Profile Applicability:

  • Level 1

Description:

The AWS Well-Architected Tool helps you review your workloads against AWS best practices in five pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization. This tool evaluates workloads and identifies potential risks across these pillars, classifying them into risk levels (e.g., Medium, High). This SOP ensures that you identify and address medium and high risks in your workloads, improving the overall security, reliability, and efficiency of your AWS environment.

Rationale:

  • Security: Identifying medium and high risks early helps mitigate potential security threats, ensuring your workload follows best practices and is aligned with compliance requirements.

  • Operational Excellence: Addressing these risks enhances operational efficiency and stability, ensuring workloads are built for long-term success and sustainability.

  • Risk Mitigation: By resolving identified risks, you can reduce vulnerabilities in your cloud infrastructure, avoiding costly outages, breaches, or inefficient resource usage.

Impact:

Pros:

  • Improved Security and Reliability: Reduces the likelihood of incidents that affect security, availability, and performance.

  • Cost Efficiency: Mitigating risks ensures that resources are optimally allocated and that the application operates efficiently, reducing potential downtime or over-provisioning.

  • Compliance: Helps ensure your workloads are aligned with AWS security and architectural best practices, aiding in compliance with industry standards.

  • Operational Stability: Resolving high and medium risks makes the system more robust and resilient to failures.

Cons:

  • Initial Time Investment: Addressing risks may require an upfront investment of time and effort in reviewing, remediating, and implementing the recommendations provided by the tool.

  • Resource Usage: Some fixes may result in additional resource usage or configuration complexity, which could impact short-term operational goals.

Default Value:

By default, the AWS Well-Architected Tool does not automatically resolve medium and high risks. They must be identified through manual review or automated reports, after which mitigation measures must be planned and implemented.

Pre-requisite:

  • AWS IAM Permissions:

    • wellarchitected:ListWorkloads

    • wellarchitected:DescribeWorkload

    • wellarchitected:UpdateWorkload

  • AWS CLI installed and configured.

  • Workloads in the AWS Well-Architected Tool that have been reviewed and assessed for risks.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Well-Architected Tool under Services.

  3. In the AWS Well-Architected Tool, go to Workloads.

  4. Select the workload to review and click Review.

  5. In the review summary, look for any Medium or High risk findings listed in the Risks section.

  6. Review each risk item and ensure that a remediation plan is in place to resolve or mitigate the identified risks.

Using AWS CLI:

  1. To list the workloads and their corresponding risk findings, run the following command:

    aws wellarchitected list-workloads --query 'WorkloadSummaries[*].{Name:WorkloadName, Risk:RiskLevel}' --output table

  2. To get detailed findings for a specific workload, run:

    aws wellarchitected get-workload --workload-id <workload-id> --query 'Workload.Risks'

  3. Identify the medium and high risks listed for the workload and take note of the associated recommendations.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to the AWS Well-Architected Tool.

  2. Go to Workloads and select the workload you wish to assess.

  3. Review the Risks section for Medium and High risk items.

  4. For each identified risk, review the recommendations provided and implement the suggested mitigation actions.

  5. If additional configurations or services are required, implement them within the console as per the AWS Well-Architected recommendations.

  6. Track progress on risk mitigation in the Workload Review Summary.

Using AWS CLI:

  1. To resolve medium or high risks, you may need to update configuration settings or enable specific services based on the recommendations:

  2. For example, if a security risk is identified, you might need to enable AWS GuardDuty or AWS Config:

    aws guardduty enable-organization-admin-account --admin-account-id <admin-account-id>

  3. After implementing the changes, recheck the workload in the Well-Architected Tool to ensure that the risks have been mitigated:

    aws wellarchitected get-workload --workload-id <workload-id> --query 'Workload.Risks'

Backout Plan:

Using AWS Console:

  1. If the changes made to address medium or high risks lead to unexpected issues, sign in to the AWS Well-Architected Tool and undo the changes.

  2. Remove any newly added services or configurations that were implemented to mitigate risks.

  3. Re-run the AWS Well-Architected Tool to re-evaluate the workload and confirm that the previous risks are back in place or reduced.

Using AWS CLI:

  1. If any changes cause issues, remove or revert the resources or configurations that were added to resolve risks.

  2. Use the aws wellarchitected get-review-summary command to verify if any new risks appear or if previously resolved issues re-emerge.

  3. Make adjustments accordingly and re-check the workload’s status.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.