AWS Well-Architected Framework


Data centers have been around for half a century. Today, building a well-architected data center is second nature. But what about building a well-architected cloud infrastructure? Are IT professionals up for the challenge?

Fortunately, Amazon Web Services has created the AWS Well-Architected Framework as a guide to designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. When combined with CloudCheckr, the well-architected framework becomes a blueprint for cloud cost management and security.

This white paper explains the concepts that make up the AWS Well-Architected Framework and how to use CloudCheckr, alongside the framework, to achieve operational excellence.

Our Leadership Principles


At the core of the AWS Well-Architected Framework are the five “Pillars”: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization. We will look at each of these pillars in detail.

Operational Excellence

The Operational Excellence pillar of the AWS Well-Architected Framework addresses the need to prepare in advance when designing a cloud infrastructure, to record metrics throughout operation, and to evolve and refine your infrastructure and operational procedures over time.

CloudCheckr helps achieve operational excellence through a robust tagging system designed to track all cloud service consumption. After all, if you can’t measure it, you can’t manage it.

Additionally, CloudCheckr includes Change Monitoring and offers several Best Practice Checks that enforce tagging and the use of CloudTrail and CloudWatch, so that metrics can be obtained. Finally, based on these metrics, CloudCheckr makes recommendations including Reserved Instance Purchases, Rebalancing, Right Sizing and more. By following these recommendations, CloudCheckr customers report saving 30% or more on their cloud spend.

CloudCheckr Change Monitoring Report


To address the security pillar, the AWS Well-Architected Framework offers guidelines around IAM (Identity and Access Management), data protection and incident response. Additionally, the security pillar discusses the physical security inherent in AWS’ facilities. This is part of the AWS Shared Responsibility Model; Amazon is responsible for security of the cloud and the customer is responsible for security in the cloud.

The AWS Shared Responsibility Model

Of the 550+ Best Practice Checks in CloudCheckr, dozens are specifically focused on IAM, such as ensuring passwords contain uppercase, lowercase, and special characters, are long enough, and are changed frequently. Administrators can choose which of these rules are important to them and rely on CloudCheckr to make sure those policies are enforced. CloudCheckr recommends using RBAC (Role-Based Access Control) to limit who has which capabilities, even when people change jobs.
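As an added illustration (not CloudCheckr's code), a password-policy check of the kind described above can be written against the PasswordPolicy structure that IAM's GetAccountPasswordPolicy returns. The two thresholds and both sample policies are assumptions constructed for this example.

```python
# Added example: evaluate an IAM account password policy against a baseline.
# Field names follow the PasswordPolicy structure returned by IAM's
# GetAccountPasswordPolicy; thresholds and sample policies are assumptions.

BASELINE = {"min_length": 14, "max_age_days": 90}  # assumed thresholds

REQUIRED_FLAGS = {
    "RequireUppercaseCharacters": "uppercase letters not required",
    "RequireLowercaseCharacters": "lowercase letters not required",
    "RequireSymbols": "special characters not required",
}

# Constructed sample input, not taken from a real account.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": False,
    "ExpirePasswords": False,  # MaxPasswordAge is absent: no expiry
}
STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,
}


def check_password_policy(policy, baseline=BASELINE):
    """Return a list of findings; an empty list means the policy passes."""
    if policy is None:
        # An account with no custom policy has nothing to evaluate:
        # GetAccountPasswordPolicy fails with NoSuchEntity in that case.
        return ["no account password policy is set"]
    findings = [msg for flag, msg in REQUIRED_FLAGS.items()
                if not policy.get(flag, False)]
    length = policy.get("MinimumPasswordLength", 0)
    if length < baseline["min_length"]:
        findings.append(f"minimum length {length} is below {baseline['min_length']}")
    # MaxPasswordAge is absent (or 0) when passwords never expire.
    age = policy.get("MaxPasswordAge", 0)
    if age == 0:
        findings.append("passwords never expire")
    elif age > baseline["max_age_days"]:
        findings.append(f"maximum age {age} days exceeds {baseline['max_age_days']}")
    return findings


if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("strong", STRONG_POLICY), ("unset", None)]:
        print(name, check_password_policy(pol))
```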

Sample CloudCheckr IAM Best Practice Checks
CloudCheckr Always Fix Dialog Box

The Security pillar recommends automating security best practices. CloudCheckr’s BPCs (Best Practice Checks) run throughout the day, and, when any security vulnerabilities are discovered, CloudCheckr’s “Fix Now” and “Always Fix” automated self-healing Best Practice Checks can even fix the vulnerability and notify the administrators, even while they sleep!

Data should be protected, in transit and at rest, according to the Security pillar. CloudCheckr enforces this with Best Practice Checks that look for encryption at rest and check whether SSL/TLS is enabled for network traffic.

Sample CloudCheckr Encryption and SSL Best Practice Checks

CloudCheckr Total Compliance

CloudCheckr maps 35 distinct regulatory frameworks, including HIPAA, CIS, PCI-DSS, NIST and others, to our 550+ Best Practice Checks. The result is a Cloud Compliance score that shows how effectively an organization is meeting each of those standards. The score is plotted over time and is a great way to ensure best practices are being followed and to prove compliance during an audit.


Reliability, the next pillar in the AWS Well-Architected Framework, means that cloud services continue to function despite outages, DDoS (Distributed Denial of Service) attacks, and other potential causes of downtime. CloudCheckr’s Best Practice Checks ensure high availability by requiring that snapshots are maintained properly and that Load Balancers with healthy instances, spread out over multiple Availability Zones, are used to protect against man-made or natural disaster.

CloudCheckr Availability Best Practice Checks

AWS recommends that administrators “stop guessing capacity” and use tools, like CloudCheckr, to monitor utilization and optimize provisioning. AWS also suggests that users “manage change in automation” and avoid manual tasks. The only practical way to scale reliably is through automation, and automation can also avoid human error.

Performance Efficiency

The next pillar is Performance Efficiency, or the ability to achieve the desired level of performance at the lowest cost. CloudCheckr’s Heat Maps can graphically display the hot or cold usage levels of a particular instance over time.

CloudCheckr Heat Map

To ensure efficiency, the CloudCheckr Right Sizing report recommends changes, up or down, for the size and type of RIs, based on the utilization levels of CPU and the Network, and optionally Memory.

CloudCheckr Right Sizing Report

The greatest efficiencies are a result of CloudCheckr’s automation tools. Through Workflow Automation, Self-Healing, and Custom Alerts, cloud managers can focus on higher-level tasks, and manage their growing cloud at scale. These time savings are a major win for personal and corporate efficiency. Cost efficiency is further ensured through the CloudCheckr tools discussed in the next pillar, Cost Optimization.

Cost Optimization

The Cost Optimization pillar makes sure an organization is not spending on unused or underutilized resources. CloudCheckr’s Cost Savings Report displays the potential savings from adopting recommendations for previous generation, unused and underutilized resources, as well as from the acquisition of RIs (Reserved Instances) and Spot Instances.

CloudCheckr Cost Savings Report
CloudCheckr Cost Alerts

CloudCheckr helps organizations manage costs through a robust tagging system designed to track all cloud service consumption. After all, if you can’t measure it, you can’t manage it.

Organizations can match supply and demand through RI Mapping, RI Unsharing, and RI Rebalancing, to leverage Reserved Instance purchases across the entire enterprise, or across multiple customers in the case of a reseller. Expenditure awareness is achieved with Cost Alerts and Spend Analysis reports, which can be exported as PDF or CSV files. Resellers can view Profit Analysis as well, showing their margin for actual costs versus List Cost pricing.

CloudCheckr Spend Analysis Detail Report
CloudCheckr Profit Analysis Report


The AWS Well-Architected Framework is just that, a framework. Like the frame of a house, you still need to add walls, plumbing, electricity, a roof, furniture, etc. to make it a home. CloudCheckr adds vital elements for applying the AWS Well-Architected Framework, to ensure your cloud infrastructure conforms to industry-standard guidelines, while making sure you are not overspending on services.
