How I Cut the Time to Complete a Well-Architected Review from Hours to Minutes


Using AWS Bedrock

Ebrahim (EB) Khiyami
Amazon Employee
Published Sep 19, 2024
Last Modified Sep 20, 2024
In this blog post, I will show you how I used Amazon Bedrock to complete the first round (aka milestone) of an AWS Well-Architected Review in seconds for a workload written in AWS CloudFormation. Bedrock created a starting point for me by detecting the best practices in my workload and answering the related questions in the review (34 out of 57 questions in my example below), updating the AWS Well-Architected Tool, and identifying risks. This gives me a head start with about 50% of the best practices identified and updated in the AWS Well-Architected Tool.
Here is how you can try it yourself
  • Alternatively, you can clone the app, and run it locally in your environment
Introduction
The AWS Well-Architected Framework (WAF) is a collection of 308 best practices designed to help customers measure their architecture for operational excellence, reliability, performance, cost-effectiveness, and sustainability in the cloud. To do this, I typically guide my customers to run a workshop-format session called a Well-Architected Review, where we use the AWS Well-Architected Tool to answer 57 questions across the six pillars. Based on their answers, the AWS Well-Architected Tool identifies risks (low, medium, high) and recommends actions to remediate them. The time needed to complete such an exercise varies based on different factors, but it usually takes between 4-6 hours to cover the six pillars.
 
Who Can Benefit from This Solution?
During my tenure at AWS, I worked with hundreds of customers, and I don't recall one who didn't employ some sort of Infrastructure as Code (IaC) template that they use to create cloud resources. This could be AWS CloudFormation, Terraform, or any other IaC tool. If you are one of them, then you are my primary audience for this fast-track Well-Architected Review.
Solution Overview
The solution is built using a frontend deployed with Streamlit, and the logic is handled by Amazon Bedrock and Python (assisted by Amazon Q for a lazy coding experience). It analyzes the IaC-based workload as follows:
[Figure: WA-GENAI Architecture]
  1. An Amazon S3 bucket has a file with Well-Architected Framework content, including best practices, pillars, etc. You can get it here.
  2. Users upload their application (workload) written as an IaC template to Amazon S3.
  3. Amazon Bedrock performs a detailed analysis of the template, detecting the best practices from [2] that are used in your workload. It also provides reasoning for why it thinks a particular best practice is in place.
  4. Python logic takes the list of best practices identified from [3] and iterates through the 57 questions of the Well-Architected Framework, answering them accordingly using the AWS Well-Architected Tool APIs. It then identifies the risks and completes the first iteration of the review by creating a milestone.
  5. This milestone will have all best practices as long as they appear in the template.
  6. The user now has a milestone of the review completed in seconds (vs. hours). They need to review it, validate it, and complete the questions that are not answered by Amazon Bedrock. Usually, these questions are related to non-technical best practices, more on the process and people side.
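The Python logic of step 4 could look like the sketch below. This is an added example, not the app's own code. It assumes the model's reply has already been parsed into a list of {"id", "reason"} items, and the function names and sample IDs are hypothetical; list_answers, update_answer and create_milestone are the AWS Well-Architected Tool API operations as exposed by boto3. Because the model's output is untrusted input, any ID that is not a choice in the lens is rejected before anything is written to the tool, and the model's reasoning is stored in the answer notes so a reviewer can validate it.

```python
from collections import defaultdict

LENS = "wellarchitected"  # alias of the AWS Well-Architected Framework lens

def fetch_questions(client, workload_id):
    """Page through list_answers; each summary carries QuestionId and Choices."""
    summaries, token = [], None
    while True:
        kwargs = {"WorkloadId": workload_id, "LensAlias": LENS, "MaxResults": 50}
        if token:
            kwargs["NextToken"] = token
        page = client.list_answers(**kwargs)
        summaries.extend(page["AnswerSummaries"])
        token = page.get("NextToken")
        if not token:
            return summaries

def plan_answers(questions, detected):
    """Group detected choice IDs by question; reject IDs the lens does not have."""
    owner = {c["ChoiceId"]: q["QuestionId"] for q in questions for c in q["Choices"]}
    plan, rejected = defaultdict(lambda: {"choices": [], "notes": []}), []
    for item in detected:  # assumed shape: {"id": ..., "reason": ...}
        cid, qid = item.get("id"), owner.get(item.get("id"))
        if qid is None:
            rejected.append(cid)  # hallucinated or mistyped ID: never sent to the tool
        elif cid not in plan[qid]["choices"]:
            plan[qid]["choices"].append(cid)
            plan[qid]["notes"].append(f"{cid}: {item.get('reason', '')}")
    return dict(plan), rejected

def apply_plan(client, workload_id, plan, milestone_name):
    """Write each answer with the model's reasoning as notes, then save a milestone."""
    for qid, entry in plan.items():
        notes = "Auto-detected from IaC; validate before relying on it.\n" + "\n".join(entry["notes"])
        client.update_answer(WorkloadId=workload_id, LensAlias=LENS, QuestionId=qid,
                             SelectedChoices=entry["choices"], Notes=notes[:2000])
    return client.create_milestone(WorkloadId=workload_id, MilestoneName=milestone_name)

# Constructed sample data (IDs are illustrative, not real lens IDs).
SAMPLE_QUESTIONS = [
    {"QuestionId": "q-protect-data-at-rest",
     "Choices": [{"ChoiceId": "bp_encrypt_at_rest"}, {"ChoiceId": "bp_key_mgmt"}]},
    {"QuestionId": "q-back-up-data", "Choices": [{"ChoiceId": "bp_automated_backup"}]},
]
SAMPLE_DETECTED = [
    {"id": "bp_encrypt_at_rest", "reason": "RDS instance sets StorageEncrypted: true"},
    {"id": "bp_automated_backup", "reason": "BackupRetentionPeriod is 7"},
    {"id": "bp_made_up_by_model", "reason": "not in the lens"},
]
```

Against a real account, pass boto3.client("wellarchitected") as client; log the rejected list rather than discarding it, since a high rejection rate signals a prompt or lens-version mismatch.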
     
Walk-through
1. I have a classic three-tier application written in a CloudFormation template. I intentionally added some best practices and left some missing for testing purposes.
2. I launch the web app and upload my template, then click "AWS best practices I'm using."
3. The app sends a specific prompt to Amazon Bedrock and asks it to check the workload against a list of AWS best practices that I have already stored in JSON format in an S3 bucket.
4. After reviewing the best practices that Bedrock identified I'm using in my workload, I can ask the app to create and complete a Well-Architected Review for me using the identified best practices. This action will trigger code to iterate through all the best practices and compare them with the best practices identified in [3]. It then identifies the associated questions and marks the best practices as compliant.
[Optional] If you're testing this app from the link I provided above and you'd like to get a detailed report of the risks identified and action plans to remediate them, you can click "Show me details report". Otherwise, if you're testing the app in your own AWS account, you can skip this step and generate the same report from inside the AWS WA Tool.
It finally creates and saves a milestone and gives me a summary of the identified risks (all programmatically by calling the AWS Well-Architected Tool API).
How Is This Helpful?
This solution helps detect and answer the technical aspects of the review.
Do you use encryption? Do you use layered security? Do you have backups? Do you use auto-scaling?
These questions usually require technical individuals from the customer's team to answer because they are likely handled by different teams, so this solution saves time and human engagement. It also likely leaves people- and process-related questions unanswered, so you need to validate the pre-populated answers and complete the unanswered questions yourself.
People and process questions can usually be answered by one or just a few senior leaders in the organization and don't necessarily require technical individuals, which is another reason why this streamlines the process.
Conclusion
In conclusion, this solution streamlines the Well-Architected Review process by leveraging generative AI through AWS Bedrock. It automatically analyzes customers' Infrastructure as Code (IaC) templates, identifies the implementation of AWS Well-Architected best practices, and pre-populates answers to technical and infrastructure-related questions in the AWS Well-Architected Tool. This automation saves time, minimizes human error, ensures consistency and accuracy, and allows customers to focus on organizational and cultural aspects that cannot be directly reflected in code, thereby optimizing the overall review process.
 

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
