{
"schemaVersion": "2021-11-01",
"name": "GCR Key Workload",
"description": "GCR Key Workload",
"pillars": [
{
"id": "pillar_id_1",
"name": "Security",
"questions": [
{
"id": "pillar_1_q01",
"title": "SEC 1 How do you securely operate your workload?",
"description": "To operate your workload securely, you must apply overarching best practices to every area of security. Take requirements and processes that you have defined in operational excellence at an organizational and workload level, and apply them to all areas. Staying up to date with recommendations from AWS, industry sources, and threat intelligence helps you evolve your threat model and control objectives. Automating security processes, testing, and validation allow you to scale your security operations.",
"choices": [
{
"id": "pillar_1_q01choice1",
"title": "P2 Separate workloads using accounts",
"helpfulResource": {
"displayText": "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q01choice2",
"title": "P0 Secure account root user and properties",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nMFA on Root Account 7DAFEmoDos\n\nIAM Password Policy Yw2K9puPzl\n\nDetails:\nThe root user is the most privileged user in an AWS account, with full administrative access to all resources within the account, and in some cases cannot be constrained by security policies. Disabling programmatic access to the root user, establishing appropriate controls for the root user, and avoiding routine use of the root user helps reduce the risk of inadvertent exposure of the root credentials and subsequent compromise of the cloud environment.\n\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "(!pillar_1_q01choice2)",
"risk": "HIGH_RISK"
},
{
"condition": "default",
"risk": "NO_RISK"
}
]
},
{
"id": "pillar_1_q02",
"title": "SEC 2 How do you manage identities for people and machines?",
"description": "There are two types of identities you need to manage when approaching operating secure AWS workloads. Understanding the type of identity you need to manage and grant access helps you verify the right identities have access to the right resources under the right conditions. Human Identities: Your administrators, developers, operators, and end users require an identity to access your AWS environments and applications. These are members of your organization, or external users with whom you collaborate, and who interact with your AWS resources via a web browser, client application, or interactive command line tools. Machine Identities: Your service applications, operational tools, and workloads require an identity to make requests to AWS services, for example, to read data. These identities include machines running in your AWS environment such as Amazon EC2 instances or AWS Lambda functions. You may also manage machine identities for external parties who need access. Additionally, you may also have machines outside of AWS that need access to your AWS environment.",
"choices": [
{
"id": "pillar_1_q02choice1",
"title": "P0 Use strong sign-in mechanisms - Enforce MFA for the root user and all privileged (power user) accounts",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nMFA on Root Account 7DAFEmoDos\n\nPassword policies for IAM users should have strong configurations\n\nHardware MFA should be enabled for the root user\n\nMFA should be enabled for all IAM users that have a console password\n\nDetails:\nSign-ins (authentication using sign-in credentials) can present risks when not using mechanisms like multi-factor authentication (MFA), especially in situations where sign-in credentials have been inadvertently disclosed or are easily guessed. Use strong sign-in mechanisms to reduce these risks by requiring MFA. We also recommend requiring strong password policies.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q02choice2",
"title": "P1 Use strong sign-in mechanisms - Enforce strong password policy",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nIAM Password Policy Yw2K9puPzl\n\nDetails:\nWe recommend enforcing strong password policies for IAM users.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q02choice3",
"title": "P2 Use temporary credentials",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nCodeBuild project environment variables should not contain clear text credentials\n\nDetails:\nWhen doing any type of authentication, it's best to use temporary credentials instead of long-term credentials to reduce or eliminate risks, such as credentials being inadvertently disclosed, shared, or stolen.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q02choice4",
"title": "P0 Store and use secrets securely - e.g. never expose access keys in a public Git repository",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nIAM Access Key Rotation DqdJqYeRm5\n\nExposed Access Keys 12Fnkpl8Y5\n\nDetails:\nA workload requires an automated capability to prove its identity to databases, resources, and third-party services. This is accomplished using secret access credentials, such as API access keys, passwords, and OAuth tokens. Using a purpose-built service to store, manage, and rotate these credentials helps reduce the likelihood that those credentials become compromised. Never expose access keys publicly, for example by committing them to a Git repository; treat any key that has been published as compromised and rotate it immediately.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q02choice5",
"title": "P1 Store and use secrets securely - e.g. store database and application secrets in AWS Secrets Manager or an equivalent secrets store.",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nIAM Access Key Rotation DqdJqYeRm5\n\nExposed Access Keys 12Fnkpl8Y5\n\nDetails:\nA workload requires an automated capability to prove its identity to databases, resources, and third-party services. This is accomplished using secret access credentials, such as API access keys, passwords, and OAuth tokens. Using a purpose-built service to store, manage, and rotate these credentials helps reduce the likelihood that those credentials become compromised. Never expose access keys publicly, for example by committing them to a Git repository; treat any key that has been published as compromised and rotate it immediately."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q02choice6",
"title": "P2 Rely on a centralized identity provider",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nIAM Use\n\nCodeBuild GitHub or Bitbucket source repository URLs should use OAuth\n\nIAM authentication should be configured for RDS clusters\n\nIAM authentication should be configured for RDS instances\n\nDetails:\nFor workforce identities (employees and contractors), rely on an identity provider that allows you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and systems, because you are creating, assigning, managing, revoking, and auditing access from a single location.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q02choice7",
"title": "P0 Audit and rotate credentials periodically - i.e. IAM Access Key Rotation",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nIAM Access Key Rotation DqdJqYeRm5\n\nACM certificates should be renewed after a specified time period\n\nAPI Gateway REST and WebSocket API execution logging should be enabled\n\nSecrets Manager secrets should have automatic rotation enabled\n\nSecrets Manager secrets should be rotated within a specified number of days\n\nDetails:\nAudit and rotate credentials periodically to limit how long the credentials can be used to access your resources. Long-term credentials create many risks, and these risks can be reduced by rotating long-term credentials regularly.\n\nWe recommend that every active access key has been rotated within the last 90 days, and that unused keys are deactivated and removed.\n\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q02choice8",
"title": "P1 Audit credentials periodically - e.g. enable CloudTrail to track user activity and API usage",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAWS CloudTrail Logging vjafUGJ9H0\n\nDetails:\nAudit user activity and API usage by enabling CloudTrail; the trail is the primary record for reviewing how credentials are actually used and for investigating suspected misuse."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_1_q02choice1 && pillar_1_q02choice2 && pillar_1_q02choice4 && pillar_1_q02choice5 && pillar_1_q02choice7 && pillar_1_q02choice8 ",
"risk": "NO_RISK"
},
{
"condition": "(!pillar_1_q02choice1) || (!pillar_1_q02choice4) || (!pillar_1_q02choice7)",
"risk": "HIGH_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_1_q03",
"title": "SEC 3 How do you manage permissions for people and machines?",
"description": "Manage permissions to control access to people and machine identities that require access to AWS and your workload. Permissions control who can access what, and under what conditions.",
"choices": [
{
"id": "pillar_1_q03choice1",
"title": "P2 Define access requirements",
"helpfulResource": {
"displayText": "Each component or resource of your workload needs to be accessed by administrators, end users, or other components. Have a clear definition of who or what should have access to each component, choose the appropriate identity type and method of authentication and authorization."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q03choice2",
"title": "P1 Grant least privilege access - i.e. No non-administrator users or roles have administrator privileges.",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nRDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration Hs4Ma3G192\n\nS3 permissions granted to other AWS accounts in bucket policies should be restricted Hs4Ma3G169 \n\nUnused IAM user credentials should be removed Hs4Ma3G144\n\nIAM root user access key should not exist Hs4Ma3G140\n\nIAM users should not have IAM policies attached Hs4Ma3G138\n\nIAM policies should not allow full \"*\" administrative privileges Hs4Ma3G137\n\nIAM principals should not have IAM inline policies that allow decryption actions on all KMS keys Hs4Ma3G134\n\nIAM customer managed policies should not allow decryption actions on all KMS keys Hs4Ma3G133\n\nDetails:\nIt's a best practice to grant only the access that identities require to perform specific actions on specific resources under specific conditions. Use group and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. For example, you can allow a group of developers access to manage only resources for their project. This way, if a developer leaves the project, the developer's access is automatically revoked without changing the underlying access policies.\n\nNo non-administrator users or roles have administrator privileges."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q03choice3",
"title": "P2 Share resources securely within your organization",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAmazon ECS task definitions should have secure networking modes and user definitions. Hs4Ma3G145 \n\nCloudTrail log file validation should be enabled Hs4Ma3G109\n\nAWS CloudTrail Logging vjafUGJ9H0\n\nDetails:\nAs the number of workloads grows, you might need to share access to resources in those workloads or provision the resources multiple times across multiple accounts. You might have constructs to compartmentalize your environment, such as having development, testing, and production environments. However, having separation constructs does not limit you from being able to share securely. By sharing components that overlap, you can reduce operational overhead and allow for a consistent experience without guessing what you might have missed while creating the same resource multiple times.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q03choice4",
"title": "P2 Reduce permissions continuously",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nRemove unused Secrets Manager secrets Hs4Ma3G114\n\nDetails:\nAs your teams determine what access is required, remove unneeded permissions and establish review processes to achieve least privilege permissions. Continually monitor and remove unused identities and permissions for both human and machine access.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q03choice5",
"title": "P1 Manage access based on life cycle",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nUnused Network Access Control Lists should be removed Hs4Ma3G209\n\nIAM users' access keys should be rotated every 90 days or less Hs4Ma3G139\n\nIAM Access Key Rotation DqdJqYeRm5\n\nDetails:\nIntegrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q03choice6",
"title": "P1 Analyze public and cross account access",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nRDS snapshot should be private Hs4Ma3G194\n\nS3 buckets should prohibit public write access Hs4Ma3G172\n\nS3 Block Public Access setting should be enabled Hs4Ma3G170\n\nAmazon S3 Bucket Permissions Pfx0RwqBli\n\nDetails:\nContinually monitor findings that highlight public and cross-account access. Reduce public access and cross-account access to only the specific resources that require this access.\n"
},
"improvementPlan": {
"displayText": "S3 buckets should prohibit public write access Hs4Ma3G172\n\nS3 Block Public Access setting should be enabled Hs4Ma3G170\n\nAmazon S3 Bucket Permissions Pfx0RwqBli\n\n"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": " pillar_1_q03choice2 && pillar_1_q03choice5 && pillar_1_q03choice6 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_1_q04",
"title": "SEC 4 How do you detect and investigate security events?",
"description": "Capture and analyze events from logs and metrics to gain visibility. Take action on security events and potential threats to help secure your workload.",
"choices": [
{
"id": "pillar_1_q04choice1",
"title": "P1 Configure service and application logging",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nCloudFront distributions should have logging enabled\n\nAmazon Elasticsearch Service domains should have audit logging enabled\n\nDatabase logging should be enabled\n\nEnhanced monitoring should be configured for RDS DB instances\n\nAWS WAF Classic Global Web ACL logging should be enabled\n\nApplication and Classic Load Balancers logging should be enabled\n\nAmazon Elasticsearch Service domain error logging to CloudWatch Logs should be enabled\n\nAn RDS event notifications subscription should be configured for critical cluster events\n\nAn RDS event notifications subscription should be configured for critical database security group events\n\nAn RDS event notifications subscription should be configured for critical database instance events\n\nAn RDS event notifications subscription should be configured for critical database parameter group events\n\nElastic Beanstalk environments should have enhanced health reporting enabled\n\nAPI Gateway REST API stages should have AWS X-Ray tracing enabled\n\nAPI Gateway REST and WebSocket API execution logging should be enabled\n\nCloudTrail trails should be integrated with Amazon CloudWatch Logs\n\nAmazon Redshift clusters should have audit logging enabled\n\nDetails:\nRetain security event logs from services and applications. This is a fundamental principle of security for audit, investigations, and operational use cases, and a common security requirement driven by governance, risk, and compliance (GRC) standards, policies, and procedures.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q04choice2",
"title": "P1 Analyze logs, findings, and metrics centrally",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nGuardDuty should be enabled\n\nDetails:\nSecurity operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don't facilitate the assignment of the right resources to work an event in a timely fashion."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_1_q04choice1 && pillar_1_q04choice2 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_1_q05",
"title": "SEC 5 How do you protect your network resources?",
"description": "Any workload that has some form of network connectivity, whether it's the internet or a private network, requires multiple layers of defense to help protect from external and internal network-based threats.",
"choices": [
{
"id": "pillar_1_q05choice1",
"title": "P1 Create network layers",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nThe VPC default security group should not allow inbound and outbound traffic Hs4Ma3G118 \n\nDetails:\nGroup components that share sensitivity requirements into layers to minimize the potential scope of impact of unauthorized access. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. Traffic should only flow from the adjacent next least sensitive resource. Consider a web application sitting behind a load balancer. Your database should not be accessible directly from the load balancer. Only the business logic or web server should have direct access to your database.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q05choice2",
"title": "P0 Control traffic at all layers - restrict public subnet access.",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nVPC flow logging should be enabled in all VPCs\n\nAmazon Elasticsearch Service domains should be in a VPC\n\nECS services should not have public IP addresses assigned to them automatically Hs4Ma3G146\n\nSecurity Groups - Unrestricted Access 1iG5NDGVre\n\nSecurity Groups - Specific Ports Unrestricted HCP4007jGY\n\nAmazon RDS Security Group Access Risk\n\nELB Security Groups xSqX82fQu\n\nAmazon RDS Security Group Access Risk nNauJisYIT\n\nClassic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration Hs4Ma3G205\n\nCloudFront distributions should have WAF enabled Hs4Ma3G201\n\nIAM customer managed policies that you create should not allow wildcard actions for services Hs4Ma3G185\n\nSecurity groups should only allow unrestricted incoming traffic for authorized ports Hs4Ma3G178\n\nRDS instances should be deployed in a VPC Hs4Ma3G165 \n\nLambda function policies should prohibit public access Hs4Ma3G131\n\nAPI Gateway should be associated with a WAF Web ACL Hs4Ma3G125\n\nEC2 instances should not have a public IPv4 address Hs4Ma3G123\n\nVPC flow logging should be enabled in all VPCs Hs4Ma3G122\n\nSecrets Manager secrets should be rotated within a specified number of days Hs4Ma3G112\n\nRedshift clusters should use enhanced VPC routing Hs4Ma3G104\n\nDetails:\nWhen architecting your network topology, you should examine the connectivity requirements of each component. For example, if a component requires internet accessibility (inbound and outbound), connectivity to VPCs, edge services, and external data centers.\n\nDeny inbound access by default. Allow unrestricted inbound access (0.0.0.0/0 and ::/0) only to ports that must be publicly reachable - typically 80 and 443 for web traffic; mail ports such as 25 and 465 only when the workload actually serves mail - or to specific application ports on a documented need basis. Remember to review IPv6 rules (::/0) as well as IPv4. \n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q05choice3",
"title": "P1 Control traffic at all layers - restrict private subnet access.",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nSecurity Groups - Specific Ports Unrestricted HCP4007jGY\n\nDetails:\nWhen architecting your network topology, you should examine the connectivity requirements of each component. For example, if a component requires internet accessibility (inbound and outbound), connectivity to VPCs, edge services, and external data centers.\n\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_1_q05choice1 && pillar_1_q05choice2 && pillar_1_q05choice3 ",
"risk": "NO_RISK"
},
{
"condition": "(!pillar_1_q05choice2)",
"risk": "HIGH_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_1_q06",
"title": "SEC 6 How do you protect your compute resources?",
"description": "Compute resources in your workload require multiple layers of defense to help protect from external and internal threats. Compute resources include EC2 instances, containers, AWS Lambda functions, database services, IoT devices, and more.",
"choices": [
{
"id": "pillar_1_q06choice1",
"title": "P2 Perform vulnerability management",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAmazon EC2 instances with Microsoft SQL Server end of support Qsdfp3A4L3\n\nDetails:\nFrequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q06choice2",
"title": "P1 Reduce attack surface",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nSecurity Groups - Unrestricted Access 1iG5NDGVre\n\nSecurity Groups - Specific Ports Unrestricted HCP4007jGY\n\nAmazon RDS Security Group Access Risk\n\nELB Security Groups\n\nEC2 instances should not use multiple ENIs Hs4Ma3G208\n\nSecurity groups should not allow unrestricted access to ports with high risk Hs4Ma3G204 \n\nApplication load balancer should be configured to drop http headers Hs4Ma3G183\n\nDatabase Migration Service replication instances should not be public Hs4Ma3G132\n\nLambda functions should use supported runtimes Hs4Ma3G130\n\nAWS Lambda Functions Using Deprecated Runtimes L4dfs2Q4C5\n\nAmazon Redshift clusters should prohibit public access Hs4Ma3G103\n\nAmazon Elastic MapReduce cluster master nodes should not have public IP addresses Hs4Ma3G101\n\nAmazon SageMaker notebook instances should not have direct internet access Hs4Ma3G100\n\nDetails:\nReduce your exposure to unintended access by hardening operating systems and minimizing the components, libraries, and externally consumable services in use. Start by reducing unused components, whether they are operating system packages or applications, for Amazon Elastic Compute Cloud (Amazon EC2)-based workloads, or external software modules in your code, for all workloads. You can find many hardening and security configuration guides for common operating systems and server software. For example, you can start with the Center for Internet Security and iterate.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q06choice3",
"title": "P2 Implement managed services",
"helpfulResource": {
"displayText": "-"
},
"improvementPlan": {
"displayText": "EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT Hs4Ma3G157\n\nEC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation Hs4Ma3G156\n\nElastic Beanstalk managed platform updates should be enabled Hs4Ma3G149"
}
},
{
"id": "pillar_1_q06choice4",
"title": "P1 Automate compute protection",
"helpfulResource": {
"displayText": "-"
},
"improvementPlan": {
"displayText": "Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service Hs4Ma3G206\n\nAWS Config should be enabled Hs4Ma3G196\n\nAuto scaling groups associated with a load balancer should use load balancer health checks Hs4Ma3G177\n\nRDS DB instances should be configured to copy tags to snapshots Hs4Ma3G164\n\nRDS DB clusters should be configured to copy tags to snapshots Hs4Ma3G163\n\nRDS automatic minor version upgrades should be enabled Hs4Ma3G162\n\nAmazon RDS engine minor version upgrade is required c1qf5bt003"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_1_q06choice2 && pillar_1_q06choice4 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_1_q08",
"title": "SEC 8 How do you protect your data at rest?",
"description": "Protect your data at rest by implementing multiple controls, to reduce the risk of unauthorized access or mishandling.",
"choices": [
{
"id": "pillar_1_q08choice1",
"title": "P2 Implement secure key management",
"helpfulResource": {
"displayText": "Secure key management includes the storage, rotation, access control, and monitoring of key material required to secure data at rest for your workload.\n\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q08choice2",
"title": "P1 Enforce encryption at rest according to the organization encryption requirement",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAPI Gateway REST API cache data should be encrypted at rest Hs4Ma3G202 \n\nAmazon Elasticsearch Service domains should have encryption at-rest enabled Hs4Ma3G197 \n\nRDS DB instances should have encryption at-rest enabled Hs4Ma3G193 \n\nRDS cluster snapshots and database snapshots should be encrypted at rest Hs4Ma3G191 \n\nS3 buckets should have server-side encryption enabled Hs4Ma3G167 \n\nElastic File System should be configured to encrypt file data at-rest using AWS KMS Hs4Ma3G159 \n\nAmazon SQS queues should be encrypted at rest Hs4Ma3G136 \n\nDynamoDB Accelerator (DAX) clusters should be encrypted at rest Hs4Ma3G126 \n\nAttached EBS volumes should be encrypted at-rest Hs4Ma3G117 \n\nCloudTrail should have encryption at-rest enabled Hs4Ma3G110 \n\nDetails:\nEnforce your defined encryption requirements based on your organization's policies, regulatory obligations and standards to help meet organizational, legal, and compliance requirements. Encryption maintains the confidentiality of sensitive data in the event of unauthorized access or accidental disclosure.\n\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q08choice3",
"title": "P1 Automate data at rest protection",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nCloudFront distributions should have a default root object configured Hs4Ma3G200 \n\nRDS DB instances should have deletion protection enabled Hs4Ma3G198 \n\nRDS clusters should have deletion protection enabled Hs4Ma3G190 \n\nDetails:\nUse automated tools to validate and enforce data at rest controls continuously, for example, verify that there are only encrypted storage resources. You can automate validation that all EBS volumes are encrypted using AWS Config Rules. AWS Security Hub can also verify several different controls through automated checks against security standards. Additionally, your AWS Config Rules can automatically remediate noncompliant resources.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q08choice4",
"title": "P1 Enforce access control",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAmazon RDS Public Snapshots rSs93HQwa1 \n\nAmazon EBS Public Snapshots ePs02jT06w \n\nAmazon S3 Bucket Permissions Pfx0RwqBli \n\nSSM documents should not be public Hs4Ma3G158 \n\nEBS snapshots should not be public, determined by the ability to be restorable by anyone Hs4Ma3G116 \n\nEC2 instances should use Instance Metadata Service Version 2 (IMDSv2) Hs4Ma3G124\n\nDetails:\nTo help protect your data at rest, enforce access control using mechanisms, such as isolation and versioning, and apply the principle of least privilege. Prevent the granting of public access to your data.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_1_q08choice1 && pillar_1_q08choice2 && pillar_1_q08choice3 && pillar_1_q08choice4 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_1_q09",
"title": "SEC 9 How do you protect your data in transit?",
"description": "Protect your data in transit by implementing multiple controls to reduce the risk of unauthorized access or loss.",
"choices": [
{
"id": "pillar_1_q09choice1",
"title": "P1 Implement secure key and certificate management",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nELB Listener Security a2sEc6ILx \n\nCloudFront SSL Certificate on the Origin Server N430c450f2 \n\nDetails:\nTransport Layer Security (TLS) certificates are used to secure network communications and establish the identity of websites, resources, and workloads over the internet, as well as private networks.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q09choice2",
"title": "P1 Enforce encryption in transit according to the organization encryption requirement",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAPI Gateway REST API stages should be configured to use SSL certificates for backend authentication\n\nConnections to Amazon Elasticsearch Service domains should be encrypted using TLS 1.2 Hs4Ma3G187 \n\nClassic Load Balancer listeners should be configured with HTTPS or TLS termination Hs4Ma3G182 \n\nClassic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager Hs4Ma3G181 \n\nS3 buckets should require requests to use Secure Socket Layer Hs4Ma3G168 \n\nElasticsearch domains should encrypt data sent between nodes Hs4Ma3G150 \n\nCloudFront distributions should require encryption in transit Hs4Ma3G107 \n\nConnections to Amazon Redshift clusters should be encrypted in transit Hs4Ma3G102 \n\nELB Listener Security a2sEc6ILx\n\nDetails:\nEnforce your defined encryption requirements based on your organization s policies, regulatory obligations and standards to help meet organizational, legal, and compliance requirements. Only use protocols with encryption when transmitting sensitive data outside of your virtual private cloud (VPC). Encryption helps maintain data confidentiality even when the data transits untrusted networks.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_1_q09choice1 && pillar_1_q09choice2 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_1_q10",
"title": "SEC 10 How do you anticipate, respond to, and recover from incidents?",
"description": "Preparation is critical to timely and effective investigation, response to, and recovery from security incidents to help minimize disruption to your organization.",
"choices": [
{
"id": "pillar_1_q10choice1",
"title": "P2 Identify key personnel and external resources",
"helpfulResource": {
"displayText": "Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q10choice2",
"title": "P2 Develop incident management plans",
"helpfulResource": {
"displayText": "The first document to develop for incident response is the incident response plan. The incident response plan is designed to be the foundation for your incident response program and strategy."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_1_q10choice3",
"title": "P2 Run simulations",
"helpfulResource": {
"displayText": "As organizations grow and evolve over time, so does the threat landscape, making it important to continually review your incident response capabilities. Running simulations (also known as game days) is one method that can be used to perform this assessment. Simulations use real-world security event scenarios designed to mimic a threat actor’s tactics, techniques, and procedures (TTPs) and allow an organization to exercise and evaluate their incident response capabilities by responding to these mock cyber events as they might occur in reality."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "-"
}
}
],
"riskRules": [
{
"condition": "default",
"risk": "NO_RISK"
}
]
},
{
"id": "pillar_1_q11",
"title": "SEC 11 How do you incorporate and validate the security properties of applications throughout the deployment lifecycle?",
"description": "Training people, testing using automation, understanding dependencies, and validating the security properties of tools and applications help to reduce the likelihood of security issues in production workloads.",
"choices": [
{
"id": "pillar_1_q11choice1",
"title": "P2 Perform regular penetration testing",
"helpfulResource": {
"displayText": "Perform regular penetration testing of your software. This mechanism helps identify potential software issues that cannot be detected by automated testing or a manual code review. It can also help you understand the efficacy of your detective controls. Penetration testing should try to determine if the software can be made to perform in unexpected ways, such as exposing data that should be protected, or granting broader permissions than expected."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "default",
"risk": "NO_RISK"
}
]
}
]
},
{
"id": "pillar_id_2",
"name": "Performance",
"questions": [
{
"id": "pillar_2_q02",
"title": "PERF 2 How do you select and use compute resources in your workload?",
"description": "The more efficient compute solution for a workload varies based on application design, usage patterns, and configuration settings. Architectures can use different compute solutions for various components and turn on different features to improve performance. Selecting the wrong compute solution for an architecture can lead to lower performance efficiency.",
"choices": [
{
"id": "pillar_2_q02choice1",
"title": "P2 Select the best compute options for your workload",
"helpfulResource": {
"displayText": "Selecting the most appropriate compute option for your workload allows you to improve performance, reduce unnecessary infrastructure costs, and lower the operational efforts required to maintain your workload.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_2_q02choice2",
"title": "P2 Scale your compute resources dynamically",
"helpfulResource": {
"displayText": "Use the elasticity of the cloud to scale your compute resources up or down dynamically to match your needs and avoid over- or under-provisioning capacity for your workload.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_2_q02choice3",
"title": "P1 Configure and right-size compute resources",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nLarge Number of EC2 Security Group Rules Applied to an Instance\n\nDetails:\nConfigure and right-size compute resources to match your workload's performance requirements and avoid under- or over-utilized resources.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_2_q02choice3 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_2_q03",
"title": "PERF 3 How do you store, manage, and access data in your workload?",
"description": "The more efficient storage solution for a system varies based on the kind of access operation (block, file, or object), patterns of access (random or sequential), required throughput, frequency of access (online, offline, archival), frequency of update (WORM, dynamic), and availability and durability constraints. Well-architected systems use multiple storage solutions and turn on different features to improve performance and use resources efficiently.",
"choices": [
{
"id": "pillar_2_q03choice1",
"title": "P2 Collect and record data store performance metrics",
"helpfulResource": {
"displayText": "Track and record relevant performance metrics for your data store to understand how your data management solutions are performing. These metrics can help you optimize your data store, verify that your workload requirements are met, and provide a clear overview on how the workload performs.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_2_q03choice2",
"title": "P1 Evaluate available configuration options for data store",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \n\nOverutilized Amazon EBS Magnetic Volumes\n\nAmazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration\n\nAmazon EC2 to EBS Throughput Optimization\n\nAmazon EFS Throughput Mode Optimization\n\nDetails:\nUnderstand and evaluate the various features and configuration options available for your data stores to optimize storage space and performance for your workload.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_2_q03choice3",
"title": "P2 Implement strategies to improve query performance in data store",
"helpfulResource": {
"displayText": "Implement strategies to optimize data and improve data query to enable more scalability and efficient performance for your workload.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_2_q03choice2",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_2_q04",
"title": "PERF 4 How do you select and configure networking resources in your workload?",
"description": "This question includes guidance and best practices to design, configure, and operate efficient networking and content delivery solutions in the cloud.",
"choices": [
{
"id": "pillar_2_q04choice1",
"title": "P1 Understand how networking impacts performance",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAmazon Route 53 Alias Resource Record Sets\n\nDetails:\nEvaluate networking features in the cloud that may increase performance. Measure the impact of these features through testing, metrics, and analysis. For example, take advantage of network-level features that are available to reduce latency, network distance, or jitter.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_2_q04choice2",
"title": "P2 Optimize network configuration based on metrics",
"helpfulResource": {
"displayText": "Use collected and analyzed data to make informed decisions about optimizing your network configuration.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_2_q04choice1 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_2_q05",
"title": "PERF 5 What process do you use to support more performance efficiency for your workload?",
"description": "When architecting workloads, there are principles and practices that you can adopt to help you better run efficient high-performing cloud workloads. To adopt a culture that fosters performance efficiency of cloud workloads, consider these key principles and practices.",
"choices": [
{
"id": "pillar_2_q05choice1",
"title": "P2 Use monitoring solutions to understand the areas where performance is most critical",
"helpfulResource": {
"displayText": "Understand and identify areas where increasing the performance of your workload will have a positive impact on efficiency or customer experience. For example, a website that has a large amount of customer interaction can benefit from using edge services to move content delivery closer to customers.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_2_q05choice2",
"title": "P2 Load test your workload",
"helpfulResource": {
"displayText": "Load test your workload to verify it can handle production load and identify any performance bottleneck.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "default",
"risk": "NO_RISK"
}
]
}
]
},
{
"id": "pillar_id_3",
"name": "Reliability",
"questions": [
{
"id": "pillar_3_q01",
"title": "REL 1 How do you manage service quotas and constraints?",
"description": "For cloud-based workload architectures, there are Service Quotas (which are also referred to as service limits). These quotas exist to prevent accidentally provisioning more resources than you need and to limit request rates on API operations so as to protect services from abuse. There are also resource constraints, for example, the rate that you can push bits down a fiber-optic cable, or the amount of storage on a physical disk.",
"choices": [
{
"id": "pillar_3_q01choice1",
"title": "P1 Monitor and manage quotas",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nService limits checks flagged as Yellow (80%), Red (100%) \n\nDetails:\nEvaluate your potential usage and increase your quotas appropriately, allowing for planned growth in usage."
},
"improvementPlan": {
"displayText": "Service limits checks flagged as Yellow (80%), Red (100%)"
}
},
{
"id": "pillar_3_q01choice2",
"title": "P1 Ensure that a sufficient gap exists between the current quotas and the maximum usage to accommodate failover",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nService limits checks flagged as Yellow (80%), Red (100%) \n\nDetails:\n\nWhen a resource fails or is inaccessible, that resource might still be counted against a quota until it's successfully terminated. Verify that your quotas cover the overlap of failed or inaccessible resources and their replacements. You should consider use cases like network failure, Availability Zone failure, or Regional failures when calculating this gap.\n\n"
},
"improvementPlan": {
"displayText": "Service limits checks flagged as Yellow (80%), Red (100%)"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_3_q01choice1 && pillar_3_q01choice2 ",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_3_q03",
"title": "REL 2 How do you plan your network topology?",
"description": "Workloads often exist in multiple environments. These include multiple cloud environments (both publicly accessible and private) and possibly your existing data center infrastructure. Plans must include network considerations such as intra- and inter-system connectivity, public IP address management, private IP address management, and domain name resolution.",
"choices": [
{
"id": "pillar_3_q03choice0",
"title": "P0 Use highly available network connectivity for your workload public endpoints",
"helpfulResource": {
"displayText": "Building highly available network connectivity to public endpoints of your workloads can help you reduce downtime due to loss of connectivity and improve the availability and SLA of your workload. *To achieve this, use highly available DNS, content delivery networks (CDNs), API gateways, load balancing, or reverse proxies."
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_3_q03choice1",
"title": "P0 Provision redundant connectivity between private networks in the cloud , on-premises , cloud to cloud environments",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nVPN Tunnel Redundancy S45wrEXrLz \n\nAWS Direct Connect Location Redundancy 8M012Ph3U5 \n\nAWS Direct Connect Virtual Interface Redundancy 4g3Nt5M1Th \n\nAWS Direct Connect Connection Redundancy 0t121N1Ty3 \n\nDetails:\nUse multiple AWS Direct Connect connections or VPN tunnels between separately deployed private networks. Use multiple Direct Connect locations for high availability. If using multiple AWS Regions, ensure redundancy in at least two of them. You might want to evaluate AWS Marketplace appliances that terminate VPNs. If you use AWS Marketplace appliances, deploy redundant instances for high availability in different Availability Zones."
},
"improvementPlan": {
"displayText": "VPN Tunnel Redundancy S45wrEXrLz \n\nAWS Direct Connect Location Redundancy 8M012Ph3U5 \n\nAWS Direct Connect Virtual Interface Redundancy 4g3Nt5M1Th \n\nAWS Direct Connect Connection Redundancy 0t121N1Ty3"
}
},
{
"id": "pillar_3_q03choice2",
"title": "P2 Ensure IP subnet allocation accounts for expansion and availability",
"helpfulResource": {
"displayText": "Amazon VPC IP address ranges must be large enough to accommodate workload requirements, including factoring in future expansion and allocation of IP addresses to subnets across Availability Zones. This includes load balancers, EC2 instances, and container-based applications.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "pillar_3_q03choice3",
"title": "P2 Enforce non-overlapping private IPv4 address ranges in all private address spaces where they are connected",
"helpfulResource": {
"displayText": "Details:\nThe IP address ranges of each of your VPCs must not overlap when peered or connected via VPN. You must similarly avoid IP address conflicts between a VPC and on-premises environments or with other cloud providers that you use. You must also have a way to allocate private IP address ranges when needed.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_3_q03choice0 && pillar_3_q03choice1",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "HIGH_RISK"
}
]
},
{
"id": "pillar_3_q08",
"title": "REL 7 How do you design your workload to adapt to changes in demand?",
"description": "A scalable workload provides elasticity to add or remove resources automatically so that they closely match the current demand at any given point in time.",
"choices": [
{
"id": "pillar_3_q08choice1",
"title": "P1 Use automation when obtaining or scaling resources",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAuto Scaling Group Resources 8CNsSllI5v\n\nDetails:\nWhen replacing impaired resources or scaling your workload, automate the process by using managed AWS services, such as Amazon S3 and AWS Auto Scaling. You can also use third-party tools and AWS SDKs to automate scaling.\n"
},
"improvementPlan": {
"displayText": "Auto Scaling Group Resources 8CNsSllI5v"
}
},
{
"id": "pillar_3_q08choice2",
"title": "P1 Obtain resources upon detection of impairment to a workload",
"helpfulResource": {
"displayText": "Trusted Advisor Checks: \nAuto Scaling Group Health Check CLOG40CDO8\n\nDetails:\nScale resources reactively when necessary if availability is impacted, to restore workload availability.\n"
},
"improvementPlan": {
"displayText": "Auto Scaling Group Health Check CLOG40CDO8"
}
},
{
"id": "pillar_3_q08choice3",
"title": "P2 Load test your workload",
"helpfulResource": {
"displayText": "Adopt a load testing methodology to measure if scaling activity meets workload requirements.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "pillar_3_q08choice1 && pillar_3_q08choice2",
"risk": "NO_RISK"
},
{
"condition": "default",
"risk": "MEDIUM_RISK"
}
]
},
{
"id": "pillar_3_q09",
"title": "REL 8 How do you implement change?",
"description": "Controlled changes are necessary to deploy new functionality, and to verify that the workloads and the operating environment are running known software and can be patched or replaced in a predictable manner. If these changes are uncontrolled, then it makes it difficult to predict the effect of these changes, or to address issues that arise because of them.",
"choices": [
{
"id": "pillar_3_q09choice1",
"title": "P2 Use runbooks for standard activities such as deployment",
"helpfulResource": {
"displayText": "Runbooks are the predefined procedures to achieve specific outcomes. Use runbooks to perform standard activities, whether done manually or automatically. Examples include deploying a workload, patching a workload, or making DNS modifications.\n"
},
"improvementPlan": {
"displayText": "-"
}
},
{
"id": "option_no",
"title": "None of these",
"helpfulResource": {
"displayText": "Choose this if your workload does not follow these best practices."
}
}
],
"riskRules": [
{
"condition": "default",
"risk": "NO_RISK"
}
]
},
{