AWS Monitoring & Management
Well-Architected Tool
Review your workloads against AWS best practices across six pillars
The AWS Well-Architected Tool is a structured self-assessment framework that helps cloud architects review workloads against AWS best practices across six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. It produces a prioritized improvement plan with identified high-risk issues (HRIs) and medium-risk issues (MRIs) specific to your workload.
The Six Pillars - What Each One Covers
Each pillar addresses a distinct dimension of well-architected design. In an interview, you should know the design principles and key topics for each:
| Pillar | Core Question | Key Topics |
|---|---|---|
| Operational Excellence | Can you run and monitor systems to deliver business value and improve supporting processes? | IaC, runbooks, observability, deployment safety, learning from failures |
| Security | Can you protect information, systems, and assets while delivering business value? | Identity, IAM least privilege, detection, infrastructure protection, data protection, incident response |
| Reliability | Can the workload recover from disruptions and meet availability targets? | Multi-AZ, fault isolation, backup/restore, retries, chaos engineering, DR strategies |
| Performance Efficiency | Can you use computing resources efficiently as demand changes? | Right-sizing, managed services, caching, CDN, database engine selection |
| Cost Optimization | Can you achieve business outcomes at the lowest price? | Reserved/Savings Plans, right-sizing, idle resources, storage tiering, Spot instances |
| Sustainability | Can you minimize environmental impact of running cloud workloads? | Utilization efficiency, managed services, storage lifecycle, reducing idle resources |
Sustainability was added as the sixth pillar in 2021. It focuses on minimizing the environmental impact of cloud workloads. In interviews, if asked about the pillars, most people list five. Including Sustainability shows current knowledge.
Each pillar has its own whitepaper (called a Pillar Whitepaper) and associated Lens (specialized extensions for specific workloads like serverless, SaaS, IoT, machine learning, etc.). Lenses add domain-specific questions on top of the core framework.
Conducting a Well-Architected Review
A Well-Architected Review is a structured interview/assessment of a specific workload (not an entire account). The process: define a workload, answer the framework questions, review the identified risks, and create a milestone marking the current state.
| Step | What Happens | Output |
|---|---|---|
| 1. Define workload | Name the workload, describe it, select applicable lenses and industry | Workload definition in the tool |
| 2. Answer questions | For each pillar, answer questions about best practices implemented (Yes/No/Not applicable) | Risk count per pillar |
| 3. Review findings | Tool shows HRIs (High Risk Issues) and MRIs (Medium Risk Issues) per pillar | Prioritized risk list with AWS guidance |
| 4. Save milestone | Snapshot the current state of the review | Baseline for comparing future reviews |
| 5. Create improvement plan | Select which issues to address and by when | Tracked improvement items |
Milestones are the mechanism for tracking improvement over time. By saving a milestone before and after a remediation sprint, you can demonstrate measurable improvement: "We reduced HRIs from 12 to 3 over this quarter." This is valuable for engineering leadership and compliance reporting.
# Create a workload in the Well-Architected Tool
aws wellarchitected create-workload \
--workload-name "E-Commerce Platform" \
--description "Main customer-facing storefront" \
--review-owner "platform-team@example.com" \
--environment PRODUCTION \
--aws-regions us-east-1 us-west-2 \
--lenses wellarchitected serverless
# List all workloads
aws wellarchitected list-workloads
# Get answers for a specific pillar
aws wellarchitected list-answers \
--workload-id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
--lens-alias wellarchitected \
--pillar-id securityLenses - Specialized Extensions for Specific Domains
Lenses add domain-specific questions on top of or alongside the core framework. They help teams assess workloads with unique architectural patterns.
| Lens | What It Adds | Best For |
|---|---|---|
| Serverless Lens | Questions specific to Lambda, API Gateway, DynamoDB, Step Functions patterns | Event-driven, serverless-first architectures |
| SaaS Lens | Multi-tenancy, isolation models, tenant tiering, onboarding automation | SaaS platform teams |
| IoT Lens | Device management, edge computing, message ingestion at scale, OTA updates | IoT device fleets |
| Machine Learning Lens | Data quality, model governance, MLOps, inference infrastructure | ML/AI workloads |
| Data Analytics Lens | Data lake architecture, query performance, data governance | Analytics platforms |
| Custom Lens | Define your own questions for internal standards, compliance frameworks, or company policies | Org-specific requirements |
Custom Lenses are particularly valuable for large organizations. You can encode your own architecture standards, internal compliance requirements, or technology choices as a lens and apply it to all workloads reviewed in your organization. Custom lenses are shared via the AWS Well-Architected Tool console.
Running Reviews at Scale and Integrating into the SDLC
For organizations with many workloads, the Well-Architected Tool API and AWS Well-Architected Labs help automate and embed reviews into existing processes.
| Approach | Description |
|---|---|
| WA Labs | Free hands-on labs for implementing best practices for each pillar - use as learning resources and implementation guides |
| WA Reviews in CI/CD | Run automated architecture checks using the API as part of a deployment pipeline; block releases with critical HRIs |
| Scheduled reviews | Mandate quarterly reviews for production workloads; track HRI reduction as an engineering KPI |
| AWS WA Partner reviews | AWS APN partners can conduct formal reviews and submit findings directly to your WA Tool account |
| Trusted Advisor integration | Some Trusted Advisor checks map directly to WA findings; use both for automated + guided coverage |
Embedding WA reviews into new service launch checklists is a best practice at scale. Before a new workload goes to production, teams complete a WA review, document identified HRIs, and either remediate them or accept the risks with documented justification. This creates an auditable record of architectural decisions.
The Well-Architected Tool is free. You pay nothing for the assessments themselves. The cost comes from implementing the recommendations (e.g., enabling Multi-AZ on RDS or adding a NAT Gateway for resilience). Frame WA reviews as an investment in reliability and cost efficiency, not a compliance overhead.
# Get improvement plan - see all identified risks
aws wellarchitected get-lens-review \
--workload-id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
--lens-alias wellarchitected
# Save a milestone to track improvement over time
aws wellarchitected create-milestone \
--workload-id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
--milestone-name "Q2-2025-baseline"
# List all milestones for a workload
aws wellarchitected list-milestones \
--workload-id xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxInterview Focus Points
- 1Name the six pillars of the AWS Well-Architected Framework and describe what each one covers.
- 2What is a High Risk Issue (HRI) vs a Medium Risk Issue (MRI) in a Well-Architected review?
- 3What is a Well-Architected Lens and give two examples of available lenses?
- 4How do you use milestones in the Well-Architected Tool to track improvement over time?
- 5How would you embed Well-Architected reviews into a CI/CD pipeline or new service launch process?
- 6What is the relationship between the Well-Architected Framework and Trusted Advisor?
- 7How does the Reliability pillar address disaster recovery - what are the four DR strategies and their tradeoffs?
- 8Walk me through how you would conduct a Well-Architected review for a production microservices workload.
- 9What is a Custom Lens and when would you create one?