This Terraform module deploys AWS Config Conformance Packs mapped to pillars in the Well-Architected Framework. A Lambda function can populate the Notes field in the Well-Architected Tool with AWS Config resource compliance check results.
Are you Well-Architected? How do you measure it, specifically?
The purpose of this Terraform module is to help you answer that question with AWS Config Conformance Packs. For the relevant pillars of the AWS Well-Architected Framework, each best practice that is specific enough to be detected is reported as COMPLIANT or NON_COMPLIANT. Some best practices are harder to measure, or come down to a subjective judgement of whether a team is happy with how things are or sees room for improvement:
- How a team evaluates culture and priorities.
- How satisfied a team is with insight into their workload(s) or business continuity and disaster recovery planning.
- How to practice cloud financial management.
Best practices in Operational Excellence are not straightforward to detect: whether an observability implementation leaves room for improvement is a matter of opinion, and it may be implemented with 3rd party tools. The main outcome of this module is to accelerate the Well-Architected Framework Review conversation, not to replace it with automation. Our hope is to shift the focus from "how did we configure this?" to "this is where we are today, what could we do to improve?", freeing up valuable time for busy teams.
If you can relate to some of these situations, this tool may be useful for you:
- AWS Security Hub with AWS Foundational Security Best Practices and/or CIS AWS Foundations Benchmark are not available.
- AWS Trusted Advisor checks based on AWS Business or Enterprise Support are not available.
- 3rd party tools such as Prowler and Steampipe are not approved by your company's security team.
This Terraform module provisions AWS native services based on AWS Config, including a dedicated AWS Config Recorder, plus custom Lambda checks, in a standalone AWS account. The full list of provisioned resources can be found further down in this README.
- Security Pillar: 128 checks
- Reliability Pillar: 69 checks
- Cost Optimization Pillar: 6 checks
- Operational Excellence Pillar
- Performance Efficiency Pillar
- Sustainability Pillar
The conformance pack Well-Architected-IAM is also available, as a subset of Security, for insight into that specific area. Note that the Well-Architected Tool updater does not process the IAM pack, as its checks are already covered by the Security pack.
This module can also automatically update your Well-Architected Tool workload with compliance data from the AWS Config Conformance Packs.
The Lambda function will:
- Process each conformance pack (Security, Reliability, Cost Optimization).
- Loop through all rules in sequence (SEC01, SEC02, REL01, REL02, COST01, etc.).
- For each rule, list the resource type, resource ID, and compliance status in the Notes field of the corresponding best practice question of your Well-Architected Tool workload.
- Overwrite old data if triggered more than once. The Notes field is limited to a maximum of 2084 characters.
- If you would like to erase the contents of all Notes fields, set the clean_notes input parameter to 1.
The source code for the Lambda function is located in the src/wa_tool_updater directory.
Check data is based on all resources in the current AWS account. Tag-based filtering is currently not supported. Be aware of this if you have multiple workloads in the same AWS account.
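As an added worked example of the updater flow described above (this is illustration code written for this README, not the module's own src/wa_tool_updater source), the following Python collects AWS Config rule compliance, groups it per Well-Architected question, renders it into the 2084-character Notes field and honours dry_run and clean_notes. The boto3 API names used (get_compliance_details_by_config_rule, list_answers, update_answer, the wellarchitected lens alias and the pillar IDs security, reliability, costOptimization) are the real ones; everything else is an assumption labelled in the code: that rule names start with SECnn/RELnn/COSTnn, that the n-th answer ListAnswers returns for a pillar is that pillar's question n, and that clean_notes=1 writes even when dry_run=1 (as the README's cleaning event implies). The clients are injected, so the constructed FakeConfig and FakeWaTool at the bottom let the whole flow run offline.

```python
"""Added illustration of the updater flow; not the module's src/wa_tool_updater code.
Assumed, not from the project: rule names start with SECnn/RELnn/COSTnn; the n-th answer
ListAnswers returns for a pillar is that pillar's question n; clean_notes=1 writes even
when dry_run=1 (as the README's cleaning event implies). Clients are injected (fakes below)."""
import re
from collections import defaultdict

NOTES_MAX = 2084          # Notes length limit stated in the README
LENS = "wellarchitected"  # WA Tool lens alias of the framework itself
PILLAR_IDS = {"SEC": "security", "REL": "reliability", "COST": "costOptimization"}
RULE_PREFIX = re.compile(r"^(SEC|REL|COST)(\d{2})")

def question_for_rule(rule_name):
    """(pillar prefix, question number) for a name like 'SEC04-...'; None if unprefixed."""
    m = RULE_PREFIX.match(rule_name)
    return (m.group(1), int(m.group(2))) if m else None

def paginate(call, **kwargs):
    """Follow NextToken for any boto3-style list/get call; yields each page."""
    while True:
        page = call(**kwargs)
        yield page
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def collect_compliance(config_client, rule_names):
    """Group (rule, resource type, resource id, status) rows per question key."""
    rows = defaultdict(list)
    for rule in rule_names:
        key = question_for_rule(rule)
        if key is None:
            continue  # not mapped to a question (e.g. a rule from another pack)
        for page in paginate(config_client.get_compliance_details_by_config_rule, ConfigRuleName=rule):
            for ev in page.get("EvaluationResults", []):
                q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
                rows[key].append((rule, q["ResourceType"], q["ResourceId"], ev["ComplianceType"]))
    return rows

def format_notes(rows):
    """One line per resource, hard-truncated so UpdateAnswer never rejects the text."""
    text = "\n".join(f"{r} | {t} | {i} | {s}" for r, t, i, s in rows)
    if len(text) > NOTES_MAX:
        marker = "\n... truncated"
        text = text[:NOTES_MAX - len(marker)] + marker
    return text

def question_ids(wa_client, workload_id, prefix):
    """Question ids of one pillar, in the order ListAnswers returns them."""
    pages = paginate(wa_client.list_answers, WorkloadId=workload_id, LensAlias=LENS,
                     PillarId=PILLAR_IDS[prefix])
    return [a["QuestionId"] for page in pages for a in page["AnswerSummaries"]]

def update_workload(event, config_client, wa_client, rule_names):
    """Plan notes per question and write them unless dry_run=1; returns the plan."""
    workload_id = event["workload_id"]
    dry_run = int(event.get("dry_run", 1)) == 1
    clean = int(event.get("clean_notes", 0)) == 1
    qids = {p: question_ids(wa_client, workload_id, p) for p in PILLAR_IDS}
    if clean:
        planned = {qid: "" for ids in qids.values() for qid in ids}
    else:
        planned = {}
        for (prefix, n), entries in collect_compliance(config_client, rule_names).items():
            if 1 <= n <= len(qids[prefix]):
                planned[qids[prefix][n - 1]] = format_notes(entries)
    if clean or not dry_run:
        for qid, notes in planned.items():
            # Only Notes is sent, so selected choices and answered state are never modified.
            wa_client.update_answer(WorkloadId=workload_id, LensAlias=LENS, QuestionId=qid, Notes=notes)
    return planned

class FakeConfig:
    """Constructed stand-in for the boto3 'config' client; sample data, not real results."""
    RESULTS = {
        "SEC04-cloudtrail-enabled": [("AWS::::Account", "123456789012", "NON_COMPLIANT")],
        "REL02-vpc-flow-logs-enabled": [("AWS::EC2::VPC", f"vpc-{i:017x}", "COMPLIANT") for i in range(60)],
        "unprefixed-rule": [("AWS::S3::Bucket", "some-bucket", "COMPLIANT")],
    }
    def get_compliance_details_by_config_rule(self, ConfigRuleName, **_):
        return {"EvaluationResults": [{"ComplianceType": s, "EvaluationResultIdentifier": {
            "EvaluationResultQualifier": {"ConfigRuleName": ConfigRuleName, "ResourceType": t, "ResourceId": i}}}
            for t, i, s in self.RESULTS.get(ConfigRuleName, [])]}

class FakeWaTool:
    """Constructed stand-in for the 'wellarchitected' client; records every write."""
    def __init__(self):
        self.updates = []
    def list_answers(self, PillarId, **_):
        return {"AnswerSummaries": [{"QuestionId": f"{PillarId}-q{n}"} for n in range(1, 12)]}
    def update_answer(self, **kwargs):
        self.updates.append(kwargs)
        return {}

def demo(dry_run=1, clean_notes=0):
    """Run the flow against the fakes; returns (plan, recorded UpdateAnswer calls)."""
    event = {"workload_id": "141970ea95fd5b4329cea05202659f39", "dry_run": dry_run, "clean_notes": clean_notes}
    wa = FakeWaTool()
    plan = update_workload(event, FakeConfig(), wa, list(FakeConfig.RESULTS))
    return plan, wa.updates
```

Calling demo(dry_run=1) plans two questions and records no writes; demo(dry_run=0) performs exactly those two UpdateAnswer calls, each carrying only WorkloadId, LensAlias, QuestionId and Notes. The 60 constructed VPC rows exceed the Notes limit, so the rendered text is cut to exactly 2084 characters with a visible marker rather than failing the API call.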
- At least two days before your planned review, deploy the module as suggested in examples/main.tf. Compliance checks update on a daily basis, to reduce unnecessary costs for AWS Config evaluations.
- Right before the review, trigger the Lambda function well_architected_tool_updater to update the Well-Architected Tool workload notes sections based on AWS Config Conformance packs compliance status.
- Run the review, and look at the data in the Notes field for discussion. No checked/answered questions will be modified; that is left to subjective evaluation.
Extract the Well-Architected Tool Workload ID from Properties - ARN. This example with dry_run set to 1 will find relevant compliance data and log to CloudWatch Logs. No changes or updates will be performed.
```json
{
  "workload_id": "141970ea95fd5b4329cea05202659f39",
  "dry_run": 1,
  "clean_notes": 0
}
```
Flipping dry_run to 0 will update the Notes field. No checked/answered questions will be modified.
```json
{
  "workload_id": "141970ea95fd5b4329cea05202659f39",
  "dry_run": 0,
  "clean_notes": 0
}
```
Event JSON for Lambda function well_architected_tool_updater to clean the notes field for all questions
If the notes end up messy and you would like a fresh start, setting clean_notes to 1 will clear the Notes field for all questions and return. No further changes to checked/answered questions and no compliance data updates will be performed.
```json
{
  "workload_id": "141970ea95fd5b4329cea05202659f39",
  "dry_run": 1,
  "clean_notes": 1
}
```
Navigating to AWS Config - Conformance packs will present a dashboard with packs for the Security, Reliability and Cost Optimization Pillars by default.
You can view the compliance score trend for each pillar/pack:
You can also view the compliance status for each check, prefixed with the related best practice question, mapped to the AWS Well-Architected Framework whitepaper.
To trigger the Well-Architected Tool updater, go to Well-Architected Tool and extract the Workload ID (not the full resource ARN).
Then go to AWS Lambda and find the function well_architected_tool_updater. Create a test event JSON definition as follows (Console or CLI):
Expected output is as follows. Full log output is available in CloudWatch Logs.
Back in Well-Architected Tool, the notes field will be updated with detected compliance for SEC 4. How do you detect and investigate security events?
According to the AWS Config pricing page: with AWS Config, you are charged based on the number of configuration items recorded, the number of active AWS Config rule evaluations, and the number of conformance pack evaluations in your account. A configuration item is a record of the configuration state of a resource in your AWS account. An AWS Config rule evaluation is a compliance state evaluation of a resource by an AWS Config rule in your AWS account. A conformance pack evaluation is the evaluation of a resource by an AWS Config rule within the conformance pack.
AWS Config supports continuous recording and daily recording. Continuous recording records configuration changes whenever a change occurs; daily recording captures the state of each resource once per day, which is cheaper when resources change often.
You can choose between daily and continuous recording by setting the variable recording_frequency to DAILY or CONTINUOUS. It defaults to DAILY.
Requirements:

Name | Version |
---|---|
terraform | ~> 1.9 |
aws | ~> 5 |
util | ~> 0.3.0 |

Providers:

Name | Version |
---|---|
aws | ~> 5 |
http | n/a |
util | ~> 0.3.0 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_config_retention_period_in_days | Number of days AWS Config stores your historical information. | number | 180 | no |
cost_optimization_conformance_pack_name | Name of the Cost Optimization conformance pack. | string | "Well-Architected-Cost-Optimization" | no |
deploy_cost_optimization_conformance_pack | Deploy AWS Config Conformance Pack for Cost Optimization. | bool | true | no |
deploy_iam_conformance_pack | Deploy AWS Config Conformance Pack for IAM. | bool | false | no |
deploy_reliability_conformance_pack | Deploy AWS Config Conformance Pack for Reliability. | bool | true | no |
deploy_security_conformance_pack | Deploy AWS Config Conformance Pack for Security. | bool | true | no |
lambda_cloudwatch_logs_retention_in_days | AWS Config Custom Lambda CloudWatch Logs retention in days. | number | 90 | no |
lambda_log_level | Lambda log level. Valid values: DEBUG, INFO, WARNING, ERROR. | string | "INFO" | no |
lambda_python_runtime | Runtime for AWS Config Custom Lambda. | string | "python3.12" | no |
lambda_timeout | Timeout for AWS Config Custom Lambda in seconds. | number | 30 | no |
lambda_timezone | Timezone for Lambda functions. Uses pytz timezone names. Default is Europe/Paris (Central European Time). | string | "Europe/Paris" | no |
recording_frequency | AWS Config recording frequency. Valid options: DAILY or CONTINUOUS. | string | "DAILY" | no |
reliability_conformance_pack_name | Name of the Reliability conformance pack. | string | "Well-Architected-Reliability" | no |
scheduled_config_custom_lambda_periodic_trigger_interval | AWS Config Custom Lambda periodic trigger interval. The default of Twelve_Hours ensures updates within the DAILY window. Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, TwentyFour_Hours. | string | "Twelve_Hours" | no |
security_conformance_pack_name | Name of the Security conformance pack. | string | "Well-Architected-Security" | no |
Note: The inputs and outputs sections are automatically generated by terraform-docs in a git pre-commit hook. This requires setup of pre-commit-terraform. Follow its install instructions, including the dependencies setup. pre-commit ensures correct formatting, linting and generation of documentation. It also checks for trailing whitespace, merge conflicts and mixed line endings. See .pre-commit-config.yaml for more information. A full guide to the pre-commit framework can be found here.
Developed and maintained by Well-Architected enthusiasts in Sopra Steria, without official company support nor liabilities. See contributors. Accelerated by Amazon Q Developer.
MIT licensed. For licensing information and disclaimer see LICENSE.md.