Private preview notice:
This article describes features that are currently only available in private preview.
Please contact [email protected] to learn how you can get access.
Once you've onboarded a cloud account and created a workload in CoreStack, you can run an assessment on that workload to review its resources based on established cloud architecture guidelines and best practices. The purpose of assessments is to provide users with a way to clearly understand the state of their workloads and take steps to improve their performance and efficiency.
In the CoreStack Compass product offering, an assessment is a process where the platform analyzes all cloud resources in a workload as per the selected framework (e.g. AWS Well-Architected Framework). It provides a set of questions and best practices for users to run through along with insights and remediation suggestions for any issues detected by the CoreStack platform.
Depending upon the scope of your workload, there are multiple assessment options you can choose to trigger:
- AWS WAF AND AWS SERVERLESS: This option will be available if your workload has AWS accounts set up under its tiers.
- AZURE: This option will be available if your workload has Azure accounts set up under its tiers.
- CSMC-WAF: This option will be available if your workload has both AWS and Azure accounts set up under its tiers.
For AWS, there are two options available while creating the assessment:
- Start assessment without sync = True: In this case, the assessment details will not sync with your AWS console.
- Start assessment with sync = True: In this case, the assessment details will be synced with your AWS console.
On the Start Assessment section that appears, make sure to enable the option to Sync workload to AWS Well Architected Tool. Then fill in the required details and click on Start Assessment.
For cases where Start assessment with sync = true, it’s mandatory to have READ + WRITE ACCESS.
Whatever assessment name is provided while creating the assessment, the same name will be used to create a workload in the same selected region within your AWS console (i.e. in your selected cloud account).
This AWS sync mentioned above will be a ONE-WAY-SYNC only.
Updates from the CoreStack assessment will also be updated in your AWS console, but if any changes are made in the AWS console, those same changes won't be updated in your CoreStack WAF assessment.
Follow the steps outlined below to create and run your assessment.
We recommend that the user starting the assessment be assigned the Assessment Owner role. If the assessment is created by a user with Tenant Owner or Admin roles, the assessment view page is known to have issues loading the first time.
In the left-hand navigation bar, select Well Architected > Frameworks to go to a list of your available frameworks. Based on the framework of interest, you can click on the assess button on the framework card to begin the assessment process. This will redirect you to the Resource > Workloads page.
- Alternatively, you can directly go this page by selecting Resource > Workloads in the left navigation bar, to go to a list of your available cloud workloads.
For the workload you want to run the assessment on, click the three dots icon on the right-most edge of the row then select Start assessment from the drop-down options.
- Any workloads that already have an assessment done or in progress will show a symbol under the WAF Standards column, indicating which platform and completion percentage.
- If nothing is showing in the WAF Standards column, then there is no current assessment for that workload.
Only one assessment can be created per workload -- this is because assessments can be run continuously while saving snapshots ("milestones") of a workload's state over time, meaning there's no need to create a new assessment each time. Continue reading here for more information.
After selecting Start Assessment, a form will open with a few fields to complete to enable this assessment.
- In the Assessment Name field, type in a name for the assessment.
- In the Description field, type in a description for this assessment (e.g. What it's for, which resources it's assessing, etc.).
- In the Workload Name field, click to open to drop-down menu and select a workload name for this assessment.
- In the Assessment Owner field, click to open to drop-down menu and select a user you want to assign as the owner of this assessment (owners can update the assessment and submit for approval).
- In the Assessment Approver field, click to open the drop-down menu and select a user you want to assign as the approver for this assessment (approvers review the results and mark an assessment as formally approved).
- In the Select Standard field, click to open the drop-down menu and choose which cloud platform framework you want this assessment to use for measuring best practices (e.g. AWS, Azure). See the note below to learn about using custom standards/frameworks.
If you want to view the assessment results natively in the AWS Well-Architected Tool in your selected cloud account as well, click on the Sync Workload to AWS Well Architected Tool slider to enable this feature. This means that your findings can be unified and viewed across both locations.
- In the Select AWS cloud account that we should sync the progress to field, click to open the drop-down menu and select the cloud account you want to sync the assessment results data with.
- In the Select AWS region that this workload progression is synced to field, click to open the drop-down menu and select the cloud region the assessment results are synced to.
Once all the fields are completed, select the Continue button in the bottom right corner to launch the assessment process.
Adding custom frameworks:
CoreStack supports the use of custom frameworks to assess your workloads against. This is accomplished at the stage where you select which cloud standard/framework to use by manually configuring a .json file to measure the standards you desire, then uploading the file.
Follow the steps outlined below to complete your assessment.
Once your assessment has launched, you'll proceed to a page where you can view lists of questions and best practices, along with a view along the top of the page showing the current assessment scan status and the info you input in the previous steps.
The questions and best practices shown here align to the core pillars of the well-architected framework of whichever cloud platform you're using. The pillars for the selected framework in context are displayed in the CoreStack UI as categories along the top banner.
For example, for AWS Well Architected the following pillars are shown:
- Cost Optimization
- Operational Excellence
- Performance Efficiency
These questions can be reviewed and addressed either by an individual architect or by a team of users (e.g. Security Ops team), whichever suits your needs best.
To navigate between questions, select one from the left-side menu showing them as a numbered list, with a checkmark beside each item.
- Below each question are two status tags: the first indicating the risk associated (None/Medium/High), and the second indicating whether it is pending, complete, or not applicable to your workload scenario (Open/Resolved/Not applicable).
Once selected, you should see an expanded list of best practices arranged in rows underneath the question. Each best practice has an empty checkbox next to it, along with a short description, tool tip for more information, and other details.
- If it says Automated below a best practice item, that means CoreStack is able to validate it automatically. It will show "Scan in progress" or highlight any issues once the scan is complete.
- If it says Manual below a best practice item, that means a user needs to manually check and/or confirm that a particular best practice is being met (click the See Recommendations link beside it for next step guidance).
For automated best practice checklist items, you may not be able to fill in the check box until the scan has completed. You can add comments on best practices at any point.
To mark a best practice item as addressed, select the check box next to it and then upload files and/or add comments to show what has been done to complete it, as well as collect evidence.
- To add a comment, select the speech bubble icon to open a text field, then type in your comment and press the Enter key to submit.
- To add files, select the attachment/paperclip icon to open a dialog box. Drag and drop any files you wish to add into the box, or click Browse File to search your local files and select one manually. Once finished, click to X icon in the top right corner of the dialog box to close it.
Once a best practice has been marked as addressed, the Owner must review and mark it as resolved in order to proceed with the assessment.
Updating and resolving best practices:
Please note that marking the check box next to a best practice item does not mean it is fully resolved yet. Checking a box simply means that the user assigned to it is indicating that step has been addressed, and is ready for review by the Owner.
Once a best practice check box has been marked, the Owner for that item needs to manually review it to ensure it's been properly addressed, then mark it as resolved. This can be done by either clicking the Status field and changing it to Resolved, or by selecting the three-dot icon to open a drop-down menu and choosing to either mark it as "resolved" or "not applicable."
All best practices must be marked as "resolved" or "not applicable" before marking the question as resolved.
Each question has an Owner and Assign To field shown alongside it. By default, the assessment owner is selected as the Owner and Assignee for all best practices and questions.
- Users assigned as the Owner are responsible for marking the question as resolved once it is completed.
- Users assigned in the Assign To field are responsible for actually performing the actions needed to verify the best practice is being met.
- Since some organizations might have separate teams or specialists who are best equipped to handle certain questions, this makes it easy to delegate questions to the relevant stakeholders inside your organization.
To assign a specific question an owner, click the Owner drop-down menu to the right of the question and select a user.
To assign a specific question to a team or individual, click the Assign To drop-down menu to the right of the question and select one or multiple users.
By following this process and completing questions in the assessment, you get a comprehensive view of the current states of your workloads and can share the findings easily with other important members of your organization. And by organizing this information in one place, you can get the insights needed to start optimizing your cloud workloads according to best practices.
At any point you can check the overall summary of your assessment, which provides an intuitive dashboard view of how many best practices you've completed, where any issues are detected, and how severe those issues are.
Follow the steps outlined below to review your assessment outcomes.
To view the overall summary of your assessment, scroll to the bottom of the page and click the View Summary button on the bottom right corner.
The summary is broken down into two sections on this page: Assessment Summary, and Overall Results.
The Assessment Summary view shows a flowchart visualization for how many best practices questions have are Open, Resolved, or Not Applicable.
- Click on any of the Open, Resolved, or Not Applicable segments to drill-down further and see a pie chart visualization of which specific best practices are affected, and their priority level (High, Medium, Low, None).
- Click again on any of the segments in the pie chart to be taken directly to the affected best practice questions in the assessment view.
- You can change the filter settings by selecting the View By button in the top left corner of the dashboard and choosing for the drop-down options.
The Overall Summary view shows a scorecard spectrum view indicating how well your workload is meeting best practices based on the questions that have been addressed. It also shows smaller, individual scorecards below indicating your score across each of the core pillars of the well-architected framework, and how many questions are still open -- this helps give users a clear understanding of how well-architected their workloads are in each area of a framework.
- A lower score (red, 0-33) means it is critical that you take the actions necessary to resolve any issues to meet best practices.
- A higher score (green, 67-100) means you are meeting most if not all best practices, and have a well-postured workload.
To export assessment results, select Export in the top-right corner of the dashboard view, then select PDF or screenshot to download the information in either file format.
- This allows you to share information like overall status, policy alignment, issue resolution suggestions, and more with other stakeholders.
Once any items are completed, the user(s) assigned the "Assessment Owner" role can submit them for approval. The user assigned the "Approver" role can then review the assessment, mark things as approved, and then create a milestone once everything is deemed complete.
A milestone is a snapshot of the completed workload assessment in the state it's in at that particular point in time.
Follow the steps outlined below to create a milestone for this assessment.
To submit an assessment for approval, go to the Summary view, scroll to the bottom of the page, and select the Submit for Approval button.
- This button may be disabled if not enough best practice questions have been answered.
Before you can click the submit button, all required best practices and questions must be marked as either Resolved or Not applicable.
Once submitted, the user assigned as the assessment Approver in an earlier step receives an email notification prompting them to go and review the assessment.
When the Approver user logs in to CoreStack, they can go to Workloads and click on the assessment status icon to view the assessment summary. Here, they will see an option to approve or reject the assessment.
- If rejected, then the assessment Owner is notified by email to edit the assessment and re-submit for approval.
- If approved, then the assessment Owner should see a new Create Milestone button on the assessment summary page. Click this to create a milestone.
As mentioned previously, assessments aren't one-time processes. They can be run continuously at different periods, which is why saving milestones is useful -- It gives you a historical understanding of the state of your workloads over time.
Updated 2 months ago