Skip to content

AWS Well-Architected Framework v10

Best for: Any organization running workloads on AWS that needs to evaluate architectural decisions against AWS best practices. Most relevant for teams preparing for Well-Architected Reviews with a Solutions Architect, companies pursuing AWS Partner certifications, or engineering teams that need to justify infrastructure decisions to leadership. No revenue or size threshold applies. A startup with a single account benefits as much as an enterprise managing hundreds.

Mandatory?Voluntary โ€” AWS best-practice framework
Who validates?Self-assessment via AWS Well-Architected Tool; optional AWS partner review
RenewalNo fixed cycle; review at architecture changes
ScopeAll AWS workloads; six pillars including Security

๐Ÿ› Amazon Web Services (AWS) ยท AWS Well-Architected Framework v10 Official source โ†’

Get Started

module "..." {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Account Governance: Runs controls checking AWS Organizations membership, security contact registration, and account contact detail completeness. Covers account_alternate_contact_security_registered, account_maintain_current_contact_details, and account_part_of_organizations.
    • API Security and Access Control: Checks API Gateway REST and HTTP API configurations for missing authorizers, public endpoint exposure, WAF association, and SSL certificate attachment. Covers 7 API Gateway controls across both V1 and V2 APIs.
    • Certificate Lifecycle: Detects ACM certificates expiring within 30 days and verifies certificate transparency logging is enabled. Flags API Gateway stages missing SSL certificates.
    • Resilience and Multi-AZ Architecture: Validates that EC2 auto scaling groups span multiple Availability Zones per the Reliability pillar.
    • Sensitive Data Exposure: Scans EC2 auto scaling launch configuration user data fields for embedded secrets, passwords, and sensitive configuration values.
    • Session and Timeout Configuration: Evaluates AppStream fleet timeout settings (idle disconnect, session disconnect, max user duration) and internet access configuration against recommended thresholds.

  • What you handle

    • Account Governance: Defining and enforcing the organizational unit (OU) structure, setting up Service Control Policies (SCPs), and maintaining a process to update contacts when personnel change.
    • API Security and Access Control: Designing the authorization strategy (Cognito, Lambda authorizer, IAM), writing and maintaining authorizer logic, and configuring WAF rules appropriate to your threat model.
    • Certificate Lifecycle: Investigating why auto-renewal failed for flagged certificates, managing certificates outside ACM (such as imported certificates), and monitoring Certificate Transparency logs for unauthorized issuance.
    • Resilience and Multi-AZ Architecture: Determining the right number of AZs for your RPO/RTO targets, testing failover scenarios, and ensuring application-level state management supports AZ loss.
    • Sensitive Data Exposure: Migrating secrets to AWS Secrets Manager or Parameter Store, rotating any exposed credentials, and implementing preventive controls such as SCPs or CI/CD pipeline scanning.
    • Session and Timeout Configuration: Adjusting timeout values to match actual user workflow requirements and configuring VPC egress controls for fleets with internet access disabled.

Controls by Category

API Gateway Security (4 controls)

This is where most findings accumulate. Reviewers look for unauthenticated API methods, publicly accessible REST API endpoints that should be private, and stages missing WAF associations or access logging. A recurring gap is V2 (HTTP API) routes left with no authorization type because teams assume V1 settings carry over.

API Gateway methods authorizer should be configured API Gateway routes should specify an authorization type API Gateway V2 authorizer should be configured API Gateway stage logging should be enabled

AppStream Fleet Configuration (4 controls)

The two things reviewers want to see: internet access disabled on fleets (traffic should route through a VPC with controlled egress) and session timeouts configured to reduce idle exposure windows. Evidence is pulled from fleet configuration details in the AppStream console or via describe-fleets API calls.

AppStream fleet default internet access should be disabled AppStream fleet idle disconnect timeout should be set to less than or equal to 10 mins AppStream fleet max user duration should be set to less than 10 hours AppStream fleet session disconnect timeout should be set to less than or equal to 5 mins

Certificate and Encryption Management (2 controls)

Auditors check for expiring ACM certificates and confirm transparency logging is enabled to catch misissued certificates. For API Gateway, they want to see SSL certificates attached to custom domain stages. Expired certificates cause outages, and teams frequently miss renewals when auto-renewal fails silently due to DNS validation issues.

ACM certificates should have transparency logging enabled compliance.tf module API Gateway stage should uses SSL certificate
Additional Controls (113)

AWS CloudTrail (4)

At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs CloudTrail trail logs should be encrypted with KMS CMK CloudTrail trail log file validation should be enabled

AWS IAM (9)

Ensure IAM password policy requires a minimum length of 14 or greater Ensure IAM password policy requires at least one lowercase letter Ensure IAM password policy requires at least one number Ensure IAM password policy requires at least one symbol Ensure IAM password policy requires at least one uppercase letter Ensure IAM password policy prevents password reuse Password policies for IAM users should have strong configurations with minimum length of 8 or greater IAM password policies for users should have strong configurations Ensure IAM password policy expires passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabled compliance.tf module

AWS Lambda (2)

Lambda functions CORS configuration should not allow all origins compliance.tf module Lambda functions should restrict public URL compliance.tf module

Amazon CloudFront (4)

CloudFront distributions should require encryption in transit compliance.tf module CloudFront distributions should have field level encryption enabled compliance.tf module CloudFront distributions access logs should be enabled compliance.tf module CloudFront distributions should have AWS WAF enabled compliance.tf module

Amazon CloudWatch (2)

CloudWatch alarm should have an action configured compliance.tf module Log group retention period should be at least 365 days compliance.tf module

Amazon CloudWatch Logs (1)

Log group encryption at rest should be enabled compliance.tf module

Amazon DynamoDB (2)

DynamoDB table should be encrypted with AWS KMS compliance.tf module DynamoDB table should have encryption enabled compliance.tf module

Amazon DynamoDB Accelerator (1)

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

Amazon EBS (3)

Attached EBS volumes should have encryption enabled compliance.tf module EBS snapshots should be encrypted EBS volume encryption at rest should be enabled compliance.tf module

Amazon EC2 (4)

EC2 instances should have IAM profile attached compliance.tf module EC2 instances should not have a public IP address compliance.tf module EC2 instances should use IMDSv2 compliance.tf module Ensure IAM instance roles are used for AWS resource access from instances compliance.tf module

Amazon ECR (1)

ECR repositories should have image scan on push enabled compliance.tf module

Amazon EFS (2)

EFS file system encryption at rest should be enabled compliance.tf module EFS file systems should be encrypted with CMK compliance.tf module

Amazon EKS (4)

EKS clusters should have control plane audit logging enabled compliance.tf module EKS clusters endpoint public access should be restricted compliance.tf module EKS clusters endpoint should restrict public access compliance.tf module EKS clusters should be configured to have kubernetes secrets encrypted using KMS compliance.tf module

Amazon OpenSearch Service (8)

OpenSearch domains should have audit logging enabled. compliance.tf module OpenSearch domains cognito authentication should be enabled for kibana compliance.tf module OpenSearch domains should have encryption at rest enabled compliance.tf module OpenSearch domains should use HTTPS compliance.tf module OpenSearch domains should be in a VPC compliance.tf module OpenSearch domains internal user database should be disabled compliance.tf module OpenSearch domains logs to AWS CloudWatch Logs compliance.tf module OpenSearch domains node-to-node encryption should be enabled compliance.tf module

Amazon RDS (10)

RDS DB clusters should have automatic minor version upgrade enabled RDS DB instance automatic minor version upgrade should be enabled compliance.tf module RDS DB instances should be integrated with CloudWatch logs compliance.tf module RDS DB instance encryption at rest should be enabled compliance.tf module Database logging should be enabled compliance.tf module RDS for MariaDB DB instances should publish logs to CloudWatch Logs compliance.tf module RDS DB instances should not use public subnet compliance.tf module RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs compliance.tf module RDS DB instances should prohibit public access compliance.tf module RDS for SQL Server DB instances should publish logs to CloudWatch Logs compliance.tf module

Amazon Redshift (5)

AWS Redshift audit logging should be enabled compliance.tf module AWS Redshift should have automatic upgrades to major versions enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module AWS Redshift should have required maintenance settings compliance.tf module Redshift clusters should prohibit public access compliance.tf module

Amazon Route 53 (2)

Route53 domains privacy protection should be enabled Route 53 domains should have transfer lock enabled

Amazon S3 (14)

S3 buckets access control lists (ACLs) should not be used to manage user access to buckets compliance.tf module S3 bucket default encryption should be enabled compliance.tf module S3 bucket default encryption should be enabled with KMS compliance.tf module S3 buckets should have lifecycle policies configured compliance.tf module S3 bucket logging should be enabled compliance.tf module S3 bucket MFA delete should be enabled compliance.tf module S3 bucket ACLs should not be accessible to all authenticated user compliance.tf module S3 buckets object logging should be enabled S3 bucket policy should prohibit public access compliance.tf module S3 buckets should prohibit public read access compliance.tf module S3 buckets should prohibit public write access compliance.tf module S3 buckets with versioning enabled should have lifecycle policies configured compliance.tf module S3 bucket versioning should be enabled compliance.tf module S3 public access should be blocked at account level compliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at rest compliance.tf module

Amazon SQS (2)

AWS SQS queues should be encrypted at rest compliance.tf module SQS queues should be encrypted with KMS CMK compliance.tf module

Amazon SageMaker (7)

SageMaker models should be in a VPC SageMaker models should have network isolation enabled SageMaker notebook instances should not have direct internet access SageMaker notebook instances should be encrypted using CMK SageMaker notebook instance encryption should be enabled SageMaker notebook instances should be in a VPC SageMaker notebook instances root access should be disabled

Amazon VPC (1)

VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888 compliance.tf module

Elastic Load Balancing (10)

ELB application and classic load balancer logging should be enabled compliance.tf module ELB load balancers should prohibit public access compliance.tf module ELB application load balancers should be configured with defensive or strictest desync mitigation mode compliance.tf module ELB application load balancers should be configured to drop HTTP headers compliance.tf module Application Load Balancer should be configured to drop invalid http headers compliance.tf module Application and Network Load Balancers with listeners should use recommended security policies compliance.tf module Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit compliance.tf module ELB classic load balancers should span multiple availability zones compliance.tf module ELB network load balancers should have TLS listener security policy configured compliance.tf module ELB listeners SSL/TLS protocol version should be checked compliance.tf module

Other (13)

CloudFormation stacks should have notifications enabled Elasticsearch domains should have audit logging enabled Elasticsearch domains should have cognito authentication enabled ES domain encryption at rest should be enabled Elasticsearch domains should have internal user database enabled Elasticsearch domain should send logs to CloudWatch Elasticsearch domain node-to-node encryption should be enabled Access logging should be configured for API Gateway V2 Stages compliance.tf module Glue data catalog metadata encryption should be enabled Glue data catalog connection password encryption should be enabled Glue jobs bookmarks encryption should be enabled Glue jobs CloudWatch logs encryption should be enabled Glue jobs S3 encryption should be enabled

  • AWS Foundational Security Best Practices โ€” ๐ŸŸก Medium overlap (55%)

    AWS Foundational Security Best Practices (FSBP) shares many of the same underlying controls, particularly around API Gateway, ACM, and auto scaling. FSBP is more prescriptive and audit-oriented, while WAF is advisory and architecture-focused.

  • NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (30%)

    The Security pillar of WAF maps loosely to NIST 800-53 control families such as AC (Access Control), SC (System and Communications Protection), and SI (System and Information Integrity). WAF lacks the granularity of 800-53 and does not cover administrative or physical controls.

  • NIST CSF v1.0 โ€” โšช Low overlap (25%)

    The NIST Cybersecurity Framework shares conceptual alignment with WAF's Security and Reliability pillars. CSF's Protect and Detect functions map to WAF security controls, but CSF addresses organizational governance topics that WAF does not cover.

Frequently Asked Questions

Does the Well-Architected Framework require a formal audit or certification?

No. WAF is a self-assessment framework with no certification body, no external auditor requirement, and no pass/fail outcome. You conduct reviews using the AWS Well-Architected Tool in the console, which produces a list of high-risk issues and improvement plans. AWS Solutions Architects can assist but are not auditors.

How does WAF v10 differ from earlier versions?

The "v10" label is a benchmark or package version label, not an AWS official framework version number. AWS updates Well-Architected guidance continuously across all six pillars. The most significant historical change was adding the Sustainability pillar in 2021. In the AWS Well- Architected Tool, you can update existing workload reviews to newer lens versions.

Can I use WAF review results to satisfy compliance requirements for other frameworks like SOC 2 or ISO 27001?

Not directly. WAF findings can inform remediation priorities and provide evidence of architectural review discipline, but no compliance framework accepts a WAF review as a substitute for its own assessment. Mapping WAF controls to SOC 2 or ISO 27001 controls can reduce duplicate effort, but each framework still requires its own evidence collection.

How long does a Well-Architected Review take?

A small, well-documented workload typically takes 2 to 4 hours. Complex workloads involving multiple teams can take days. The bottleneck is usually getting the right people (developers, ops, security) in the same room. Automated checks via compliance.tf can pre-populate technical findings and cut that time down.

Should every AWS workload go through a WAF review?

AWS recommends it, but in practice, prioritize production workloads handling sensitive data or business-critical functions. Development and sandbox workloads can be reviewed less frequently. A common policy is to require a WAF review before production launch and annually after that.