Use the Conformity Knowledge Base AI to help improve your Cloud Posture

AWS Well-Architected Tool in Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: WellArchitected-001

Ensure that Amazon Well-Architected Tool is used to review your cloud workloads against AWS best practices and get guidance on how to make them more secure, reliable, efficient and cost-effective. The Well-Architected Tool service use AWS Well-Architected Framework to compare your cloud application environment against best practices across five architectural pillars: security, reliability, performance efficiency, operational excellence and cost optimization. The main benefits of using Amazon Well-Architected Tool are: mature architectural guidance – the tool gives you access to the latest architectural best practices used by Amazon Web Services architects, consistent workload reviews – the service provides a consistent process to help you review and evaluate your AWS cloud workloads for optimization, and continuous improvement throughout the workload lifecycle – the tool makes it easy to save point-in-time milestones and track changes made to your AWS cloud workload architecture. Last but not least, there is no additional charge for using AWS Well-Architected Tool.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security
Reliability
Performance
efficiency
Operational
excellence
Cost
optimisation

With Amazon Well-Architected Tool service in use, you can analyze your workloads using a consistent process, understand any potential risks found at your AWS cloud architecture level and identify the next steps that must be taken for improvement. AWS recommends performing a workload review using the Well-Architected Tool after any major milestone achieved in your application development lifecycle.


Audit

To determine if Well-Architected Tool is enabled in your AWS account, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Well-Architected Tool dashboard at https://console.aws.amazon.com/wellarchitected/. If you are being redirected to the service Get started page, i.e.

How It Works

Amazon Well-Architected Tool is not currently enabled in the selected AWS region.

03 Change the AWS region from the navigation bar and repeat the audit process for the rest of the regions available. If Well-Architected Tool service is not in use within your AWS account, see Remediation/Resolution section to enable the service in order to plan on how to architect for AWS cloud using established best practices.

04 Repeat steps no. 1 – 3 for each Amazon Web Services account that you want to examine for AWS Well-Architected Tool status.

Using AWS CLI

01 Run the list-workloads command using custom query filters to list the IDs of the workloads, available in the selected region.

aws wellarchitected list-workloads
  --region us-west-2
  --query "WorkloadSummaries[*].WorkloadId"

02 The command output should return an array with the workload’s IDs. If the service is not in use an empty array will be returned:

[]

Remediation / Resolution

To benefit from AWS Well-Architected Tool (WA Tool) service, you have to define a workload based on one of your existing cloud applications, and answer a set of questions across the five pillars of the Well Architected Framework. The tool will then review your questions and will provide a plan describing the improvements that can be applied to your workload. To enable and make use of AWS Well-Architected Tool service, perform the following actions:

Due to the complex nature of analysing, addressing and resolving risks found by the Well Architected Tool, it is highly recommended to use the AWS console, not the AWS CLI.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Well-Architected Tool dashboard at https://console.aws.amazon.com/wellarchitected/.

03 In the navigation panel, select Workloads.

04 Click the Define workload button from the dashboard top menu to initiate the setup process.

05 On the Define workload page, within Workload properties section, provide the following information:

  1. In the Name box, enter a unique name for your new Well-Architected Tool workload.
  2. In the Description box, enter a short description of the workload that you want to define.
  3. Choose the type of industry associated with your workload from the Industry type dropdown list.
  4. From the Industry dropdown list, select the industry that best matches your workload.
  5. In the Environment category, choose the environment in which your workload runs. This can be Production – when your applications run in a production environment or Pre-production – when these run in a pre-production or staging environment.
  6. Within Regions section, check AWS Regions checkbox and select the regions in which your workload runs, and/or check Non-AWS regions checkbox and type the regions outside AWS cloud (on-premises or other cloud provider) in which your workload runs. Use both options if that is appropriate for your workload.
  7. If required, in the Account IDs box, enter the IDs of the AWS accounts associated with your defined workload. You can specify up to 100 unique AWS account IDs, separated by commas.
  8. Click Define workload to create your Well-Architected Tool workload.
  9. Choose the newly created Well-Architected Tool workload and click on its name to access the workload configuration page.
  10. Select the Review tab and click Continue review to start with the review process.
  11. On Review workload page, you have to answer questions across the five pillars of the AWS Well-Architected Framework: security, reliability, performance efficiency, operational excellence and cost optimization. For each available question, choose the AWS best practice(s) that you are currently following from the list provided. If you need more details about a certain best practice, click on the Info button next to each entry to view the additional information provided in the right panel. If you select Question does not apply to this workload or None of these option, AWS recommends that you include the reason in the Notes box. These notes are included in the workload review report and can be helpful in the future as new changes are made to your workload
  12. Click Next to continue with the next question. Make sure that you answer to all the questions provided by the AWS Well-Architected Tool service in this section.

06 After you answer all of the available questions, the review overview for your workload is displayed. In the Review overview section, click Save milestone button to capture the architectural health of your workload at this stage of the review. Inside Save milestone dialog box, provide a name for your milestone in the Milestone name box and click Save to confirm the action.

07 (Optional) You may also want to generate a workload review report at this time. To do that, click the >Generate report button available in the Review overview section. The file contains the status of the workload review for each of the five pillars of the AWS Well-Architected Framework, and the answers to all of the review questions. If successful, a PDF file that contains the workload review status is created, and you can save it on your machine.

08 Based on your answers during the workload review, the Amazon Well-Architected Tool service identifies areas of high and medium risk as measured against the AWS Well-Architected Framework best practices and uses the collected data to generate an improvement plan from your cloud workload. To view the improvement plan for your current workload, select the Improvement plan tab from the dashboard top panel. On the Improvement plan panel, within Improvement plan overview section, check for any potential risks found. If one or more risks are found:

=Improvement Plan Overview

select In progress option from the Improvement status dropdown list to update the improvement plan status in order to indicate that improvements are in progress.

09 The Improvement items section shows the recommended improvement items identified for your workload. The questions are ordered based on severity, with the high risk items listed first followed by the medium risk items. For each improvement item listed, click Recommended improvement items tab to expand the panel with the suggested best practices for the selected question. Each recommended improvement action links to detailed expert AWS guidance to help you eliminate, or at least mitigate, the identified risk(s).

10 As part of the improvement plan, choose an item from Improvement items section and follow the AWS guidance to remediate the issue by mitigating or eliminating the item risk. Once the selected workload risk is mitigated or eliminated, click on the pertinent question associated with the risk and update the answer to reflect the implemented changes. You can also add a note within the Notes box to record your improvement. Click Save and exit button to update the workload review. Once the change is processed, return to the Improvement plan overview section and check the number of High/Medium risks available. At this point you should notice a lower number of risks, meaning that your actions have improved your workload profile.

11 Repeat step no. 10 for each item available in Improvement items section. Once the improvement plan is complete, check the Improvement plan overview to make sure that all the risks were eliminated, then select Complete from the Improvement status dropdown list to update the improvement plan status for your workload.

12 To capture the architectural health of your workload at this point, select the Review tab, and click the Save milestone button from the dashboard top menu to save your progress as a milestone. Inside Save milestone dialog box, provide a name for your new milestone in the Milestone name box, then click Save to confirm your action.

13 If required, change the AWS region from the navigation bar and repeat steps no. 4 – 12 to make use of Amazon Well-Architected Tool service in other regions.

14 Repeat steps no. 1 – 13 for each Amazon Web Services account that you want to review with AWS Well-Architected Tool.

Using AWS CLI

01 Run create-workload command (OSX/Linux/UNIX) to create an AWS Well-Architected workload. The following parameters are required:

  1. --name, provide a unique name for your new Well-Architected Tool workload.
  2. --description, provide a short description of the workload that you want to define.
  3. --environment, this can be either PRODUCTION – when your applications run in a production environment or PREPRODUCTION – when these run in a pre-production or staging environment.
  4. --review-owner, the review owner of the workload. The name, email address, or identifier for the primary group or individual that owns the workload review process.
  5. --lenses, A list of Lenses. Current possible Lenses are serverless and wellarchitected
aws wellarchitected create-workload
  --name "Web Application"
  --description "A AWAF workload for my web application"
  --environment "PREPRODUCTION"
  --review-owner "owner@email.com"
  --lenses "serverless"

References

Publication date Mar 4, 2019

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

AWS Well-Architected Tool in Use

Risk Level: Medium