In the document AWS Well-Architected Tool (pages 13-67)

Step 1: Define a workload

You begin by defining a workload.

To define a workload

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

Note: The IAM user who documents the workload state must have full access permissions (p. 4) to AWS WA Tool.

2. In the Define a workload section, choose Define workload.

3. In the Name box, enter Retail Website - North America as the workload name.

4. In the Description box, we enter a description for the workload.

5. In the Review owner box, we enter the name of the person responsible for the workload review process.

6. In the Environment box, we indicate that the workload is in a production environment.

7. Our workload runs on both AWS and at our local data center:

a. We select AWS Regions, and choose the two Regions in North America where the workload runs.

b. We also select Non-AWS regions, and enter a name for our local data center.

8. The Account IDs box is optional, and we chose not to associate any AWS accounts with this workload.

9. The Architectural diagram box is optional, and we chose not to associate an architectural diagram with this workload.

10. The Industry type and Industry boxes are optional and are not specified for this workload.

11. For this example, we are not applying any tags to the workload. Choose Next.

12. For this example, we apply the AWS Well-Architected Framework lens, which is automatically selected. Choose Define workload to save these values and define the workload.

13. After the workload is defined, choose Start reviewing to begin documenting the state of the workload.

Step 2: Document the workload state

To document the state of the workload, you are presented with questions for the selected lens that span the pillars of the AWS Well-Architected Framework: operational excellence, security, reliability, performance efficiency, and cost optimization.

For each question, choose the best practices that you are following from the list provided. If you need details about a best practice, choose Info and view the additional information and resources in the right panel.

Choose Next to proceed to the next question. You can use the left panel to navigate to a different question in the same pillar or to a question in a different pillar.

If you choose Question does not apply to this workload or None of these, AWS recommends that you include the reason in the Notes box. These notes are included as part of the workload report and can be helpful in the future as changes are made to the workload.

Optionally, you can mark one or more individual best practices as not applicable. Choose Mark best practice(s) that don't apply to this workload and select the best practice that does not apply. You can optionally select a reason and provide additional details. Repeat for each best practice that does not apply.

You can pause this process at any time by choosing Save and exit. To resume later, open the AWS WA Tool console and choose Workloads in the left navigation pane. Select the name of the workload to open the workload details page. Choose Continue reviewing and then navigate to where you left off.

After you complete all of the questions, an overview page for the workload appears. You can review these details now or navigate to them later by choosing Workloads in the left navigation pane and selecting the workload name.

After documenting the state of your workload for the first time, you should save a milestone and generate a workload report.

A milestone captures the current state of the workload and enables you to measure progress as you make changes based on your improvement plan.

From the workload details page, choose Save milestone, enter Version 1.0 - initial review as the Milestone name, and choose Save.

To generate a workload report, select the desired lens and choose Generate report. A PDF file is created that contains the state of the workload, the number of risks identified, and a list of suggested improvements.

Step 3: Review the improvement plan

Based on the best practices selected, AWS WA Tool identifies areas of high and medium risk as measured against the AWS Well-Architected Framework Lens.

To review the improvement plan, choose AWS Well-Architected Framework from the Lenses section of the Overview page. Then choose Improvement plan.

For this particular example workload, three high risk issues and one medium risk issue were identified by the AWS Well-Architected Framework Lens.

Update the Improvement status for the workload to indicate that improvements to the workload have not been started yet.

The Improvement items section shows the recommended improvement items identified in the workload.

The questions are ordered based on the pillar priority that is set, with any high risk issues listed first followed by any medium risk issues.

Expand Recommended improvement items to show the best practices for a question. Each recommended improvement action links to detailed expert guidance to help you eliminate, or at least mitigate, the risks identified.

Step 4: Make improvements and measure progress

After deciding what improvement actions to take, update the Improvement status to indicate that improvements are in progress.

As part of this improvement plan, one of the high risk issues was addressed by adding Amazon CloudWatch and AWS Auto Scaling support to the workload.

From the Improvement items section, choose the pertinent question and update the selected best practices to reflect the changes. Add notes to record the improvements, and then choose Save and exit to update the state of the workload.

After making changes, you can return to the Improvement plan and see the effect those changes had on the workload. In this example, those actions have improved the risk profile — reducing the number of high risk issues from three to only one.

You can save a milestone at this point, and then go to Milestones to see how the workload has improved.

Workloads

A workload is a collection of resources and code that delivers business value, such as a customer-facing application or a backend process.

A workload might consist of a subset of resources in a single AWS account or be a collection of multiple resources spanning multiple AWS accounts. A small business might have only a few workloads while a large enterprise might have thousands.

The Workloads page, available from the left navigation, provides information about your workloads and any workloads that have been shared with you.

The following information is displayed for each workload:

Name

The name of the workload.

Owner

The AWS account ID that owns the workload.

Questions answered

The number of questions answered.

High risks

The number of high risk issues (HRIs) identified.

Medium risks

The number of medium risk issues (MRIs) identified.

Improvement status

The improvement status that you have set for the workload:

• None

• Not Started

• In Progress

• Complete

• Risk Acknowledged

Last updated

Date and time that the workload was last updated.

After you choose a workload from the list:

• To review the details of the workload, choose View details.

• To change the properties of the workload, choose Edit.

• To manage sharing of the workload with other AWS accounts and IAM users, choose View details and then Shares.

• To delete the workload and all of its milestones, choose Delete. Only the owner of the workload can delete it.

Warning

Deleting a workload cannot be undone. All data associated with the workload is deleted.

To define a new workload, choose Define workload. For details, see Defining a workload (p. 5).

High Risk Issues (HRIs) and Medium Risk Issues (MRIs)

High risk issues (HRIs) identified in the AWS Well-Architected Tool are architectural and operational choices that AWS has found might result in significant negative impact to a business. These HRIs might affect organizational operations, assets, and individuals. Medium risk issues (MRIs) also might negatively impact business, but to a lesser extent. These issues are based on your responses in the AWS Well-Architected Tool. The corresponding best practices are widely applied by AWS and AWS customers.

These best practices are the guidance defined by the AWS Well-Architected Framework and lenses.

Note: These are guidelines only and customers should evaluate and measure what impact not implementing the best practice would have on their business. If there are specific technical or business reasons that prevent applying a best practice to the workload, then the risk might be lower than indicated. AWS suggests that customers document these reasons, and how they affect the best practice, in the workload notes. For all identified HRIs and MRIs, AWS suggests customers implement the best practice as defined in the AWS Well-Architected Tool. If the best practice is implemented, indicate that the issue has been resolved by marking the best practice as met in the AWS Well-Architected Tool. If customers choose not to implement the best practice, AWS suggests that they document the applicable business level approval and reasons for not implementing it.

Viewing a workload

You can view the details of workloads that you own and workloads that have been shared with you.

To view a workload

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workloads.

3. Select the workload to view in one of the following ways:

• Choose the name of the workload.

• Select the workload and choose View details.

The workload details page is displayed.

Note: A required field, Review owner, was added to allow you to easily identify the primary person or group that is responsible for the review process.

The first time you view a workload that was defined before this field was added, you are notified of this change. Choose Edit to set the Review owner field and no further action is required.

Choose Acknowledge to defer setting the Review owner field. For the next 60 days, a banner is displayed to remind you that the field is blank. To remove the banner, edit your workload and specify a Review owner.

If you do not set the field by the specified date, your access to the workload is restricted. You can continue to view the workload and delete it, but you cannot edit it, except to set the Review owner field. Shared access to the workload is not affected while your access is limited.

Editing a workload

You can edit the details of a workload that you own.

To edit a workload

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workloads.

3. Select the workload that you want to edit and choose Edit.

4. Make your changes to the workload.

For a description of each of the fields, see Defining a workload (p. 5).

5. Choose Save to save your changes to the workload.

If a required field is blank or if a specified value is not valid, you must correct the issue before your updates to the workload are saved.

Sharing a workload

You can share a workload that you own with other AWS accounts and IAM users in the same AWS Region.

Note: You can only share workloads within the same AWS Region.

To share a workload

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workloads.

3. Select a workload that you own in one of the following ways:

• Choose the name of the workload.

• Select the workload and choose View details.

4. Choose Shares and choose Create to create a workload invitation.

5. Enter the 12-digit AWS account ID or the ARN of the IAM user that you want to share the workload with.

6. Choose the permission that you want to grant.

Read-Only

Provides read-only access to the workload.

Contributor

Provides update access to answers and their notes, and read-only access to the rest of the workload.

7. Choose Create to send a workload invitation to the specified AWS account or IAM user.

If the workload invitation is not accepted within seven days, the invitation is automatically expired.

If an IAM user and the user's AWS account both have workload invitations, the workload invitation for the IAM user determines the user's permission to the workload.

To see who has shared access to a workload, choose Shares from the Workload details (p. 19) page.

To prevent an entity from sharing workloads, attach a policy that denies wellarchitected:CreateWorkloadShare actions.

You can also share custom lenses that you own with other AWS accounts and IAM users in the same AWS Region. For details, refer to Sharing a custom lens (p. 26).

Sharing considerations

A workload can be shared with up to 20 different AWS accounts and IAM users. A workload can only be shared with accounts and users that are in the same AWS Region as the workload.

To share a workload in a Region introduced after March 20, 2019, both you and the shared AWS account must enable the Region in the AWS Management Console. For more information, refer to AWS Global Infrastructure.

You can share a workload with an AWS account, individual IAM users in an account, or both. When you share a workload with an AWS account, all IAM users in that account are given access to the workload. If only specific users in an account require access, follow the best practice of granting least privilege and share the workload individually with those IAM users.

If both an AWS account and an IAM user in the account have workload invitations, the workload invitation for the IAM user determines the user's permission to the workload. If you delete the workload invitation for the IAM user, the user's access is determined by the workload invitation for the AWS account. Delete both workload invitations to remove the user's access to the workload.
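The precedence rule above can be checked offline before changing shares. The following is an added example, not code from AWS or from this guide: the `Invitation` record, the function names, and the account ID and user ARNs are constructed for illustration, and the list is assumed to hold accepted invitations only.

```python
from dataclasses import dataclass

READ_ONLY, CONTRIBUTOR = "Read-Only", "Contributor"  # console labels on this page
MAX_SHARES = 20                                      # share limit stated on this page


@dataclass(frozen=True)
class Invitation:
    principal: str   # 12-digit AWS account ID or IAM user ARN
    permission: str  # READ_ONLY or CONTRIBUTOR


# Constructed sample: one account-wide share plus one share to a user in that account.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE = [Invitation("111122223333", CONTRIBUTOR), Invitation(ALICE, READ_ONLY)]


def is_user(principal):
    return principal.startswith("arn:")


def account_of(principal):
    """Return the account ID for either an account ID or an IAM user ARN."""
    return principal.split(":")[4] if is_user(principal) else principal


def effective_permission(user_arn, invitations):
    """The user's own invitation wins; otherwise the account's invitation applies."""
    by_principal = {i.principal: i.permission for i in invitations}
    if user_arn in by_principal:
        return by_principal[user_arn]
    return by_principal.get(account_of(user_arn))


def audit(invitations):
    """Return review findings for a workload's share list."""
    findings = []
    if len(invitations) > MAX_SHARES:
        findings.append(f"{len(invitations)} shares exceeds the limit of {MAX_SHARES}")
    accounts = sorted({i.principal for i in invitations if not is_user(i.principal)})
    for acct in accounts:
        findings.append(f"account-wide share to {acct}: all IAM users in it get access")
    for inv in invitations:
        if is_user(inv.principal) and account_of(inv.principal) in accounts:
            findings.append(
                f"{inv.principal}: deleting this invitation alone leaves "
                f"{effective_permission(inv.principal, accounts_only(invitations))} "
                "access through the account share")
    return findings


def accounts_only(invitations):
    """Share list as it would look with every per-user invitation deleted."""
    return [i for i in invitations if not is_user(i.principal)]


if __name__ == "__main__":
    print(effective_permission(ALICE, SAMPLE), effective_permission(BOB, SAMPLE))
    print(*audit(SAMPLE), sep="\n")
```

In the sample, deleting only the user's Read-Only invitation raises that user to Contributor through the account share, which is why both invitations must be deleted to remove access.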

Deleting shared access

You can delete a workload invitation. Deleting a workload invitation removes shared access to the workload.

To delete shared access to a workload

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workloads.

3. Select the workload in one of the following ways:

• Choose the name of the workload.

• Select the workload and choose View details.

4. Choose Shares.

5. Select the workload invitation to delete and choose Delete.

6. Choose Delete to confirm.

If an IAM user and the user's AWS account have workload invitations, you must delete both workload invitations to remove the user's permission to the workload.

Modifying shared access

You can modify a pending or accepted workload invitation.

To modify shared access to a workload

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workloads.

3. Select a workload that you own in one of the following ways:

• Choose the name of the workload.

• Select the workload and choose View details.

4. Choose Shares.

5. Select the workload invitation to modify and choose Edit.

6. Choose the new permission that you want to grant to the AWS account or IAM user.

Read-Only

Provides read-only access to the workload.

Contributor

Provides update access to answers and their notes, and read-only access to the rest of the workload.

7. Choose Save.

If the modified workload invitation is not accepted within seven days, it's automatically expired.

Accepting and rejecting workload invitations

A workload invitation is a request to share a workload that is owned by another AWS account. If you accept the workload invitation, the workload is added to your Workloads and Dashboard pages. If you reject the workload invitation, it's removed from the workload invitation list.

You have seven days to accept a workload invitation. If you do not accept the invitation within seven days, it's automatically expired.

Note: Workloads can only be shared within the same AWS Region.

To accept or reject a workload invitation

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workload invitations.

3. Select the workload invitation to accept or reject.

• To accept the workload invitation, choose Accept.

The workload is added to the Workloads and Dashboard pages.

• To reject the workload invitation, choose Reject.

The workload invitation is removed from the list.

To reject shared access after a workload invitation has been accepted, choose Reject share from the Workload details (p. 19) page for the workload.

Deleting a workload

You can delete a workload when it's no longer needed. Deleting a workload removes all data associated with the workload including any milestones and workload share invitations. Only the owner of a workload can delete it.

Warning

Deleting a workload cannot be undone. All data associated with the workload is permanently removed.

To delete a workload

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workloads.

3. Select the workload you want to delete and choose Delete.

4. In the Delete window, choose Delete to confirm the deletion of the workload and its milestones.

To prevent an entity from deleting workloads, attach a policy that denies wellarchitected:DeleteWorkload actions.
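The two deny guardrails this guide names (wellarchitected:CreateWorkloadShare under Sharing a workload and wellarchitected:DeleteWorkload here) can be verified against a policy document before it is attached. The following is an added example, not code from AWS or from this guide: both policies are constructed samples and `deny_coverage` is a hypothetical helper that inspects a single identity-based policy, not a full IAM evaluation.

```python
import fnmatch

GUARDED = ("wellarchitected:CreateWorkloadShare", "wellarchitected:DeleteWorkload")

# Constructed policy carrying the two explicit denies named in this guide.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyWorkloadSharing", "Effect": "Deny",
         "Action": "wellarchitected:CreateWorkloadShare", "Resource": "*"},
        {"Sid": "DenyWorkloadDeletion", "Effect": "Deny",
         "Action": ["wellarchitected:DeleteWorkload"], "Resource": "*"},
    ],
}

# Constructed weaker variant: deletion is denied only under a condition,
# and sharing is not denied at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "wellarchitected:Delete*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Effect": "Allow", "Action": "wellarchitected:*", "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def deny_coverage(policy, actions=GUARDED):
    """Map each action to 'denied', 'conditional' or 'not denied'.

    'denied' needs an explicit Deny with Resource "*" and no Condition.
    Statements using NotAction are skipped, so they report as 'not denied'.
    """
    result = {action: "not denied" for action in actions}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Action" not in stmt:
            continue
        unconditional = ("Condition" not in stmt
                         and "*" in _as_list(stmt.get("Resource", [])))
        for action in actions:
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                if unconditional:
                    result[action] = "denied"
                elif result[action] == "not denied":
                    result[action] = "conditional"
    return result


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("weak", WEAK_POLICY)):
        print(name, deny_coverage(policy))
```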

Generating a workload report

You can generate a workload report for a lens. The report contains your responses to the workload questions, your notes, and the current number of high and medium risks identified. If a question has one or more risks identified, the improvement plan for that question lists actions to take to mitigate those risks.

A report enables you to share details about your workload with others who do not have access to AWS Well-Architected Tool.

To generate a workload report

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at https://console.aws.amazon.com/wellarchitected/.

2. In the left navigation pane, choose Workloads.

3. Select the desired workload and choose View details.

4. Select the lens you want to generate a report for and choose Generate report.

The report is generated and you can download or view it.

Workload details

The workload details page provides information about your workload including its milestones, improvement plan, and any workload shares. Use the tabs at the top of the page to navigate to the different detail sections.

To delete the workload, choose Delete workload. Only the owner of a workload can delete it.
