feat: cleaning up supportability

acx1729 · acx1729 · commit de0d5eafd064 · 2024-10-06T16:48:42.000-04:00
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability.yaml
@@ -0,0 +1,21 @@
+ID: aws_baseline_supportability
+Title: "AWS Baseline Supportability"
+Description: "Supportability checks for AWS resources."
+AutoAssign: true
+Children:
+  - aws_baseline_supportability_compute
+  - aws_baseline_supportability_kubernetes_management
+  - aws_baseline_supportability_networking
+  - aws_baseline_supportability_certificates
+  - aws_baseline_supportability_logging_and_monitoring
+  - aws_baseline_supportability_database
+  - aws_baseline_supportability_iam_and_security
+Controls: []
+Enabled: true
+SectionCode: aws_baseline_supportability
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability_certificates.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability_certificates.yaml
@@ -0,0 +1,16 @@
+ID: aws_baseline_supportability_certificates
+Title: "AWS Baseline Supportability - Certificates"
+Description: "Ensure AWS certificates are managed properly."
+AutoAssign: true
+Controls:
+  - aws_acm_certificate_expired
+  - aws_acm_certificates_validity
+  - aws_acm_certificates_with_wildcard_domain_names
+Enabled: true
+SectionCode: aws_baseline_supportability_certificates
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability_compute.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability_compute.yaml
@@ -0,0 +1,18 @@
+ID: aws_baseline_supportability_compute
+Title: "AWS Baseline Supportability - Compute"
+Description: "Ensure AWS compute resources are configured for supportability."
+AutoAssign: true
+Controls:
+  - aws_ec2_instance_naming_conventions
+  - aws_ebs_volumes_attached_to_stopped_ec2_instances
+  - aws_unused_aws_ec2_key_pairs
+  - aws_ec2_instances_with_multiple_elastic_network_interfaces
+  - aws_check_for_ecs_container_instance_agent_version
+Enabled: true
+SectionCode: aws_baseline_supportability_compute
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability_database.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability_database.yaml
@@ -0,0 +1,15 @@
+ID: aws_baseline_supportability_database
+Title: "AWS Baseline Supportability - Database"
+Description: "Ensure AWS RDS instances are configured for supportability."
+AutoAssign: true
+Controls:
+  - aws_rds_database_instances_have_a_minimum_acceptable_backup_policy
+  - aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time
+Enabled: true
+SectionCode: aws_baseline_supportability_database
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability_iam_and_security.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability_iam_and_security.yaml
@@ -0,0 +1,16 @@
+ID: aws_baseline_supportability_iam_and_security
+Title: "AWS Baseline Supportability - IAM and Security"
+Description: "Ensure AWS IAM policies and security are configured for supportability."
+AutoAssign: true
+Controls:
+  - aws_multi_account_centralized_management
+  - aws_use_aws_managed_policy_to_access_amazon_ecr_repositories
+  - aws_use_aws_managed_policy_to_manage_aws_resources
+Enabled: true
+SectionCode: aws_baseline_supportability_iam_and_security
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability_kubernetes_management.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability_kubernetes_management.yaml
@@ -0,0 +1,18 @@
+ID: aws_baseline_supportability_kubernetes_management
+Title: "AWS Baseline Supportability - Kubernetes Management"
+Description: "Ensure AWS EKS clusters are configured for supportability."
+AutoAssign: true
+Controls:
+  - aws_disable_remote_access_to_eks_cluster_node_groups
+  - aws_enable_cloudtrail_logging_for_kubernetes_api_calls
+  - aws_eks_cluster_node_group_iam_role_policies
+  - aws_use_oidc_provider_for_authenticating_kubernetes_api_calls
+  - aws_enable_cloudwatch_container_insights
+Enabled: true
+SectionCode: aws_baseline_supportability_kubernetes_management
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability_logging_and_monitoring.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability_logging_and_monitoring.yaml
@@ -0,0 +1,22 @@
+ID: aws_baseline_supportability_logging_and_monitoring
+Title: "AWS Baseline Supportability - Logging and Monitoring"
+Description: "Ensure AWS logging and monitoring is configured for supportability."
+AutoAssign: true
+Controls:
+  - aws_opensearch_slow_logs
+  - aws_enable_serverless_log_exports
+  - aws_instance_level_events_subscriptions
+  - aws_log_exports
+  - aws_performance_insights
+  - aws_security_groups_events_subscriptions
+  - aws_ecs_task_log_driver_in_use
+  - aws_lifecycle_policy_in_use
+  - aws_enable_aurora_cluster_copy_tags_to_snapshots
+Enabled: true
+SectionCode: aws_baseline_supportability_logging_and_monitoring
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/aws_baseline_supportability_networking.yaml b/compliance/frameworks/baseline/supportability/aws_baseline_supportability_networking.yaml
@@ -0,0 +1,15 @@
+ID: aws_baseline_supportability_networking
+Title: "AWS Baseline Supportability - Networking"
+Description: "Ensure AWS networking resources are configured for supportability."
+AutoAssign: true
+Controls:
+  - aws_unused_elastic_network_interfaces
+  - aws_use_aws_managed_policy_to_manage_networking_resources
+Enabled: true
+SectionCode: aws_baseline_supportability_networking
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/azure_baseline_supportability_general_practices.yaml b/compliance/frameworks/baseline/supportability/azure_baseline_supportability_general_practices.yaml
@@ -0,0 +1,14 @@
+ID: azure_baseline_supportability_general_practices
+Title: "Azure Baseline Supportability - General Practices"
+Description: "Ensure general practices for Azure resources are in place."
+AutoAssign: true
+Controls:
+  - azure_disable_plain_ftp_deployment
+Enabled: true
+SectionCode: azure_baseline_supportability_general_practices
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/azure_baseline_supportability_key_vault_and_certificates.yaml b/compliance/frameworks/baseline/supportability/azure_baseline_supportability_key_vault_and_certificates.yaml
@@ -0,0 +1,16 @@
+ID: azure_baseline_supportability_key_vault_and_certificates
+Title: "Azure Baseline Supportability - Key Vault and Certificates"
+Description: "Ensure Azure Key Vault and certificates are configured for supportability."
+AutoAssign: true
+Controls:
+  - azure_keyvault_logging_enabled
+  - azure_configure_minimum_tls_version
+  - azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys
+Enabled: true
+SectionCode: azure_baseline_supportability_key_vault_and_certificates
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/azure_baseline_supportability_kubernetes_management.yaml b/compliance/frameworks/baseline/supportability/azure_baseline_supportability_kubernetes_management.yaml
@@ -0,0 +1,18 @@
+ID: azure_baseline_supportability_kubernetes_management
+Title: "Azure Baseline Supportability - Kubernetes Management"
+Description: "Ensure Azure Kubernetes Service (AKS) clusters are configured for supportability."
+AutoAssign: true
+Controls:
+  - azure_enable_defender_for_cloud_for_aks_clusters
+  - azure_use_azure_cni_add_on_for_managing_network_resources
+  - azure_use_microsoft_entra_id_integration_for_aks_clusters
+  - azure_use_user_assigned_managed_identities_for_aks_clusters
+  - azure_kubernetes_api_version
+Enabled: true
+SectionCode: azure_baseline_supportability_kubernetes_management
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/azure_baseline_supportability_networking.yaml b/compliance/frameworks/baseline/supportability/azure_baseline_supportability_networking.yaml
@@ -0,0 +1,14 @@
+ID: azure_baseline_supportability_networking
+Title: "Azure Baseline Supportability - Networking"
+Description: "Ensure Azure networking resources are configured for supportability."
+AutoAssign: true
+Controls:
+  - azure_use_network_contributor_role_for_managing_azure_network_resources
+Enabled: true
+SectionCode: azure_baseline_supportability_networking
+Tags:
+  baseline_category:
+    - supportability
+  type:
+    - BASELINE
+TracksDriftEvents: false
diff --git a/compliance/frameworks/baseline/supportability/root.yaml b/compliance/frameworks/baseline/supportability/root.yaml
@@ -1,53 +1,18 @@
-ID: sre_supportability
-Title: "SRE Supportability"
-Description: "Supportability Framework aligns with SRE principles and the Well-Architected Framework, ensuring systems are monitorable, maintainable, and optimized for rapid issue resolution."
+ID: azure_baseline_supportability
+Title: "Azure Baseline Supportability"
+Description: "Supportability checks for Azure resources."
 AutoAssign: true
-Children: []
-Controls:
-  - azure_keyvault_logging_enabled
-  - azure_enable_defender_for_cloud_for_aks_clusters
-  - azure_disable_plain_ftp_deployment
-  - azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys
-  - azure_configure_minimum_tls_version
-  - azure_use_azure_cni_add_on_for_managing_network_resources
-  - azure_use_microsoft_entra_id_integration_for_aks_clusters
-  - azure_use_user_assigned_managed_identities_for_aks_clusters
-  - azure_kubernetes_api_version
-  - azure_use_network_contributor_role_for_managing_azure_network_resources
-  - aws_ec2_instance_naming_conventions
-  - aws_unused_elastic_network_interfaces
-  - aws_multi_account_centralized_management
-  - aws_acm_certificate_expired
-  - aws_acm_certificates_validity
-  - aws_acm_certificates_with_wildcard_domain_names
-  - aws_ebs_volumes_attached_to_stopped_ec2_instances
-  - aws_unused_aws_ec2_key_pairs
-  - aws_opensearch_slow_logs
-  - aws_enable_aurora_cluster_copy_tags_to_snapshots
-  - aws_enable_serverless_log_exports
-  - aws_instance_level_events_subscriptions
-  - aws_log_exports
-  - aws_performance_insights
-  - aws_security_groups_events_subscriptions
-  - aws_rds_database_instances_have_a_minimum_acceptable_backup_policy
-  - aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time
-  - aws_lifecycle_policy_in_use
-  - aws_ecs_task_log_driver_in_use
-  - aws_check_for_ecs_container_instance_agent_version
-  - aws_disable_remote_access_to_eks_cluster_node_groups
-  - aws_enable_cloudtrail_logging_for_kubernetes_api_calls
-  - aws_eks_cluster_node_group_iam_role_policies
-  - aws_use_aws_managed_policy_to_manage_networking_resources
-  - aws_use_aws_managed_policy_to_access_amazon_ecr_repositories
-  - aws_use_aws_managed_policy_to_manage_aws_resources
-  - aws_use_oidc_provider_for_authenticating_kubernetes_api_calls
-  - aws_enable_cloudwatch_container_insights
-  - aws_ec2_instances_with_multiple_elastic_network_interfaces
+Children:
+  - azure_baseline_supportability_key_vault_and_certificates
+  - azure_baseline_supportability_kubernetes_management
+  - azure_baseline_supportability_networking
+  - azure_baseline_supportability_general_practices
+Controls: []
 Enabled: true
-SectionCode: sre_supportability
+SectionCode: azure_baseline_supportability
 Tags:
-  score_category:
+  baseline_category:
     - supportability
   type:
-    - SCORE
-TracksDriftEvents: false
+    - BASELINE
+TracksDriftEvents: false
