Check for Medium and High Risks in AWS Well-Architected Workloads

Overview

This check identifies workloads in the AWS Well-Architected Tool that have unresolved high or medium risk issues. The Well-Architected Tool evaluates your cloud workloads against AWS best practices across five pillars: Security, Reliability, Performance Efficiency, Operational Excellence, and Cost Optimization.

When the tool identifies gaps between your current architecture and best practices, it flags them as risks. High and medium risks indicate significant areas where your workload may not meet recommended standards.

Risk

Unaddressed high and medium risks can lead to:

  • Security vulnerabilities - excessive access permissions, unencrypted data, or publicly exposed resources
  • Reliability failures - insufficient fault tolerance, poor disaster recovery, or fragile architectures
  • Performance issues - bottlenecks, inefficient resource usage, or scaling limitations
  • Operational gaps - inadequate monitoring, alerting, or incident response procedures
  • Cost inefficiencies - over-provisioned resources or missed optimization opportunities

These architectural weaknesses can be exploited by attackers or cause service disruptions that impact your business.

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to view and edit Well-Architected Tool workloads
  • Familiarity with the workload being reviewed (its architecture, dependencies, and business requirements)

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to Services > Well-Architected Tool (or search for "Well-Architected" in the search bar)
  3. In the left navigation, click Workloads
  4. Select the workload that has high or medium risks
  5. Click the Improvement plan tab
  6. Use the Risk filter to show only High and Medium risk items
  7. For each risk item:
    • Click on the question to see the details
    • Review the current answers and understand why this is flagged as a risk
    • Update your answers to reflect best practices you have implemented (or plan to implement)
    • Add notes explaining your remediation actions or planned improvements
  8. Click Save after updating each question
  9. Repeat until no high or medium risks remain

Tip: Some risks may require actual infrastructure changes before you can truthfully update your answers. Create a remediation plan for those items.

AWS CLI (optional)

List all workloads:

aws wellarchitected list-workloads \
--region us-east-1

Get the lens review for a workload to see risk counts:

aws wellarchitected get-lens-review \
--workload-id <your-workload-id> \
--lens-alias wellarchitected \
--region us-east-1

The response includes RiskCounts showing the number of high, medium, and other risks.

List answers with high risk for a specific pillar:

aws wellarchitected list-answers \
--workload-id <your-workload-id> \
--lens-alias wellarchitected \
--pillar-id security \
--region us-east-1 \
--query "AnswerSummaries[?Risk=='HIGH']"

Replace security with other pillar IDs as needed: reliability, performance, operationalExcellence, costOptimization.

Update an answer to reduce risk:

aws wellarchitected update-answer \
--workload-id <your-workload-id> \
--lens-alias wellarchitected \
--question-id <question-id> \
--selected-choices "<choice-id-1>" "<choice-id-2>" \
--notes "Implemented encryption at rest and in transit" \
--region us-east-1

Understanding the Five Pillars

The Well-Architected Framework evaluates workloads across these pillars:

| Pillar | Focus Area | Common High-Risk Issues |
| --- | --- | --- |
| Security | Protecting data and systems | Missing encryption, overly permissive IAM, public resources |
| Reliability | Recovering from failures | Single points of failure, no backups, untested recovery |
| Performance Efficiency | Using resources efficiently | Wrong instance types, no scaling, bottlenecks |
| Operational Excellence | Running and monitoring workloads | No monitoring, manual processes, poor documentation |
| Cost Optimization | Avoiding unnecessary costs | Over-provisioned resources, unused capacity |

When addressing risks, prioritize security issues first, then reliability, as these have the most significant impact on your workload's safety and availability.

Creating an Improvement Plan

For risks that require infrastructure changes:

  1. Document the current state - Note what is currently in place
  2. Identify the gap - Understand what best practice is missing
  3. Plan the remediation - Create tickets or tasks to address the gap
  4. Set a timeline - Establish realistic deadlines for implementation
  5. Track progress - Use milestones in the Well-Architected Tool to track improvements over time

You can create a milestone before making changes:

aws wellarchitected create-milestone \
--workload-id <your-workload-id> \
--milestone-name "Pre-remediation baseline" \
--region us-east-1

This preserves a snapshot of your current risk state for comparison after improvements.

Verification

After addressing all identified risks:

  1. Return to the Well-Architected Tool in the AWS Console
  2. Open your workload and check the Overview tab
  3. Confirm that High risk issues shows 0 and Medium risk issues shows 0
  4. The workload dashboard should show all pillars with improved or resolved status

CLI Verification

aws wellarchitected get-lens-review \
--workload-id <your-workload-id> \
--lens-alias wellarchitected \
--region us-east-1 \
--query "LensReview.RiskCounts"

Expected output for a fully remediated workload:

{
"HIGH": 0,
"MEDIUM": 0,
"NONE": 15,
"NOT_APPLICABLE": 3,
"UNANSWERED": 0
}
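
An added example (not part of the original page and not an AWS tool): a Python script that applies this check to every workload at once by reading the JSON produced by `aws wellarchitected list-workloads`. The sample data, the workload names and IDs, and the INCOMPLETE status for reviews with unanswered questions are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `aws wellarchitected list-workloads` output
# (WorkloadSummaries[].RiskCounts). Names and IDs are made up.
SAMPLE = json.loads("""
{"WorkloadSummaries": [
  {"WorkloadId": "bbbb2222", "WorkloadName": "batch-reports",
   "RiskCounts": {"NONE": 15, "NOT_APPLICABLE": 3}},
  {"WorkloadId": "cccc3333", "WorkloadName": "new-service",
   "RiskCounts": {"UNANSWERED": 18}},
  {"WorkloadId": "aaaa1111", "WorkloadName": "payments-api",
   "RiskCounts": {"HIGH": 2, "MEDIUM": 1, "NONE": 12, "UNANSWERED": 0}}
]}
""")


def classify(risk_counts):
    """Return FAIL, INCOMPLETE or PASS for one RiskCounts map."""
    # Keys absent from the map are treated as a count of zero.
    if risk_counts.get("HIGH", 0) or risk_counts.get("MEDIUM", 0):
        return "FAIL"
    # No high/medium risks but unanswered questions (or no counts at all)
    # means the review is unfinished, not that the workload is remediated.
    if not risk_counts or risk_counts.get("UNANSWERED", 0):
        return "INCOMPLETE"
    return "PASS"


def check_workloads(listing):
    """Return (status, name, id, high, medium) rows, worst first."""
    order = {"FAIL": 0, "INCOMPLETE": 1, "PASS": 2}
    rows = []
    for w in listing.get("WorkloadSummaries", []):
        rc = w.get("RiskCounts") or {}
        rows.append((classify(rc), w.get("WorkloadName", "?"),
                     w.get("WorkloadId", "?"),
                     rc.get("HIGH", 0), rc.get("MEDIUM", 0)))
    return sorted(rows, key=lambda r: (order[r[0]], -r[3], -r[4]))


if __name__ == "__main__":
    # Pipe CLI output in; with a terminal on stdin the sample is used.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    rows = check_workloads(data)
    for status, name, wid, high, medium in rows:
        print(f"{status:<10} {name:<16} {wid}  HIGH={high} MEDIUM={medium}")
    sys.exit(1 if any(r[0] != "PASS" for r in rows) else 0)
```

Saved under a name of your choice (here the hypothetical `check_wa_risks.py`), it can be fed with `aws wellarchitected list-workloads --region us-east-1 | python3 check_wa_risks.py`. The non-zero exit code lets a scheduled job fail while any workload still has high or medium risks or an unfinished review.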

Notes

  • Honest assessments matter: Only mark best practices as implemented if they truly are. The tool is most valuable when answers accurately reflect your architecture.
  • Iterative process: You do not need to resolve all risks at once. Use milestones to track progress over time.
  • Multiple lenses: Beyond the default Well-Architected lens, you can apply specialized lenses (Serverless, SaaS, etc.) that may identify additional risks specific to your workload type.
  • Shared responsibility: Some best practices require coordination across teams (security, operations, development). Involve stakeholders early in the remediation process.
  • Regular reviews: Schedule periodic reviews (quarterly recommended) to reassess your workload as it evolves and new best practices emerge.