williamlimasilva/aws-well-architected-review

AWS Well-Architected Review

This workflow performs a structured AWS Well-Architected Framework (WAF) review against your workload's IaC files and deployed infrastructure. It identifies risks across all 6 WAF pillars and creates GitHub issues to track remediation.

Prerequisites

• AWS CLI configured and authenticated
• IaC files present in the repository (Terraform, CloudFormation, CDK, or SAM)
• GitHub MCP server configured and authenticated

Workflow Steps

Step 1: Load Well-Architected Framework Reference

Fetch current AWS WAF best practices:

• https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
• Pillar-specific lenses relevant to the workload type (Serverless, SaaS, etc.)

Step 2: Discover IaC & Architecture

Scan the repository for IaC files:

• Terraform: **/*.tf
• CloudFormation/SAM: **/*.yaml, **/*.json (CFn templates)
• CDK: lib/**/*.ts, bin/**/*.ts, cdk.json

Identify key AWS services in use (compute, data, networking, security, observability) and generate a Mermaid architecture diagram.

Step 3: Pillar-by-Pillar Review

Pillar 1: Operational Excellence

• [ ] All infrastructure defined as IaC (no manual console changes)
• [ ] Consistent tagging strategy applied across all resources
• [ ] CloudWatch alarms defined for key metrics
• [ ] Automated deployment pipeline present (no manual deployments)
• [ ] CloudTrail enabled for audit logging
• [ ] Runbooks or operational documentation present

Pillar 2: Security

• [ ] IAM roles use least-privilege policies (no * actions without justification)
• [ ] No hardcoded credentials in IaC or code
• [ ] Secrets managed via Secrets Manager or SSM Parameter Store
• [ ] S3 buckets have public access blocked and server-side encryption enabled
• [ ] Sensitive resources placed in private subnets
• [ ] Security groups restrict inbound to minimum required ports/CIDRs
• [ ] KMS encryption enabled for sensitive data stores (RDS, EBS, S3, SQS, DynamoDB)
• [ ] SSL/TLS enforced on all endpoints (enforceSSL: true)
• [ ] GuardDuty enabled (aws guardduty list-detectors)
• [ ] AWS WAF configured on public-facing APIs and CloudFront distributions
• [ ] MFA delete enabled on critical S3 buckets

Pillar 3: Reliability

• [ ] Multi-AZ deployments for production databases (RDS Multi-AZ, DynamoDB Global Tables)
• [ ] Auto Scaling configured with appropriate policies for EC2/ECS
• [ ] S3 versioning and lifecycle policies configured
• [ ] RDS automated backups enabled with appropriate retention period
• [ ] DynamoDB Point-in-Time Recovery (PITR) enabled
• [ ] Dead Letter Queues (DLQ) configured for Lambda, SQS, SNS
• [ ] Route 53 health checks configured for DNS failover
• [ ] Lambda reserved concurrency set to prevent noisy-neighbor throttling

Pillar 4: Performance Efficiency

• [ ] Right-sized instance types (Lambda memory, EC2 type, RDS class)
• [ ] Graviton/ARM instances used where available (Lambda arm64, EC2 Graviton)
• [ ] Caching implemented (ElastiCache, DAX, CloudFront, API Gateway caching)
• [ ] CloudFront used for global static content delivery
• [ ] Aurora Serverless or DynamoDB On-Demand for variable load patterns
• [ ] Lambda Provisioned Concurrency for latency-critical synchronous paths

Pillar 5: Cost Optimization

• [ ] EC2 Reserved Instances or Savings Plans for steady-state workloads
• [ ] S3 lifecycle policies moving data to cheaper storage tiers
• [ ] Lambda arm64 architecture adopted (20% cost reduction)
• [ ] VPC Endpoints for S3/DynamoDB to avoid NAT Gateway charges
• [ ] gp2 EBS volumes migrated to gp3 (same performance, 20% cheaper)
• [ ] Development/test environments have auto-shutdown schedules
• [ ] AWS Budgets and Cost Anomaly Detection configured
• [ ] Unattached EBS volumes and idle EC2 instances identified

Pillar 6: Sustainability

• [ ] Graviton/ARM instances selected where available
• [ ] Serverless/managed services preferred over always-on EC2
• [ ] S3 lifecycle policies reduce unnecessary long-term data storage
• [ ] Auto Scaling configured to avoid over-provisioning
• [ ] Region selection considers AWS renewable energy commitments

Step 4: Risk Classification

For each finding, classify:

• High Risk: Security vulnerability, single point of failure, no backup/recovery
• Medium Risk: Suboptimal reliability, cost inefficiency, performance concern
• Low Risk: Best practice deviation, minor optimization opportunity

Step 5: User Confirmation

🏗️ AWS Well-Architected Review Summary

📊 Review Results:
• IaC Files Analyzed: X
• AWS Services Identified: Y
• Total Findings: Z
  • High Risk: A (immediate action required)
  • Medium Risk: B (should address soon)
  • Low Risk: C (nice to have)

🔴 Top High Risk Findings:
1. [Pillar]: [Finding] — [Why it matters]
2. [Pillar]: [Finding] — [Why it matters]

💡 This will create Z individual GitHub issues + 1 EPIC issue.

❓ Proceed with creating GitHub issues? (y/n)

Step 6: Create Individual Finding Issues

Label with "well-architected" and the pillar name (e.g., "security", "reliability").

Title: [WAF-<PILLAR>] [Brief Finding] — [Risk Level]

Body:

## 🏗️ Well-Architected Finding: [Brief Title]

**Pillar**: [Name] | **Risk Level**: [High/Medium/Low] | **Effort**: [Low/Medium/High]

### 📋 Description
[Clear explanation of the finding and why it matters]

### 🔧 Remediation

**IaC Fix** (preferred):
```hcl
# Terraform example
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

AWS CLI fallback:

aws s3api put-bucket-encryption --bucket <name> \
  --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"}}]}'

📚 AWS Reference

• [WAF Best Practice Link]
• [AWS Documentation Link]

✅ Validation

• [ ] Change implemented in IaC and deployed
• [ ] AWS Config rule passes (if applicable)
• [ ] Security Hub finding resolved (if applicable)

Well-Architected Question: [WAF question this maps to]

### Step 7: Create EPIC Tracking Issue
Label with "well-architected" and "epic".

**Title**: `[EPIC] AWS Well-Architected Review — X findings across 6 pillars`

**Body**: Executive summary with pillar breakdown table (finding counts by pillar and risk level), Mermaid architecture diagram, prioritized checklist linking all individual issues (High → Medium → Low), and success criteria:
- All High-risk findings resolved
- Medium findings have accepted mitigation plans
- No regression in existing CloudWatch alarms or Config rules

## Error Handling
- **No IaC Files Found**: Limit review to live resource discovery via AWS CLI and note the gap
- **Insufficient AWS Permissions**: List required read-only permissions for the review
- **GitHub Creation Failure**: Output all findings as formatted markdown to console

## Success Criteria
- ✅ All 6 WAF pillars reviewed against IaC and live infrastructure
- ✅ All findings classified by risk level and pillar
- ✅ Actionable remediation steps with IaC examples for each finding
- ✅ GitHub issues created for team tracking
- ✅ Architecture diagram generated for EPIC context
- ✅ AWS documentation references included