AWS Well-Architected Framework

Design principles across reliability, security, cost, performance, and sustainability

Language / Topic

Amazon Web Services

Rules

AWS Well-Architected Framework · balanced balanced

- Design for failure: use multi-AZ deployments, health checks, and auto-scaling for all production workloads

- Apply the principle of least privilege across all layers (IAM, security groups, NACLs)

- Use managed services (RDS, DynamoDB, SQS) over self-managed alternatives when possible

- Implement cost controls: use tagging, budgets, and right-sizing recommendations from Cost Explorer

- Enable CloudTrail, Config, and GuardDuty in all accounts for governance and threat detection

- Design for failure: use multi-AZ deployments, health checks, auto-scaling, and circuit breakers

- Apply least privilege across all layers: IAM policies, security groups, NACLs, and resource policies

- Use managed services (RDS, DynamoDB, SQS, ECS Fargate) over self-managed EC2 when possible

- Implement cost controls: enforce tagging, set up AWS Budgets with alerts, review Cost Explorer weekly

- Enable CloudTrail, Config, GuardDuty, and Security Hub in all accounts

- Use infrastructure as code (CloudFormation, CDK, or Terraform) — never create resources manually in console

- Implement well-defined VPC architecture: public/private subnets, NAT gateways, VPC endpoints for AWS services

- Use async messaging (SQS, SNS, EventBridge) to decouple components and improve resilience

- Set up proper monitoring: CloudWatch alarms, dashboards, and X-Ray tracing for distributed systems

- Implement backup strategies: automated snapshots, cross-region replication, and tested restore procedures

- Use Route 53 health checks and failover routing for high availability across regions

- Apply the shared responsibility model: understand what AWS manages vs. what you must secure