Understanding key elements of CoreStack assessments

Learn about the automated assessment triggered by CoreStack after you first onboard a new cloud account.

Before we dive into CoreStack assessments, it helps to understand the key components that comprise them: workloads, assessments, and frameworks.

Workloads

A workload is a logical group of resources that represents a business application or system. Workloads are dynamic in nature, and the resources within them can be added or removed.

Workloads can span across various cloud providers and resources in multiple cloud accounts that are organized into tiers. Tiers are groupings of resources made using query-based filters.

Workloads support versioning to track changes in the workload over time. Any change in workload filters or workload tags creates a new version. Users can create new versions from existing versions and view the version changes over time.

When you run a Workload Assessment, you can assess a workload against Assessment Frameworks.

Frameworks

A framework provides the means to assess your cloud workloads and accounts against established design principles, best practices, and standard procedures. Each major cloud provider has defined its own Well-Architected Framework, which helps its customers evaluate their cloud resources and ensure they conform to industry-defined best practices. CoreStack supports both industry-standard and custom frameworks.

Each assessment framework consists of a series of questions along with their specific best practices. These questions are grouped under specific pillars, and the hierarchy is:

  1. Pillars
  2. Questions
  3. Best practices

In principle, an assessment is performed manually: each best practice is evaluated for its applicability and marked as adhered to or not, based on evidence and evaluation. CoreStack has a collection of policies developed to help evaluate some of these best practices, and some of those policies are mapped to best practices.

Best practices that have policies mapped to them can be assessed automatically through policy execution, and are therefore considered "Automated". Best practices with no policy mapping are "Manual". Each best practice also shows its risk classification as High/Medium/Low and has its own recommendation for risk mitigation.

Assessments

An assessment is the encapsulation of the actual assessment process that evaluates a workload against a particular cloud provider's Well-Architected Framework.

Assessments, once run, show you the progress of the assessment, starting with initiation and going on to approval and eventually completion, along with milestones. Assessments also include an iterative process in which users answer questions and best practices for each of their relevant workloads, and provide attachments and comments as needed.

Score Calculation for Assessments

Score:

Count of resolved best practices / Count of applicable best practices

Progress Status:

(Count of resolved best practices + Count of best practices that are not applicable) / Total best practices

Assessment Run States

When an assessment is triggered, it can be in any of the states described below:

| State | Description | Rules |
| --- | --- | --- |
| In progress | After the assessment has started and until it is either completed or abandoned. | |
| Completed | Post completion of approval of the assessment. | The assessment owner can approve the assessment run at any state by marking best practices as Verified and adding mandatory comments. |
| Abandoned | The assessment run is abandoned. This could be for multiple reasons, such as retirement or inactivation of the workload or framework. | Can be marked as Abandoned from any state. |

State of Best Practice

The statuses of best practices are explained in the table below:

| Status | Description |
| --- | --- |
| Open | For Manual assessments, the status is Open until the reviewer marks it as Verified. By default, all best practices (both Manual and Automated) are in Open status. |
| Verified | A user's action which indicates that the best practice is followed. If the best practices are Manual in nature, the reviewer can review them and mark them as Verified. If the best practices are Automated in nature but show a policy violation when the assessment is run, the reviewer has the option to mark them as Verified with Exception, with mandatory comments. If no policy violation is found during the Automated scan, the best practices are automatically set to Verified status. |
| Not Applicable | A reviewer can mark a best practice as Not Applicable. |

Status of Question

The status of a question depends on the status of its best practices. The table below shows how the status of a question is determined.

| Status | Description |
| --- | --- |
| Open | If any of the best practices for a question is in Open status, then the overall status of the question is Open. |
| Verified | A question is marked as Verified if at least one best practice is in Verified status and the rest of the best practices are either Verified or Not Applicable. |
| Not Applicable | Questions with Not Applicable status are not considered within the assessment. A question becomes Not Applicable when all the best practices under that question are Not Applicable. |
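
The score, progress and question-status rules above, worked through in Python as an added example (not CoreStack's own code). It assumes "resolved" means Verified and "applicable" means not marked Not Applicable; the question IDs and statuses are constructed sample data.

```python
from collections import Counter

OPEN, VERIFIED, NOT_APPLICABLE = "Open", "Verified", "Not Applicable"
STATUSES = {OPEN, VERIFIED, NOT_APPLICABLE}


def question_status(bp_statuses):
    """Roll best-practice statuses up to a question status (Status of Question table)."""
    if not bp_statuses or not set(bp_statuses) <= STATUSES:
        raise ValueError(f"invalid best-practice statuses: {bp_statuses!r}")
    if OPEN in bp_statuses:
        return OPEN                      # any Open best practice keeps the question Open
    if all(s == NOT_APPLICABLE for s in bp_statuses):
        return NOT_APPLICABLE            # question is left out of the assessment
    return VERIFIED                      # >=1 Verified, rest Verified or Not Applicable


def assessment_metrics(questions):
    """Return (score, progress) as fractions of 1 for {question: [statuses]}.

    Assumptions (not stated on the page): "resolved" means Verified, and
    "applicable" means every best practice not marked Not Applicable.
    """
    counts = Counter(s for statuses in questions.values() for s in statuses)
    total = sum(counts.values())
    resolved = counts[VERIFIED]
    not_applicable = counts[NOT_APPLICABLE]
    applicable = total - not_applicable
    # Guard the edge cases: nothing applicable, or an empty assessment.
    score = resolved / applicable if applicable else None
    progress = (resolved + not_applicable) / total if total else None
    return score, progress


# Constructed sample data: question IDs and statuses are made up for illustration.
SAMPLE = {
    "SEC-1": [VERIFIED, VERIFIED, NOT_APPLICABLE],
    "SEC-2": [VERIFIED, OPEN],
    "REL-1": [NOT_APPLICABLE, NOT_APPLICABLE],
    "COST-1": [OPEN, OPEN, VERIFIED],
}

if __name__ == "__main__":
    for name, statuses in SAMPLE.items():
        print(f"{name}: {question_status(statuses)}")
    score, progress = assessment_metrics(SAMPLE)
    print(f"Score: {score:.0%}  Progress: {progress:.0%}")
```

Marking a best practice Not Applicable raises both numbers without any control being verified, so reviewers should treat Not Applicable decisions as evidence-bearing changes.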