Articles

Review Your AWS Architecture Against the Well-Architected Framework (2026)

April 16, 2026 5 min read

The AWS Well-Architected Framework is less a rigid checklist and more a dynamic lens through which to view and improve your cloud deployments, often revealing surprising inefficiencies in areas you thought were already optimized.

Let’s walk through a hypothetical scenario. Imagine you’re running a web application on EC2 instances behind an Application Load Balancer (ALB), with your database in RDS.

+-----------------+      +-----------------+      +-----------------+
|   User Traffic  |----->|       ALB       |----->|  EC2 Instances  |
+-----------------+      +-----------------+      +-----------------+
                                                           |
                                                           v
                                                    +-----------------+
                                                    |       RDS       |
                                                    +-----------------+

This is a common pattern. You’ve likely focused on getting it working. The Well-Architected Framework pushes you to consider how well it’s working across five pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization.

Operational Excellence is about running and monitoring systems to deliver business value and continually improving processes and procedures.

  • What it looks like: You have CloudWatch alarms set for CPU utilization on your EC2 instances, and you can see logs from your application. Your deployment process involves SSHing into instances and running scripts.
  • The Well-Architected View: Are your alarms too high or too low? Do they trigger meaningful actions? Are your logs comprehensive and easy to search? Is your deployment process repeatable, auditable, and automated?
  • Deep Dive - Automation: For instance, instead of manual deployments, you might use AWS CodeDeploy. This service integrates with your CI/CD pipeline (e.g., CodePipeline, Jenkins) to automate application deployments to EC2 instances, Lambda, and ECS. It handles rolling updates, provides traffic shifting capabilities, and can automatically roll back if issues are detected. The command to register an EC2 instance with a deployment group might look like:
    aws deploy register --instance-name i-0123456789abcdef0 --deployment-group-name MyWebApp-DG --region us-east-1
    This ensures deployments are consistent and less prone to human error.

Security is about protecting information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

  • What it looks like: You have security groups on your EC2 instances that allow traffic from the ALB’s security group on port 80/443. Your RDS instance is in a private subnet.
  • The Well-Architected View: Are your security groups too permissive? Is your data encrypted at rest and in transit? Are you using IAM roles instead of access keys for EC2 instances? Have you considered a Web Application Firewall (WAF)?
  • Deep Dive - Least Privilege: A common oversight is granting overly broad permissions. Instead of attaching policies directly to users or EC2 instances, you should use IAM roles. For example, an EC2 instance needing to write to an S3 bucket should assume a role with a policy like:
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-app-bucket/logs/*"
        }
    ]
}
    This policy grants permission only to s3:PutObject on a specific prefix (logs/*) within a designated bucket (my-app-bucket), adhering to the principle of least privilege.

Reliability is about ensuring a system can recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions.

  • What it looks like: Your EC2 instances are in a single Availability Zone (AZ). Your RDS instance is a single instance.
  • The Well-Architected View: What happens if the AZ goes down? What if the RDS instance fails? Are you using Auto Scaling? Have you implemented health checks?
  • Deep Dive - Multi-AZ for RDS: To improve reliability, you’d configure RDS for Multi-AZ deployment. This automatically provisions and maintains a synchronous standby replica in a different Availability Zone. In the event of planned maintenance or an unplanned outage, RDS automatically fails over to the standby replica. When creating an RDS instance, this is a simple checkbox in the console or a parameter in CloudFormation/CDK: MultiAZ: true. This ensures minimal downtime during database availability events.

Performance Efficiency is about using IT and computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technology evolves.

  • What it looks like: You’re using t3.medium EC2 instances. Your ALB is configured with default settings.
  • The Well-Architected View: Are your instance types the most cost-effective for your workload? Are you leveraging caching? Is your database properly indexed? Are you using Graviton instances?
  • Deep Dive - Right-Sizing EC2: Many workloads perform better and more cost-effectively on AWS Graviton processors (ARM-based). If your application is compatible, switching from an m5.large (Intel) to an m6g.large (Graviton) can offer significant performance gains and cost savings. You’d simply change the InstanceType in your EC2 launch template or Auto Scaling group configuration:
    {
    "LaunchTemplateData": {
        "InstanceType": "m6g.large"
    }
}
    This is not just about picking a bigger instance; it’s about picking the right architecture for the job.

Cost Optimization is about avoiding unneccessary costs and maximizing the value of your cloud spend.

  • What it looks like: You have EC2 instances running 24/7. You’re using On-Demand EC2 instances.
  • The Well-Architected View: Are you using Reserved Instances or Savings Plans? Are you identifying and terminating idle resources? Are you leveraging spot instances where appropriate?
  • Deep Dive - Savings Plans: For predictable workloads, AWS Savings Plans offer a lower price compared to On-Demand prices in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1- or 3-year term. A Compute Savings Plan, for example, automatically applies to EC2, Fargate, and Lambda usage regardless of instance family, size, OS, tenancy, or region. You can commit to a steady state of usage, say $10/hour, and AWS will automatically apply the discounted rate to your eligible compute spend, reducing your monthly bill significantly.

One subtle aspect often overlooked is the impact of network design on performance and cost. While security groups filter traffic at the instance level, Network Access Control Lists (NACLs) at the subnet level provide an additional stateless layer of defense. Misconfigured NACLs, while rare, can cause connectivity issues that are hard to diagnose because they don’t log denied traffic by default, unlike security groups.

By systematically reviewing your architecture against these pillars, you move from a functional deployment to a robust, secure, efficient, and cost-effective one.

The next logical step after a thorough Well-Architected review is to explore how to automate the remediation of identified issues using AWS Config rules and Systems Manager Automation documents.

Want structured learning?

Take the full Aws course →