{"id":272,"date":"2026-04-13T11:01:18","date_gmt":"2026-04-13T11:01:18","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/aws-well-architected-tool-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/"},"modified":"2026-04-13T11:01:18","modified_gmt":"2026-04-13T11:01:18","slug":"aws-well-architected-tool-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/aws-well-architected-tool-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-management-and-governance\/","title":{"rendered":"AWS Well-Architected Tool Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Management and governance"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Management and governance<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

AWS Well-Architected Tool is an AWS Management and governance service that helps you review, measure, and improve your cloud architectures against AWS best practices.<\/p>\n\n\n\n

In simple terms: you describe a workload (an application or system), answer guided questions, and the tool identifies risks and recommended improvements using the AWS Well-Architected Framework pillars.<\/p>\n\n\n\n

Technically, AWS Well-Architected Tool is a managed review workflow that organizes your architecture assessment into workloads<\/strong>, evaluates them using lenses<\/strong> (including the AWS Well-Architected Framework lens), tracks high-risk issues (HRIs)<\/strong>, and lets you create milestones<\/strong> to snapshot progress over time. It also supports automation through an API\/SDK so teams can standardize reviews and reporting across many workloads and accounts.<\/p>\n\n\n\n

The problem it solves is common in real environments: teams scale faster than architecture documentation and governance. Without a consistent method, architecture reviews become subjective, inconsistent, and hard to operationalize. AWS Well-Architected Tool provides a repeatable mechanism to identify risks early, align on best practices, track improvements, and demonstrate governance over time.<\/p>\n\n\n\n

2. What is AWS Well-Architected Tool?<\/h2>\n\n\n\n

Official purpose:<\/strong> AWS Well-Architected Tool helps you review the state of your workloads and compares them to the latest AWS architectural best practices<\/strong>. It is designed to operationalize the AWS Well-Architected Framework in a consistent, auditable way.\nOfficial docs: https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/userguide\/what-is-aws-well-architected-tool.html<\/p>\n\n\n\n

Core capabilities<\/h3>\n\n\n\n
    \n
  • Create and manage workloads<\/strong> (applications\/systems you want to review).<\/li>\n
  • Assess workloads using lenses<\/strong> (sets of questions and best practices), including AWS-provided lenses and custom lenses<\/strong>.<\/li>\n
  • Identify high-risk issues (HRIs)<\/strong> and improvement opportunities.<\/li>\n
  • Capture point-in-time snapshots via milestones<\/strong> to track progress.<\/li>\n
  • Share workloads with other AWS principals\/accounts (for collaboration and reviews).<\/li>\n
  • Programmatic access via the AWS Well-Architected Tool API<\/strong> (for automation and reporting).<\/li>\n<\/ul>\n\n\n\n

    Major components (conceptual model)<\/h3>\n\n\n\n
      \n
    • Workload:<\/strong> A reviewed system\/application, including metadata such as environment, regions, and answers to review questions.<\/li>\n
    • Lens:<\/strong> A structured set of best-practice questions. AWS provides the core Well-Architected Framework lens and may provide additional domain lenses (availability varies; use what appears in your console).<\/li>\n
    • Question \/ Best practice:<\/strong> Each lens contains questions mapped to best practices.<\/li>\n
    • Risk levels & HRIs:<\/strong> The tool flags risks based on your answers (HRIs are the most urgent).<\/li>\n
    • Milestone:<\/strong> A snapshot of your workload\u2019s review state at a point in time.<\/li>\n
    • Sharing \/ collaboration:<\/strong> Controlled access to workloads and reviews.<\/li>\n
    • API\/SDK:<\/strong> Enables repeatable governance and integration with internal tooling.<\/li>\n<\/ul>\n\n\n\n

      Service type and scope<\/h3>\n\n\n\n
        \n
      • Service type:<\/strong> Managed governance\/review tool (console + API). It does not deploy infrastructure; it helps you assess and govern it.<\/li>\n
      • Scope:<\/strong> Workloads are created per AWS account<\/strong> and accessed via IAM permissions. Workload sharing enables cross-account collaboration.<\/li>\n
      • Regional vs global:<\/strong> AWS Well-Architected Tool is a regional service<\/strong> (you select a region in the console). Your workload can describe architectures spanning multiple regions, but the review data is stored\/managed in the region where you create the workload. Verify region availability and data residency requirements in official docs and the AWS Regional Services List: https:\/\/aws.amazon.com\/about-aws\/global-infrastructure\/regional-product-services\/<\/li>\n<\/ul>\n\n\n\n

        How it fits into the AWS ecosystem<\/h3>\n\n\n\n

        AWS Well-Architected Tool complements (not replaces) operational services:\n– AWS Organizations \/ multi-account strategy:<\/strong> Perform consistent reviews across accounts; use sharing and standard processes.\n– AWS IAM \/ IAM Identity Center:<\/strong> Control who can create, view, and update reviews.\n– AWS CloudTrail:<\/strong> Audit API actions performed in the tool.\n– AWS Config, Trusted Advisor, Security Hub, CloudWatch, Systems Manager:<\/strong> These provide operational signals and controls; Well-Architected Tool provides a structured architecture-review process to guide improvements using those signals.<\/p>\n\n\n\n

        3. Why use AWS Well-Architected Tool?<\/h2>\n\n\n\n

        Business reasons<\/h3>\n\n\n\n
          \n
        • Reduce risk and downtime:<\/strong> Identify design gaps before they become incidents.<\/li>\n
        • Make architecture decisions consistent:<\/strong> Standardize how teams evaluate architectures.<\/li>\n
        • Improve time-to-market responsibly:<\/strong> Ship faster without skipping governance.<\/li>\n
        • Support stakeholder reporting:<\/strong> Milestones and reports help communicate progress and risk posture to leadership.<\/li>\n<\/ul>\n\n\n\n

          Technical reasons<\/h3>\n\n\n\n
            \n
          • Framework-driven reviews:<\/strong> Align to AWS best practices across pillars.<\/li>\n
          • Repeatability:<\/strong> Run the same review pattern across dozens\/hundreds of workloads.<\/li>\n
          • Versioned progress tracking:<\/strong> Milestones provide traceability over time.<\/li>\n
          • Automation:<\/strong> API-based workflows enable inventory, reporting, and governance at scale.<\/li>\n<\/ul>\n\n\n\n

            Operational reasons<\/h3>\n\n\n\n
              \n
            • Create a review cadence:<\/strong> Quarterly reviews, pre-launch reviews, or post-incident reviews.<\/li>\n
            • Operationalize improvements:<\/strong> HRIs can drive backlog items and remediation plans.<\/li>\n
            • Better handoffs:<\/strong> Shared workload reviews improve collaboration among platform, security, and app teams.<\/li>\n<\/ul>\n\n\n\n

              Security\/compliance reasons<\/h3>\n\n\n\n
                \n
              • Evidence of governance:<\/strong> Auditors often want proof of architecture oversight. Milestones and review artifacts can help demonstrate process (but do not replace formal compliance controls).<\/li>\n
              • Shared language:<\/strong> Security, engineering, and ops teams can align on risk categories and best-practice expectations.<\/li>\n<\/ul>\n\n\n\n

                Scalability\/performance reasons<\/h3>\n\n\n\n
                  \n
                • Design for growth:<\/strong> The Performance Efficiency pillar helps teams identify bottlenecks and plan capacity\/scaling strategies.<\/li>\n
                • Avoid re-architecture costs:<\/strong> Catch foundational issues early (networking, data design, scaling patterns).<\/li>\n<\/ul>\n\n\n\n

                  When teams should choose AWS Well-Architected Tool<\/h3>\n\n\n\n
                    \n
                  • You run workloads on AWS and need a structured<\/strong> architecture review process.<\/li>\n
                  • You want to standardize best practices across multiple teams\/accounts.<\/li>\n
                  • You need to track improvements over time with milestones.<\/li>\n
                  • You want to build an internal governance program (architecture reviews as code\/process).<\/li>\n<\/ul>\n\n\n\n

                    When teams should not choose it<\/h3>\n\n\n\n
                      \n
                    • You need real-time operational monitoring<\/strong> or automated drift remediation (use CloudWatch, Config, Systems Manager, etc.).<\/li>\n
                    • Your workloads are entirely outside AWS and you need a cloud-agnostic tool with deep integrations across multiple clouds (you might use internal checklists or third-party governance platforms).<\/li>\n
                    • You are looking for a service that automatically fixes issues; AWS Well-Architected Tool identifies risk and recommendations, but remediation is up to your team.<\/li>\n<\/ul>\n\n\n\n

                      4. Where is AWS Well-Architected Tool used?<\/h2>\n\n\n\n

                      Industries<\/h3>\n\n\n\n
                        \n
                      • SaaS and technology:<\/strong> Standardizing reviews across many microservices.<\/li>\n
                      • Financial services \/ regulated industries:<\/strong> Governance, audit trails, and repeatable review processes.<\/li>\n
                      • Healthcare:<\/strong> Aligning security and reliability practices with compliance needs.<\/li>\n
                      • E-commerce \/ media:<\/strong> Performance and resilience under demand spikes.<\/li>\n
                      • Public sector \/ education:<\/strong> Governance and cost controls across many teams.<\/li>\n<\/ul>\n\n\n\n

                        Team types<\/h3>\n\n\n\n
                          \n
                        • Platform engineering and cloud enablement teams (standardize review processes).<\/li>\n
                        • Solution architects (pre-launch and design reviews).<\/li>\n
                        • SRE\/operations (post-incident learning, reliability reviews).<\/li>\n
                        • Security engineering and GRC (security posture improvement and evidence of process).<\/li>\n
                        • Product engineering teams (self-service reviews as part of delivery).<\/li>\n<\/ul>\n\n\n\n

                          Workloads and architectures<\/h3>\n\n\n\n
                            \n
                          • Microservices and container platforms (EKS\/ECS).<\/li>\n
                          • Serverless applications (Lambda\/API Gateway\/event-driven).<\/li>\n
                          • Data platforms (lake\/warehouse\/streaming).<\/li>\n
                          • Traditional 3-tier web apps and enterprise apps.<\/li>\n
                          • Hybrid connectivity (VPN\/Direct Connect) architectures.<\/li>\n<\/ul>\n\n\n\n

                            Real-world deployment contexts<\/h3>\n\n\n\n
                              \n
                            • Pre-production gates:<\/strong> Reviews before launch or major releases.<\/li>\n
                            • Post-migration:<\/strong> Validate architecture after moving to AWS.<\/li>\n
                            • Continuous improvement:<\/strong> Quarterly or semiannual reviews.<\/li>\n
                            • M&A \/ portfolio rationalization:<\/strong> Assess and standardize inherited workloads.<\/li>\n<\/ul>\n\n\n\n

                              Production vs dev\/test usage<\/h3>\n\n\n\n
                                \n
                              • Production:<\/strong> Most valuable when assessing critical production workloads and tracking milestones over time.<\/li>\n
                              • Dev\/test:<\/strong> Useful for teaching best practices early and preventing \u201cbad patterns\u201d from reaching production.<\/li>\n<\/ul>\n\n\n\n

                                5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                Below are realistic scenarios where AWS Well-Architected Tool fits well.<\/p>\n\n\n\n

                                1) Pre-launch architecture review for a new production workload<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Teams are about to launch without a consistent review process.<\/li>\n
                                • Why this service fits:<\/strong> Provides a structured checklist aligned to AWS best practices.<\/li>\n
                                • Example:<\/strong> A payments API prepares for GA; architects run a Well-Architected review and address HRIs before launch.<\/li>\n<\/ul>\n\n\n\n

                                  2) Standardized quarterly reviews across a microservices portfolio<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Hundreds of services drift over time; architecture standards vary by team.<\/li>\n
                                  • Why it fits:<\/strong> Repeatable reviews; milestones show progress and prevent regression.<\/li>\n
                                  • Example:<\/strong> Platform team requires a quarterly milestone for each tier-1 service.<\/li>\n<\/ul>\n\n\n\n

                                    3) Post-incident resilience review (\u201clearning review\u201d)<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> A major outage occurred; root causes point to architectural gaps.<\/li>\n
                                    • Why it fits:<\/strong> Reliability pillar and operational excellence questions guide remediation planning.<\/li>\n
                                    • Example:<\/strong> After a regional dependency issue, the team reviews failover design and creates an improvement plan.<\/li>\n<\/ul>\n\n\n\n

                                      4) Migration readiness and modernization planning<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Lift-and-shift apps run, but aren\u2019t optimized for AWS.<\/li>\n
                                      • Why it fits:<\/strong> Identifies cost, performance, and reliability improvements after migration.<\/li>\n
                                      • Example:<\/strong> An ERP workload is moved to EC2; review highlights backup strategy gaps and scaling opportunities.<\/li>\n<\/ul>\n\n\n\n

                                        5) Security baseline assessment for regulated workloads<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Security requirements are known, but implementation is inconsistent.<\/li>\n
                                        • Why it fits:<\/strong> Security pillar questions drive consistent controls and operational practices.<\/li>\n
                                        • Example:<\/strong> A healthcare app review identifies gaps in audit logging and identity governance.<\/li>\n<\/ul>\n\n\n\n

                                          6) Cost optimization program across business units<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Cloud spend increases; teams lack a consistent approach to cost efficiency.<\/li>\n
                                          • Why it fits:<\/strong> Cost Optimization pillar provides targeted questions and actions.<\/li>\n
                                          • Example:<\/strong> FinOps team reviews top-10 spend workloads and uses HRIs to prioritize savings work.<\/li>\n<\/ul>\n\n\n\n

                                            7) Multi-account governance for a cloud center of excellence (CCoE)<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Many accounts and teams; no consistent architecture oversight.<\/li>\n
                                            • Why it fits:<\/strong> Workload reviews plus sharing enable centralized visibility while keeping app ownership.<\/li>\n
                                            • Example:<\/strong> CCoE defines a review standard and requires milestone evidence for production workloads.<\/li>\n<\/ul>\n\n\n\n

                                              8) Introducing new engineers to AWS architectural best practices<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> New hires build services but lack AWS best-practice context.<\/li>\n
                                              • Why it fits:<\/strong> The guided questions teach the \u201cwhy\u201d behind design choices.<\/li>\n
                                              • Example:<\/strong> A bootcamp uses a sample workload review as a training exercise.<\/li>\n<\/ul>\n\n\n\n

                                                9) Vendor\/partner collaboration on architecture (with controlled sharing)<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> External partner needs to participate in a review without broad account access.<\/li>\n
                                                • Why it fits:<\/strong> Share workload review access with least privilege.<\/li>\n
                                                • Example:<\/strong> A consulting partner reviews reliability and security choices for a new platform.<\/li>\n<\/ul>\n\n\n\n

                                                  10) Creating an internal \u201carchitecture review as code\u201d workflow<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem:<\/strong> Reviews are manual and hard to track.<\/li>\n
                                                  • Why it fits:<\/strong> API enables automation: list workloads, track HRIs, export artifacts, build dashboards.<\/li>\n
                                                  • Example:<\/strong> A CI job checks that a workload has a recent milestone before allowing a major production release.<\/li>\n<\/ul>\n\n\n\n

                                                    11) Consolidating architecture documentation and decision records<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem:<\/strong> Architecture docs are scattered across wikis and tickets.<\/li>\n
                                                    • Why it fits:<\/strong> The workload object provides a consistent, searchable home for review outcomes.<\/li>\n
                                                    • Example:<\/strong> Architects record key decisions and notes per question and track improvements over time.<\/li>\n<\/ul>\n\n\n\n

                                                      12) Assessing shared platform services (network, identity, CI\/CD)<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem:<\/strong> Platform teams also own \u201cworkloads\u201d that impact many apps.<\/li>\n
                                                      • Why it fits:<\/strong> Apply the framework lens to platform components and track improvements.<\/li>\n
                                                      • Example:<\/strong> Identity platform review identifies gaps in break-glass access procedures and logging.<\/li>\n<\/ul>\n\n\n\n

                                                        6. Core Features<\/h2>\n\n\n\n

                                                        This section focuses on current, commonly used AWS Well-Architected Tool capabilities. If a feature\u2019s availability differs by region or account type, verify in official docs<\/strong>.<\/p>\n\n\n\n

                                                        Workloads<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Creates a named entity representing an application\/system and its architecture review data.<\/li>\n
                                                        • Why it matters:<\/strong> Establishes a consistent unit of governance and reporting.<\/li>\n
                                                        • Practical benefit:<\/strong> Lets you track risk and improvements by application, team, or business unit.<\/li>\n
                                                        • Caveats:<\/strong> Workloads are created in a specific AWS region; plan for data residency and standardize which region your organization uses.<\/li>\n<\/ul>\n\n\n\n

                                                          AWS-provided lenses (including the AWS Well-Architected Framework lens)<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Provides structured questions aligned to the Well-Architected pillars.<\/li>\n
                                                          • Why it matters:<\/strong> Standardizes how architects evaluate and improve designs.<\/li>\n
                                                          • Practical benefit:<\/strong> Teams get consistent recommendations and can compare maturity across workloads.<\/li>\n
                                                          • Caveats:<\/strong> Lens content can evolve. Re-run reviews periodically to align with updated best practices.<\/li>\n<\/ul>\n\n\n\n

                                                            Custom lenses<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Allows organizations to create their own lens tailored to internal standards (for example, security baselines or platform requirements).<\/li>\n
                                                            • Why it matters:<\/strong> Many companies have requirements beyond generic guidance.<\/li>\n
                                                            • Practical benefit:<\/strong> Embed organizational policies and reusable patterns into the review process.<\/li>\n
                                                            • Caveats:<\/strong> Custom lenses require maintenance and governance (versioning, ownership, review). Validate custom lens questions for clarity and actionability.<\/li>\n<\/ul>\n\n\n\n

                                                              Question-level notes, choices, and review workflow<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Captures answers to lens questions, notes, and rationale.<\/li>\n
                                                              • Why it matters:<\/strong> Architecture decisions need context, not just checkboxes.<\/li>\n
                                                              • Practical benefit:<\/strong> Helps with knowledge transfer and auditability of decisions.<\/li>\n
                                                              • Caveats:<\/strong> Avoid putting secrets (passwords, keys) into notes.<\/li>\n<\/ul>\n\n\n\n

                                                                Risk identification (including High-Risk Issues \/ HRIs)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Flags risk levels based on answers, surfacing HRIs to prioritize remediation.<\/li>\n
                                                                • Why it matters:<\/strong> Not all issues are equal; HRIs help triage.<\/li>\n
                                                                • Practical benefit:<\/strong> Teams can focus limited time on the most impactful improvements first.<\/li>\n
                                                                • Caveats:<\/strong> The tool identifies risk based on framework logic; your context may change priority. Use engineering judgment.<\/li>\n<\/ul>\n\n\n\n

                                                                  Improvement plans and reports<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Provides ways to summarize results and recommended improvements for a workload review.<\/li>\n
                                                                  • Why it matters:<\/strong> Teams need actionable outputs, not just assessment data.<\/li>\n
                                                                  • Practical benefit:<\/strong> Supports converting review outcomes into a remediation backlog.<\/li>\n
                                                                  • Caveats:<\/strong> Export\/report formats and options may vary. Use the console options available in your region and verify in docs.<\/li>\n<\/ul>\n\n\n\n

                                                                    Milestones (point-in-time snapshots)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does:<\/strong> Captures a snapshot of the workload review at a moment in time.<\/li>\n
                                                                    • Why it matters:<\/strong> Architecture is a moving target; milestones show progress and regression.<\/li>\n
                                                                    • Practical benefit:<\/strong> Enables governance like \u201cmust have a milestone within last 90 days\u201d for tier-1 workloads.<\/li>\n
                                                                    • Caveats:<\/strong> Milestones are snapshots, not automatic enforcement. You still need process and ownership.<\/li>\n<\/ul>\n\n\n\n

                                                                      Sharing and collaboration<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does:<\/strong> Lets you share workloads for review collaboration, potentially across accounts.<\/li>\n
                                                                      • Why it matters:<\/strong> Reviews often involve multiple teams (security, platform, app).<\/li>\n
                                                                      • Practical benefit:<\/strong> Enables distributed ownership while keeping centralized governance.<\/li>\n
                                                                      • Caveats:<\/strong> Treat sharing as access control. Use least privilege and periodically review who has access.<\/li>\n<\/ul>\n\n\n\n

                                                                        API\/SDK access (automation)<\/h3>\n\n\n\n
                                                                          \n
                                                                        • What it does:<\/strong> Allows programmatic management of workloads, lens reviews, milestones, and sharing.<\/li>\n
                                                                        • Why it matters:<\/strong> At scale, manual reviews and reporting become a bottleneck.<\/li>\n
                                                                        • Practical benefit:<\/strong> Build dashboards, automate compliance checks, export review status to internal systems.<\/li>\n
                                                                        • Caveats:<\/strong> API permissions must be carefully scoped. Also account for regional endpoints.<\/li>\n<\/ul>\n\n\n\n

                                                                          Tagging (resource organization)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • What it does:<\/strong> Supports tags for workloads (and possibly other entities depending on AWS support; verify in docs).<\/li>\n
                                                                          • Why it matters:<\/strong> Tags enable cost allocation, ownership mapping, and portfolio views.<\/li>\n
                                                                          • Practical benefit:<\/strong> Filter workloads by team, environment, system tier, or compliance domain.<\/li>\n
                                                                          • Caveats:<\/strong> Standardize tag keys\/values to avoid fragmentation.<\/li>\n<\/ul>\n\n\n\n

                                                                            7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                            High-level architecture<\/h3>\n\n\n\n

                                                                            AWS Well-Architected Tool is a managed AWS service. You interact through:\n– AWS Management Console<\/strong> (interactive reviews, HRIs, milestones)\n– AWS Well-Architected Tool API<\/strong> (automation)\n– IAM<\/strong> for authentication\/authorization<\/p>\n\n\n\n

                                                                            The service stores your workload review metadata and answers. You can share workloads with other principals\/accounts for collaboration.<\/p>\n\n\n\n

                                                                            Request\/data\/control flow (conceptual)<\/h3>\n\n\n\n
                                                                              \n
                                                                            1. User authenticates to AWS via IAM (or IAM Identity Center in many orgs).<\/li>\n
                                                                            2. User opens AWS Well-Architected Tool in a chosen region.<\/li>\n
                                                                            3. User creates a workload and selects one or more lenses.<\/li>\n
                                                                            4. User answers lens questions; the service evaluates risk and flags HRIs.<\/li>\n
                                                                            5. User generates reports\/improvement plan and captures milestones.<\/li>\n
                                                                            6. Optional: automation via API lists workloads, exports results, enforces review cadence.<\/li>\n<\/ol>\n\n\n\n

                                                                              Integrations and related services<\/h3>\n\n\n\n

                                                                              Common integrations in real environments:\n– AWS IAM \/ IAM Identity Center:<\/strong> access control.\n– AWS Organizations:<\/strong> multi-account governance patterns.\n– AWS CloudTrail:<\/strong> audit API calls (who changed what).\n– AWS Service Quotas:<\/strong> track any service limits (verify quotas for this service).\n– Ticketing\/Backlog tools:<\/strong> not a native AWS integration, but teams commonly export improvement items and track them in Jira\/ADO\/GitHub Issues (manual or automated).<\/p>\n\n\n\n

                                                                              Dependency services<\/h3>\n\n\n\n

                                                                              AWS Well-Architected Tool itself is managed; you don\u2019t provision compute. The main \u201cdependencies\u201d are your identity and governance foundations:\n– IAM roles\/policies\n– Org structure (if used)\n– CloudTrail for auditing<\/p>\n\n\n\n

                                                                              Security\/authentication model<\/h3>\n\n\n\n
                                                                                \n
                                                                              • Uses AWS IAM<\/strong> for authentication and authorization.<\/li>\n
                                                                              • Access is controlled by IAM permissions to the Well-Architected Tool API actions and resource ARNs.<\/li>\n
                                                                              • Sharing workloads extends access to other principals\/accounts (within boundaries you control).<\/li>\n<\/ul>\n\n\n\n

                                                                                Networking model<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Primarily accessed via the public AWS Console endpoints.<\/li>\n
                                                                                • API calls go to regional service endpoints over HTTPS.<\/li>\n
                                                                                • If you have strict egress requirements, validate endpoint behavior and corporate network allowlists. For private connectivity requirements, verify in official docs<\/strong> whether the service supports AWS PrivateLink\/VPC endpoints in your region (do not assume).<\/li>\n<\/ul>\n\n\n\n

                                                                                  Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Use AWS CloudTrail<\/strong> to log API actions for change tracking and audits.<\/li>\n
                                                                                  • Use IAM Access Analyzer and periodic access reviews for principals who can share or modify workloads.<\/li>\n
                                                                                  • Establish governance standards:<\/li>\n
                                                                                  • Naming conventions for workloads<\/li>\n
                                                                                  • Required tags (Owner, CostCenter, Environment, DataClassification)<\/li>\n
                                                                                  • Review cadence and milestone frequency<\/li>\n
                                                                                  • HRI remediation SLAs for tier-1 workloads<\/li>\n<\/ul>\n\n\n\n

                                                                                    Simple diagram (conceptual)<\/h4>\n\n\n\n
                                                                                    flowchart LR\n  U[Engineer \/ Architect] -->|Console or API| WA[AWS Well-Architected Tool (Regional)]\n  WA --> L[Lenses (AWS-provided + Custom)]\n  WA --> R[Review Results\\nRisks \/ HRIs]\n  R --> M[Milestones]\n  R --> P[Improvement Plan \/ Reports]\n<\/code><\/pre>\n\n\n\n
                                                                                    Production-style diagram (governed multi-account usage)<\/h4>\n\n\n\n
                                                                                    flowchart TB\n  subgraph Org[AWS Organization]\n    A1[App Account(s)]\n    A2[Shared Services \/ Platform Account]\n    A3[Security \/ Audit Account]\n  end\n\n  IdP[IAM Identity Center \/ IAM Federation] --> IAM[IAM Permissions & Roles]\n\n  IAM --> WA1[AWS Well-Architected Tool\\n(Region chosen by org)]\n  A1 -->|Workload owners create\/update reviews| WA1\n  A2 -->|Platform team contributes| WA1\n  A3 -->|Security reviewers read\/verify| WA1\n\n  WA1 --> CT[CloudTrail Logs]\n  CT --> SIEM[Central log archive \/ SIEM\\n(optional)]\n\n  WA1 --> EXP[Exports \/ Reports]\n  EXP --> Repo[Internal repo or docs site\\n(optional)]\n  EXP --> Backlog[Ticketing \/ backlog system\\n(manual or automated)]\n\n  classDef optional stroke-dasharray: 5 5;\n  class SIEM,Repo,Backlog optional;\n<\/code><\/pre>\n\n\n\n
                                                                                    8. Prerequisites<\/h2>\n\n\n\n
                                                                                    Account requirements<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • An active AWS account<\/strong> with access to the AWS Management Console.<\/li>\n
                                                                                    • If you work in a multi-account org, you may want:<\/li>\n
                                                                                    • AWS Organizations configured<\/li>\n
                                                                                    • A standard \u201cgovernance\u201d account strategy<\/li>\n
                                                                                    • A chosen home region for reviews (for consistency and data residency)<\/li>\n<\/ul>\n\n\n\n
                                                                                      Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                      You need IAM permissions to use AWS Well-Architected Tool. AWS provides documentation and API action names. The safest approach is:\n– Start with broader access for lab usage (in a sandbox).\n– Tighten to least privilege for production.<\/p>\n\n\n\n
                                                                                      Practical minimum for labs:<\/strong> ability to create and manage workloads in AWS Well-Architected Tool in a single region.<\/p>\n\n\n\n
                                                                                      If you do not have an AWS-managed policy available in your account, you can create a customer-managed policy. Example (broad for lab; tighten in production):<\/p>\n\n\n\n
                                                                                      {\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"WellArchitectedToolFullAccessForLab\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"wellarchitected:*\",\n      \"Resource\": \"*\"\n    }\n  ]\n}\n<\/code><\/pre>\n\n\n\n
                                                                                      For production, scope permissions to specific actions and resources; use CloudTrail to see required calls. Verify the latest IAM actions and resource ARN formats in the official API reference<\/strong>:\nhttps:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/APIReference\/Welcome.html<\/p>\n\n\n\n
                                                                                      Billing requirements<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • AWS Well-Architected Tool is generally advertised as no additional charge<\/strong> for using the tool itself (see Pricing section).<\/li>\n
                                                                                      • You still need billing enabled for your AWS account.<\/li>\n
                                                                                      • Indirect costs may exist for logging\/auditing exports and any remediation changes you implement.<\/li>\n<\/ul>\n\n\n\n
                                                                                        CLI\/SDK\/tools needed<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Optional but recommended for automation:<\/li>\n
                                                                                        • AWS CLI v2<\/strong> (configured with credentials and region)<\/li>\n
                                                                                        • Python\/boto3 or other AWS SDKs (optional)<\/li>\n
                                                                                        • Configure credentials:<\/li>\n
                                                                                        • aws configure<\/code> (for local dev) or<\/li>\n
                                                                                        • SSO\/IAM Identity Center auth flows (enterprise)<\/li>\n<\/ul>\n\n\n\n
                                                                                          Region availability<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • You must choose a region where AWS Well-Architected Tool is available.<\/li>\n
                                                                                          • Standardize a region for your organization\u2019s reviews unless data residency requires otherwise.<\/li>\n
                                                                                          • Verify: https:\/\/aws.amazon.com\/about-aws\/global-infrastructure\/regional-product-services\/<\/li>\n<\/ul>\n\n\n\n
                                                                                            Quotas\/limits<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Service quotas apply (for example, number of workloads, lenses, milestones, shares).\nCheck Service Quotas<\/strong> in the AWS console and\/or the service documentation. Do not assume numeric limits without verification.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Prerequisite services<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • None required to \u201crun\u201d the tool; it is managed.<\/li>\n
                                                                                              • Recommended for governance:<\/li>\n
                                                                                              • AWS CloudTrail enabled (ideally organization-wide)<\/li>\n
                                                                                              • IAM Identity Center or strong IAM role governance for access control<\/li>\n<\/ul>\n\n\n\n
                                                                                                9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                                Current pricing model (accurate, non-fabricated)<\/h3>\n\n\n\n
                                                                                                AWS Well-Architected Tool is commonly documented by AWS as being provided at no charge<\/strong> for using the tool. However, always confirm using official sources because pricing and conditions can change.<\/p>\n\n\n\n
                                                                                                  \n
                                                                                                • Primary product page (commonly references pricing at a high level): https:\/\/aws.amazon.com\/well-architected\/<\/li>\n
                                                                                                • User guide entry point: https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/userguide\/what-is-aws-well-architected-tool.html<\/li>\n
                                                                                                • For broader estimation of related AWS costs, use AWS Pricing Calculator: https:\/\/calculator.aws\/<\/li>\n<\/ul>\n\n\n\n
                                                                                                  If you need a contractual view for enterprise procurement, verify with AWS Sales or your AWS account team.<\/p>\n\n\n\n
                                                                                                  Pricing dimensions<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Direct cost for AWS Well-Architected Tool usage:<\/strong> Typically $0 (verify in official sources above).<\/li>\n
                                                                                                  • Indirect costs:<\/strong> You may incur costs for:<\/li>\n
                                                                                                  • CloudTrail<\/strong> management events logging and storage (S3, CloudWatch Logs) if you store\/retain logs.<\/li>\n
                                                                                                  • Any automation<\/strong> infrastructure you build (Lambda, Step Functions, EventBridge, ECS, etc.).<\/li>\n
                                                                                                  • Any remediation changes<\/strong> you implement in your workloads (for example, adding Multi-AZ databases, additional NAT gateways, extra logging, backups).<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Cost drivers (what actually changes your bill)<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Increased resiliency often increases spend (multi-region, multi-AZ, backups).<\/li>\n
                                                                                                    • More logging and longer retention increases storage costs.<\/li>\n
                                                                                                    • Security controls (WAF, GuardDuty, Security Hub, KMS usage) may add cost.<\/li>\n
                                                                                                    • Performance improvements (caching, higher instance sizes, provisioned throughput) may add cost\u2014though can also reduce waste.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • People\/time cost:<\/strong> Reviews take engineering time; standardize to reduce overhead.<\/li>\n
                                                                                                      • Governance overhead:<\/strong> Custom lenses and org-wide processes need ownership.<\/li>\n
                                                                                                      • Tooling integration:<\/strong> Exporting and tracking HRIs may require custom scripts or pipelines.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • The tool itself is metadata-driven; network costs are typically negligible.<\/li>\n
                                                                                                        • If exports are stored centrally or copied across regions\/accounts, data transfer and storage costs may apply.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          How to optimize cost (while using the tool)<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Treat the tool as free governance, but optimize the remediation plan:<\/li>\n
                                                                                                          • Prioritize HRIs<\/strong> and high-impact improvements.<\/li>\n
                                                                                                          • Quantify cost impact of each remediation item (FinOps + architects).<\/li>\n
                                                                                                          • Use milestones to avoid \u201creview churn\u201d and focus on measurable improvements.<\/li>\n
                                                                                                          • Minimize operational overhead:<\/li>\n
                                                                                                          • Standardize tags and workload metadata.<\/li>\n
                                                                                                          • Use profiles\/custom lenses carefully to reduce duplicate work (verify availability in your environment).<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Example low-cost starter estimate<\/h3>\n\n\n\n
                                                                                                            A starter setup can be effectively $0 additional<\/strong> for the tool itself:\n– Use AWS Well-Architected Tool in one region.\n– Create a few workloads and milestones.\n– Keep exports local\/manual.\n– Ensure CloudTrail is already enabled (many accounts have it by default; org-wide trails may add S3 storage but are usually a standard security baseline anyway).<\/p>\n\n\n\n
                                                                                                            Because exact costs depend on your existing CloudTrail\/logging setup and retention, do not assume a numeric estimate\u2014use the AWS Pricing Calculator for S3\/CloudWatch Logs retention scenarios.<\/p>\n\n\n\n
                                                                                                            Example production cost considerations<\/h3>\n\n\n\n
                                                                                                            In a mature environment:\n– CloudTrail organization trail + long retention in S3 Glacier can be a predictable baseline.\n– A centralized reporting pipeline (Lambda\/Step Functions + storage) adds modest monthly costs.\n– The bigger costs come from implementing<\/strong> recommendations:\n  – Multi-AZ and cross-region architectures\n  – More comprehensive monitoring and alerting\n  – Backup\/DR strategies\n  – Security services and encryption usage<\/p>\n\n\n\n
                                                                                                            10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                            Objective<\/h3>\n\n\n\n
                                                                                                            Create a workload in AWS Well-Architected Tool, run a basic Well-Architected review, identify HRIs, capture a milestone, export\/share results, and then clean up.<\/p>\n\n\n\n
                                                                                                            Lab Overview<\/h3>\n\n\n\n
                                                                                                            You will:\n1. Confirm access and region selection.\n2. Create a workload with core metadata and tags.\n3. Apply the AWS Well-Architected Framework lens and answer a subset of questions.\n4. Review risks\/HRIs and create an improvement plan.\n5. Create a milestone snapshot.\n6. (Optional) Use AWS CLI to list workloads via the API.\n7. Validate results and clean up by deleting the workload.<\/p>\n\n\n\n
                                                                                                            This lab is designed to be safe and low-cost because AWS Well-Architected Tool itself is typically no-charge (verify). You will not deploy any infrastructure.<\/p>\n\n\n\n
                                                                                                            \n\n\n\n
                                                                                                            Step 1: Prepare IAM access and choose a region<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            1. Sign in to the AWS Management Console<\/strong>.<\/li>\n
                                                                                                            2. In the top-right region selector, choose a region where AWS Well-Architected Tool is available (many organizations standardize on one region).<\/li>\n<\/ol>\n\n\n\n
                                                                                                              Expected outcome:<\/strong> You have a chosen region selected and can navigate the console.<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                              1. Confirm you have permissions:\n   – If you can open the AWS Well-Architected Tool console and see the landing page, you likely have at least read access.\n   – If you see AccessDeniedException<\/code>, you need an admin or IAM owner to grant wellarchitected:*<\/code> (or a least-privilege set).<\/li>\n<\/ol>\n\n\n\n
                                                                                                                Open the service: https:\/\/console.aws.amazon.com\/wellarchitected\/<\/p>\n\n\n\n
                                                                                                                Expected outcome:<\/strong> The AWS Well-Architected Tool console loads without permission errors.<\/p>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                Step 2: Create a workload<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                1. In AWS Well-Architected Tool, choose Workloads<\/strong>.<\/li>\n
                                                                                                                2. Choose Create workload<\/strong>.<\/li>\n
                                                                                                                3. \n
                                                                                                                  Fill out key fields (names may vary slightly):\n   – Name:<\/strong> wa-lab-webapp<\/code>\n   – Description:<\/strong> Lab workload for learning AWS Well-Architected Tool<\/code>\n   – Environment:<\/strong> Development<\/code> (or Production<\/code> if you want to simulate prod governance)\n   – Review owner:<\/strong> your email or team alias\n   – AWS Regions:<\/strong> select the region(s) your workload uses (for the lab, select your current region)\n   – Industry type<\/strong> and other metadata: set what is appropriate for the lab<\/p>\n<\/li>\n
                                                                                                                4. \n
                                                                                                                  Add tags (recommended even for a lab):\n   – Owner = <your-name-or-team><\/code>\n   – Environment = lab<\/code>\n   – System = wa-training<\/code><\/p>\n<\/li>\n
                                                                                                                5. \n
                                                                                                                  Choose Create<\/strong>.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                  Expected outcome:<\/strong> A new workload named wa-lab-webapp<\/code> appears in your workloads list.<\/p>\n\n\n\n
                                                                                                                  Verification:<\/strong>\n– Open the workload and confirm the metadata and tags are visible.<\/p>\n\n\n\n
                                                                                                                  \n\n\n\n
                                                                                                                  Step 3: Add the AWS Well-Architected Framework lens and start a review<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Open the workload.<\/li>\n
                                                                                                                  2. Find the Lenses<\/strong> section.<\/li>\n
                                                                                                                  3. \n
                                                                                                                    Ensure the AWS Well-Architected Framework<\/strong> lens is applied\/selected (often the default).\n   – If the console asks you to select lenses, choose the AWS Well-Architected Framework lens.\n   – If you see additional AWS lenses, you may add them, but for this lab stick to the framework lens.<\/p>\n<\/li>\n
                                                                                                                  4. \n
                                                                                                                    Start the review and begin answering questions. For a quick lab pass:\n   – Pick one pillar<\/strong> (for example, Security or Reliability).\n   – Answer a handful of questions honestly for a simple web app:<\/p>\n
                                                                                                                      \n
                                                                                                                    • For items you have not implemented, choose the option that indicates a gap (this will likely produce risks\/HRIs).<\/li>\n
                                                                                                                    • Add a short note explaining assumptions (example: \u201cThis is a dev workload; no DR implemented yet.\u201d)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                      Expected outcome:<\/strong> You have saved answers to several questions and the workload review shows progress.<\/p>\n\n\n\n
                                                                                                                      Verification:<\/strong>\n– Navigate back to the pillar overview and confirm the answered count increased.<\/p>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Step 4: Review identified risks (including HRIs) and generate an improvement plan<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. In the workload, open the Risks<\/strong> view or the High risk issues (HRIs)<\/strong> view (naming may vary).<\/li>\n
                                                                                                                      2. Review the flagged items.<\/li>\n
                                                                                                                      3. \n
                                                                                                                        For at least one HRI:\n   – Open the question.\n   – Read the recommended best practices.\n   – Add a note describing a remediation task (example: \u201cEnable centralized logging and define alerting for authentication failures.\u201d)\n   – If your workflow supports it, mark an owner or priority (options vary).<\/p>\n<\/li>\n
                                                                                                                      4. \n
                                                                                                                        Generate an improvement plan or report using the console option available (for example \u201cImprovement plan\u201d and\/or \u201cExport\/Download report\u201d).\n   – If export formats (PDF\/JSON\/CSV) are offered, choose one suitable for your process.\n   – If you do not see export options in your region\/account, skip export and proceed\u2014feature availability can vary. Verify in official docs<\/strong>.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                        Expected outcome:<\/strong> You can see a prioritized list of risks\/HRIs and have a tangible output (improvement plan\/report) or at least a visible set of actionable items in the console.<\/p>\n\n\n\n
                                                                                                                        Verification:<\/strong>\n– Confirm at least one risk\/HRI is visible (if you answered in a way that indicates gaps).\n– Confirm notes were saved.<\/p>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Step 5: Create a milestone snapshot<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        1. In the workload, find Milestones<\/strong>.<\/li>\n
                                                                                                                        2. Choose Create milestone<\/strong>.<\/li>\n
                                                                                                                        3. Enter:\n   – Milestone name:<\/strong> baseline-review<\/code>\n   – Description:<\/strong> Initial lab baseline review<\/code><\/li>\n
                                                                                                                        4. Create the milestone.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                          Expected outcome:<\/strong> A milestone named baseline-review<\/code> appears, capturing the current review state.<\/p>\n\n\n\n
                                                                                                                          Verification:<\/strong>\n– Open the milestone and confirm it is tied to the workload and includes the review snapshot details.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 6 (Optional): Use AWS CLI to confirm API access and list workloads<\/h3>\n\n\n\n
                                                                                                                          This is optional but useful for automation-oriented teams.<\/p>\n\n\n\n
                                                                                                                            \n
                                                                                                                          1. Ensure AWS CLI v2 is installed:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                            aws --version\n<\/code><\/pre>\n\n\n\n
                                                                                                                              \n
                                                                                                                            1. Ensure you are authenticated and have a default region set (the same region you used in the console):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                              aws configure list\n<\/code><\/pre>\n\n\n\n
                                                                                                                                \n
                                                                                                                              1. List workloads (API names and output depend on AWS CLI version; verify the command group exists for your CLI build):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                aws wellarchitected list-workloads\n<\/code><\/pre>\n\n\n\n
                                                                                                                                If you use named profiles:<\/p>\n\n\n\n
                                                                                                                                aws --profile yourprofile --region us-east-1 wellarchitected list-workloads\n<\/code><\/pre>\n\n\n\n
                                                                                                                                Expected outcome:<\/strong> The CLI returns a list including wa-lab-webapp<\/code>.<\/p>\n\n\n\n
                                                                                                                                Verification:<\/strong>\n– Confirm the workload name\/id appears in output.<\/p>\n\n\n\n
                                                                                                                                Common issue:<\/strong> If the CLI says the command group doesn\u2019t exist, update AWS CLI v2 and verify that wellarchitected<\/code> commands are available for your version. Also confirm you\u2019re using the correct region.<\/p>\n\n\n\n
                                                                                                                                \n\n\n\n
                                                                                                                                Validation<\/h3>\n\n\n\n
                                                                                                                                Use this checklist to confirm the lab succeeded:<\/p>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • You can open the workload wa-lab-webapp<\/code>.<\/li>\n
                                                                                                                                • At least one pillar shows answered questions.<\/li>\n
                                                                                                                                • The workload shows identified risks (and likely HRIs if you selected \u201cnot implemented\u201d style answers).<\/li>\n
                                                                                                                                • A milestone named baseline-review<\/code> exists.<\/li>\n
                                                                                                                                • (Optional) aws wellarchitected list-workloads<\/code> returns your workload.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  For deeper validation in governed environments:\n– Check AWS CloudTrail<\/strong> for wellarchitected.amazonaws.com<\/code> events corresponding to workload creation\/updates (exact event names vary).<\/p>\n\n\n\n
                                                                                                                                  \n\n\n\n
                                                                                                                                  Troubleshooting<\/h3>\n\n\n\n
                                                                                                                                  1) AccessDenied \/ insufficient permissions<\/strong>\n– Symptom: Console shows permission errors, or API calls fail.\n– Fix:\n  – Ensure your role\/user has required wellarchitected:*<\/code> actions (or least-privilege set).\n  – Verify permission boundaries\/SCPs in AWS Organizations aren\u2019t blocking the service.<\/p>\n\n\n\n
                                                                                                                                  2) Workload not visible after creation<\/strong>\n– Symptom: You created a workload but can\u2019t find it.\n– Fix:\n  – Confirm you are in the same AWS region<\/strong> where you created it.\n  – Confirm you\u2019re in the same AWS account (or the workload was shared to you).<\/p>\n\n\n\n
                                                                                                                                  3) Cannot share workload<\/strong>\n– Symptom: Sharing fails or invitation cannot be accepted.\n– Fix:\n  – Verify both accounts\/roles have necessary permissions.\n  – Confirm any org SCPs allow required Well-Architected actions.<\/p>\n\n\n\n
                                                                                                                                  4) CLI commands not found<\/strong>\n– Symptom: aws: error: argument ... invalid choice<\/code>\n– Fix:\n  – Upgrade AWS CLI v2.\n  – Verify service command group availability for your installed version.\n  – Check the AWS CLI reference and the service API reference.<\/p>\n\n\n\n
                                                                                                                                  \n\n\n\n
                                                                                                                                  Cleanup<\/h3>\n\n\n\n
                                                                                                                                  To avoid cluttering your governance inventory:<\/p>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  1. In AWS Well-Architected Tool, open wa-lab-webapp<\/code>.<\/li>\n
                                                                                                                                  2. Remove sharing (if you shared it) to revoke access.<\/li>\n
                                                                                                                                  3. Delete milestones if required by your org process (some workflows delete with workload; verify behavior).<\/li>\n
                                                                                                                                  4. Choose Delete workload<\/strong>.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                    Expected outcome:<\/strong> The workload no longer appears in the workloads list.<\/p>\n\n\n\n
                                                                                                                                    If you created a customer-managed IAM policy for the lab:\n– Detach it from users\/roles and delete it (only if it\u2019s not used elsewhere).<\/p>\n\n\n\n
                                                                                                                                    11. Best Practices<\/h2>\n\n\n\n
                                                                                                                                    Architecture best practices (using the tool effectively)<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Treat workload reviews as living artifacts:<\/strong> Update reviews after major architectural changes, incidents, or migrations.<\/li>\n
                                                                                                                                    • Define workload boundaries clearly:<\/strong> One workload should represent a cohesive system with a clear owner.<\/li>\n
                                                                                                                                    • Use milestones strategically:<\/strong><\/li>\n
                                                                                                                                    • baseline<\/code><\/li>\n
                                                                                                                                    • pre-launch<\/code><\/li>\n
                                                                                                                                    • post-launch-30d<\/code><\/li>\n
                                                                                                                                    • quarterly-review-YYYY-Q#<\/code><\/li>\n
                                                                                                                                    • Focus on HRIs first:<\/strong> HRIs are designed to highlight the highest-priority gaps.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Prefer role-based access<\/strong> over long-lived IAM users.<\/li>\n
                                                                                                                                      • Grant least privilege:<\/li>\n
                                                                                                                                      • Separate roles for read-only reviewers<\/strong> vs workload editors<\/strong>.<\/li>\n
                                                                                                                                      • Restrict who can share workloads<\/strong> externally\/cross-account.<\/li>\n
                                                                                                                                      • Use AWS Organizations SCPs carefully:<\/li>\n
                                                                                                                                      • Don\u2019t block required governance tools, but limit risky actions in production accounts.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Cost best practices<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Use the tool to find cost inefficiencies, but evaluate recommendations with FinOps:<\/li>\n
                                                                                                                                        • Some reliability\/security improvements increase spend.<\/li>\n
                                                                                                                                        • Some performance improvements reduce spend via right-sizing and caching.<\/li>\n
                                                                                                                                        • Export improvement items and estimate cost impact per item before implementation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Performance best practices<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Use review outcomes to drive:<\/li>\n
                                                                                                                                          • Load testing strategy<\/li>\n
                                                                                                                                          • Observability improvements (metrics, traces, logs)<\/li>\n
                                                                                                                                          • Scaling model selection (horizontal\/vertical, caching, async processing)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Tie HRI remediation to reliability targets:<\/li>\n
                                                                                                                                            • RTO\/RPO<\/li>\n
                                                                                                                                            • Error budgets<\/li>\n
                                                                                                                                            • Dependency mapping<\/li>\n
                                                                                                                                            • Use milestones to verify reliability posture improves after changes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Operations best practices<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Standardize an operating model:<\/li>\n
                                                                                                                                              • Who runs reviews (owner + architect + security)<\/li>\n
                                                                                                                                              • How often<\/li>\n
                                                                                                                                              • How HRIs translate into backlog items<\/li>\n
                                                                                                                                              • How completion is verified (milestone + evidence links)<\/li>\n
                                                                                                                                              • Keep notes actionable:<\/li>\n
                                                                                                                                              • Link to runbooks\/design docs (store links, not secrets).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Use consistent workload naming, e.g.:<\/li>\n
                                                                                                                                                • <businessunit>-<system>-<env><\/code> \u2192 payments-api-prod<\/code><\/li>\n
                                                                                                                                                • Standardize tags:<\/li>\n
                                                                                                                                                • Owner<\/code>, Team<\/code>, CostCenter<\/code>, Environment<\/code>, Criticality<\/code>, DataClassification<\/code><\/li>\n
                                                                                                                                                • Define review SLAs:<\/li>\n
                                                                                                                                                • Tier-0\/Tier-1 workloads must have a milestone within 90 days<\/li>\n
                                                                                                                                                • HRIs must be addressed within X days (organizational policy)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                                  Identity and access model<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • AWS Well-Architected Tool uses IAM-based authorization<\/strong>.<\/li>\n
                                                                                                                                                  • Key security controls:<\/li>\n
                                                                                                                                                  • Restrict write access to workload owners\/architects.<\/li>\n
                                                                                                                                                  • Use read-only roles for auditors and stakeholders.<\/li>\n
                                                                                                                                                  • Control sharing permissions to prevent unintended exposure.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Encryption<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Data is accessed over HTTPS\/TLS.<\/li>\n
                                                                                                                                                    • For encryption at rest, AWS services typically use service-managed mechanisms; confirm specifics in the service security documentation. Verify in official docs<\/strong> for exact encryption\/KMS details applicable to AWS Well-Architected Tool.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Network exposure<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Console and API are accessed via AWS regional endpoints over the internet.<\/li>\n
                                                                                                                                                      • If you have strict network controls:<\/li>\n
                                                                                                                                                      • Maintain allowlists for AWS console\/service endpoints.<\/li>\n
                                                                                                                                                      • Verify whether private connectivity options (e.g., PrivateLink) exist for your region\/service\u2014do not assume.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Do not store secrets in:<\/li>\n
                                                                                                                                                        • Workload descriptions<\/li>\n
                                                                                                                                                        • Question notes<\/li>\n
                                                                                                                                                        • Improvement plan exports<\/li>\n
                                                                                                                                                        • Instead:<\/li>\n
                                                                                                                                                        • Reference secret locations (e.g., \u201cstored in Secrets Manager under standard naming\u201d), without including secret values.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Enable and retain CloudTrail<\/strong> logs for governance:<\/li>\n
                                                                                                                                                          • Identify who created\/edited workloads and milestones.<\/li>\n
                                                                                                                                                          • Track sharing actions.<\/li>\n
                                                                                                                                                          • Centralize logs in a dedicated security account when operating at scale.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • AWS Well-Architected Tool can support governance evidence (process evidence), but:<\/li>\n
                                                                                                                                                            • It does not replace compliance tooling such as AWS Audit Manager or GRC platforms.<\/li>\n
                                                                                                                                                            • Treat it as part of a broader control framework.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Over-permissive IAM policies granting wellarchitected:*<\/code> to all developers in production accounts.<\/li>\n
                                                                                                                                                              • Allowing unrestricted sharing without approvals.<\/li>\n
                                                                                                                                                              • Storing internal architecture details that violate internal data classification rules.<\/li>\n
                                                                                                                                                              • Treating tool outputs as \u201ccertification\u201d rather than guidance.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                Secure deployment recommendations (practical)<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Create separate roles:<\/li>\n
                                                                                                                                                                • WellArchitectedReviewerReadOnly<\/code><\/li>\n
                                                                                                                                                                • WellArchitectedWorkloadEditor<\/code><\/li>\n
                                                                                                                                                                • WellArchitectedAdmin<\/code> (restricted)<\/li>\n
                                                                                                                                                                • Require tags for ownership and data classification.<\/li>\n
                                                                                                                                                                • Require milestones before production launch for critical workloads.<\/li>\n
                                                                                                                                                                • Review shared workload access quarterly.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                                  Because AWS services evolve, confirm details in the latest docs. Common gotchas include:<\/p>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • Regional nature:<\/strong> Workloads are managed in the region you select. Teams often \u201close\u201d workloads by switching regions in the console.<\/li>\n
                                                                                                                                                                  • Not a remediation engine:<\/strong> The tool highlights issues but does not automatically fix infrastructure.<\/li>\n
                                                                                                                                                                  • Quotas exist:<\/strong> Limits on workloads, milestones, lenses, shares, etc. Use Service Quotas and official docs to confirm.<\/li>\n
                                                                                                                                                                  • Consistency requires process:<\/strong> Without organizational standards (naming, tagging, cadence), the tool becomes a set of one-off reviews.<\/li>\n
                                                                                                                                                                  • Lens updates over time:<\/strong> AWS may update lens content; treat reviews as periodic, not once-and-done.<\/li>\n
                                                                                                                                                                  • Export\/report expectations:<\/strong> Report formats and export options can vary; don\u2019t build fragile automation without validating outputs in your environment.<\/li>\n
                                                                                                                                                                  • Sharing governance:<\/strong> Sharing is powerful but can create unintended access paths if not controlled.<\/li>\n
                                                                                                                                                                  • Notes can become stale:<\/strong> Encourage teams to update notes when architecture changes; stale rationale is a common source of confusion.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                    AWS Well-Architected Tool is a governance\/review workflow. Alternatives vary: some provide operational checks, some provide compliance evidence, and some are manual processes.<\/p>\n\n\n\n
                                                                                                                                                                    Comparison table<\/h3>\n\n\n\n
                                                                                                                                                                    \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                    Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                    AWS Well-Architected Tool<\/strong><\/td>\nStructured architecture reviews on AWS<\/td>\nFramework-aligned questions, HRIs, milestones, sharing, API automation<\/td>\nDoes not auto-remediate; requires process discipline; regional context<\/td>\nYou need repeatable architecture reviews and governance artifacts<\/td>\n<\/tr>\n
                                                                                                                                                                    AWS Trusted Advisor<\/strong><\/td>\nContinuous best-practice checks for AWS accounts<\/td>\nAutomated checks; quick wins; integrates with support plans<\/td>\nScope is checks-based; not a full review workflow<\/td>\nYou want automated account-level checks alongside reviews<\/td>\n<\/tr>\n
                                                                                                                                                                    AWS Config<\/strong><\/td>\nConfiguration recording and compliance rules<\/td>\nDetect drift; enforce policies; evidence<\/td>\nRequires setup; not an architecture review framework<\/td>\nYou need continuous compliance\/drift detection and policy enforcement<\/td>\n<\/tr>\n
                                                                                                                                                                    AWS Security Hub<\/strong><\/td>\nSecurity posture aggregation and findings<\/td>\nCentral security findings; standards alignment<\/td>\nSecurity-focused; not full architecture review<\/td>\nYou need continuous security visibility and findings management<\/td>\n<\/tr>\n
                                                                                                                                                                    AWS Audit Manager<\/strong><\/td>\nAudit evidence collection<\/td>\nEvidence automation and reporting<\/td>\nAudit-focused; not architecture decision guidance<\/td>\nYou need compliance evidence collection and audit readiness<\/td>\n<\/tr>\n
                                                                                                                                                                    AWS Control Tower<\/strong><\/td>\nLanding zone governance<\/td>\nGuardrails, account factory, baseline controls<\/td>\nNot an architecture review tool<\/td>\nYou need multi-account governance foundations<\/td>\n<\/tr>\n
                                                                                                                                                                    Azure Advisor (Microsoft Azure)<\/strong><\/td>\nBest-practice recommendations in Azure<\/td>\nAutomated recommendations<\/td>\nAzure-specific; different framework<\/td>\nYou are primarily on Azure<\/td>\n<\/tr>\n
                                                                                                                                                                    Google Cloud Active Assist \/ Architecture Framework guidance<\/strong><\/td>\nRecommendations in Google Cloud<\/td>\nAutomated insights and guidance<\/td>\nGCP-specific; different workflow<\/td>\nYou are primarily on GCP<\/td>\n<\/tr>\n
                                                                                                                                                                    Manual checklists \/ spreadsheets \/ internal review boards<\/strong><\/td>\nCloud-agnostic reviews<\/td>\nFully customizable; no vendor dependency<\/td>\nHard to scale; inconsistent; limited audit trail unless engineered<\/td>\nYou need cloud-agnostic governance and can invest in internal tooling<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                    15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                    Enterprise example: Regulated multi-account organization standardizing governance<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Problem:<\/strong> A financial services company has 200+ AWS accounts. Architecture reviews are inconsistent across teams, and auditors want evidence of ongoing oversight for critical workloads.<\/li>\n
                                                                                                                                                                    • Proposed architecture (process architecture):<\/strong><\/li>\n
                                                                                                                                                                    • Standardize one region for AWS Well-Architected Tool reviews.<\/li>\n
                                                                                                                                                                    • Use AWS Organizations and IAM roles to separate:
                                                                                                                                                                        \n
                                                                                                                                                                      • Workload owners (edit)<\/li>\n
                                                                                                                                                                      • Central architects (review\/edit)<\/li>\n
                                                                                                                                                                      • Security auditors (read-only)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                      • Require:
                                                                                                                                                                          \n
                                                                                                                                                                        • A baseline milestone for every tier-1 workload<\/li>\n
                                                                                                                                                                        • Quarterly milestone updates<\/li>\n
                                                                                                                                                                        • HRI remediation tracking in the corporate backlog tool (export + ticket creation)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                        • Use CloudTrail centralized logging for auditability.<\/li>\n
                                                                                                                                                                        • Why AWS Well-Architected Tool was chosen:<\/strong><\/li>\n
                                                                                                                                                                        • Aligns directly to AWS Well-Architected Framework.<\/li>\n
                                                                                                                                                                        • Provides milestones and a consistent review structure.<\/li>\n
                                                                                                                                                                        • Enables controlled sharing for cross-team reviews.<\/li>\n
                                                                                                                                                                        • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                        • Consistent review process across accounts.<\/li>\n
                                                                                                                                                                        • Reduced production risk due to prioritized HRI remediation.<\/li>\n
                                                                                                                                                                        • Clear audit trail of review cadence and improvements.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          Startup\/small-team example: Rapid growth with minimal governance overhead<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Problem:<\/strong> A startup\u2019s AWS footprint grows quickly (serverless APIs + managed databases). Incidents increase due to missing operational processes and unclear ownership.<\/li>\n
                                                                                                                                                                          • Proposed architecture (process architecture):<\/strong><\/li>\n
                                                                                                                                                                          • Create one workload per product domain.<\/li>\n
                                                                                                                                                                          • Run a review before each major release.<\/li>\n
                                                                                                                                                                          • Use milestones: pre-release<\/code> and post-release<\/code>.<\/li>\n
                                                                                                                                                                          • Track HRIs in GitHub Issues with a simple label convention.<\/li>\n
                                                                                                                                                                          • Why AWS Well-Architected Tool was chosen:<\/strong><\/li>\n
                                                                                                                                                                          • Lightweight and typically no-charge for the tool.<\/li>\n
                                                                                                                                                                          • Provides immediate structure without building internal governance software.<\/li>\n
                                                                                                                                                                          • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                          • Faster identification of reliability and security gaps.<\/li>\n
                                                                                                                                                                          • Better engineering habits (monitoring, runbooks, backups).<\/li>\n
                                                                                                                                                                          • Reduced incident rate as high-risk items are addressed systematically.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                            16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                            1) Is AWS Well-Architected Tool the same as the AWS Well-Architected Framework?<\/strong>\nNo. The Framework is the set of principles and pillars; AWS Well-Architected Tool is the managed service that helps you run reviews using lenses based on the framework.<\/p>\n\n\n\n
                                                                                                                                                                            2) Does AWS Well-Architected Tool deploy or change AWS resources?<\/strong>\nNo. It records review information and recommendations. You implement changes in your own workloads.<\/p>\n\n\n\n
                                                                                                                                                                            3) Is AWS Well-Architected Tool free?<\/strong>\nAWS commonly states the tool is provided at no additional charge. Always verify current pricing statements on official AWS pages: https:\/\/aws.amazon.com\/well-architected\/<\/p>\n\n\n\n
                                                                                                                                                                            4) Is AWS Well-Architected Tool regional or global?<\/strong>\nIt is a regional service in practice (you select a region). Standardize a region for your organization unless you have data residency requirements.<\/p>\n\n\n\n
                                                                                                                                                                            5) What is a \u201cworkload\u201d in the tool?<\/strong>\nA workload is the unit you review\u2014typically an application, platform component, or system with an owner and defined scope.<\/p>\n\n\n\n
                                                                                                                                                                            6) What is a \u201clens\u201d?<\/strong>\nA lens is a set of questions and best practices for a particular perspective (the core lens is the AWS Well-Architected Framework lens). You can also create custom lenses.<\/p>\n\n\n\n
                                                                                                                                                                            7) What are HRIs (High-Risk Issues)?<\/strong>\nHRIs are the highest priority risks identified based on your answers, intended to help teams focus remediation efforts.<\/p>\n\n\n\n
                                                                                                                                                                            8) Can I create custom lenses for internal standards?<\/strong>\nYes, AWS Well-Architected Tool supports custom lenses. Establish governance for lens ownership, versioning, and quality.<\/p>\n\n\n\n
                                                                                                                                                                            9) Can I share a workload review with another AWS account or team?<\/strong>\nThe tool supports sharing for collaboration. Use least privilege and review shared access periodically.<\/p>\n\n\n\n
                                                                                                                                                                            10) Can I automate reporting across many workloads?<\/strong>\nYes. Use the AWS Well-Architected Tool API to list workloads, retrieve reviews, and build internal reporting. API reference: https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/APIReference\/Welcome.html<\/p>\n\n\n\n
                                                                                                                                                                            11) How often should we run reviews?<\/strong>\nCommon patterns: pre-launch, after major architecture changes, after incidents, and quarterly for critical workloads. Choose a cadence aligned to workload criticality.<\/p>\n\n\n\n
                                                                                                                                                                            12) Does the tool integrate directly with Jira\/ServiceNow?<\/strong>\nNot as a guaranteed native integration. Many teams export improvement items and create tickets manually or with custom automation.<\/p>\n\n\n\n
                                                                                                                                                                            13) Should we store sensitive data in review notes?<\/strong>\nNo. Avoid secrets and sensitive identifiers in notes. Reference secured documents\/locations instead.<\/p>\n\n\n\n
                                                                                                                                                                            14) How do milestones help?<\/strong>\nMilestones snapshot your review state so you can prove progress, compare changes over time, and avoid losing historical context.<\/p>\n\n\n\n
                                                                                                                                                                            15) Can we use AWS Well-Architected Tool for non-AWS workloads?<\/strong>\nThe framework is AWS-oriented, and the tool is an AWS service. You can document conceptual architectures, but it is best suited for workloads running on AWS.<\/p>\n\n\n\n
                                                                                                                                                                            17. Top Online Resources to Learn AWS Well-Architected Tool<\/h2>\n\n\n\n
                                                                                                                                                                            \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                            Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                            Official documentation<\/td>\nAWS Well-Architected Tool User Guide<\/td>\nCore concepts, workflows, and definitions<\/td>\n<\/tr>\n
                                                                                                                                                                            Official documentation<\/td>\nAWS Well-Architected Tool \u2013 \u201cWhat is\u2026\u201d<\/td>\nQuick orientation and scope<\/td>\n<\/tr>\n
                                                                                                                                                                            API reference<\/td>\nAWS Well-Architected Tool API Reference<\/td>\nRequired for automation, IAM scoping, and integrations<\/td>\n<\/tr>\n
                                                                                                                                                                            Framework<\/td>\nAWS Well-Architected Framework<\/td>\nExplains pillars, design principles, and best practices behind the tool<\/td>\n<\/tr>\n
                                                                                                                                                                            Landing page<\/td>\nAWS Well-Architected (product page)<\/td>\nHigh-level overview and current references (also check pricing statements)<\/td>\n<\/tr>\n
                                                                                                                                                                            Regional availability<\/td>\nAWS Regional Services List<\/td>\nValidate region availability and planning<\/td>\n<\/tr>\n
                                                                                                                                                                            Pricing estimation<\/td>\nAWS Pricing Calculator<\/td>\nEstimate indirect costs (logging, automation, remediation)<\/td>\n<\/tr>\n
                                                                                                                                                                            Videos<\/td>\nAWS YouTube Channel (search \u201cWell-Architected Tool\u201d)<\/td>\nWalkthroughs, demos, and best-practice talks (verify recency)<\/td>\n<\/tr>\n
                                                                                                                                                                            Architecture guidance<\/td>\nAWS Architecture Center<\/td>\nPatterns and reference architectures to implement improvements<\/td>\n<\/tr>\n
                                                                                                                                                                            Governance<\/td>\nAWS Organizations documentation<\/td>\nUseful for multi-account governance patterns that pair with reviews<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                            Direct links:\n– User Guide: https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/userguide\/what-is-aws-well-architected-tool.html\n– API Reference: https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/APIReference\/Welcome.html\n– AWS Well-Architected Framework: https:\/\/docs.aws.amazon.com\/wellarchitected\/latest\/framework\/welcome.html\n– AWS Well-Architected (landing): https:\/\/aws.amazon.com\/well-architected\/\n– AWS Architecture Center: https:\/\/aws.amazon.com\/architecture\/\n– AWS Pricing Calculator: https:\/\/calculator.aws\/  <\/p>\n\n\n\n
                                                                                                                                                                            18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                            The following providers may offer training related to AWS, cloud architecture, DevOps, SRE, and governance. Verify current course syllabi and delivery modes on their websites.<\/p>\n\n\n\n
                                                                                                                                                                            \n\n\n\n\n\n\n\n\n
                                                                                                                                                                            Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                            DevOpsSchool.com<\/td>\nDevOps engineers, architects, SREs, platform teams<\/td>\nAWS\/DevOps practices, governance, operational readiness<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                            ScmGalaxy.com<\/td>\nEngineers and managers<\/td>\nDevOps, SCM, cloud fundamentals and practices<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                            CLoudOpsNow.in<\/td>\nCloud\/ops practitioners<\/td>\nCloud operations, automation, governance concepts<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                            SreSchool.com<\/td>\nSREs, operations, reliability engineers<\/td>\nReliability, incident management, operational excellence<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                            AiOpsSchool.com<\/td>\nOps\/SRE and automation teams<\/td>\nAIOps concepts, monitoring\/automation practices<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                            19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                            These sites are presented as training resources\/platforms (verify current offerings and credentials on each site).<\/p>\n\n\n\n
                                                                                                                                                                            \n\n\n\n\n\n\n\n
                                                                                                                                                                            Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                            RajeshKumar.xyz<\/td>\nDevOps\/cloud training content (verify scope)<\/td>\nEngineers, DevOps learners<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                                            devopstrainer.in<\/td>\nDevOps and cloud training (verify course list)<\/td>\nBeginners to intermediate DevOps engineers<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                            devopsfreelancer.com<\/td>\nFreelance DevOps services\/training (verify offerings)<\/td>\nTeams seeking hands-on help<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                            devopssupport.in<\/td>\nDevOps support and training resources (verify scope)<\/td>\nOps\/DevOps practitioners<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                            20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                            These organizations may provide consulting related to AWS, DevOps, cloud governance, and architecture reviews. Verify service details and case studies directly with each company.<\/p>\n\n\n\n
                                                                                                                                                                            \n\n\n\n\n\n\n
                                                                                                                                                                            Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                            cotocus.com<\/td>\nCloud\/DevOps consulting (verify exact offerings)<\/td>\nArchitecture reviews, delivery enablement, platform guidance<\/td>\nSet up an architecture review program; operational readiness improvements<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                            DevOpsSchool.com<\/td>\nDevOps\/cloud consulting and training (verify exact offerings)<\/td>\nDevOps transformation, governance processes, skills enablement<\/td>\nImplement review cadence; build automation around reporting<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                            DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify exact offerings)<\/td>\nCI\/CD, automation, reliability practices<\/td>\nConvert HRIs into remediation roadmap; improve incident response workflows<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                            21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                            What to learn before AWS Well-Architected Tool<\/h3>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • AWS fundamentals: IAM, VPC basics, EC2, S3, RDS, Lambda<\/li>\n
                                                                                                                                                                            • Core operational services: CloudWatch, CloudTrail<\/li>\n
                                                                                                                                                                            • Basic architecture concepts: availability, fault tolerance, scaling, backups<\/li>\n
                                                                                                                                                                            • Security essentials: least privilege, encryption basics, logging\/auditing<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              What to learn after AWS Well-Architected Tool<\/h3>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • Implementing recommendations with AWS services:<\/li>\n
                                                                                                                                                                              • Reliability: Multi-AZ patterns, DR strategies, backup\/restore testing<\/li>\n
                                                                                                                                                                              • Security: Security Hub, GuardDuty, IAM Access Analyzer, KMS patterns<\/li>\n
                                                                                                                                                                              • Operations: Observability (metrics\/logs\/traces), incident response, runbooks<\/li>\n
                                                                                                                                                                              • Cost: tagging strategy, budgets, cost allocation, right-sizing<\/li>\n
                                                                                                                                                                              • Governance at scale:<\/li>\n
                                                                                                                                                                              • AWS Organizations and Control Tower (landing zones)<\/li>\n
                                                                                                                                                                              • AWS Config rules and conformance packs<\/li>\n
                                                                                                                                                                              • Policy-as-code approaches (IaC + guardrails)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                  \n
                                                                                                                                                                                • Solutions Architect \/ Cloud Architect<\/li>\n
                                                                                                                                                                                • DevOps Engineer \/ Platform Engineer<\/li>\n
                                                                                                                                                                                • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                                                • Security Engineer \/ Cloud Security Architect<\/li>\n
                                                                                                                                                                                • Cloud Governance \/ FinOps practitioner<\/li>\n
                                                                                                                                                                                • Technical Program Manager (architecture governance programs)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                  Certification path (AWS)<\/h3>\n\n\n\n
                                                                                                                                                                                  AWS certifications change over time; verify current names and paths on the official AWS Training and Certification site: https:\/\/aws.amazon.com\/certification\/\nTypical relevant cert tracks include:\n– Architect-focused certifications (associate\/professional)\n– Security specialty (if applicable)\n– DevOps engineer-focused certifications<\/p>\n\n\n\n
                                                                                                                                                                                  Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  • Create a portfolio of 5 workloads and run baseline reviews for each.<\/li>\n
                                                                                                                                                                                  • Create a custom lens representing your team\u2019s production readiness checklist.<\/li>\n
                                                                                                                                                                                  • Build a small script using the API to:<\/li>\n
                                                                                                                                                                                  • list workloads<\/li>\n
                                                                                                                                                                                  • detect workloads without a milestone in the last N days (time-based governance)<\/li>\n
                                                                                                                                                                                  • export a simple report to CSV for leadership<\/li>\n
                                                                                                                                                                                  • Run a \u201cgame day\u201d and then update the review based on lessons learned, capturing a milestone.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    • AWS Well-Architected Framework:<\/strong> AWS\u2019s set of architectural best practices organized into pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability).  <\/li>\n
                                                                                                                                                                                    • AWS Well-Architected Tool:<\/strong> The AWS managed service that helps you conduct and track Well-Architected reviews using lenses.<\/li>\n
                                                                                                                                                                                    • Workload:<\/strong> A reviewed system\/application entity in the tool.<\/li>\n
                                                                                                                                                                                    • Lens:<\/strong> A question set used to evaluate a workload (AWS-provided or custom).<\/li>\n
                                                                                                                                                                                    • Pillar:<\/strong> A best-practice domain in the framework (e.g., Security, Reliability).<\/li>\n
                                                                                                                                                                                    • Best practice:<\/strong> Recommended design or operational approach represented in lens questions.<\/li>\n
                                                                                                                                                                                    • Risk level:<\/strong> Severity\/priority categorization derived from answers.<\/li>\n
                                                                                                                                                                                    • HRI (High-Risk Issue):<\/strong> A top-priority risk flagged by the tool based on answers.<\/li>\n
                                                                                                                                                                                    • Milestone:<\/strong> A point-in-time snapshot of a workload review used for tracking progress.<\/li>\n
                                                                                                                                                                                    • Sharing:<\/strong> Granting other principals\/accounts access to a workload review for collaboration.<\/li>\n
                                                                                                                                                                                    • IAM (Identity and Access Management):<\/strong> AWS service controlling authentication and authorization for the tool.<\/li>\n
                                                                                                                                                                                    • CloudTrail:<\/strong> AWS auditing service that logs API activity (useful for governance evidence).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                      23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                      AWS Well-Architected Tool (AWS) is a Management and governance service that helps teams run consistent architecture reviews using AWS best practices. It matters because it turns the AWS Well-Architected Framework into an actionable, repeatable process: define workloads, answer lens questions, prioritize HRIs, and track progress using milestones.<\/p>\n\n\n\n
                                                                                                                                                                                      Cost-wise, the tool itself is typically provided at no additional charge (verify on official AWS pages), but implementing recommendations can change your AWS bill\u2014especially for resilience, logging, and security controls. Security-wise, use IAM least privilege, control workload sharing, and rely on CloudTrail for auditability.<\/p>\n\n\n\n
                                                                                                                                                                                      Use AWS Well-Architected Tool when you need structured reviews, governance evidence, and portfolio-level consistency. Combine it with operational services (CloudWatch, Config, Security Hub) to implement and sustain improvements. Next, learn to automate reviews and reporting with the AWS Well-Architected Tool API and integrate the improvement plan into your engineering backlog and governance cadence.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                      Management and governance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,33],"tags":[],"class_list":["post-272","post","type-post","status-publish","format-standard","hentry","category-aws","category-management-and-governance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=272"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/272\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}