Authors: Shweta Vohra, Siddhartha Sood, Balakrishnan Sreenivasan
With experience utilizing WAF reviews, we have built the systematic guidance and checklist based on our own experiences to help teams undergoing Well Architected Framework Reviews. This is starting point for Reviewers, Architects and Developers to plan for AWS WAF Review.
To use this framework efficiently there is preparation required for each of the six fundamental pillars. In case you are new to AWS WAF Review then What is AWS WAF?. The team or individual architect performing this well architected review should be thorough and qualified in following aspects:
- First and foremost - Reviewer must be an "AWS Solution Architect - Professional Certified" and even better if person is "AWS WAF Certified Reviewer" for well architected framework (Check AWS Well-Architected Partner Bootcamp if you have access). In any case reviewer should be well versed with all assistive AWS services and tool.
- One should know all six pillars and should have read whitepapers as mentioned below. This is by far the most comprehensive yet best guidance about these pillars:
- Get accustomed with Well architected framework Tool through AWS Console. Reviewer should know the tool and its features, and different reports that it can produce. One should also complete AWS well architected comprehensive Labs to get acquainted to various aspects linked with each pillar.
- Define the workload or in other words logical group of resources that needs to be reviewed. It can be one application, resources in one account or vpc, group of accounts or any other organization centric criteria. Additionally, Reviewer also need to know the organization, requirements and prioritize in advance workload for which review needs to be conducted.
- Bring all required stakeholders together for efficient review. These should be representative/s who can support all facets of organization such as developer, architects, governance, operational, Security, business, and strategy.
- Involve domain or industry specialist if AWS Well Architected Industry specific lens review required. Refer section on Industry lenses for more details.
Steps to Follow:
- Open AWS WAF Tool -> Open your AWS account and navigate to space (Region, VPC, Workload etc.) where review needs to be performed for upcoming or already present workload/Software.
- Search -> "AWS Well-Architected Tool" on AWS console
- Define-> workload on same AWS account, different account, or upcoming design
- Document the Workload State -> Review an architecture by answering a set of Questions. Choose answers grouped into Six Pillars. Review screen on AWS console looks like as specified in below image for your reference.
- Review the Improvement Plan after review completion &
- Make Improvements and Measure Progress
Example Process Involved:
Below table gives high level guidance on operational excellence pillar (as an example) for how to systematically prepare for each pillar review during AWS Well Architected Framework Review:
As mentioned in above table, reviewer should prepare customized review guidelines, processes and services that are applicable to workload and client organization for which review is being planned.
Review report gives outcomes in form of two types of Risk items:
High Risks Items (HRIs) and Medium Risk Items (MRIs)
Tool also provides prioritized improvement plan for each prioritized pillars based on high-risk items. Reviewer should help client priortize the High and Medium Risk items to incorporate in their AWS Cloud, services and applications. Both reviewer and reviewee team (client) should agree on creating further milestone reviews. This helps in continuous evolving workloads and ensuring that review feedback is incorporated.
For example, milestones can be design time, pre Go-Live, version 1 release, new feature release, architecture board continuous reviews etc. On AWS tool sample milestones appear as given below in snapshot:
Architecture on cloud is not one time activity. Therefore, reviewer should be reviewing workloads with continuous milestones and frequent reviews as per frequency decided mutually with client. Ideally it should be done every quarter so to overcome all high and medium risks associated with reviewed workload and enforcing best practices to the maximum. However timelines should be adopted as per client and reviewers mutual agreement.
Watch out for articles:
Specific Example Guidance - Will be added soon!