This Terraform module deploys AWS Config Conformance Packs mapped to pillars in the Well-Architected Framework. A Lambda function can populate the Notes field in the Well-Architected Tool with AWS Config resource compliance check results. Another Lambda function can generate HTML reports of compliance data and store them in an S3 bucket.
Are you Well-Architected? How do you measure it, specifically?
The purpose of this Terraform module is to help you answer that question in the form of AWS Config Conformance Packs. For relevant pillars in the AWS Well-Architected Framework, each best practice that is specific enough to be detected will report as COMPLIANT or NON_COMPLIANT. Some best practices are harder to measure, or come down to a subjective judgement of whether a team is happy with how things are or sees room for improvement:
- How a team evaluates culture and priorities.
- How satisfied a team is with insight into their workload(s) or business continuity and disaster recovery planning.
- How to practice cloud financial management.
Best practices in Operational Excellence are not straightforward to detect, as the implementation of observability may be a matter of opinion on room for improvement, or may be done with 3rd party tools. The main outcome of this module is to accelerate the Well-Architected Framework Review conversation, not to replace it with automation. Our hope is to shift the focus from "how did we configure this?" to "this is where we are today, what could we do to improve?", thus freeing up valuable time for busy teams.
If you can relate to some of these situations, this tool may be useful for you:
- AWS Security Hub with AWS Foundational Security Best Practices and/or CIS AWS Foundations Benchmark are not available.
- AWS Trusted Advisor checks based on AWS Business or Enterprise Support are not available.
- 3rd party tools such as Prowler and Steampipe are not approved by your company's security team.
This Terraform module provisions AWS native services based on AWS Config, incl. a dedicated AWS Config Recorder, in addition to custom Lambda checks, in a standalone AWS Account. The full list of provisioned resources can be found further down in this README.
- Security Pillar: 128 checks
- Reliability Pillar: 69 checks
- Cost Optimization Pillar: 6 checks
- Operational Excellence Pillar
- Performance Efficiency Pillar
- Sustainability Pillar
Conformance pack Well-Architected-IAM is also available, as a subset of Security, for insight into that specific area. Do note that no automation is supported for the IAM pack, as it is covered in the Security pack.
This module provides two Lambda functions for integrating with the Well-Architected Tool:
This Lambda function updates your Well-Architected Tool workload with compliance data from the AWS Config Conformance Packs.
The Lambda function will:
- Process each conformance pack (Security, Reliability, Cost Optimization).
- Loop through all rules in sequence (SEC01, SEC02, REL01, REL02, COST01, etc.).
- For each rule, list the resource type, resource ID, and compliance status in the Notes field of the corresponding best practice question of your Well-Architected Tool workload.
- Overwrite old data if triggered more than once. The Notes field is limited to a maximum of 2084 characters.
- Erase all contents of all Notes fields if the clean_notes input parameter is set to 1.
The source code for the Lambda function is located in the src/wa_tool_updater directory.
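The following is an added illustration of the updater's described behaviour (grouping AWS Config evaluation results per best practice question and rendering them as Notes text capped at 2084 characters); it is not the module's own source code. The sample evaluations are constructed and shaped like the EvaluationResults returned by the AWS Config API, and the `SEC04-...` rule naming is an assumption.

```python
import re
from collections import defaultdict

# Limit of the Well-Architected Tool Notes field, as stated in the README.
NOTES_MAX_CHARS = 2084
TRUNCATION_MARKER = "\n[truncated]"

# Constructed sample shaped like AWS Config get_compliance_details_by_config_rule()
# EvaluationResults entries; not real account data, rule names are assumed.
SAMPLE_EVALUATIONS = [
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "SEC04-cloudtrail-enabled", "ResourceType": "AWS::::Account",
        "ResourceId": "123456789012"}}, "ComplianceType": "NON_COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "SEC04-guardduty-enabled", "ResourceType": "AWS::::Account",
        "ResourceId": "123456789012"}}, "ComplianceType": "COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "REL02-default-sg-closed", "ResourceType": "AWS::EC2::SecurityGroup",
        "ResourceId": "sg-0123456789abcdef0"}}, "ComplianceType": "NON_COMPLIANT"},
]

# Assumed naming: each rule starts with its question id, e.g. SEC04, REL02, COST01.
QUESTION_PREFIX = re.compile(r"^([A-Z]+\d{2})")


def question_key(rule_name):
    """Return the best practice question id a rule belongs to, or None."""
    m = QUESTION_PREFIX.match(rule_name)
    return m.group(1) if m else None


def group_by_question(evaluations):
    """Group (rule, resource type, resource id, status) rows per question id."""
    grouped = defaultdict(list)
    for ev in evaluations:
        q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        key = question_key(q["ConfigRuleName"])
        if key:
            grouped[key].append((q["ConfigRuleName"], q["ResourceType"],
                                 q["ResourceId"], ev["ComplianceType"]))
    return grouped


def render_notes(rows, limit=NOTES_MAX_CHARS):
    """Render one question's rows as Notes text; hard-truncate to the field limit."""
    text = "\n".join(f"{rule}: {rtype} {rid} {status}" for rule, rtype, rid, status in rows)
    if len(text) > limit:
        text = text[: limit - len(TRUNCATION_MARKER)] + TRUNCATION_MARKER
    return text
```

Because the field is overwritten on every run, truncation here means the last resources of a large question are dropped from the Notes, not from the underlying AWS Config data.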
This Lambda function generates HTML reports from AWS Config compliance data and stores them in a dedicated S3 bucket.
The Lambda function will:
- Process each conformance pack (Security, Reliability, Cost Optimization).
- Retrieve question titles from the Well-Architected Tool API for more descriptive reports.
- Collect compliance data for all rules (SEC01, SEC02, REL01, COST01, etc.).
- Generate an HTML report with compliance scores, resource details, and visual progress bars.
- Upload the report to a dedicated S3 bucket in the "Reports" folder.
The source code for the Lambda function is located in the src/wa_report_generator directory.
Check data is based on all resources in the current AWS account. Tag-based filtering is currently not supported, so be aware of this if you have multiple workloads in the same AWS account.
- At least two days before your planned review, deploy the module as suggested in examples/main.tf. Compliance checks update on a daily basis, to reduce unnecessary costs for AWS Config evaluations.
- Right before the review, trigger the Lambda functions manually through the AWS Console or CLI:
Extract the Well-Architected Tool Workload ID from Properties - ARN. This example, with dry_run set to 1, will find relevant compliance data and log it to CloudWatch Logs. No changes or updates will be performed.
```json
{
  "workload_id": "141970ea95fd5b4329cea05202659f39",
  "dry_run": 1,
  "clean_notes": 0
}
```
Flipping dry_run to 0 will perform updates of the Notes field. No checked/answered questions will be modified.
```json
{
  "workload_id": "141970ea95fd5b4329cea05202659f39",
  "dry_run": 0,
  "clean_notes": 0
}
```
To clean the Notes field for all questions, set clean_notes to 1:
```json
{
  "workload_id": "141970ea95fd5b4329cea05202659f39",
  "dry_run": 1,
  "clean_notes": 1
}
```
To generate an HTML report with compliance data, invoke the Lambda function with:
```json
{
  "workload_id": "141970ea95fd5b4329cea05202659f39",
  "dry_run": 0
}
```
The workload_id parameter is used to retrieve question titles from the Well-Architected Tool API, making the report more descriptive. Setting dry_run to 1 will simulate the report generation without uploading to S3.
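The invocation steps above, as an added Python helper that is not part of the module: it extracts the bare Workload ID from the workload ARN, builds the updater and report generator events with dry_run defaulting to 1, and only needs boto3 and AWS credentials when you actually call invoke(). The ARN and account number are constructed; the 32-hex-character id format is taken from the README example.

```python
import json
import re

# Function names as deployed by the module (from the README).
UPDATER_FUNCTION = "well_architected_tool_updater"
REPORT_FUNCTION = "well_architected_report_generator"

# Constructed sample ARN; the Lambdas want only the id after "workload/".
SAMPLE_WORKLOAD_ARN = ("arn:aws:wellarchitected:eu-west-1:123456789012:"
                       "workload/141970ea95fd5b4329cea05202659f39")

# Assumed id format: 32 lowercase hex characters, as in the README example.
WORKLOAD_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def workload_id_from_arn(arn_or_id):
    """Accept a full workload ARN or a bare id and return the bare id."""
    wid = arn_or_id.rsplit("/", 1)[-1]
    if not WORKLOAD_ID_RE.match(wid):
        raise ValueError(f"not a Well-Architected workload ARN or id: {arn_or_id}")
    return wid


def updater_event(workload, dry_run=True, clean_notes=False):
    """Event for well_architected_tool_updater; dry_run=1 only logs, never writes."""
    return {"workload_id": workload_id_from_arn(workload),
            "dry_run": int(dry_run), "clean_notes": int(clean_notes)}


def report_event(workload, dry_run=False):
    """Event for well_architected_report_generator; dry_run=1 skips the S3 upload."""
    return {"workload_id": workload_id_from_arn(workload), "dry_run": int(dry_run)}


def invoke(function_name, event, region=None):
    """Synchronously invoke the Lambda and return its decoded response payload."""
    import boto3  # imported here so the helpers above work without the SDK installed
    client = boto3.client("lambda", region_name=region)
    resp = client.invoke(FunctionName=function_name, InvocationType="RequestResponse",
                         Payload=json.dumps(event).encode())
    return json.loads(resp["Payload"].read() or b"null")


if __name__ == "__main__":
    # Safe first run: dry_run=1, so results only appear in CloudWatch Logs.
    print(invoke(UPDATER_FUNCTION, updater_event(SAMPLE_WORKLOAD_ARN, dry_run=True)))
```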
Navigating to AWS Config - Conformance packs will present a dashboard with packs for the Security, Reliability and Cost Optimization Pillars by default.
You can view the compliance score trend for each pillar/pack:
You can also view the compliance status for each check, prefixed with the related best practice question, mapped to the AWS Well-Architected Framework whitepaper.
To trigger the Well-Architected Tool updater, go to Well-Architected Tool and extract the Workload ID (not the full resource ARN).
Then go to AWS Lambda and find the function well_architected_tool_updater. Create test event JSON definition as follows (Console or CLI):
Expected output is as follows. Full log output is available in CloudWatch Logs.
Back in Well-Architected Tool, the notes field will be updated with detected compliance for SEC 4. How do you detect and investigate security events?
You can also invoke the AWS Lambda function well_architected_report_generator by supplying the same JSON payload with the workload id. An extensive report will then be generated and uploaded to Amazon S3. The log output of the invocation will tell you where to find the report, which you can open directly in your browser from the AWS Console.
According to the AWS Config pricing page: with AWS Config, you are charged based on the number of configuration items recorded, the number of active AWS Config rule evaluations, and the number of conformance pack evaluations in your account. A configuration item is a record of the configuration state of a resource in your AWS account. An AWS Config rule evaluation is a compliance state evaluation of a resource by an AWS Config rule in your AWS account. A conformance pack evaluation is the evaluation of a resource by an AWS Config rule within the conformance pack.
AWS Config supports Continuous recording and Daily recording. Continuous recording allows you to record configuration changes continuously whenever a change occurs.
You can choose between Daily or Continuous by setting the desired value for the variable recording_frequency, which defaults to DAILY.
Name | Version |
---|---|
terraform | ~> 1.9 |
aws | ~> 5 |
util | ~> 0.3.0 |
Name | Version |
---|---|
aws | ~> 5 |
http | n/a |
util | ~> 0.3.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_config_retention_period_in_days | Number of days AWS Config stores your historical information. | number | 180 | no |
cost_optimization_conformance_pack_name | Name of the Cost Optimization conformance pack | string | "Well-Architected-Cost-Optimization" | no |
deploy_aws_config_recorder | Set to true to deploy an AWS Config Recorder. If you already have a customer managed AWS Config recorder in the desired region, set to false. AWS supports only one customer managed configuration recorder for each account for each AWS Region. | bool | true | no |
deploy_cost_optimization_conformance_pack | Deploy AWS Config Conformance Pack for Cost Optimization. | bool | true | no |
deploy_iam_conformance_pack | Deploy AWS Config Conformance Pack for IAM. | bool | false | no |
deploy_reliability_conformance_pack | Deploy AWS Config Conformance Pack for Reliability. | bool | true | no |
deploy_security_conformance_pack | Deploy AWS Config Conformance Pack for Security. | bool | true | no |
lambda_cloudwatch_logs_retention_in_days | AWS Config Custom Lambda CloudWatch Logs retention in days. | number | 90 | no |
lambda_log_level | Lambda log level. Valid values [DEBUG,INFO,WARNING,ERROR]. | string | "INFO" | no |
lambda_python_runtime | Runtime for AWS Config Custom Lambda. | string | "python3.12" | no |
lambda_timeout | Timeout for AWS Config Custom Lambda in seconds. | number | 300 | no |
lambda_timezone | Timezone for Lambda functions. Uses pytz timezone names. Default is Europe/Paris (Central European Time). | string | "Europe/Paris" | no |
recording_frequency | AWS Config Recording Frequency. Valid options: DAILY or CONTINUOUS. | string | "DAILY" | no |
reliability_conformance_pack_name | Name of the Reliability conformance pack | string | "Well-Architected-Reliability" | no |
reports_bucket_name_prefix | Prefix for the S3 bucket name that stores Well-Architected compliance reports | string | "well-architected-compliance-reports" | no |
reports_retention_days | Number of days to retain non-current versions of reports in the S3 bucket | number | 90 | no |
scheduled_config_custom_lambda_periodic_trigger_interval | AWS Config Custom Lambda Periodic Trigger Interval. Default value of Twelve_Hours ensures updates within the DAILY window. Valid Values: One_Hour \| Three_Hours \| Six_Hours \| Twelve_Hours \| TwentyFour_Hours | string | "Twelve_Hours" | no |
security_conformance_pack_name | Name of the Security conformance pack | string | "Well-Architected-Security" | no |
Name | Description |
---|---|
well_architected_conformance_pack_cost_optimization_arn | n/a |
well_architected_conformance_pack_iam_arn | n/a |
well_architected_conformance_pack_reliability_arn | n/a |
well_architected_conformance_pack_security_arn | n/a |
well_architected_report_generator_lambda_function_arn | ARN of the Well-Architected Report Generator Lambda function |
well_architected_report_generator_lambda_function_name | Name of the Well-Architected Report Generator Lambda function |
well_architected_reports_s3_bucket_arn | ARN of the S3 bucket for Well-Architected compliance reports |
well_architected_reports_s3_bucket_name | Name of the S3 bucket for Well-Architected compliance reports |
Note: The inputs and outputs sections are automatically generated by terraform-docs in a git pre-commit hook. This requires setup of pre-commit-terraform. Follow the install instructions to use it, including the dependencies setup. pre-commit ensures correct formatting, linting and generation of documentation. It also checks for trailing whitespace, merge conflicts and mixed line endings. See .pre-commit-config.yaml for more information. A full guide to the pre-commit framework can be found here.
Developed and maintained by Well-Architected enthusiasts in Sopra Steria, without official company support nor liabilities. See contributors. Accelerated by Amazon Q Developer.
MIT licensed. For licensing information and disclaimer see LICENSE.md.