initial version

This commit is contained in:
2026-03-18 18:03:44 -03:00
commit 9d269e902b
136 changed files with 28175 additions and 0 deletions

View File

@@ -0,0 +1,131 @@
# OCI Well-Architected Framework — Pillar 5: Distributed Cloud
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html
pillar:
name: "Distributed Cloud"
id: distributed_cloud
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html"
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html"
conditional: true
applies_when: "multi_region OR hybrid_cloud OR multicloud OR data_residency_requirements OR sovereign_requirements"
categories:
- name: "Deployment Strategy"
id: dc_deployment_strategy
checks:
- id: DC-DEP-001
name: "Deployment model selected"
description: "Appropriate deployment model selected (public, dedicated, hybrid, multicloud)"
auto_detect:
pass_if: "deployment model explicitly chosen with justification"
gap_if: "no explicit deployment model decision"
severity: HIGH
applies_when: "distributed_cloud_applicable"
- id: DC-DEP-002
name: "Data residency mapping"
description: "Data residency requirements mapped to region selection"
auto_detect:
pass_if: "data residency requirements documented with region mapping"
gap_if: "data residency requirements exist but no region mapping"
severity: HIGH
applies_when: "has_data_residency_requirements"
- id: DC-DEP-003
name: "Sovereign/Dedicated Region"
description: "Sovereign Cloud or Dedicated Region considered if required"
auto_detect:
pass_if: "Sovereign Cloud or Dedicated Region evaluated"
gap_if: "sovereignty requirements exist without cloud model evaluation"
severity: HIGH
applies_when: "has_sovereign_requirements"
- name: "Integration Across Environments"
id: dc_integration
checks:
- id: DC-INT-001
name: "Consistent IAM"
description: "Consistent IAM across all locations"
auto_detect:
pass_if: "unified IAM strategy across all deployment locations"
gap_if: "separate, uncoordinated IAM in different locations"
severity: HIGH
applies_when: "distributed_cloud_applicable"
- id: DC-INT-002
name: "Data synchronization"
description: "Data synchronization strategy between sites"
auto_detect:
pass_if: "data sync strategy defined (replication, ETL, streaming)"
gap_if: "no data synchronization strategy between sites"
severity: HIGH
applies_when: "distributed_cloud_applicable"
- id: DC-INT-003
name: "Cross-environment networking"
description: "Network connectivity between environments (FastConnect, VPN, DRG)"
auto_detect:
pass_if: "network connectivity defined between all environments"
gap_if: "no network connectivity plan between environments"
severity: HIGH
applies_when: "distributed_cloud_applicable"
- name: "Compliance & Sovereignty"
id: dc_compliance
checks:
- id: DC-CMP-001
name: "Data residency laws"
description: "Regional data residency laws addressed"
auto_detect:
pass_if: "applicable data residency laws identified and addressed"
gap_if: "data residency laws not evaluated"
severity: HIGH
applies_when: "has_data_residency_requirements"
- id: DC-CMP-002
name: "Encryption key locality"
description: "Encryption key locality requirements met"
auto_detect:
pass_if: "encryption keys stored in required jurisdictions"
gap_if: "key locality requirements not addressed"
severity: HIGH
applies_when: "has_data_residency_requirements"
- id: DC-CMP-003
name: "Cross-environment audit"
description: "Audit trail spans all environments"
auto_detect:
pass_if: "unified audit across all deployment locations"
gap_if: "audit gaps between environments"
severity: MEDIUM
applies_when: "distributed_cloud_applicable"
- name: "Unified Operations"
id: dc_operations
checks:
- id: DC-OPS-001
name: "Single pane of glass"
description: "Single pane of glass monitoring across environments"
auto_detect:
pass_if: "centralized monitoring spanning all environments"
gap_if: "separate monitoring per environment"
severity: MEDIUM
applies_when: "distributed_cloud_applicable"
- id: DC-OPS-002
name: "IaC consistency"
description: "IaC consistency across all deployment targets"
auto_detect:
pass_if: "same IaC tooling and patterns across all environments"
gap_if: "different IaC approaches in different environments"
severity: MEDIUM
applies_when: "distributed_cloud_applicable"
- id: DC-OPS-003
name: "Operations feedback loop"
description: "Feedback loop from operations to design"
auto_detect:
pass_if: "operational feedback process defined"
gap_if: "no formal feedback loop from operations to architecture"
severity: LOW
applies_when: "distributed_cloud_applicable"

View File

@@ -0,0 +1,115 @@
# OCI Well-Architected Framework — Landing Zone Patterns
# Reference: https://docs.oracle.com/en/solutions/cis-oci-benchmark/
landing_zones:
- name: "CIS OCI Landing Zone"
id: cis_landing_zone
description: "CIS Benchmark-aligned landing zone with security best practices baked in"
reference: "https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart"
use_when:
- "Enterprise customers requiring CIS compliance"
- "Greenfield OCI deployments"
- "Customers with regulatory requirements"
provides:
compartments:
- name: "Network"
purpose: "Hub VCN, DRG, FastConnect, VPN"
- name: "Security"
purpose: "Cloud Guard, Vault, Bastion, VSS"
- name: "AppDev"
purpose: "Application workloads, OKE, Functions"
- name: "Database"
purpose: "Database services, Data Safe"
- name: "ExaCS"
purpose: "Exadata Cloud Service (if applicable)"
networking:
- "Hub-spoke VCN topology via DRG"
- "Service Gateway for OCI service access"
- "NAT Gateway for outbound internet"
- "Bastion service for secure access"
- "NSGs for fine-grained network security"
identity:
- "Break-glass admin account"
- "Separation of duties (network, security, appdev admins)"
- "Least-privilege IAM policies"
- "Dynamic groups for instance principals"
security:
- "Cloud Guard with default recipes"
- "Security Zones for production"
- "VCN Flow Logs enabled"
- "OCI Vault for key management"
- "Vulnerability Scanning service"
governance:
- "Defined tags for cost tracking"
- "Budgets per compartment"
- "Notification topics for events"
- name: "Oracle Enterprise Landing Zone"
id: oelz
description: "Multi-environment enterprise landing zone with full lifecycle management"
reference: "https://github.com/oracle-quickstart/terraform-oci-open-lz"
use_when:
- "Large enterprise deployments"
- "Multi-workload environments"
- "Customers needing full environment isolation"
provides:
compartments:
- name: "Shared Infrastructure"
purpose: "Common services, networking hub, security"
- name: "Production"
purpose: "Production workloads with Security Zones"
- name: "Non-Production"
purpose: "Dev, test, staging environments"
- name: "Logging"
purpose: "Centralized logging and audit"
networking:
- "Hub VCN with Network Firewall option"
- "Spoke VCNs per workload/environment"
- "DRG for transit routing"
- "DNS views per environment"
identity:
- "Multiple Identity Domains"
- "Federated authentication"
- "Role-based access control"
security:
- "Cloud Guard with custom recipes"
- "Security Zones"
- "WAF integration"
- "Data Safe"
- name: "Minimal Landing Zone"
id: minimal_lz
description: "Lightweight landing zone for POCs, small workloads, or single-application deployments"
use_when:
- "Proof of concept"
- "Small workloads (< 10 resources)"
- "Single application deployment"
- "Developer sandbox"
provides:
compartments:
- name: "Workload"
purpose: "All resources for the workload"
networking:
- "Single VCN"
- "Public and private subnets"
- "Internet Gateway + NAT Gateway"
- "Service Gateway"
identity:
- "Basic IAM policies"
- "Instance principals for compute"
security:
- "Cloud Guard (default)"
- "Default encryption"
selection_criteria:
- condition: "regulatory_compliance OR enterprise_customer"
recommendation: "cis_landing_zone"
rationale: "CIS compliance provides strong security baseline and meets audit requirements"
- condition: "multi_environment AND large_enterprise"
recommendation: "oelz"
rationale: "Full environment isolation with centralized governance"
- condition: "poc OR small_workload OR single_application"
recommendation: "minimal_lz"
rationale: "Fast deployment without over-engineering; can upgrade to CIS later"

View File

@@ -0,0 +1,174 @@
# OCI Well-Architected Framework — Pillar 4: Operational Efficiency
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
pillar:
name: "Operational Efficiency"
id: operational_efficiency
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html"
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html"
categories:
- name: "Deployment Strategy"
id: deployment_strategy
checks:
- id: OPS-DEP-001
name: "Infrastructure as Code"
description: "Infrastructure as Code (Terraform, Resource Manager) for all resources"
auto_detect:
pass_if: "Terraform or Resource Manager specified for infrastructure provisioning"
gap_if: "no IaC strategy specified"
severity: HIGH
applies_when: always
- id: OPS-DEP-002
name: "CI/CD pipeline"
description: "CI/CD pipeline defined for application deployment"
auto_detect:
pass_if: "CI/CD pipeline specified (OCI DevOps, Jenkins, GitLab, etc.)"
gap_if: "no CI/CD pipeline defined"
severity: MEDIUM
applies_when: "has_application_workloads"
- id: OPS-DEP-003
name: "Deployment strategy"
description: "Blue/green or canary deployment strategy for production changes"
auto_detect:
pass_if: "deployment strategy (blue/green, canary, rolling) defined"
gap_if: "no deployment strategy for production changes"
severity: MEDIUM
applies_when: "has_production_applications"
- id: OPS-DEP-004
name: "Environment parity"
description: "Environment parity (dev/staging/prod use same IaC templates)"
auto_detect:
pass_if: "same IaC templates used across environments with variable overrides"
gap_if: "different provisioning methods across environments"
severity: MEDIUM
applies_when: "has_multiple_environments"
- name: "Workload Monitoring"
id: workload_monitoring
checks:
- id: OPS-MON-001
name: "OCI Monitoring alarms"
description: "OCI Monitoring alarms configured for key metrics"
auto_detect:
pass_if: "monitoring alarms defined for CPU, memory, disk, network"
gap_if: "no monitoring alarms configured"
severity: HIGH
applies_when: always
- id: OPS-MON-002
name: "Custom application metrics"
description: "Custom metrics for application-specific KPIs"
auto_detect:
pass_if: "custom metrics defined for application performance"
gap_if: "no application-level monitoring beyond infrastructure metrics"
severity: MEDIUM
applies_when: "has_application_workloads"
- id: OPS-MON-003
name: "Logging Analytics"
description: "Logging Analytics for centralized log analysis"
auto_detect:
pass_if: "OCI Logging Analytics configured"
gap_if: "no centralized log analysis solution"
severity: MEDIUM
applies_when: always
- id: OPS-MON-004
name: "APM configured"
description: "APM configured for application tracing"
auto_detect:
pass_if: "OCI APM or third-party APM configured"
gap_if: "no application performance monitoring"
severity: LOW
applies_when: "has_application_workloads"
- id: OPS-MON-005
name: "Database Management"
description: "Database Management enabled for DB performance monitoring"
auto_detect:
pass_if: "OCI Database Management service enabled"
gap_if: "databases without performance monitoring"
severity: MEDIUM
applies_when: "has_databases"
- id: OPS-MON-006
name: "Ops Insights"
description: "Ops Insights for capacity planning"
auto_detect:
pass_if: "Ops Insights configured for capacity planning"
gap_if: "no capacity planning solution"
severity: LOW
applies_when: "has_production_workloads"
- name: "OS Management"
id: os_management
checks:
- id: OPS-OSM-001
name: "OS Management Hub"
description: "OS Management Hub for patch management"
auto_detect:
pass_if: "OS Management Hub configured for compute fleet"
gap_if: "no automated OS patch management"
severity: MEDIUM
applies_when: "has_compute_instances"
- id: OPS-OSM-002
name: "Automated patching schedule"
description: "Automated patching schedule for compute instances"
auto_detect:
pass_if: "patching schedule defined with maintenance windows"
gap_if: "no patching schedule for compute instances"
severity: MEDIUM
applies_when: "has_compute_instances"
- id: OPS-OSM-003
name: "Vulnerability remediation SLA"
description: "Vulnerability remediation SLA defined"
auto_detect:
pass_if: "vulnerability remediation timelines defined by severity"
gap_if: "no vulnerability remediation SLA"
severity: MEDIUM
applies_when: "has_compute_instances"
- name: "Operations Support"
id: operations_support
checks:
- id: OPS-SUP-001
name: "Support plan level"
description: "Support plan level appropriate for workload criticality"
auto_detect:
pass_if: "Oracle support plan level specified and matches criticality"
gap_if: "no support plan consideration"
severity: LOW
applies_when: always
- id: OPS-SUP-002
name: "Notification topics"
description: "Notification topics configured for operational events"
auto_detect:
pass_if: "OCI Notifications configured for operational events"
gap_if: "no notification configuration"
severity: MEDIUM
applies_when: always
- id: OPS-SUP-003
name: "Operational runbooks"
description: "Runbooks documented for common operational procedures"
auto_detect:
pass_if: "operational runbooks planned or documented"
gap_if: "no operational runbooks"
severity: LOW
applies_when: "has_production_workloads"
- id: OPS-SUP-004
name: "Automated remediation"
description: "OCI Events + Functions for automated remediation"
auto_detect:
pass_if: "event-driven automation configured for common issues"
gap_if: "no automated remediation"
severity: LOW
applies_when: "has_production_workloads"

View File

@@ -0,0 +1,156 @@
# OCI Well-Architected Framework — Pillar 3: Performance and Cost Optimization
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
pillar:
name: "Performance and Cost Optimization"
id: performance_cost
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/index.html"
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/index.html"
categories:
- name: "Compute Sizing"
id: compute_sizing
checks:
- id: PERF-CMP-001
name: "Right-sized shapes"
description: "Shapes selected based on workload profile (not over-provisioned)"
auto_detect:
pass_if: "compute shapes justified by workload requirements"
gap_if: "shapes selected without workload sizing analysis"
severity: MEDIUM
applies_when: "has_compute_instances"
- id: PERF-CMP-002
name: "Flex shapes used"
description: "Flex shapes used where possible (pay for what you use)"
auto_detect:
pass_if: "flex shapes specified for variable workloads"
gap_if: "fixed shapes used where flex would be more cost-effective"
severity: LOW
applies_when: "has_compute_instances"
- id: PERF-CMP-003
name: "Burstable for dev/test"
description: "Burstable instances considered for dev/test"
auto_detect:
pass_if: "burstable or preemptible instances for non-production"
gap_if: "production-grade shapes used for dev/test"
severity: LOW
applies_when: "has_dev_test_environments"
- id: PERF-CMP-004
name: "ARM (Ampere) considered"
description: "ARM (Ampere) considered for compatible workloads (better price/performance)"
auto_detect:
pass_if: "Ampere (A1/A2) shapes evaluated for compatible workloads"
gap_if: "x86 shapes used where ARM would provide better price/performance"
severity: LOW
applies_when: "has_compute_instances"
- name: "Storage Strategy"
id: storage_strategy
checks:
- id: PERF-STR-001
name: "Storage tier matches access pattern"
description: "Storage tier matches access pattern (Standard, Infrequent Access, Archive)"
auto_detect:
pass_if: "storage tiers aligned with data access frequency"
gap_if: "all data on Standard tier without tiering analysis"
severity: MEDIUM
applies_when: "has_object_storage"
- id: PERF-STR-002
name: "Block Volume performance tier"
description: "Block Volume performance tier matches IOPS needs"
auto_detect:
pass_if: "block volume performance tier matches documented IOPS requirements"
gap_if: "block volume tier not aligned with workload IOPS needs"
severity: MEDIUM
applies_when: "has_block_volumes"
- id: PERF-STR-003
name: "Object Storage auto-tiering"
description: "Auto-tiering enabled for Object Storage where applicable"
auto_detect:
pass_if: "auto-tiering configured for applicable buckets"
gap_if: "large object storage without auto-tiering evaluation"
severity: LOW
applies_when: "has_large_object_storage"
- name: "Network Tuning"
id: network_tuning
checks:
- id: PERF-NET-001
name: "Right-sized bandwidth"
description: "Bandwidth provisioned matches actual needs (not over-provisioned FastConnect)"
auto_detect:
pass_if: "FastConnect bandwidth justified by traffic analysis"
gap_if: "bandwidth provisioned without traffic analysis"
severity: MEDIUM
applies_when: "has_fastconnect"
- id: PERF-NET-002
name: "LB type justified"
description: "Network Load Balancer vs. Flexible Load Balancer decision justified"
auto_detect:
pass_if: "load balancer type selection documented with rationale"
gap_if: "load balancer type chosen without justification"
severity: LOW
applies_when: "has_load_balancers"
- name: "Cost Management"
id: cost_management
checks:
- id: PERF-CST-001
name: "BYOL analysis"
description: "BYOL vs. License Included analysis done"
auto_detect:
pass_if: "BYOL vs. License Included comparison documented"
gap_if: "licensing model chosen without analysis"
severity: HIGH
applies_when: "has_oracle_licensed_services"
- id: PERF-CST-002
name: "Reserved capacity considered"
description: "Reserved capacity considered for stable workloads (1-year or 3-year)"
auto_detect:
pass_if: "reserved capacity evaluated for stable production workloads"
gap_if: "all on-demand pricing for stable workloads"
severity: MEDIUM
applies_when: "has_stable_production_workloads"
- id: PERF-CST-003
name: "Budgets and cost alerts"
description: "Budgets and cost alerts configured per compartment"
auto_detect:
pass_if: "OCI Budgets configured with alert thresholds"
gap_if: "no budget alerts configured"
severity: MEDIUM
applies_when: always
- id: PERF-CST-004
name: "Cost attribution tagging"
description: "Tagging strategy enables cost attribution"
auto_detect:
pass_if: "cost-tracking tags defined and enforced"
gap_if: "no cost attribution tagging strategy"
severity: MEDIUM
applies_when: always
- id: PERF-CST-005
name: "Auto-scaling cost controls"
description: "Auto-scaling min/max configured to prevent runaway costs"
auto_detect:
pass_if: "auto-scaling policies include max limits"
gap_if: "auto-scaling without upper bounds"
severity: MEDIUM
applies_when: "has_auto_scaling"
- id: PERF-CST-006
name: "Non-prod optimization"
description: "Non-production environments use smaller shapes or are scheduled off"
auto_detect:
pass_if: "non-prod environments use reduced shapes or have schedules"
gap_if: "non-prod environments running same shapes as production 24/7"
severity: LOW
applies_when: "has_dev_test_environments"

View File

@@ -0,0 +1,156 @@
# OCI Well-Architected Framework — Personas and Role-to-Pillar Mapping
# Used to target Deal Accelerator outputs to the right audience
personas:
- name: "Cloud Architect"
id: cloud_architect
description: "Responsible for overall cloud architecture design and implementation"
primary_pillars:
- reliability_resilience
- security_compliance
- operational_efficiency
output_emphasis:
- "Full architecture diagram with all service interactions"
- "ADRs for all major design decisions"
- "Reliability and HA patterns"
- "Operational readiness checklist"
scorecard_focus:
lead_with: "Overall architecture health"
highlight_gaps: ["HIGH severity across all pillars"]
de_emphasize: ["LOW severity cost optimizations"]
- name: "Security Architect"
id: security_architect
description: "Responsible for security posture, compliance, and risk management"
primary_pillars:
- security_compliance
output_emphasis:
- "Security scorecard with all checks detailed"
- "IAM policy structure and federation design"
- "Encryption strategy (at-rest, in-transit, key management)"
- "Cloud Guard configuration and detector recipes"
- "Data Safe assessment and recommendations"
- "Network security architecture (NSGs, WAF, Firewall)"
- "Compliance mapping to regulatory requirements"
scorecard_focus:
lead_with: "Security and Compliance pillar"
highlight_gaps: ["All security gaps regardless of severity"]
de_emphasize: ["Performance optimization", "Cost management"]
- name: "Enterprise Architect"
id: enterprise_architect
description: "Responsible for strategic alignment, cost optimization, and enterprise governance"
primary_pillars:
- performance_cost
- distributed_cloud
- operational_efficiency
output_emphasis:
- "TCO analysis with BYOL and reserved capacity"
- "Business case with competitive positioning"
- "Distributed cloud strategy if applicable"
- "Governance model and tagging strategy"
- "Migration roadmap and phasing"
scorecard_focus:
lead_with: "Cost optimization and business alignment"
highlight_gaps: ["Cost management gaps", "Governance gaps"]
de_emphasize: ["Technical implementation details"]
- name: "Network Architect"
id: network_architect
description: "Responsible for network design, connectivity, and security"
primary_pillars:
- security_compliance
- reliability_resilience
output_emphasis:
- "VCN topology with CIDR ranges and subnet design"
- "FastConnect/VPN connectivity with redundancy"
- "DRG routing and transit networking"
- "NSG rules and WAF configuration"
- "DNS and Traffic Management design"
- "Network Firewall placement and rules"
scorecard_focus:
lead_with: "Network security and reliability checks"
highlight_gaps: ["Network-related gaps across all pillars"]
de_emphasize: ["Database security", "Application monitoring"]
- name: "Database Administrator"
id: dba
description: "Responsible for database architecture, performance, and operations"
primary_pillars:
- security_compliance
- reliability_resilience
- performance_cost
output_emphasis:
- "Database service selection rationale"
- "Data Guard / ADG configuration"
- "Backup and recovery strategy"
- "Data Safe configuration"
- "Performance tuning and monitoring"
- "TDE and encryption key management"
scorecard_focus:
lead_with: "Database security and reliability checks"
highlight_gaps: ["Database-related gaps across all pillars"]
de_emphasize: ["Network design", "Compute sizing"]
- name: "DevOps Engineer"
id: devops_engineer
description: "Responsible for CI/CD, IaC, and operational automation"
primary_pillars:
- operational_efficiency
output_emphasis:
- "Terraform module structure and Resource Manager stacks"
- "CI/CD pipeline design (OCI DevOps or third-party)"
- "Deployment strategy (blue/green, canary)"
- "Monitoring and alerting configuration"
- "Automated remediation with Events + Functions"
- "OS Management Hub setup"
scorecard_focus:
lead_with: "Operational Efficiency pillar"
highlight_gaps: ["IaC gaps", "CI/CD gaps", "Monitoring gaps"]
de_emphasize: ["Cost optimization", "Distributed cloud"]
- name: "CTO / VP Engineering"
id: cto
description: "Executive decision maker focused on risk, timeline, and strategic value"
primary_pillars:
- security_compliance
- reliability_resilience
- performance_cost
output_emphasis:
- "Executive summary (1-page)"
- "Risk register with mitigation strategies"
- "Competitive positioning vs AWS/Azure"
- "Implementation timeline with milestones"
- "Cost summary with optimization opportunities"
- "Well-Architected scorecard summary"
scorecard_focus:
lead_with: "Overall status with HIGH severity gaps"
highlight_gaps: ["HIGH severity only"]
de_emphasize: ["Technical implementation details", "LOW severity items"]
- name: "Finance / Procurement"
id: finance
description: "Focused on cost, licensing, and commercial terms"
primary_pillars:
- performance_cost
output_emphasis:
- "Detailed cost breakdown by service"
- "BYOL vs. License Included analysis"
- "Reserved capacity savings (1yr vs 3yr)"
- "Monthly and annual cost projections"
- "Budget configuration per compartment"
- "Comparison with current spend (on-prem or competitor)"
scorecard_focus:
lead_with: "Performance and Cost Optimization pillar"
highlight_gaps: ["Cost-related gaps only"]
de_emphasize: ["All technical pillars"]
# Mapping from political decision drivers to personas
decision_driver_mapping:
technical_leadership: [cloud_architect, cto]
security_focused: [security_architect]
cost_conscious: [enterprise_architect, finance]
operations_focused: [devops_engineer]
database_centric: [dba]
network_focused: [network_architect]
executive_sponsorship: [cto, finance]

View File

@@ -0,0 +1,213 @@
# OCI Well-Architected Framework — Pillar 2: Reliability and Resilience
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html
pillar:
name: "Reliability and Resilience"
id: reliability_resilience
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html"
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html"
categories:
- name: "Scalability"
id: scalability
checks:
- id: REL-SCL-001
name: "Auto-scaling configured"
description: "Auto-scaling configured for variable workloads"
auto_detect:
pass_if: "auto-scaling policies defined for compute or OKE"
gap_if: "variable workloads without auto-scaling"
severity: MEDIUM
applies_when: "has_variable_workloads"
- id: REL-SCL-002
name: "Service limits reviewed"
description: "Service limits reviewed and increased where needed"
auto_detect:
pass_if: "service limit review mentioned in deployment plan"
gap_if: "no service limit review planned"
severity: LOW
applies_when: always
- id: REL-SCL-003
name: "Capacity reservations"
description: "Capacity reservations for critical workloads"
auto_detect:
pass_if: "capacity reservations specified for critical compute"
gap_if: "critical production workloads without capacity reservations"
severity: MEDIUM
applies_when: "has_critical_workloads"
- name: "Fault-Tolerant Networking"
id: fault_tolerant_networking
checks:
- id: REL-NET-001
name: "Redundant FastConnect"
description: "Redundant FastConnect circuits (2 virtual circuits, different physical paths)"
auto_detect:
pass_if: "dual FastConnect circuits on diverse paths"
gap_if: "single FastConnect circuit without redundancy"
severity: HIGH
applies_when: "has_fastconnect"
- id: REL-NET-002
name: "VPN backup for FastConnect"
description: "VPN as backup if FastConnect is primary"
auto_detect:
pass_if: "IPSec VPN configured as FastConnect backup"
gap_if: "FastConnect without VPN backup"
severity: MEDIUM
applies_when: "has_fastconnect"
- id: REL-NET-003
name: "Redundant DRG tunnels"
description: "DRG with redundant tunnels"
auto_detect:
pass_if: "DRG configured with redundant IPSec tunnels"
gap_if: "DRG with single tunnel"
severity: MEDIUM
applies_when: "has_drg"
- id: REL-NET-004
name: "Load Balancer health checks"
description: "Load Balancer health checks configured"
auto_detect:
pass_if: "health check policies defined on load balancers"
gap_if: "load balancers without health checks"
severity: HIGH
applies_when: "has_load_balancers"
- id: REL-NET-005
name: "Multi-AD/FD compute placement"
description: "Multiple ADs or FDs used for compute placement"
auto_detect:
pass_if: "compute instances distributed across ADs or FDs"
gap_if: "all compute in single AD/FD"
severity: HIGH
applies_when: "has_production_compute"
- name: "Data Backup"
id: data_backup
checks:
- id: REL-BAK-001
name: "Automated database backups"
description: "Automated backups enabled for all databases"
auto_detect:
pass_if: "automated backup configured for all database services"
gap_if: "any database without automated backup"
severity: HIGH
applies_when: "has_databases"
- id: REL-BAK-002
name: "Backup retention policy"
description: "Backup retention policy defined and documented"
auto_detect:
pass_if: "backup retention periods specified"
gap_if: "no backup retention policy defined"
severity: MEDIUM
applies_when: "has_databases"
- id: REL-BAK-003
name: "Block Volume backups"
description: "Block Volume backups scheduled"
auto_detect:
pass_if: "block volume backup policies configured"
gap_if: "block volumes without backup schedules"
severity: MEDIUM
applies_when: "has_block_volumes"
- id: REL-BAK-004
name: "Cross-region backup copy"
description: "Cross-region backup copy for critical data"
auto_detect:
pass_if: "cross-region backup replication configured"
gap_if: "critical data without cross-region backup"
severity: MEDIUM
applies_when: "has_critical_data"
- id: REL-BAK-005
name: "Boot volume backups"
description: "Boot volume backups for compute instances"
auto_detect:
pass_if: "boot volume backup policies configured"
gap_if: "compute instances without boot volume backups"
severity: LOW
applies_when: "has_compute_instances"
- name: "Data Replication"
id: data_replication
checks:
- id: REL-REP-001
name: "Data Guard / ADG"
description: "Data Guard (or ADG for ADB) configured for HA databases"
auto_detect:
pass_if: "Data Guard or Autonomous Data Guard configured"
gap_if: "production databases without HA replication"
severity: HIGH
applies_when: "has_production_databases"
- id: REL-REP-002
name: "RPO/RTO documented"
description: "RPO/RTO documented and validated with actual testing"
auto_detect:
pass_if: "RPO and RTO targets defined with validation plan"
gap_if: "no RPO/RTO targets documented"
severity: HIGH
applies_when: "has_production_workloads"
- id: REL-REP-003
name: "Cross-region Object Storage replication"
description: "Cross-region replication for Object Storage"
auto_detect:
pass_if: "Object Storage replication configured to DR region"
gap_if: "critical object storage without cross-region replication"
severity: MEDIUM
applies_when: "has_critical_object_storage"
- name: "Disaster Recovery"
id: disaster_recovery
checks:
- id: REL-DR-001
name: "DR region identified"
description: "DR region identified and provisioned"
auto_detect:
pass_if: "DR region specified in architecture"
gap_if: "no DR region identified"
severity: HIGH
applies_when: "requires_dr"
- id: REL-DR-002
name: "DR architecture documented"
description: "DR architecture documented with switchover/failover procedures"
auto_detect:
pass_if: "DR runbook with switchover/failover procedures defined"
gap_if: "no DR procedures documented"
severity: HIGH
applies_when: "requires_dr"
- id: REL-DR-003
name: "DR drill schedule"
description: "DR drill schedule defined (quarterly minimum)"
auto_detect:
pass_if: "DR drill schedule defined"
gap_if: "no DR drill schedule"
severity: MEDIUM
applies_when: "requires_dr"
- id: REL-DR-004
name: "DNS failover"
description: "DNS failover or traffic management configured"
auto_detect:
pass_if: "OCI Traffic Management or DNS failover configured"
gap_if: "no automated DNS failover for DR"
severity: MEDIUM
applies_when: "requires_dr"
- id: REL-DR-005
name: "Application tier DR"
description: "Application tier DR strategy (pre-provisioned, Terraform-on-demand, or pilot light)"
auto_detect:
pass_if: "application DR strategy defined and documented"
gap_if: "no application tier DR strategy"
severity: HIGH
applies_when: "requires_dr"

View File

@@ -0,0 +1,324 @@
# OCI Well-Architected Framework — Pillar 1: Security and Compliance
# Source: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
pillar:
name: "Security and Compliance"
id: security_compliance
wa_reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
reference: "https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html"
categories:
- name: "Identity & Access"
id: identity_access
checks:
- id: SEC-IAM-001
name: "Least-privilege IAM policies"
description: "IAM policies follow least-privilege (not using broad 'manage all-resources')"
auto_detect:
pass_if: "architecture specifies granular IAM policies per compartment/service"
gap_if: "no IAM policy strategy defined or broad permissions used"
severity: HIGH
applies_when: always
- id: SEC-IAM-002
name: "MFA for human users"
description: "MFA enabled for all human users"
auto_detect:
pass_if: "MFA is specified in identity configuration"
gap_if: "no MFA mentioned in identity setup"
severity: HIGH
applies_when: always
- id: SEC-IAM-003
name: "Tenancy admin restricted"
description: "Tenancy admin account NOT used for day-to-day operations"
auto_detect:
pass_if: "separate admin groups defined for operations"
gap_if: "no mention of admin account restrictions"
severity: HIGH
applies_when: always
- id: SEC-IAM-004
name: "Instance/resource principals"
description: "Service accounts use instance principals or resource principals, not stored credentials"
auto_detect:
pass_if: "instance principals or resource principals specified for service-to-service auth"
gap_if: "stored credentials or API keys used for service accounts"
severity: HIGH
applies_when: always
- id: SEC-IAM-005
name: "Multiple Identity Domains"
description: "Multiple Identity Domains if multi-tenant or multi-environment"
auto_detect:
pass_if: "multiple identity domains defined"
gap_if: "single identity domain for multi-tenant setup"
severity: MEDIUM
applies_when: "multi_tenant or multi_environment"
- id: SEC-IAM-006
name: "IdP Federation"
description: "Federation configured with customer's IdP (AD, Okta, SAML)"
auto_detect:
pass_if: "federation with external IdP configured"
gap_if: "no IdP federation mentioned when enterprise customer"
severity: MEDIUM
applies_when: "enterprise_customer"
- name: "Resource Isolation"
id: resource_isolation
checks:
- id: SEC-ISO-001
name: "Compartment organization"
description: "Compartments organized by workload/environment (not flat)"
auto_detect:
pass_if: "hierarchical compartment structure defined"
gap_if: "flat compartment structure or no compartment strategy"
severity: HIGH
applies_when: always
- id: SEC-ISO-002
name: "Tagging strategy"
description: "Tags defined for cost tracking, environment, owner"
auto_detect:
pass_if: "defined tag namespaces with cost, environment, and owner tags"
gap_if: "no tagging strategy defined"
severity: MEDIUM
applies_when: always
- id: SEC-ISO-003
name: "Security Zones"
description: "Security Zones enabled for production compartments"
auto_detect:
pass_if: "Security Zones configured for production compartments"
gap_if: "no Security Zones for production workloads"
severity: MEDIUM
applies_when: "has_production_workloads"
- id: SEC-ISO-004
name: "Resource principal for cross-resource access"
description: "Cross-resource access uses resource principals, not user credentials"
auto_detect:
pass_if: "resource principals used for cross-service access"
gap_if: "user credentials used for cross-resource access"
severity: HIGH
applies_when: always
- name: "Database Security"
id: database_security
checks:
- id: SEC-DB-001
name: "Databases in private subnets"
description: "Databases in private subnets only"
auto_detect:
pass_if: "all database services placed in private subnets"
gap_if: "any database accessible from public subnet"
severity: HIGH
applies_when: "has_databases"
- id: SEC-DB-002
name: "TDE with customer-managed keys"
description: "TDE enabled with customer-managed keys (OCI Vault)"
auto_detect:
pass_if: "TDE with OCI Vault customer-managed keys specified"
gap_if: "Oracle-managed keys or no encryption key management specified"
severity: HIGH
applies_when: "has_databases"
- id: SEC-DB-003
name: "Key rotation policy"
description: "Key rotation < 90 days"
auto_detect:
pass_if: "key rotation policy defined with < 90 day interval"
gap_if: "no key rotation policy or > 90 day interval"
severity: MEDIUM
applies_when: "has_databases"
- id: SEC-DB-004
name: "Data Safe enabled"
description: "Data Safe enabled (audit, masking, VPD assessment)"
auto_detect:
pass_if: "Data Safe configured for database security assessment"
gap_if: "Data Safe not included in architecture"
severity: MEDIUM
applies_when: "has_databases"
- id: SEC-DB-005
name: "Private endpoints for ADB"
description: "Private endpoints for Autonomous Database"
auto_detect:
pass_if: "Autonomous Database configured with private endpoints"
gap_if: "Autonomous Database using public endpoints"
severity: HIGH
applies_when: "has_autonomous_database"
- id: SEC-DB-006
name: "Restricted DELETE permissions"
description: "DELETE permissions restricted to minimal users/groups"
auto_detect:
pass_if: "explicit restriction on DELETE permissions documented"
gap_if: "no mention of DELETE permission restrictions"
severity: MEDIUM
applies_when: "has_databases"
- id: SEC-DB-007
name: "Database security patches"
description: "Database security patches applied (CPU/PSU)"
auto_detect:
pass_if: "patching strategy defined for databases"
gap_if: "no database patching strategy"
severity: HIGH
applies_when: "has_databases"
- name: "Data Protection"
id: data_protection
checks:
- id: SEC-DAT-001
name: "Encryption at rest"
description: "Encryption at rest for all storage (Block, File, Object)"
auto_detect:
pass_if: "encryption at rest specified for all storage services"
gap_if: "any storage service without encryption at rest"
severity: HIGH
applies_when: always
- id: SEC-DAT-002
name: "OCI Vault key management"
description: "Keys managed in OCI Vault (not Oracle-managed)"
auto_detect:
pass_if: "OCI Vault specified for key management"
gap_if: "using Oracle-managed keys or no key management strategy"
severity: MEDIUM
applies_when: always
- id: SEC-DAT-003
name: "No public Object Storage"
description: "Object Storage buckets not publicly accessible"
auto_detect:
pass_if: "Object Storage buckets configured as private"
gap_if: "any Object Storage bucket publicly accessible without justification"
severity: HIGH
applies_when: "has_object_storage"
- id: SEC-DAT-004
name: "Retention rules"
description: "Retention rules on critical buckets"
auto_detect:
pass_if: "retention rules configured for critical data buckets"
gap_if: "no retention rules on critical data"
severity: MEDIUM
applies_when: "has_critical_data_in_object_storage"
- name: "Network Security"
id: network_security
checks:
- id: SEC-NET-001
name: "NSGs over Security Lists"
description: "NSGs preferred over Security Lists for fine-grained control"
auto_detect:
pass_if: "NSGs used as primary network security mechanism"
gap_if: "only Security Lists used without NSGs"
severity: MEDIUM
applies_when: always
- id: SEC-NET-002
name: "No default SSH from anywhere"
description: "Default security list modified (no SSH from 0.0.0.0/0)"
auto_detect:
pass_if: "SSH access restricted to specific CIDR ranges or bastion"
gap_if: "SSH open to 0.0.0.0/0"
severity: HIGH
applies_when: always
- id: SEC-NET-003
name: "WAF on internet-facing endpoints"
description: "WAF on all internet-facing endpoints"
auto_detect:
pass_if: "WAF configured for all internet-facing services"
gap_if: "internet-facing endpoints without WAF"
severity: HIGH
applies_when: "has_internet_facing_services"
- id: SEC-NET-004
name: "Service Gateway"
description: "Service Gateway for OCI service access (no internet traversal)"
auto_detect:
pass_if: "Service Gateway configured in VCN"
gap_if: "OCI services accessed via internet gateway"
severity: MEDIUM
applies_when: always
- id: SEC-NET-005
name: "Network Firewall"
description: "Network Firewall for hub VCN if required"
auto_detect:
pass_if: "Network Firewall deployed in hub VCN"
gap_if: "no Network Firewall in hub-spoke topology requiring deep packet inspection"
severity: LOW
applies_when: "hub_spoke_topology"
- id: SEC-NET-006
name: "TLS on Load Balancers"
description: "Load Balancers with TLS termination"
auto_detect:
pass_if: "TLS termination configured on load balancers"
gap_if: "load balancers without TLS"
severity: HIGH
applies_when: "has_load_balancers"
- id: SEC-NET-007
name: "Zero Trust Packet Routing"
description: "Zero Trust Packet Routing considered for sensitive workloads"
auto_detect:
pass_if: "ZTPR evaluated or configured"
gap_if: "ZTPR not considered for sensitive workloads"
severity: LOW
applies_when: "has_sensitive_workloads"
- name: "Monitoring & Audit"
id: monitoring_audit
checks:
- id: SEC-MON-001
name: "Cloud Guard enabled"
description: "Cloud Guard enabled with detector and responder recipes"
auto_detect:
pass_if: "Cloud Guard configured with appropriate recipes"
gap_if: "Cloud Guard not included in architecture"
severity: HIGH
applies_when: always
- id: SEC-MON-002
name: "OCI Audit enabled"
description: "OCI Audit service enabled"
auto_detect:
pass_if: "Audit service enabled (enabled by default, verify retention)"
gap_if: "audit service not mentioned or retention not configured"
severity: MEDIUM
applies_when: always
- id: SEC-MON-003
name: "VCN Flow Logs"
description: "VCN Flow Logs enabled"
auto_detect:
pass_if: "VCN Flow Logs enabled for critical subnets"
gap_if: "no VCN Flow Logs configured"
severity: MEDIUM
applies_when: always
- id: SEC-MON-004
name: "Vulnerability Scanning"
description: "Vulnerability Scanning enabled"
auto_detect:
pass_if: "OCI Vulnerability Scanning configured for compute instances"
gap_if: "no vulnerability scanning in architecture"
severity: MEDIUM
applies_when: "has_compute_instances"
- id: SEC-MON-005
name: "SIEM integration"
description: "Logs aggregated to SIEM if enterprise requirement"
auto_detect:
pass_if: "SIEM integration configured or Logging Analytics used"
gap_if: "no centralized log aggregation for enterprise workload"
severity: MEDIUM
applies_when: "enterprise_customer"