if: "separate, uncoordinated IAM in different locations"
|
||||
severity: HIGH
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
|
||||
- id: DC-INT-002
|
||||
name: "Data synchronization"
|
||||
description: "Data synchronization strategy between sites"
|
||||
auto_detect:
|
||||
pass_if: "data sync strategy defined (replication, ETL, streaming)"
|
||||
gap_if: "no data synchronization strategy between sites"
|
||||
severity: HIGH
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
|
||||
- id: DC-INT-003
|
||||
name: "Cross-environment networking"
|
||||
description: "Network connectivity between environments (FastConnect, VPN, DRG)"
|
||||
auto_detect:
|
||||
pass_if: "network connectivity defined between all environments"
|
||||
gap_if: "no network connectivity plan between environments"
|
||||
severity: HIGH
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
|
||||
- name: "Compliance & Sovereignty"
|
||||
id: dc_compliance
|
||||
checks:
|
||||
- id: DC-CMP-001
|
||||
name: "Data residency laws"
|
||||
description: "Regional data residency laws addressed"
|
||||
auto_detect:
|
||||
pass_if: "applicable data residency laws identified and addressed"
|
||||
gap_if: "data residency laws not evaluated"
|
||||
severity: HIGH
|
||||
applies_when: "has_data_residency_requirements"
|
||||
|
||||
- id: DC-CMP-002
|
||||
name: "Encryption key locality"
|
||||
description: "Encryption key locality requirements met"
|
||||
auto_detect:
|
||||
pass_if: "encryption keys stored in required jurisdictions"
|
||||
gap_if: "key locality requirements not addressed"
|
||||
severity: HIGH
|
||||
applies_when: "has_data_residency_requirements"
|
||||
|
||||
- id: DC-CMP-003
|
||||
name: "Cross-environment audit"
|
||||
description: "Audit trail spans all environments"
|
||||
auto_detect:
|
||||
pass_if: "unified audit across all deployment locations"
|
||||
gap_if: "audit gaps between environments"
|
||||
severity: MEDIUM
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
|
||||
- name: "Unified Operations"
|
||||
id: dc_operations
|
||||
checks:
|
||||
- id: DC-OPS-001
|
||||
name: "Single pane of glass"
|
||||
description: "Single pane of glass monitoring across environments"
|
||||
auto_detect:
|
||||
pass_if: "centralized monitoring spanning all environments"
|
||||
gap_if: "separate monitoring per environment"
|
||||
severity: MEDIUM
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
|
||||
- id: DC-OPS-002
|
||||
name: "IaC consistency"
|
||||
description: "IaC consistency across all deployment targets"
|
||||
auto_detect:
|
||||
pass_if: "same IaC tooling and patterns across all environments"
|
||||
gap_if: "different IaC approaches in different environments"
|
||||
severity: MEDIUM
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
|
||||
- id: DC-OPS-003
|
||||
name: "Operations feedback loop"
|
||||
description: "Feedback loop from operations to design"
|
||||
auto_detect:
|
||||
pass_if: "operational feedback process defined"
|
||||
gap_if: "no formal feedback loop from operations to architecture"
|
||||
severity: LOW
|
||||
applies_when: "distributed_cloud_applicable"
|
||||
115
kb/well-architected/landing-zones.yaml
Normal file
115
kb/well-architected/landing-zones.yaml
Normal file
@@ -0,0 +1,115 @@
|
||||
# OCI Well-Architected Framework — Landing Zone Patterns
|
||||
# Reference: https://docs.oracle.com/en/solutions/cis-oci-benchmark/
|
||||
|
||||
landing_zones:
|
||||
- name: "CIS OCI Landing Zone"
|
||||
id: cis_landing_zone
|
||||
description: "CIS Benchmark-aligned landing zone with security best practices baked in"
|
||||
reference: "https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart"
|
||||
use_when:
|
||||
- "Enterprise customers requiring CIS compliance"
|
||||
- "Greenfield OCI deployments"
|
||||
- "Customers with regulatory requirements"
|
||||
provides:
|
||||
compartments:
|
||||
- name: "Network"
|
||||
purpose: "Hub VCN, DRG, FastConnect, VPN"
|
||||
- name: "Security"
|
||||
purpose: "Cloud Guard, Vault, Bastion, VSS"
|
||||
- name: "AppDev"
|
||||
purpose: "Application workloads, OKE, Functions"
|
||||
- name: "Database"
|
||||
purpose: "Database services, Data Safe"
|
||||
- name: "ExaCS"
|
||||
purpose: "Exadata Cloud Service (if applicable)"
|
||||
networking:
|
||||
- "Hub-spoke VCN topology via DRG"
|
||||
- "Service Gateway for OCI service access"
|
||||
- "NAT Gateway for outbound internet"
|
||||
- "Bastion service for secure access"
|
||||
- "NSGs for fine-grained network security"
|
||||
identity:
|
||||
- "Break-glass admin account"
|
||||
- "Separation of duties (network, security, appdev admins)"
|
||||
- "Least-privilege IAM policies"
|
||||
- "Dynamic groups for instance principals"
|
||||
security:
|
||||
- "Cloud Guard with default recipes"
|
||||
- "Security Zones for production"
|
||||
- "VCN Flow Logs enabled"
|
||||
- "OCI Vault for key management"
|
||||
- "Vulnerability Scanning service"
|
||||
governance:
|
||||
- "Defined tags for cost tracking"
|
||||
- "Budgets per compartment"
|
||||
- "Notification topics for events"
|
||||
|
||||
- name: "Oracle Enterprise Landing Zone"
|
||||
id: oelz
|
||||
description: "Multi-environment enterprise landing zone with full lifecycle management"
|
||||
reference: "https://github.com/oracle-quickstart/terraform-oci-open-lz"
|
||||
use_when:
|
||||
- "Large enterprise deployments"
|
||||
- "Multi-workload environments"
|
||||
- "Customers needing full environment isolation"
|
||||
provides:
|
||||
compartments:
|
||||
- name: "Shared Infrastructure"
|
||||
purpose: "Common services, networking hub, security"
|
||||
- name: "Production"
|
||||
purpose: "Production workloads with Security Zones"
|
||||
- name: "Non-Production"
|
||||
purpose: "Dev, test, staging environments"
|
||||
- name: "Logging"
|
||||
purpose: "Centralized logging and audit"
|
||||
networking:
|
||||
- "Hub VCN with Network Firewall option"
|
||||
- "Spoke VCNs per workload/environment"
|
||||
- "DRG for transit routing"
|
||||
- "DNS views per environment"
|
||||
identity:
|
||||
- "Multiple Identity Domains"
|
||||
- "Federated authentication"
|
||||
- "Role-based access control"
|
||||
security:
|
||||
- "Cloud Guard with custom recipes"
|
||||
- "Security Zones"
|
||||
- "WAF integration"
|
||||
- "Data Safe"
|
||||
|
||||
- name: "Minimal Landing Zone"
|
||||
id: minimal_lz
|
||||
description: "Lightweight landing zone for POCs, small workloads, or single-application deployments"
|
||||
use_when:
|
||||
- "Proof of concept"
|
||||
- "Small workloads (< 10 resources)"
|
||||
- "Single application deployment"
|
||||
- "Developer sandbox"
|
||||
provides:
|
||||
compartments:
|
||||
- name: "Workload"
|
||||
purpose: "All resources for the workload"
|
||||
networking:
|
||||
- "Single VCN"
|
||||
- "Public and private subnets"
|
||||
- "Internet Gateway + NAT Gateway"
|
||||
- "Service Gateway"
|
||||
identity:
|
||||
- "Basic IAM policies"
|
||||
- "Instance principals for compute"
|
||||
security:
|
||||
- "Cloud Guard (default)"
|
||||
- "Default encryption"
|
||||
|
||||
selection_criteria:
|
||||
- condition: "regulatory_compliance OR enterprise_customer"
|
||||
recommendation: "cis_landing_zone"
|
||||
rationale: "CIS compliance provides strong security baseline and meets audit requirements"
|
||||
|
||||
- condition: "multi_environment AND large_enterprise"
|
||||
recommendation: "oelz"
|
||||
rationale: "Full environment isolation with centralized governance"
|
||||
|
||||
- condition: "poc OR small_workload OR single_application"
|
||||
recommendation: "minimal_lz"
|
||||
rationale: "Fast deployment without over-engineering; can upgrade to CIS later"
|
||||
174
kb/well-architected/operational-efficiency.yaml
Normal file
174
kb/well-architected/operational-efficiency.yaml
Normal file
@@ -0,0 +1,174 @@
|
||||
# OCI Well-Architected Framework — Pillar 4: Operational Efficiency
|
||||
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
|
||||
|
||||
pillar:
|
||||
name: "Operational Efficiency"
|
||||
id: operational_efficiency
|
||||
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html"
|
||||
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html"
|
||||
|
||||
categories:
|
||||
- name: "Deployment Strategy"
|
||||
id: deployment_strategy
|
||||
checks:
|
||||
- id: OPS-DEP-001
|
||||
name: "Infrastructure as Code"
|
||||
description: "Infrastructure as Code (Terraform, Resource Manager) for all resources"
|
||||
auto_detect:
|
||||
pass_if: "Terraform or Resource Manager specified for infrastructure provisioning"
|
||||
gap_if: "no IaC strategy specified"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: OPS-DEP-002
|
||||
name: "CI/CD pipeline"
|
||||
description: "CI/CD pipeline defined for application deployment"
|
||||
auto_detect:
|
||||
pass_if: "CI/CD pipeline specified (OCI DevOps, Jenkins, GitLab, etc.)"
|
||||
gap_if: "no CI/CD pipeline defined"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_application_workloads"
|
||||
|
||||
- id: OPS-DEP-003
|
||||
name: "Deployment strategy"
|
||||
description: "Blue/green or canary deployment strategy for production changes"
|
||||
auto_detect:
|
||||
pass_if: "deployment strategy (blue/green, canary, rolling) defined"
|
||||
gap_if: "no deployment strategy for production changes"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_production_applications"
|
||||
|
||||
- id: OPS-DEP-004
|
||||
name: "Environment parity"
|
||||
description: "Environment parity (dev/staging/prod use same IaC templates)"
|
||||
auto_detect:
|
||||
pass_if: "same IaC templates used across environments with variable overrides"
|
||||
gap_if: "different provisioning methods across environments"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_multiple_environments"
|
||||
|
||||
- name: "Workload Monitoring"
|
||||
id: workload_monitoring
|
||||
checks:
|
||||
- id: OPS-MON-001
|
||||
name: "OCI Monitoring alarms"
|
||||
description: "OCI Monitoring alarms configured for key metrics"
|
||||
auto_detect:
|
||||
pass_if: "monitoring alarms defined for CPU, memory, disk, network"
|
||||
gap_if: "no monitoring alarms configured"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: OPS-MON-002
|
||||
name: "Custom application metrics"
|
||||
description: "Custom metrics for application-specific KPIs"
|
||||
auto_detect:
|
||||
pass_if: "custom metrics defined for application performance"
|
||||
gap_if: "no application-level monitoring beyond infrastructure metrics"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_application_workloads"
|
||||
|
||||
- id: OPS-MON-003
|
||||
name: "Logging Analytics"
|
||||
description: "Logging Analytics for centralized log analysis"
|
||||
auto_detect:
|
||||
pass_if: "OCI Logging Analytics configured"
|
||||
gap_if: "no centralized log analysis solution"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: OPS-MON-004
|
||||
name: "APM configured"
|
||||
description: "APM configured for application tracing"
|
||||
auto_detect:
|
||||
pass_if: "OCI APM or third-party APM configured"
|
||||
gap_if: "no application performance monitoring"
|
||||
severity: LOW
|
||||
applies_when: "has_application_workloads"
|
||||
|
||||
- id: OPS-MON-005
|
||||
name: "Database Management"
|
||||
description: "Database Management enabled for DB performance monitoring"
|
||||
auto_detect:
|
||||
pass_if: "OCI Database Management service enabled"
|
||||
gap_if: "databases without performance monitoring"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: OPS-MON-006
|
||||
name: "Ops Insights"
|
||||
description: "Ops Insights for capacity planning"
|
||||
auto_detect:
|
||||
pass_if: "Ops Insights configured for capacity planning"
|
||||
gap_if: "no capacity planning solution"
|
||||
severity: LOW
|
||||
applies_when: "has_production_workloads"
|
||||
|
||||
- name: "OS Management"
|
||||
id: os_management
|
||||
checks:
|
||||
- id: OPS-OSM-001
|
||||
name: "OS Management Hub"
|
||||
description: "OS Management Hub for patch management"
|
||||
auto_detect:
|
||||
pass_if: "OS Management Hub configured for compute fleet"
|
||||
gap_if: "no automated OS patch management"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- id: OPS-OSM-002
|
||||
name: "Automated patching schedule"
|
||||
description: "Automated patching schedule for compute instances"
|
||||
auto_detect:
|
||||
pass_if: "patching schedule defined with maintenance windows"
|
||||
gap_if: "no patching schedule for compute instances"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- id: OPS-OSM-003
|
||||
name: "Vulnerability remediation SLA"
|
||||
description: "Vulnerability remediation SLA defined"
|
||||
auto_detect:
|
||||
pass_if: "vulnerability remediation timelines defined by severity"
|
||||
gap_if: "no vulnerability remediation SLA"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- name: "Operations Support"
|
||||
id: operations_support
|
||||
checks:
|
||||
- id: OPS-SUP-001
|
||||
name: "Support plan level"
|
||||
description: "Support plan level appropriate for workload criticality"
|
||||
auto_detect:
|
||||
pass_if: "Oracle support plan level specified and matches criticality"
|
||||
gap_if: "no support plan consideration"
|
||||
severity: LOW
|
||||
applies_when: always
|
||||
|
||||
- id: OPS-SUP-002
|
||||
name: "Notification topics"
|
||||
description: "Notification topics configured for operational events"
|
||||
auto_detect:
|
||||
pass_if: "OCI Notifications configured for operational events"
|
||||
gap_if: "no notification configuration"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: OPS-SUP-003
|
||||
name: "Operational runbooks"
|
||||
description: "Runbooks documented for common operational procedures"
|
||||
auto_detect:
|
||||
pass_if: "operational runbooks planned or documented"
|
||||
gap_if: "no operational runbooks"
|
||||
severity: LOW
|
||||
applies_when: "has_production_workloads"
|
||||
|
||||
- id: OPS-SUP-004
|
||||
name: "Automated remediation"
|
||||
description: "OCI Events + Functions for automated remediation"
|
||||
auto_detect:
|
||||
pass_if: "event-driven automation configured for common issues"
|
||||
gap_if: "no automated remediation"
|
||||
severity: LOW
|
||||
applies_when: "has_production_workloads"
|
||||
156
kb/well-architected/performance-cost.yaml
Normal file
156
kb/well-architected/performance-cost.yaml
Normal file
@@ -0,0 +1,156 @@
|
||||
# OCI Well-Architected Framework — Pillar 3: Performance and Cost Optimization
|
||||
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
|
||||
|
||||
pillar:
|
||||
name: "Performance and Cost Optimization"
|
||||
id: performance_cost
|
||||
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/index.html"
|
||||
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/index.html"
|
||||
|
||||
categories:
|
||||
- name: "Compute Sizing"
|
||||
id: compute_sizing
|
||||
checks:
|
||||
- id: PERF-CMP-001
|
||||
name: "Right-sized shapes"
|
||||
description: "Shapes selected based on workload profile (not over-provisioned)"
|
||||
auto_detect:
|
||||
pass_if: "compute shapes justified by workload requirements"
|
||||
gap_if: "shapes selected without workload sizing analysis"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- id: PERF-CMP-002
|
||||
name: "Flex shapes used"
|
||||
description: "Flex shapes used where possible (pay for what you use)"
|
||||
auto_detect:
|
||||
pass_if: "flex shapes specified for variable workloads"
|
||||
gap_if: "fixed shapes used where flex would be more cost-effective"
|
||||
severity: LOW
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- id: PERF-CMP-003
|
||||
name: "Burstable for dev/test"
|
||||
description: "Burstable instances considered for dev/test"
|
||||
auto_detect:
|
||||
pass_if: "burstable or preemptible instances for non-production"
|
||||
gap_if: "production-grade shapes used for dev/test"
|
||||
severity: LOW
|
||||
applies_when: "has_dev_test_environments"
|
||||
|
||||
- id: PERF-CMP-004
|
||||
name: "ARM (Ampere) considered"
|
||||
description: "ARM (Ampere) considered for compatible workloads (better price/performance)"
|
||||
auto_detect:
|
||||
pass_if: "Ampere (A1/A2) shapes evaluated for compatible workloads"
|
||||
gap_if: "x86 shapes used where ARM would provide better price/performance"
|
||||
severity: LOW
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- name: "Storage Strategy"
|
||||
id: storage_strategy
|
||||
checks:
|
||||
- id: PERF-STR-001
|
||||
name: "Storage tier matches access pattern"
|
||||
description: "Storage tier matches access pattern (Standard, Infrequent Access, Archive)"
|
||||
auto_detect:
|
||||
pass_if: "storage tiers aligned with data access frequency"
|
||||
gap_if: "all data on Standard tier without tiering analysis"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_object_storage"
|
||||
|
||||
- id: PERF-STR-002
|
||||
name: "Block Volume performance tier"
|
||||
description: "Block Volume performance tier matches IOPS needs"
|
||||
auto_detect:
|
||||
pass_if: "block volume performance tier matches documented IOPS requirements"
|
||||
gap_if: "block volume tier not aligned with workload IOPS needs"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_block_volumes"
|
||||
|
||||
- id: PERF-STR-003
|
||||
name: "Object Storage auto-tiering"
|
||||
description: "Auto-tiering enabled for Object Storage where applicable"
|
||||
auto_detect:
|
||||
pass_if: "auto-tiering configured for applicable buckets"
|
||||
gap_if: "large object storage without auto-tiering evaluation"
|
||||
severity: LOW
|
||||
applies_when: "has_large_object_storage"
|
||||
|
||||
- name: "Network Tuning"
|
||||
id: network_tuning
|
||||
checks:
|
||||
- id: PERF-NET-001
|
||||
name: "Right-sized bandwidth"
|
||||
description: "Bandwidth provisioned matches actual needs (not over-provisioned FastConnect)"
|
||||
auto_detect:
|
||||
pass_if: "FastConnect bandwidth justified by traffic analysis"
|
||||
gap_if: "bandwidth provisioned without traffic analysis"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_fastconnect"
|
||||
|
||||
- id: PERF-NET-002
|
||||
name: "LB type justified"
|
||||
description: "Network Load Balancer vs. Flexible Load Balancer decision justified"
|
||||
auto_detect:
|
||||
pass_if: "load balancer type selection documented with rationale"
|
||||
gap_if: "load balancer type chosen without justification"
|
||||
severity: LOW
|
||||
applies_when: "has_load_balancers"
|
||||
|
||||
- name: "Cost Management"
|
||||
id: cost_management
|
||||
checks:
|
||||
- id: PERF-CST-001
|
||||
name: "BYOL analysis"
|
||||
description: "BYOL vs. License Included analysis done"
|
||||
auto_detect:
|
||||
pass_if: "BYOL vs. License Included comparison documented"
|
||||
gap_if: "licensing model chosen without analysis"
|
||||
severity: HIGH
|
||||
applies_when: "has_oracle_licensed_services"
|
||||
|
||||
- id: PERF-CST-002
|
||||
name: "Reserved capacity considered"
|
||||
description: "Reserved capacity considered for stable workloads (1-year or 3-year)"
|
||||
auto_detect:
|
||||
pass_if: "reserved capacity evaluated for stable production workloads"
|
||||
gap_if: "all on-demand pricing for stable workloads"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_stable_production_workloads"
|
||||
|
||||
- id: PERF-CST-003
|
||||
name: "Budgets and cost alerts"
|
||||
description: "Budgets and cost alerts configured per compartment"
|
||||
auto_detect:
|
||||
pass_if: "OCI Budgets configured with alert thresholds"
|
||||
gap_if: "no budget alerts configured"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: PERF-CST-004
|
||||
name: "Cost attribution tagging"
|
||||
description: "Tagging strategy enables cost attribution"
|
||||
auto_detect:
|
||||
pass_if: "cost-tracking tags defined and enforced"
|
||||
gap_if: "no cost attribution tagging strategy"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: PERF-CST-005
|
||||
name: "Auto-scaling cost controls"
|
||||
description: "Auto-scaling min/max configured to prevent runaway costs"
|
||||
auto_detect:
|
||||
pass_if: "auto-scaling policies include max limits"
|
||||
gap_if: "auto-scaling without upper bounds"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_auto_scaling"
|
||||
|
||||
- id: PERF-CST-006
|
||||
name: "Non-prod optimization"
|
||||
description: "Non-production environments use smaller shapes or are scheduled off"
|
||||
auto_detect:
|
||||
pass_if: "non-prod environments use reduced shapes or have schedules"
|
||||
gap_if: "non-prod environments running same shapes as production 24/7"
|
||||
severity: LOW
|
||||
applies_when: "has_dev_test_environments"
|
||||
156
kb/well-architected/personas.yaml
Normal file
156
kb/well-architected/personas.yaml
Normal file
@@ -0,0 +1,156 @@
|
||||
# OCI Well-Architected Framework — Personas and Role-to-Pillar Mapping
|
||||
# Used to target Deal Accelerator outputs to the right audience
|
||||
|
||||
personas:
|
||||
- name: "Cloud Architect"
|
||||
id: cloud_architect
|
||||
description: "Responsible for overall cloud architecture design and implementation"
|
||||
primary_pillars:
|
||||
- reliability_resilience
|
||||
- security_compliance
|
||||
- operational_efficiency
|
||||
output_emphasis:
|
||||
- "Full architecture diagram with all service interactions"
|
||||
- "ADRs for all major design decisions"
|
||||
- "Reliability and HA patterns"
|
||||
- "Operational readiness checklist"
|
||||
scorecard_focus:
|
||||
lead_with: "Overall architecture health"
|
||||
highlight_gaps: ["HIGH severity across all pillars"]
|
||||
de_emphasize: ["LOW severity cost optimizations"]
|
||||
|
||||
- name: "Security Architect"
|
||||
id: security_architect
|
||||
description: "Responsible for security posture, compliance, and risk management"
|
||||
primary_pillars:
|
||||
- security_compliance
|
||||
output_emphasis:
|
||||
- "Security scorecard with all checks detailed"
|
||||
- "IAM policy structure and federation design"
|
||||
- "Encryption strategy (at-rest, in-transit, key management)"
|
||||
- "Cloud Guard configuration and detector recipes"
|
||||
- "Data Safe assessment and recommendations"
|
||||
- "Network security architecture (NSGs, WAF, Firewall)"
|
||||
- "Compliance mapping to regulatory requirements"
|
||||
scorecard_focus:
|
||||
lead_with: "Security and Compliance pillar"
|
||||
highlight_gaps: ["All security gaps regardless of severity"]
|
||||
de_emphasize: ["Performance optimization", "Cost management"]
|
||||
|
||||
- name: "Enterprise Architect"
|
||||
id: enterprise_architect
|
||||
description: "Responsible for strategic alignment, cost optimization, and enterprise governance"
|
||||
primary_pillars:
|
||||
- performance_cost
|
||||
- distributed_cloud
|
||||
- operational_efficiency
|
||||
output_emphasis:
|
||||
- "TCO analysis with BYOL and reserved capacity"
|
||||
- "Business case with competitive positioning"
|
||||
- "Distributed cloud strategy if applicable"
|
||||
- "Governance model and tagging strategy"
|
||||
- "Migration roadmap and phasing"
|
||||
scorecard_focus:
|
||||
lead_with: "Cost optimization and business alignment"
|
||||
highlight_gaps: ["Cost management gaps", "Governance gaps"]
|
||||
de_emphasize: ["Technical implementation details"]
|
||||
|
||||
- name: "Network Architect"
|
||||
id: network_architect
|
||||
description: "Responsible for network design, connectivity, and security"
|
||||
primary_pillars:
|
||||
- security_compliance
|
||||
- reliability_resilience
|
||||
output_emphasis:
|
||||
- "VCN topology with CIDR ranges and subnet design"
|
||||
- "FastConnect/VPN connectivity with redundancy"
|
||||
- "DRG routing and transit networking"
|
||||
- "NSG rules and WAF configuration"
|
||||
- "DNS and Traffic Management design"
|
||||
- "Network Firewall placement and rules"
|
||||
scorecard_focus:
|
||||
lead_with: "Network security and reliability checks"
|
||||
highlight_gaps: ["Network-related gaps across all pillars"]
|
||||
de_emphasize: ["Database security", "Application monitoring"]
|
||||
|
||||
- name: "Database Administrator"
|
||||
id: dba
|
||||
description: "Responsible for database architecture, performance, and operations"
|
||||
primary_pillars:
|
||||
- security_compliance
|
||||
- reliability_resilience
|
||||
- performance_cost
|
||||
output_emphasis:
|
||||
- "Database service selection rationale"
|
||||
- "Data Guard / ADG configuration"
|
||||
- "Backup and recovery strategy"
|
||||
- "Data Safe configuration"
|
||||
- "Performance tuning and monitoring"
|
||||
- "TDE and encryption key management"
|
||||
scorecard_focus:
|
||||
lead_with: "Database security and reliability checks"
|
||||
highlight_gaps: ["Database-related gaps across all pillars"]
|
||||
de_emphasize: ["Network design", "Compute sizing"]
|
||||
|
||||
- name: "DevOps Engineer"
|
||||
id: devops_engineer
|
||||
description: "Responsible for CI/CD, IaC, and operational automation"
|
||||
primary_pillars:
|
||||
- operational_efficiency
|
||||
output_emphasis:
|
||||
- "Terraform module structure and Resource Manager stacks"
|
||||
- "CI/CD pipeline design (OCI DevOps or third-party)"
|
||||
- "Deployment strategy (blue/green, canary)"
|
||||
- "Monitoring and alerting configuration"
|
||||
- "Automated remediation with Events + Functions"
|
||||
- "OS Management Hub setup"
|
||||
scorecard_focus:
|
||||
lead_with: "Operational Efficiency pillar"
|
||||
highlight_gaps: ["IaC gaps", "CI/CD gaps", "Monitoring gaps"]
|
||||
de_emphasize: ["Cost optimization", "Distributed cloud"]
|
||||
|
||||
- name: "CTO / VP Engineering"
|
||||
id: cto
|
||||
description: "Executive decision maker focused on risk, timeline, and strategic value"
|
||||
primary_pillars:
|
||||
- security_compliance
|
||||
- reliability_resilience
|
||||
- performance_cost
|
||||
output_emphasis:
|
||||
- "Executive summary (1-page)"
|
||||
- "Risk register with mitigation strategies"
|
||||
- "Competitive positioning vs AWS/Azure"
|
||||
- "Implementation timeline with milestones"
|
||||
- "Cost summary with optimization opportunities"
|
||||
- "Well-Architected scorecard summary"
|
||||
scorecard_focus:
|
||||
lead_with: "Overall status with HIGH severity gaps"
|
||||
highlight_gaps: ["HIGH severity only"]
|
||||
de_emphasize: ["Technical implementation details", "LOW severity items"]
|
||||
|
||||
- name: "Finance / Procurement"
|
||||
id: finance
|
||||
description: "Focused on cost, licensing, and commercial terms"
|
||||
primary_pillars:
|
||||
- performance_cost
|
||||
output_emphasis:
|
||||
- "Detailed cost breakdown by service"
|
||||
- "BYOL vs. License Included analysis"
|
||||
- "Reserved capacity savings (1yr vs 3yr)"
|
||||
- "Monthly and annual cost projections"
|
||||
- "Budget configuration per compartment"
|
||||
- "Comparison with current spend (on-prem or competitor)"
|
||||
scorecard_focus:
|
||||
lead_with: "Performance and Cost Optimization pillar"
|
||||
highlight_gaps: ["Cost-related gaps only"]
|
||||
de_emphasize: ["All technical pillars"]
|
||||
|
||||
# Mapping from political decision drivers to personas
|
||||
decision_driver_mapping:
|
||||
technical_leadership: [cloud_architect, cto]
|
||||
security_focused: [security_architect]
|
||||
cost_conscious: [enterprise_architect, finance]
|
||||
operations_focused: [devops_engineer]
|
||||
database_centric: [dba]
|
||||
network_focused: [network_architect]
|
||||
executive_sponsorship: [cto, finance]
|
||||
213
kb/well-architected/reliability-resilience.yaml
Normal file
213
kb/well-architected/reliability-resilience.yaml
Normal file
@@ -0,0 +1,213 @@
|
||||
# OCI Well-Architected Framework — Pillar 2: Reliability and Resilience
|
||||
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html
|
||||
|
||||
pillar:
|
||||
name: "Reliability and Resilience"
|
||||
id: reliability_resilience
|
||||
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html"
|
||||
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html"
|
||||
|
||||
categories:
|
||||
- name: "Scalability"
|
||||
id: scalability
|
||||
checks:
|
||||
- id: REL-SCL-001
|
||||
name: "Auto-scaling configured"
|
||||
description: "Auto-scaling configured for variable workloads"
|
||||
auto_detect:
|
||||
pass_if: "auto-scaling policies defined for compute or OKE"
|
||||
gap_if: "variable workloads without auto-scaling"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_variable_workloads"
|
||||
|
||||
- id: REL-SCL-002
|
||||
name: "Service limits reviewed"
|
||||
description: "Service limits reviewed and increased where needed"
|
||||
auto_detect:
|
||||
pass_if: "service limit review mentioned in deployment plan"
|
||||
gap_if: "no service limit review planned"
|
||||
severity: LOW
|
||||
applies_when: always
|
||||
|
||||
- id: REL-SCL-003
|
||||
name: "Capacity reservations"
|
||||
description: "Capacity reservations for critical workloads"
|
||||
auto_detect:
|
||||
pass_if: "capacity reservations specified for critical compute"
|
||||
gap_if: "critical production workloads without capacity reservations"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_critical_workloads"
|
||||
|
||||
- name: "Fault-Tolerant Networking"
|
||||
id: fault_tolerant_networking
|
||||
checks:
|
||||
- id: REL-NET-001
|
||||
name: "Redundant FastConnect"
|
||||
description: "Redundant FastConnect circuits (2 virtual circuits, different physical paths)"
|
||||
auto_detect:
|
||||
pass_if: "dual FastConnect circuits on diverse paths"
|
||||
gap_if: "single FastConnect circuit without redundancy"
|
||||
severity: HIGH
|
||||
applies_when: "has_fastconnect"
|
||||
|
||||
- id: REL-NET-002
|
||||
name: "VPN backup for FastConnect"
|
||||
description: "VPN as backup if FastConnect is primary"
|
||||
auto_detect:
|
||||
pass_if: "IPSec VPN configured as FastConnect backup"
|
||||
gap_if: "FastConnect without VPN backup"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_fastconnect"
|
||||
|
||||
- id: REL-NET-003
|
||||
name: "Redundant DRG tunnels"
|
||||
description: "DRG with redundant tunnels"
|
||||
auto_detect:
|
||||
pass_if: "DRG configured with redundant IPSec tunnels"
|
||||
gap_if: "DRG with single tunnel"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_drg"
|
||||
|
||||
- id: REL-NET-004
|
||||
name: "Load Balancer health checks"
|
||||
description: "Load Balancer health checks configured"
|
||||
auto_detect:
|
||||
pass_if: "health check policies defined on load balancers"
|
||||
gap_if: "load balancers without health checks"
|
||||
severity: HIGH
|
||||
applies_when: "has_load_balancers"
|
||||
|
||||
- id: REL-NET-005
|
||||
name: "Multi-AD/FD compute placement"
|
||||
description: "Multiple ADs or FDs used for compute placement"
|
||||
auto_detect:
|
||||
pass_if: "compute instances distributed across ADs or FDs"
|
||||
gap_if: "all compute in single AD/FD"
|
||||
severity: HIGH
|
||||
applies_when: "has_production_compute"
|
||||
|
||||
- name: "Data Backup"
|
||||
id: data_backup
|
||||
checks:
|
||||
- id: REL-BAK-001
|
||||
name: "Automated database backups"
|
||||
description: "Automated backups enabled for all databases"
|
||||
auto_detect:
|
||||
pass_if: "automated backup configured for all database services"
|
||||
gap_if: "any database without automated backup"
|
||||
severity: HIGH
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: REL-BAK-002
|
||||
name: "Backup retention policy"
|
||||
description: "Backup retention policy defined and documented"
|
||||
auto_detect:
|
||||
pass_if: "backup retention periods specified"
|
||||
gap_if: "no backup retention policy defined"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: REL-BAK-003
|
||||
name: "Block Volume backups"
|
||||
description: "Block Volume backups scheduled"
|
||||
auto_detect:
|
||||
pass_if: "block volume backup policies configured"
|
||||
gap_if: "block volumes without backup schedules"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_block_volumes"
|
||||
|
||||
- id: REL-BAK-004
|
||||
name: "Cross-region backup copy"
|
||||
description: "Cross-region backup copy for critical data"
|
||||
auto_detect:
|
||||
pass_if: "cross-region backup replication configured"
|
||||
gap_if: "critical data without cross-region backup"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_critical_data"
|
||||
|
||||
- id: REL-BAK-005
|
||||
name: "Boot volume backups"
|
||||
description: "Boot volume backups for compute instances"
|
||||
auto_detect:
|
||||
pass_if: "boot volume backup policies configured"
|
||||
gap_if: "compute instances without boot volume backups"
|
||||
severity: LOW
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- name: "Data Replication"
|
||||
id: data_replication
|
||||
checks:
|
||||
- id: REL-REP-001
|
||||
name: "Data Guard / ADG"
|
||||
description: "Data Guard (or ADG for ADB) configured for HA databases"
|
||||
auto_detect:
|
||||
pass_if: "Data Guard or Autonomous Data Guard configured"
|
||||
gap_if: "production databases without HA replication"
|
||||
severity: HIGH
|
||||
applies_when: "has_production_databases"
|
||||
|
||||
- id: REL-REP-002
|
||||
name: "RPO/RTO documented"
|
||||
description: "RPO/RTO documented and validated with actual testing"
|
||||
auto_detect:
|
||||
pass_if: "RPO and RTO targets defined with validation plan"
|
||||
gap_if: "no RPO/RTO targets documented"
|
||||
severity: HIGH
|
||||
applies_when: "has_production_workloads"
|
||||
|
||||
- id: REL-REP-003
|
||||
name: "Cross-region Object Storage replication"
|
||||
description: "Cross-region replication for Object Storage"
|
||||
auto_detect:
|
||||
pass_if: "Object Storage replication configured to DR region"
|
||||
gap_if: "critical object storage without cross-region replication"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_critical_object_storage"
|
||||
|
||||
- name: "Disaster Recovery"
|
||||
id: disaster_recovery
|
||||
checks:
|
||||
- id: REL-DR-001
|
||||
name: "DR region identified"
|
||||
description: "DR region identified and provisioned"
|
||||
auto_detect:
|
||||
pass_if: "DR region specified in architecture"
|
||||
gap_if: "no DR region identified"
|
||||
severity: HIGH
|
||||
applies_when: "requires_dr"
|
||||
|
||||
- id: REL-DR-002
|
||||
name: "DR architecture documented"
|
||||
description: "DR architecture documented with switchover/failover procedures"
|
||||
auto_detect:
|
||||
pass_if: "DR runbook with switchover/failover procedures defined"
|
||||
gap_if: "no DR procedures documented"
|
||||
severity: HIGH
|
||||
applies_when: "requires_dr"
|
||||
|
||||
- id: REL-DR-003
|
||||
name: "DR drill schedule"
|
||||
description: "DR drill schedule defined (quarterly minimum)"
|
||||
auto_detect:
|
||||
pass_if: "DR drill schedule defined"
|
||||
gap_if: "no DR drill schedule"
|
||||
severity: MEDIUM
|
||||
applies_when: "requires_dr"
|
||||
|
||||
- id: REL-DR-004
|
||||
name: "DNS failover"
|
||||
description: "DNS failover or traffic management configured"
|
||||
auto_detect:
|
||||
pass_if: "OCI Traffic Management or DNS failover configured"
|
||||
gap_if: "no automated DNS failover for DR"
|
||||
severity: MEDIUM
|
||||
applies_when: "requires_dr"
|
||||
|
||||
- id: REL-DR-005
|
||||
name: "Application tier DR"
|
||||
description: "Application tier DR strategy (pre-provisioned, Terraform-on-demand, or pilot light)"
|
||||
auto_detect:
|
||||
pass_if: "application DR strategy defined and documented"
|
||||
gap_if: "no application tier DR strategy"
|
||||
severity: HIGH
|
||||
applies_when: "requires_dr"
|
||||
324
kb/well-architected/security-compliance.yaml
Normal file
324
kb/well-architected/security-compliance.yaml
Normal file
@@ -0,0 +1,324 @@
|
||||
# OCI Well-Architected Framework — Pillar 1: Security and Compliance
|
||||
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
|
||||
pillar:
|
||||
name: "Security and Compliance"
|
||||
id: security_compliance
|
||||
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
|
||||
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
|
||||
|
||||
categories:
|
||||
- name: "Identity & Access"
|
||||
id: identity_access
|
||||
checks:
|
||||
- id: SEC-IAM-001
|
||||
name: "Least-privilege IAM policies"
|
||||
description: "IAM policies follow least-privilege (not using broad 'manage all-resources')"
|
||||
auto_detect:
|
||||
pass_if: "architecture specifies granular IAM policies per compartment/service"
|
||||
gap_if: "no IAM policy strategy defined or broad permissions used"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-IAM-002
|
||||
name: "MFA for human users"
|
||||
description: "MFA enabled for all human users"
|
||||
auto_detect:
|
||||
pass_if: "MFA is specified in identity configuration"
|
||||
gap_if: "no MFA mentioned in identity setup"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-IAM-003
|
||||
name: "Tenancy admin restricted"
|
||||
description: "Tenancy admin account NOT used for day-to-day operations"
|
||||
auto_detect:
|
||||
pass_if: "separate admin groups defined for operations"
|
||||
gap_if: "no mention of admin account restrictions"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-IAM-004
|
||||
name: "Instance/resource principals"
|
||||
description: "Service accounts use instance principals or resource principals, not stored credentials"
|
||||
auto_detect:
|
||||
pass_if: "instance principals or resource principals specified for service-to-service auth"
|
||||
gap_if: "stored credentials or API keys used for service accounts"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-IAM-005
|
||||
name: "Multiple Identity Domains"
|
||||
description: "Multiple Identity Domains if multi-tenant or multi-environment"
|
||||
auto_detect:
|
||||
pass_if: "multiple identity domains defined"
|
||||
gap_if: "single identity domain for multi-tenant setup"
|
||||
severity: MEDIUM
|
||||
applies_when: "multi_tenant or multi_environment"
|
||||
|
||||
- id: SEC-IAM-006
|
||||
name: "IdP Federation"
|
||||
description: "Federation configured with customer's IdP (AD, Okta, SAML)"
|
||||
auto_detect:
|
||||
pass_if: "federation with external IdP configured"
|
||||
gap_if: "no IdP federation mentioned when enterprise customer"
|
||||
severity: MEDIUM
|
||||
applies_when: "enterprise_customer"
|
||||
|
||||
- name: "Resource Isolation"
|
||||
id: resource_isolation
|
||||
checks:
|
||||
- id: SEC-ISO-001
|
||||
name: "Compartment organization"
|
||||
description: "Compartments organized by workload/environment (not flat)"
|
||||
auto_detect:
|
||||
pass_if: "hierarchical compartment structure defined"
|
||||
gap_if: "flat compartment structure or no compartment strategy"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-ISO-002
|
||||
name: "Tagging strategy"
|
||||
description: "Tags defined for cost tracking, environment, owner"
|
||||
auto_detect:
|
||||
pass_if: "defined tag namespaces with cost, environment, and owner tags"
|
||||
gap_if: "no tagging strategy defined"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-ISO-003
|
||||
name: "Security Zones"
|
||||
description: "Security Zones enabled for production compartments"
|
||||
auto_detect:
|
||||
pass_if: "Security Zones configured for production compartments"
|
||||
gap_if: "no Security Zones for production workloads"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_production_workloads"
|
||||
|
||||
- id: SEC-ISO-004
|
||||
name: "Resource principal for cross-resource access"
|
||||
description: "Cross-resource access uses resource principals, not user credentials"
|
||||
auto_detect:
|
||||
pass_if: "resource principals used for cross-service access"
|
||||
gap_if: "user credentials used for cross-resource access"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- name: "Database Security"
|
||||
id: database_security
|
||||
checks:
|
||||
- id: SEC-DB-001
|
||||
name: "Databases in private subnets"
|
||||
description: "Databases in private subnets only"
|
||||
auto_detect:
|
||||
pass_if: "all database services placed in private subnets"
|
||||
gap_if: "any database accessible from public subnet"
|
||||
severity: HIGH
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: SEC-DB-002
|
||||
name: "TDE with customer-managed keys"
|
||||
description: "TDE enabled with customer-managed keys (OCI Vault)"
|
||||
auto_detect:
|
||||
pass_if: "TDE with OCI Vault customer-managed keys specified"
|
||||
gap_if: "Oracle-managed keys or no encryption key management specified"
|
||||
severity: HIGH
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: SEC-DB-003
|
||||
name: "Key rotation policy"
|
||||
description: "Key rotation < 90 days"
|
||||
auto_detect:
|
||||
pass_if: "key rotation policy defined with < 90 day interval"
|
||||
gap_if: "no key rotation policy or > 90 day interval"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: SEC-DB-004
|
||||
name: "Data Safe enabled"
|
||||
description: "Data Safe enabled (audit, masking, VPD assessment)"
|
||||
auto_detect:
|
||||
pass_if: "Data Safe configured for database security assessment"
|
||||
gap_if: "Data Safe not included in architecture"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: SEC-DB-005
|
||||
name: "Private endpoints for ADB"
|
||||
description: "Private endpoints for Autonomous Database"
|
||||
auto_detect:
|
||||
pass_if: "Autonomous Database configured with private endpoints"
|
||||
gap_if: "Autonomous Database using public endpoints"
|
||||
severity: HIGH
|
||||
applies_when: "has_autonomous_database"
|
||||
|
||||
- id: SEC-DB-006
|
||||
name: "Restricted DELETE permissions"
|
||||
description: "DELETE permissions restricted to minimal users/groups"
|
||||
auto_detect:
|
||||
pass_if: "explicit restriction on DELETE permissions documented"
|
||||
gap_if: "no mention of DELETE permission restrictions"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_databases"
|
||||
|
||||
- id: SEC-DB-007
|
||||
name: "Database security patches"
|
||||
description: "Database security patches applied (CPU/PSU)"
|
||||
auto_detect:
|
||||
pass_if: "patching strategy defined for databases"
|
||||
gap_if: "no database patching strategy"
|
||||
severity: HIGH
|
||||
applies_when: "has_databases"
|
||||
|
||||
- name: "Data Protection"
|
||||
id: data_protection
|
||||
checks:
|
||||
- id: SEC-DAT-001
|
||||
name: "Encryption at rest"
|
||||
description: "Encryption at rest for all storage (Block, File, Object)"
|
||||
auto_detect:
|
||||
pass_if: "encryption at rest specified for all storage services"
|
||||
gap_if: "any storage service without encryption at rest"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-DAT-002
|
||||
name: "OCI Vault key management"
|
||||
description: "Keys managed in OCI Vault (not Oracle-managed)"
|
||||
auto_detect:
|
||||
pass_if: "OCI Vault specified for key management"
|
||||
gap_if: "using Oracle-managed keys or no key management strategy"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-DAT-003
|
||||
name: "No public Object Storage"
|
||||
description: "Object Storage buckets not publicly accessible"
|
||||
auto_detect:
|
||||
pass_if: "Object Storage buckets configured as private"
|
||||
gap_if: "any Object Storage bucket publicly accessible without justification"
|
||||
severity: HIGH
|
||||
applies_when: "has_object_storage"
|
||||
|
||||
- id: SEC-DAT-004
|
||||
name: "Retention rules"
|
||||
description: "Retention rules on critical buckets"
|
||||
auto_detect:
|
||||
pass_if: "retention rules configured for critical data buckets"
|
||||
gap_if: "no retention rules on critical data"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_critical_data_in_object_storage"
|
||||
|
||||
- name: "Network Security"
|
||||
id: network_security
|
||||
checks:
|
||||
- id: SEC-NET-001
|
||||
name: "NSGs over Security Lists"
|
||||
description: "NSGs preferred over Security Lists for fine-grained control"
|
||||
auto_detect:
|
||||
pass_if: "NSGs used as primary network security mechanism"
|
||||
gap_if: "only Security Lists used without NSGs"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-NET-002
|
||||
name: "No default SSH from anywhere"
|
||||
description: "Default security list modified (no SSH from 0.0.0.0/0)"
|
||||
auto_detect:
|
||||
pass_if: "SSH access restricted to specific CIDR ranges or bastion"
|
||||
gap_if: "SSH open to 0.0.0.0/0"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-NET-003
|
||||
name: "WAF on internet-facing endpoints"
|
||||
description: "WAF on all internet-facing endpoints"
|
||||
auto_detect:
|
||||
pass_if: "WAF configured for all internet-facing services"
|
||||
gap_if: "internet-facing endpoints without WAF"
|
||||
severity: HIGH
|
||||
applies_when: "has_internet_facing_services"
|
||||
|
||||
- id: SEC-NET-004
|
||||
name: "Service Gateway"
|
||||
description: "Service Gateway for OCI service access (no internet traversal)"
|
||||
auto_detect:
|
||||
pass_if: "Service Gateway configured in VCN"
|
||||
gap_if: "OCI services accessed via internet gateway"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-NET-005
|
||||
name: "Network Firewall"
|
||||
description: "Network Firewall for hub VCN if required"
|
||||
auto_detect:
|
||||
pass_if: "Network Firewall deployed in hub VCN"
|
||||
gap_if: "no Network Firewall in hub-spoke topology requiring deep packet inspection"
|
||||
severity: LOW
|
||||
applies_when: "hub_spoke_topology"
|
||||
|
||||
- id: SEC-NET-006
|
||||
name: "TLS on Load Balancers"
|
||||
description: "Load Balancers with TLS termination"
|
||||
auto_detect:
|
||||
pass_if: "TLS termination configured on load balancers"
|
||||
gap_if: "load balancers without TLS"
|
||||
severity: HIGH
|
||||
applies_when: "has_load_balancers"
|
||||
|
||||
- id: SEC-NET-007
|
||||
name: "Zero Trust Packet Routing"
|
||||
description: "Zero Trust Packet Routing considered for sensitive workloads"
|
||||
auto_detect:
|
||||
pass_if: "ZTPR evaluated or configured"
|
||||
gap_if: "ZTPR not considered for sensitive workloads"
|
||||
severity: LOW
|
||||
applies_when: "has_sensitive_workloads"
|
||||
|
||||
- name: "Monitoring & Audit"
|
||||
id: monitoring_audit
|
||||
checks:
|
||||
- id: SEC-MON-001
|
||||
name: "Cloud Guard enabled"
|
||||
description: "Cloud Guard enabled with detector and responder recipes"
|
||||
auto_detect:
|
||||
pass_if: "Cloud Guard configured with appropriate recipes"
|
||||
gap_if: "Cloud Guard not included in architecture"
|
||||
severity: HIGH
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-MON-002
|
||||
name: "OCI Audit enabled"
|
||||
description: "OCI Audit service enabled"
|
||||
auto_detect:
|
||||
pass_if: "Audit service enabled (enabled by default, verify retention)"
|
||||
gap_if: "audit service not mentioned or retention not configured"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-MON-003
|
||||
name: "VCN Flow Logs"
|
||||
description: "VCN Flow Logs enabled"
|
||||
auto_detect:
|
||||
pass_if: "VCN Flow Logs enabled for critical subnets"
|
||||
gap_if: "no VCN Flow Logs configured"
|
||||
severity: MEDIUM
|
||||
applies_when: always
|
||||
|
||||
- id: SEC-MON-004
|
||||
name: "Vulnerability Scanning"
|
||||
description: "Vulnerability Scanning enabled"
|
||||
auto_detect:
|
||||
pass_if: "OCI Vulnerability Scanning configured for compute instances"
|
||||
gap_if: "no vulnerability scanning in architecture"
|
||||
severity: MEDIUM
|
||||
applies_when: "has_compute_instances"
|
||||
|
||||
- id: SEC-MON-005
|
||||
name: "SIEM integration"
|
||||
description: "Logs aggregated to SIEM if enterprise requirement"
|
||||
auto_detect:
|
||||
pass_if: "SIEM integration configured or Logging Analytics used"
|
||||
gap_if: "no centralized log aggregation for enterprise workload"
|
||||
severity: MEDIUM
|
||||
applies_when: "enterprise_customer"
|
||||
Reference in New Issue
Block a user