The AWS WAF (well-architected framework), is a framework designed by AWS but can also be applied to other cloud providers, the purpose of this framework is to :
- Build and deploy faster: by implementing automation, capacity planning, and reducing firefighting.
- Make justified architectural decisions: by highlighting the purpose of a change and how does it impact the current architecture
- Lower the risks: understand where your architecture is weak and address them before it impacts your business.
This is more of a theoretical concept that is often advised to be followed while thinking of the architecture of any system. The Well-Architected framework has been developed to help cloud architects build the most secure, high-performing, resilient, and efficient infrastructure possible for their applications. This framework provides a consistent approach for customers and partners to evaluate architectures, and provides guidance to help implement designs that will scale with your application needs over time. There are five pillars of the AWS Well-Architected Framework that enables customers to evaluate their existing architectures and implement scalable solutions.
Five pillars of the AWS Well-Architected Framework
- Operational Excellence
- Performance Efficiency
- Cost Optimization
One of the important pillars of the AWS Well-Architected Framework is Operational Excellence. This is about running workloads, monitoring these workloads and responding to various events efficiently generated by the workloads.
- Operations as Code – Automate the creation of different infrastructure using tools like CloudFormation.
- Automated Documentation from Annotations – We should document how different components of the system interact with each other. Whenever there are some changes in the systems, the documentation should also update automatically. This will prevent integrations from breaking apart upon some changes.
- Make frequent and reversible changes – It is a good idea to make small and reversible changes to the production environment, rather than big time changes. This helps to quickly restore to a version in case there are some issues with the changes.
- Anticipate Failure – Always design your system to anticipate and accept failures, test them to make your system more robust.
- Learn from Operational Failures – Whenever there is a failure, make a note of the root cause and take lessons.
In order to implement Operational Excellence, use services like CloudWatch, CloudTrail, X-Ray and VPC Flow Logs. Understand the health of your workload and operations, and how to manage workload and operational events.
The Security pillar throws light on the concepts of protecting your data and system from unauthorized access and threats by conducting continuous risk assessments and figuring out strategies to mitigate the risks.
- Strong Identity Foundation – Follow key principles like granting least privilege, separation of duties, appropriate authorization level, etc.
- Enable Traceability – Audit any change or action to any environment and by whom. This enables us to maintain transparency within the organization. Monitor logs and takes action when an anomaly is detected
- Security at all Layers – Apply security at multiple layers, like VPC, Load Balancers, Security Groups, EC2 instances, etc.
- Automate Security Best Practices – Implement security as code and version control all security measures for future use
- Protect Data in Transit and at Rest – Data should be protected using encryption, authorization tokens and Access Control Mechanisms
- Keep people away from data – As far as possible, data should be kept away from handling by many people by implementing proper policies and access control
Leverage the services like Identity and Access Management (IAM), Multi-Factor Authentication (MFA) and Organizations to secure your account. Enable GuardDuty and CloudTrail to monitor any unwanted access and take appropriate actions. Use VPC, Shield and WAF to define rules on who is authorized to access the applications and how. Use Data Encryption to secure data and Macie to identify unsecured data stored on S3 buckets.