At Cloud Conformity, we often harp on about the AWS Well-Architected Framework and for very good reason. The framework underpins our entire platform and forms our Knowledge Base to ensure your cloud infrastructure is the most resilient, secure and efficient for your needs. Here we break down exactly what the framework is by looking at the individual pillars and what they mean for users, along with a few pointers to get you started.
What is the Well-Architected Framework made up of?
Amazon’s Well-Architected Framework is made up of Five Pillars (Operational Excellence, Security, Reliability, Performance Efficiency and Cost Optimization) which help to provide a stable and consistent base from which to initially design your infrastructure, and to keep referring back to as the infrastructure evolves.
Why should I use the Well-Architected Framework at all?
By using the five AWS pillars, you can keep challenging your designs and logic from different angles as your organization’s needs change. They also help you look at your environments more holistically and objectively, and pinpoint where the real priorities lie and what action needs to be taken.
The newest pillar in the family, Operational Excellence only came into the picture at re:Invent 2016. It was introduced to encourage cloud architects to continually re-evaluate their existing environments and the processes around them, i.e. let’s not get idle and complacent! This pillar also encourages teams to get into good process habits: documenting changes so there is an audit trail, making only small, easily reversible changes, and always anticipating failure when building.
A great way to start with this pillar is to increase your use of automation and get into the routine of using CloudFormation for all operations and configuration. The benefit of Infrastructure as Code (IaC) is consistency, speed and the lower cost of creating and deploying projects; it also means a template can be reviewed for security problems before anything is deployed. To help with this pillar and instill more confidence in using IaC, we launched the CloudFormation Template Scanner in beta for Cloud Conformity customers. The tool tests your CloudFormation templates before deployment so only the cleanest and most secure templates make it into your environments.
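As an added illustration of what a pre-deployment template check looks like (this is not Cloud Conformity’s CloudFormation Template Scanner, whose rules are not described here), the Python below scans a constructed JSON-form CloudFormation template for three things a reviewer would want blocked before deployment: security groups that open SSH/RDP (or every port) to the whole internet, IAM policies that allow every action on every resource, and S3 buckets with a public canned ACL. The template, the port list and the thresholds are assumptions for the example.

```python
"""Added example: minimal pre-deployment scanner for a CloudFormation template (JSON form).

The template below is a constructed sample; the three checks are illustrative,
not the rule set of any particular scanning product.
"""
import json

SENSITIVE_PORTS = {22, 3389}                 # SSH and RDP: never from the whole internet
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
IAM_TYPES = ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
             "AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group")

# Constructed sample template: one good rule, one bad rule, one admin policy,
# one private bucket and one public bucket.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "BastionSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "bastion host",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "AdminPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
      }
    },
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
    "WebBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}}
  }
}
""")


def _as_list(value):
    """CloudFormation/IAM allow a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def _rule_exposes_sensitive_port(rule):
    """True when an ingress rule reaches a sensitive port (or all ports) from anywhere."""
    world = rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS
    if not world:
        return False
    if str(rule.get("IpProtocol")) == "-1":     # all protocols, all ports
        return True
    low, high = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return any(low <= port <= high for port in SENSITIVE_PORTS)


def _statement_is_admin(stmt):
    """True for an Allow statement granting Action * on Resource *."""
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Action", []))
            and "*" in _as_list(stmt.get("Resource", [])))


def _policy_documents(props):
    """Inline PolicyDocument (Policy/ManagedPolicy) or the Policies list (Role/User/Group)."""
    if "PolicyDocument" in props:
        return [props["PolicyDocument"]]
    return [p["PolicyDocument"] for p in props.get("Policies", []) if "PolicyDocument" in p]


def scan_template(template):
    """Return (logical_id, finding) pairs for a parsed template dict, in resource order."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            if any(_rule_exposes_sensitive_port(r) for r in props.get("SecurityGroupIngress", [])):
                findings.append((logical_id, "ingress from the internet to a sensitive port"))
        elif rtype in IAM_TYPES:
            for doc in _policy_documents(props):
                if any(_statement_is_admin(s) for s in _as_list(doc.get("Statement", []))):
                    findings.append((logical_id, "IAM policy allows Action * on Resource *"))
        elif rtype == "AWS::S3::Bucket" and props.get("AccessControl") in PUBLIC_ACLS:
            findings.append((logical_id, f"bucket ACL {props['AccessControl']} is public"))
    return findings


if __name__ == "__main__":
    for logical_id, finding in scan_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Run against the sample, the scanner reports BastionSG (port 22 open to 0.0.0.0/0; the 443 rule on the same group is not a finding), AdminPolicy and WebBucket, and leaves LogBucket alone. Wiring `scan_template` into a CI step that fails the build on a non-empty result is the “test before deployment” habit the pillar is asking for.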
It’s also important to regularly review and challenge the operations behind your environments and team. Some questions to ask:
- Why is that process in place?
- Is it still relevant to our needs today?
- What is the primary goal of this procedure?
Security often comes in as an afterthought; AWS instead keeps it high on the agenda through the Shared Responsibility Model. AWS is responsible for security of the cloud (the facilities, hardware and the infrastructure behind its managed services), while you, the customer, are responsible for security in the cloud: your identities, data, configuration and everything you deploy. It’s important that security is looked at from all angles and on multiple levels: before construction with security-led design, during use with proactive risk assessments, and after an incident with well-rehearsed and practised response plans.
Have a look at your own infrastructure to see how well you’re following security best practice. For example when using AWS IAM, ask yourself:
- How much activity is there on the root user account?
- How often are your access keys rotated, and is that rotation automated?
- Which IAM users are no longer used and can be deleted now?
AWS CloudTrail is also key for this pillar, as it records the AWS API calls made in your account; how thoroughly has it been enabled throughout your infrastructure? A trail that covers only one region leaves activity elsewhere unrecorded, so check that you have a multi-region trail, that log file validation is turned on, and that the log bucket is not readable by anyone who shouldn’t see it.
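To turn the IAM questions above and the CloudTrail question into repeatable checks, here is an added Python example (it is not the Cloud Conformity bot’s code). It reads an IAM credential report and the trail list that CloudTrail’s describe_trails call returns. Both inputs here are constructed samples embedded inline, with the credential report reduced to the columns the checks actually read, so the example runs offline; the `now` timestamp, the 90-day thresholds and the account ID are assumptions. In a real account you would feed it `iam.get_credential_report()['Content']` and `cloudtrail.describe_trails()['trailList']` from boto3.

```python
"""Added example: IAM credential-report and CloudTrail coverage checks.

All inputs are already-fetched data (constructed samples below), so the
functions run offline; in a real account the same shapes come from boto3.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90   # assumed policy: rotate access keys at least this often
IDLE_DAYS = 90          # assumed policy: no activity for this long => deletion candidate
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)   # fixed so the results are reproducible

# Constructed sample: a subset of the real credential report's columns (the checks
# read only these). The root account appears in the report as <root_account>.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2017-05-28T09:12:00+00:00,false,true,2016-01-10T08:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2017-05-30T14:03:00+00:00,true,true,2017-04-15T10:00:00+00:00,2017-05-31T07:45:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,false,no_information,false,true,2016-11-01T12:00:00+00:00,2017-05-20T16:20:00+00:00,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,true,2016-12-01T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
"""

# Constructed sample shaped like describe_trails()['trailList']: a single-region trail.
SAMPLE_TRAILS = [
    {"Name": "management-events", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": True},
]


def _parse_ts(value):
    """Report timestamps are ISO-8601; N/A, no_information and not_supported mean absent."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_credential_report(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def root_findings(rows, now=NOW, idle_days=IDLE_DAYS):
    """Root should have MFA, no access keys, and no routine sign-ins."""
    findings = []
    for row in rows:
        if row["user"] != "<root_account>":
            continue
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append("root has an active access key")
        if row["mfa_active"] != "true":
            findings.append("root has no MFA")
        last = _parse_ts(row["password_last_used"])
        if last is not None and now - last < timedelta(days=idle_days):
            findings.append(f"root password used in the last {idle_days} days")
    return findings


def stale_access_keys(rows, now=NOW, max_age_days=KEY_MAX_AGE_DAYS):
    """(user, key slot) pairs for active keys last rotated more than max_age_days ago."""
    stale = []
    for row in rows:
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_age_days):
                stale.append((row["user"], slot))
    return stale


def deletion_candidates(rows, now=NOW, idle_days=IDLE_DAYS):
    """IAM users (never root) with no password or access-key use within idle_days."""
    cutoff = now - timedelta(days=idle_days)
    cols = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
    return [row["user"] for row in rows
            if row["user"] != "<root_account>"
            and all(t is None or t < cutoff for t in (_parse_ts(row[c]) for c in cols))]


def cloudtrail_gaps(trails):
    """Coverage gaps: no multi-region trail, or trails without log file validation."""
    gaps = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        gaps.append("no multi-region trail: API calls outside the home region go unrecorded")
    gaps += [f"trail {t['Name']} has log file validation disabled"
             for t in trails if not t.get("LogFileValidationEnabled")]
    return gaps


def run_checks(csv_text=SAMPLE_REPORT, trails=SAMPLE_TRAILS, now=NOW):
    rows = parse_credential_report(csv_text)
    return {"root": root_findings(rows, now),
            "stale_keys": stale_access_keys(rows, now),
            "deletion_candidates": deletion_candidates(rows, now),
            "cloudtrail": cloudtrail_gaps(trails)}


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

On the sample the root account trips all three root checks (active key, no MFA, signed in four days ago), root’s key and bob’s key are past the 90-day rotation age, carol has had no activity since December and is a deletion candidate, and the only trail is single-region. The thresholds are policy choices; the point is that each question on the list becomes a function you can run on a schedule rather than a question you ask once.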
As more security breaches hit the news and data protection has become a key focus, meeting this pillar’s standard should always be in mind. I’m quite sure everyone could do without a hefty GDPR penalty!
The pillar of reliability seems like a bit of a no-brainer but you’d be surprised at how often it’s not thought about in its entirety. Not only does it involve recovery from failure or service disruptions, but it also includes the issue of capacity management and scalability. Once again, AWS wants to encourage architects to start from a solid foundation from which changes can be easily and dynamically made.
CloudFormation templates can help with recovery too: after an incident, a known-good template lets you stand up a clean, isolated environment (a clean room) for deeper and more secure investigation while production is restored. Scheduling time to practise and test these very processes helps just as much. A few questions to consider for your process:
- How much of the recovery is automated?
- What are the various access levels and who has what?
- When was the last time the entire process was tested?
Capacity and availability are the part of this pillar that is most easily overlooked. It is tempting to under-provision to avoid overspending; Amazon CloudWatch alarms on utilisation, together with knowing where your service limits sit, tell you whether what you have is actually sufficient before demand outgrows it.
The Performance Efficiency pillar is all about computing resources, their ability to meet requirements and to evolve as needs change. Allowing your architecture to be flexible and creative will open up more possibilities, and more than likely you’ll find yourself employing different approaches to suit different workloads.
It’s important to collect data for frequent review to check that your infrastructure is working as efficiently as it can. The AWS monitoring services will tell you when performance falls below what you expect and where immediate action is needed. Setting thresholds and alarms here is another good way to catch performance problems early.
Serverless architecture with AWS Lambda can be a great win for this pillar, as can Amazon CloudFront, which reduces latency by serving content from edge locations close to your users. Experiment often to see what works best where; it’s through this continuous review and testing that you’ll find where trade-offs can be made for the benefit of the entire infrastructure.
One of the greatest benefits of using AWS is the lower cost compared with on-prem or data centre setups. However, as we’ve often seen, this doesn’t always hold in practice, simply because of oversights and short-term planning.
The best cost optimization model is to pay only for what you actually use: measure utilisation and match consumption to it. With that data you’ll be better equipped to understand what a realistic and economical spend should look like for your projects and workloads. Once again, taking the time to monitor and allocate costs will be your friend in the long term here.
There will be times of compromise or trade-offs, such as longer processing times for lower costs (or vice versa). By understanding how services like Amazon Glacier (archive storage) and CloudFormation (automation) deliver the bigger savings, you can prioritize more easily. It’s also hugely beneficial to be aware of the various instance types available, as AWS continues to introduce new generations with cost benefits that depend on your workloads.
The Five Pillars of the Well-Architected Framework are there to serve and guide users from the very start of their AWS cloud journey. Within each pillar the constant theme is monitoring and challenging the current setup and process on a regular basis, as your infrastructure and organization continue to evolve.
While getting to know AWS services can feel a little like a minefield at first, experimenting in a test environment is the best way to arrive at the safest and most highly optimized arrangement. All of the AWS services work under the five pillars; however, it’s through understanding your unique needs that they’ll come into their own to work for you and your projects.
AWS are excellent at listening to feedback and introducing changes, so it’s always worth keeping up to date with their service improvements, changes and launches. They want their users to feel confident using AWS and to feel the many benefits of cloud computing, which are actually quite aptly named by these very pillars!
We wholeheartedly believe that knowledge is power and want to continue to provide education on AWS best practice so the public cloud world becomes easier to understand, navigate and most importantly, enjoy! We provide the rationale behind each rule so that your team are effortlessly learning while helping to create and maintain the infrastructure that your organization runs on.
In just three minutes, you can plug in an AWS account to Cloud Conformity as the conformity bot runs close to 500 checks against your AWS accounts in real-time to ensure that you’re as compliant as possible when it comes to these pillars, their design principles and best practice.