
AWS Well-Architected Framework: Hands-On Lab


Welcome to this guided lab on the AWS Well-Architected Framework. While the framework provides a set of theoretical best practices spanning six core pillars, AWS also provides the AWS Well-Architected Tool—a practical service to help you measure your workloads against these principles.

In this 30-minute lab, you will define a workload, apply the Well-Architected lens, and conduct a baseline architectural review.


Prerequisites

Before beginning this lab, ensure you have the following:

  • An active AWS Account with Administrator or WellArchitectedConsoleFullAccess IAM permissions.
  • AWS CLI installed and configured locally (e.g., via aws configure).
  • Familiarity with the six pillars of the framework: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability.

[!NOTE] The AWS Well-Architected Tool is available at no additional charge. You only pay for any underlying AWS resources you choose to provision based on the tool's recommendations. In this lab, we will not provision any paid infrastructure.


Learning Objectives

By completing this lab, you will be able to:

  1. Define an AWS workload programmatically and via the console.
  2. Navigate the six pillars of the AWS Well-Architected Framework.
  3. Conduct an architectural review using the AWS Well-Architected Tool.
  4. Save a workload milestone to track architectural improvements over time.

Architecture Overview

The following diagrams illustrate the conceptual structure of the framework and the workflow we will perform in the AWS Well-Architected Tool.

The 6 Pillars of the Framework

[Diagram: the six pillars of the framework]

Lab Workflow

[Diagram: lab workflow]

Step-by-Step Instructions

Step 1: Create a New Workload

First, we need to create a workload profile in the AWS Well-Architected Tool. This profile represents the application or infrastructure you are assessing.

```bash
aws wellarchitected create-workload \
  --workload-name "brainybee-lab-workload" \
  --description "Lab workload to explore the 6 pillars" \
  --review-owner "LabUser" \
  --environment "PRODUCTION" \
  --lenses "wellarchitected"
```

[!TIP] Notice the --lenses parameter. You can apply multiple lenses (like Serverless, SaaS, or FTR) to a single workload. Here, we are using the default foundational framework.

Console alternative
  1. Log in to the AWS Management Console.
  2. Navigate to AWS Well-Architected Tool.
  3. Click Define workload.
  4. Enter the Name, Description, and Review owner.
  5. Select Production for the Environment.
  6. Click Next, select the AWS Well-Architected Framework lens, and click Define workload.

📸 Screenshot: The "Define workload" form filled out with lab details.

Step 2: Retrieve Your Workload ID

To interact with your newly created workload via the CLI, you need its unique WorkloadId.

```bash
aws wellarchitected list-workloads
```

Look through the JSON output and copy the WorkloadId for brainybee-lab-workload. Keep this handy for the next steps, replacing <YOUR_WORKLOAD_ID> where necessary.

Console alternative
  1. In the Well-Architected Tool dashboard, click on Workloads in the left navigation pane.
  2. Click on brainybee-lab-workload.
  3. The Workload ID is displayed at the top of the Properties tab.

Step 3: Answer a Pillar Question (Security)

Now, let's simulate updating an answer during our architectural review. We will address the first Security pillar question regarding secure account access.

```bash
aws wellarchitected update-answer \
  --workload-id <YOUR_WORKLOAD_ID> \
  --lens-alias wellarchitected \
  --question-id sec1 \
  --selected-choices "NONE_OF_THESE" \
  --notes "Currently relying on default IAM settings. Need to implement MFA."
```

Console alternative
  1. Open your workload in the console and click Continue reviewing.
  2. Expand the Security pillar and select the first question: How do you securely operate your workload?
  3. Check the box for None of these.
  4. In the Notes box, type: "Currently relying on default IAM settings. Need to implement MFA."
  5. Click Save and exit.

Step 4: Create a Baseline Milestone

A milestone is a snapshot of your workload's current state. It is crucial for tracking how your architecture evolves and improves over time.

```bash
aws wellarchitected create-milestone \
  --workload-id <YOUR_WORKLOAD_ID> \
  --milestone-name "BaselineReview"
```

Console alternative
  1. Navigate to the detail page of brainybee-lab-workload.
  2. Click the Save milestone button in the upper right corner.
  3. Enter BaselineReview as the milestone name.
  4. Click Save.

Checkpoints

To verify that you have successfully completed the steps above, run the following verification command:

Verify Milestone Creation

```bash
aws wellarchitected list-milestones --workload-id <YOUR_WORKLOAD_ID>
```

Expected Result: You should see a JSON object whose MilestoneSummaries array contains your newly created milestone:

```json
{
  "MilestoneSummaries": [
    {
      "MilestoneNumber": 1,
      "MilestoneName": "BaselineReview",
      "RecordedAt": 1690000000.0,
      "WorkloadSummary": { ... }
    }
  ]
}
```
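
The script below is an added example, not part of the original lab: it chains Steps 1 to 4 and the checkpoint, capturing the WorkloadId with --query instead of copying it by hand. Question and choice IDs are defined by the lens, so it reads them from list-answers and get-answer; matching the choice by the title "None of these" and relying on list-answers returning questions in lens order are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab. Assumes a configured AWS CLI.
LENS="wellarchitected"

# Steps 1-2: create the workload and print its WorkloadId.
create_lab_workload() {
  aws wellarchitected create-workload \
    --workload-name "$1" \
    --description "Lab workload to explore the 6 pillars" \
    --review-owner "LabUser" --environment "PRODUCTION" --lenses "$LENS" \
    --query 'WorkloadId' --output text
}

# Step 3a: print the first Security pillar QuestionId (lens order assumed).
first_security_question() {
  aws wellarchitected list-answers \
    --workload-id "$1" --lens-alias "$LENS" --pillar-id security \
    --query 'AnswerSummaries[0].QuestionId' --output text
}

# Step 3b: print the ChoiceId titled "None of these" (title assumed from the console step).
none_choice_id() {
  aws wellarchitected get-answer \
    --workload-id "$1" --lens-alias "$LENS" --question-id "$2" \
    --query "Answer.Choices[?Title=='None of these'].ChoiceId | [0]" --output text
}

# Steps 3-4 plus the checkpoint; prints the WorkloadId on success.
run_lab() {
  local wid qid cid found
  wid=$(create_lab_workload "$1") || return 1
  qid=$(first_security_question "$wid") || return 1
  cid=$(none_choice_id "$wid" "$qid") || return 1
  # Stop on an empty lookup (the CLI prints "None") instead of sending a bad ID.
  case "$cid" in ""|None) echo "no matching choice for $qid" >&2; return 1 ;; esac
  aws wellarchitected update-answer --workload-id "$wid" --lens-alias "$LENS" \
    --question-id "$qid" --selected-choices "$cid" \
    --notes "Currently relying on default IAM settings. Need to implement MFA." \
    >/dev/null || return 1
  aws wellarchitected create-milestone --workload-id "$wid" \
    --milestone-name "BaselineReview" >/dev/null || return 1
  found=$(aws wellarchitected list-milestones --workload-id "$wid" \
    --query "length(MilestoneSummaries[?MilestoneName=='BaselineReview'])" --output text) || return 1
  [ "$found" = "1" ] || { echo "milestone not found" >&2; return 1; }
  echo "$wid"
}

if [ "$#" -gt 0 ]; then run_lab "$1"; fi
```

Pass the workload name as the first argument to run the whole sequence; the WorkloadId it prints is the value the teardown command needs.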

Teardown

[!WARNING] Remember to run the teardown commands to maintain a clean environment, even though the Well-Architected Tool does not incur hourly charges.

To delete the workload and all associated reviews and milestones, execute the following command:

```bash
aws wellarchitected delete-workload \
  --workload-id <YOUR_WORKLOAD_ID>
```

Console alternative
  1. Navigate to Workloads in the Well-Architected Tool.
  2. Select the radio button next to brainybee-lab-workload.
  3. Click the Delete button at the top.
  4. Confirm the deletion by typing the workload name in the prompt.

Troubleshooting

Encountering issues? Review this table of common errors and their solutions:

| Error Message | Potential Cause | How to Fix |
| --- | --- | --- |
| ValidationException on workload creation | The workload name contains invalid characters. | Ensure the name only contains alphanumeric characters and hyphens. |
| ResourceNotFoundException | Incorrect WorkloadId provided in the CLI command. | Run list-workloads again to verify you copied the exact alphanumeric ID string. |
| AccessDeniedException | Your IAM user lacks permissions for the WA Tool. | Attach the WellArchitectedConsoleFullAccess managed policy to your IAM identity. |
| Cannot find workload in console | You are in the wrong AWS Region. | Verify your CLI default region (aws configure get region) matches the console region in the top right corner. |
