7.3.3. Architecture Compliance with Best Practices
First Principle: Security doesn't end at individual resource configuration — the overall architecture must follow security best practices. The AWS Well-Architected Framework's Security Pillar provides the assessment methodology for validating architectural security.
AWS Well-Architected Tool:
- Guided assessment of your architecture against the 6 pillars (Security, Reliability, Performance, Cost, Operations, Sustainability)
- Security Pillar evaluates:
  - Identity and access management
  - Detection
  - Infrastructure protection
  - Data protection
  - Incident response
- Generates improvement plan with prioritized recommendations
- Track progress over time with milestone snapshots
Architecture Review Cadence:
| Trigger | Action |
|---|---|
| New workload launch | Well-Architected Review before go-live |
| Major architecture change | Focused review on affected pillars |
| Quarterly | Full review of critical workloads |
| Post-incident | Targeted review of security pillar |
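The Well-Architected Tool exposes the same review data through an API, so the improvement plan and the "review before go-live" gate from the table above can be scripted. The following is an added example, not code from the original guide or from AWS: it assumes the response shape of the `wellarchitected` ListAnswers call (AnswerSummaries carrying PillarId, QuestionId, QuestionTitle and a Risk of HIGH, MEDIUM, NONE, NOT_APPLICABLE or UNANSWERED), works on a constructed sample so it runs offline, and keeps the live boto3 calls in two helpers that are only exercised when boto3 and credentials are available. The go-live policy (block on any HIGH or unanswered Security question) is an assumption of this example, not an AWS rule.

```python
"""Added example: turn Well-Architected Tool answers into a prioritized
Security pillar improvement plan and a pre-launch gate (not AWS code)."""
from collections import Counter

# Order used to rank open items; unanswered questions hide risk, so they
# are ranked above NONE rather than treated as done.
RISK_ORDER = {"HIGH": 0, "MEDIUM": 1, "UNANSWERED": 2, "NONE": 3, "NOT_APPLICABLE": 4}

# Constructed sample shaped like ListAnswers -> AnswerSummaries for the
# Security pillar. Question IDs and titles are illustrative only.
SAMPLE_ANSWERS = [
    {"PillarId": "security", "QuestionId": "identities",
     "QuestionTitle": "How do you manage identities for people and machines?", "Risk": "MEDIUM"},
    {"PillarId": "security", "QuestionId": "detect-investigate-events",
     "QuestionTitle": "How do you detect and investigate security events?", "Risk": "HIGH"},
    {"PillarId": "security", "QuestionId": "incident-response",
     "QuestionTitle": "How do you anticipate, respond to, and recover from incidents?", "Risk": "HIGH"},
    {"PillarId": "security", "QuestionId": "protect-data-rest",
     "QuestionTitle": "How do you protect your data at rest?", "Risk": "NONE"},
    {"PillarId": "security", "QuestionId": "application-security",
     "QuestionTitle": "How do you incorporate security into your development lifecycle?", "Risk": "UNANSWERED"},
    {"PillarId": "security", "QuestionId": "protect-compute",
     "QuestionTitle": "How do you protect your compute resources?", "Risk": "NOT_APPLICABLE"},
]


def risk_counts(answers):
    """Per-risk tallies, the same summary the console shows for a pillar."""
    return dict(Counter(a["Risk"] for a in answers))


def improvement_plan(answers, pillar_id="security"):
    """Open questions for one pillar, HIGH first, then MEDIUM, then UNANSWERED."""
    open_items = [a for a in answers
                  if a["PillarId"] == pillar_id and a["Risk"] in ("HIGH", "MEDIUM", "UNANSWERED")]
    return sorted(open_items, key=lambda a: (RISK_ORDER[a["Risk"]], a["QuestionId"]))


def launch_gate(answers):
    """Assumed policy: block go-live while any Security question is HIGH or unanswered.
    Returns (approved, list of blocking question IDs)."""
    blockers = [a["QuestionId"] for a in answers
                if a["PillarId"] == "security" and a["Risk"] in ("HIGH", "UNANSWERED")]
    return (len(blockers) == 0, blockers)


def fetch_security_answers(workload_id, client=None):
    """Live equivalent (requires boto3 and credentials): paginate ListAnswers
    for the Security pillar of the AWS Well-Architected Framework lens."""
    import boto3
    wa = client or boto3.client("wellarchitected")
    answers, token = [], None
    while True:
        kwargs = {"WorkloadId": workload_id, "LensAlias": "wellarchitected", "PillarId": "security"}
        if token:
            kwargs["NextToken"] = token
        resp = wa.list_answers(**kwargs)
        answers.extend(resp["AnswerSummaries"])
        token = resp.get("NextToken")
        if not token:
            return answers


def snapshot_milestone(workload_id, name, client=None):
    """Record a milestone so later reviews can be compared against this point
    (requires boto3 and credentials; ClientRequestToken makes the call idempotent)."""
    import uuid
    import boto3
    wa = client or boto3.client("wellarchitected")
    resp = wa.create_milestone(WorkloadId=workload_id, MilestoneName=name,
                               ClientRequestToken=str(uuid.uuid4()))
    return resp["MilestoneNumber"]


if __name__ == "__main__":
    print("risk counts:", risk_counts(SAMPLE_ANSWERS))
    for item in improvement_plan(SAMPLE_ANSWERS):
        print(f"[{item['Risk']}] {item['QuestionId']}: {item['QuestionTitle']}")
    approved, blockers = launch_gate(SAMPLE_ANSWERS)
    print("go-live:", "approved" if approved else f"blocked by {blockers}")
```

Run against a real workload, `fetch_security_answers(workload_id)` replaces `SAMPLE_ANSWERS`, and `snapshot_milestone(workload_id, "pre-launch review")` records the state that a later quarterly or post-incident review is measured against.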
⚠️ Exam Trap: Well-Architected Tool is for architecture-level assessment. Config is for resource-level compliance. If a question asks "how to evaluate whether your overall architecture follows AWS security best practices," Well-Architected Tool is the answer.
Scenario: A security team conducts a Well-Architected Review before launching a new customer-facing application. The Security Pillar review identifies that the architecture lacks centralized logging and multi-AZ deployment. These are addressed before launch.
Reflection Question: Why does an architecture-level review (Well-Architected) provide different value than resource-level compliance (Config), and when do you need both?