feat(compliance): AWS Well-Architected Framework Reliability Pillar v0.1 (#2536)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
2026-02-10 06:45:08 +00:00 · 2023-06-29 19:13:38 +10:00
parent 01522ed8c7
commit a58f4b2498
3 changed files with 93 additions and 1 deletions
--- a/prowler/compliance/aws/aws_well_architected_framework_reliability_pillar_aws.json
+++ b/prowler/compliance/aws/aws_well_architected_framework_reliability_pillar_aws.json
@@ -0,0 +1,79 @@
+{
+  "Framework": "AWS-Well-Architected-Framework-Reliability-Pillar",
+  "Version": "",
+  "Provider": "AWS",
+  "Description": "Best Practices for the AWS Well-Architected Framework Reliability Pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.",
+  "Requirements": [
+    {
+      "Id": "REL09-BP03",
+      "Description": "Configure backups to be taken automatically based on a periodic schedule informed by the Recovery Point Objective (RPO), or by changes in the dataset. Critical datasets with low data loss requirements need to be backed up automatically on a frequent basis, whereas less critical data where some loss is acceptable can be backed up less frequently.",
+      "Attributes": [
+        {
+          "Name": "REL09-BP03 Perform data backup automatically",
+          "WellArchitectedQuestionId": "backing-up-data",
+          "WellArchitectedPracticeId": "rel_backing_up_data_automated_backups_data",
+          "Section": "Failure management",
+          "SubSection": "Backup up data",
+          "LevelOfRisk": "High",
+          "AssessmentMethod": "Automated",
+          "Description": "Configure backups to be taken automatically based on a periodic schedule informed by the Recovery Point Objective (RPO), or by changes in the dataset. Critical datasets with low data loss requirements need to be backed up automatically on a frequent basis, whereas less critical data where some loss is acceptable can be backed up less frequently.",
+          "ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_backing_up_data_automated_backups_data.html#implementation-guidance"
+        }
+      ],
+      "Checks": [
+        "cloudformation_stacks_termination_protection_enabled",
+        "rds_instance_backup_enabled",
+        "rds_instance_deletion_protection",
+        "dynamodb_tables_pitr_enabled"
+      ]
+    },
+    {
+      "Id": "REL06-BP01",
+      "Description": "Monitor components and services of AWS workload effectifely, using tools like Amazon CloudWatch and AWS Health Dashboard. Define relevant metrics, set thresholds, and analyze metrics and logs for early detection of issues.",
+      "Attributes": [
+        {
+          "Name": "REL06-BP01 Monitor all components for the workload (Generation)",
+          "WellArchitectedQuestionId": "monitor-aws-resources",
+          "WellArchitectedPracticeId": "rel_monitor_aws_resources_monitor_resources",
+          "Section": "Change management",
+          "SubSection": "Monitor workload resources",
+          "LevelOfRisk": "High",
+          "AssessmentMethod": "Automated",
+          "Description": "Monitor components and services of AWS workload effectifely, using tools like Amazon CloudWatch and AWS Health Dashboard. Define relevant metrics, set thresholds, and analyze metrics and logs for early detection of issues.",
+          "ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_monitor_aws_resources_monitor_resources.html#implementation-guidance"
+        }
+      ],
+      "Checks": [
+        "apigateway_logging_enabled",
+        "apigatewayv2_access_logging_enabled",
+        "awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
+        "cloudtrail_cloudwatch_logging_enabled",
+        "elb_logging_enabled",
+        "opensearch_service_domains_audit_logging_enabled",
+        "opensearch_service_domains_cloudwatch_logging_enabled",
+        "rds_instance_enhanced_monitoring_enabled",
+        "rds_instance_integration_cloudwatch_logs"
+      ]
+    },
+    {
+      "Id": "REL10-BP01",
+      "Description": "Distribute workload data and resources across multiple Availability Zones or, where necessary, across AWS Regions. These locations can be as diverse as required.",
+      "Attributes": [
+        {
+          "Name": "REL10-BP01 Deploy the workload to multiple locations",
+          "WellArchitectedQuestionId": "fault-isolation",
+          "WellArchitectedPracticeId": "rel_fault_isolation_multiaz_region_system",
+          "Section": "Failure management",
+          "SubSection": "Use fault isolation to protect your workload",
+          "LevelOfRisk": "High",
+          "AssessmentMethod": "Automated",
+          "Description": "Distribute workload data and resources across multiple Availability Zones or, where necessary, across AWS Regions. These locations can be as diverse as required.",
+          "ImplementationGuidanceUrl": "https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/use-fault-isolation-to-protect-your-workload.html#implementation-guidance."
+        }
+      ],
+      "Checks": [
+        "rds_instance_multi_az"
+      ]
+    }
+  ]
+}
--- a/prowler/lib/outputs/compliance.py
+++ b/prowler/lib/outputs/compliance.py
@@ -120,7 +120,7 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                    csv_header = generate_csv_fields(Check_Output_CSV_CIS)

            elif (
-                compliance.Framework == "AWS-Well-Architected-Framework-Security-Pillar"
+                "AWS-Well-Architected-Framework" in compliance.Framework
                and compliance.Provider == "AWS"
            ):
                compliance_output = compliance.Framework
--- a/prowler/lib/outputs/file_descriptors.py
+++ b/prowler/lib/outputs/file_descriptors.py
@@ -164,6 +164,19 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
                        )
                        file_descriptors.update({output_mode: file_descriptor})

+                    elif (
+                        output_mode
+                        == "aws_well_architected_framework_reliability_pillar_aws"
+                    ):
+                        filename = f"{output_directory}/{output_filename}_aws_well_architected_framework_reliability_pillar_aws{csv_file_suffix}"
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_AWS_Well_Architected,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
+
                    elif output_mode == "iso27001_2013_aws":
                        filename = f"{output_directory}/{output_filename}_iso27001_2013_aws{csv_file_suffix}"
                        file_descriptor = initialize_file_descriptor(