AWS Well-Architected Framework
The AWS Well-Architected Framework provides architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable workloads in AWS. Unlike prescriptive compliance benchmarks, the Well-Architected Framework offers guidance that helps you make informed decisions about your architecture.
Guardian Pro maps its automated checks to the Well-Architected Framework pillars, giving you continuous insight into how well your infrastructure aligns with AWS's own best practices.
The Six Pillars
The AWS Well-Architected Framework is organised around six pillars. Guardian Pro evaluates your infrastructure against each:
Operational Excellence
The Operational Excellence pillar focuses on running and monitoring systems to deliver business value and continually improving processes:
- Infrastructure as Code -- CloudFormation stack health, drift detection, template governance
- Monitoring and observability -- CloudWatch alarms, log groups, metric configurations
- Operational readiness -- Automated backups, snapshot policies, maintenance windows
- Change management -- Configuration tracking, tagging standards, resource organisation
Security
The Security pillar focuses on protecting information, systems, and assets through risk assessment and mitigation:
- Identity and access management -- IAM policies, MFA enforcement, least-privilege access
- Detection -- CloudTrail logging, VPC flow logs, security monitoring
- Infrastructure protection -- Security groups, network ACLs, VPC configurations
- Data protection -- Encryption at rest and in transit, key management
- Incident response -- Logging completeness, alerting configurations
Reliability
The Reliability pillar ensures that workloads perform their intended function correctly and consistently:
- Fault tolerance -- Multi-AZ deployments, auto-scaling, load balancing
- Backup and recovery -- Automated backups, snapshot policies, cross-region replication
- Service limits -- Resource quotas and scaling headroom
- Health monitoring -- Health checks, alarm configurations, dead letter queues
Performance Efficiency
The Performance Efficiency pillar focuses on using computing resources efficiently to meet requirements:
- Right-sized resources -- Instance types matched to workload requirements
- Scaling policies -- Auto-scaling configurations, target tracking policies
- Caching -- ElastiCache configurations, CloudFront distributions
- Database optimisation -- Read replicas, connection pooling, index usage
Cost Optimisation
The Cost Optimisation pillar focuses on achieving the best return on investment:
- Cost-effective resources -- Reserved instances, savings plans, spot instances
- Demand management -- Auto-scaling, scheduled scaling
- Waste elimination -- Unused resources, unattached volumes, idle load balancers
- Budget controls -- Cost monitoring, anomaly detection, spending alerts
Sustainability
The Sustainability pillar focuses on minimising the environmental impact of running cloud workloads:
- Resource efficiency -- Right-sizing, utilisation optimisation
- Managed services -- Leveraging serverless and managed services where appropriate
- Region selection -- Awareness of regional carbon intensity
How Guardian Pro Evaluates Well-Architected Controls
Guardian Pro maps its automated checks to Well-Architected best practices. Each control is evaluated based on the results of relevant checks across your environment:
| Status | Meaning |
|---|---|
| PASS | All mapped checks are passing, indicating alignment with this best practice |
| FAIL | One or more checks have detected deviations from this best practice |
| NOT APPLICABLE | The best practice targets services or patterns not present in your environment |
The AWS Well-Architected Framework is intentionally broad and context-dependent. Some best practices may not apply to every workload. Use exceptions to document architectural decisions where you have intentionally deviated from a recommendation.
Viewing Your Well-Architected Score
After subscribing to the Well-Architected framework:
- Open the Compliance Dashboard.
- Locate the AWS Well-Architected score card.
- Click through to see controls grouped by pillar.
- Filter by pillar to focus on a specific area (Security, Reliability, Cost Optimisation, etc.).
Per-Pillar Breakdown
The controls list allows you to filter by individual pillars, making it easy to focus your improvement efforts:
- Security pillar failing? Focus on encryption, access controls, and logging.
- Reliability pillar low? Look at multi-AZ deployments, backups, and auto-scaling.
- Cost Optimisation gaps? Review rightsizing, unused resources, and commitment coverage.
Common Well-Architected Gaps
Reliability
The most common reliability gaps include:
- Single-AZ databases -- RDS instances, ElastiCache clusters, or Elasticsearch domains deployed in a single availability zone
- No auto-scaling -- EC2 instances or ECS services without auto-scaling policies
- Missing backups -- Resources without automated backup or snapshot configurations
- No health checks -- Load balancers without properly configured health checks
Security
Frequent security gaps include:
- Unencrypted storage -- EBS volumes, S3 buckets, or databases without encryption
- Overly permissive access -- Security groups with 0.0.0.0/0 ingress, wildcard IAM policies
- Incomplete logging -- Missing CloudTrail coverage, disabled VPC flow logs
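The "overly permissive access" gap above, checked offline and rolled up into the PASS / FAIL / NOT APPLICABLE statuses described earlier; this is an added example, not Guardian Pro's own code. The sample data, the definition of a wildcard policy (an Allow on Action "*" over Resource "*"), and the one-check-per-resource-type roll-up are assumptions made for the illustration.

```python
# Constructed sample data, shaped like EC2 DescribeSecurityGroups output
# and IAM policy documents. All ids and names are made up.
GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
POLICIES = {
    "admin-example": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "reader-example": {"Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                                     "Resource": "arn:aws:s3:::example-bucket/*"}},
}

def as_list(value):
    # IAM accepts a single value wherever a list is allowed; normalise both.
    return value if isinstance(value, list) else [value]

def open_ingress(groups):
    # (group id, from port, to port) for every rule open to any IPv4/IPv6 source.
    found = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                found.append((group["GroupId"], rule.get("FromPort"), rule.get("ToPort")))
    return found

def wildcard_policies(policies):
    # Assumed definition of "wildcard": an Allow on Action "*" over Resource "*".
    def is_wild(stmt):
        return (stmt.get("Effect") == "Allow"
                and "*" in as_list(stmt.get("Action", []))
                and "*" in as_list(stmt.get("Resource", [])))
    return [name for name, doc in policies.items()
            if any(is_wild(s) for s in as_list(doc.get("Statement", [])))]

def control_status(groups, policies):
    # Assumed roll-up: one check per resource type present in the environment.
    checks = []
    if groups:
        checks.append(not open_ingress(groups))
    if policies:
        checks.append(not wildcard_policies(policies))
    if not checks:
        return "NOT APPLICABLE"
    return "PASS" if all(checks) else "FAIL"
```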
Cost Optimisation
Common cost optimisation findings include:
- Oversized instances -- EC2 or RDS instances running well below capacity
- Unattached resources -- EBS volumes, Elastic IPs, or load balancers with no active targets
- Missing commitment coverage -- On-demand spending that could benefit from Reserved Instances or Savings Plans
The Well-Architected Framework pairs well with Guardian Pro's Architecture Advisor. While the compliance view shows you where you deviate from best practices, the Architecture Advisor provides topology-aware analysis including failure simulation and risk radar.
Well-Architected Reviews
If you are conducting a formal AWS Well-Architected Review (using the AWS Well-Architected Tool), Guardian Pro's compliance data can accelerate the process:
- Pre-populate answers -- Use your Guardian Pro compliance scores to answer Well-Architected Review questions with data-backed evidence.
- Identify high-risk items (HRIs) -- Failing controls map directly to areas that would be flagged as high-risk items in a formal review.
- Generate improvement plans -- Export your failing controls as a prioritised improvement plan.
- Track progress -- Use compliance trends to track improvements over your review period.
Relationship to Other Frameworks
The Well-Architected Framework overlaps with other compliance frameworks in several areas:
- Security pillar overlaps significantly with the CIS AWS Foundations Benchmark
- Data protection controls align with GDPR encryption and access requirements
- Operational controls complement SOC 2 system operations criteria
Subscribing to multiple frameworks gives you a comprehensive view. Guardian Pro shows which checks are shared across frameworks, so a single fix can improve multiple compliance scores simultaneously.