
Thesius Code

Originally published at datanest-stores.pages.dev

AWS Well-Architected Templates


Production-ready CloudFormation and CDK templates that implement the five original pillars of the AWS Well-Architected Framework: operational excellence, security, reliability, performance efficiency, and cost optimization. Stop guessing at best practices and deploy infrastructure that has been designed around those pillars from day one. Each template includes inline documentation explaining the architectural decisions and trade-offs.

Key Features

  • Five Pillars Covered — Templates organized by pillar with cross-pillar integration patterns
  • CloudFormation + CDK — Every pattern available in both YAML templates and TypeScript CDK constructs
  • Environment-Aware Configs — Development, staging, and production configurations with appropriate guardrails
  • Cost Tagging Strategy — Automatic cost allocation tags on every resource for chargeback and optimization
  • Security by Default — Encryption at rest/in-transit, least-privilege IAM, VPC flow logs enabled out of the box
  • Monitoring Built-In — CloudWatch dashboards, alarms, and SNS notification channels pre-configured
  • Compliance Mappings — Comments mapping each control to SOC2, HIPAA, and PCI-DSS requirements
  • Drift Detection — Config rules that alert when deployed resources drift from template definitions

Quick Start

# Copy the production config and adjust it for your environment
cp configs/production.yaml configs/my-environment.yaml

# Deploy the foundation stack (VPC + IAM + Logging).
# --parameter-overrides takes inline Key=Value pairs or a JSON file
# (a list of ParameterKey/ParameterValue objects); it does not read YAML,
# so convert the config first or pass the values inline.
aws cloudformation deploy \
  --template-file src/foundation/vpc-network.yaml \
  --stack-name acme-foundation \
  --parameter-overrides file://configs/my-environment.json \
  --capabilities CAPABILITY_NAMED_IAM

# Or use CDK (run `cdk bootstrap` once per account and region first)
cd src/cdk/
npm install
cdk synth AcmeFoundationStack
cdk deploy AcmeFoundationStack

Architecture

┌─────────────────────────────────────────────────────────┐
│                    AWS Account                          │
│  ┌──────────────────────────────────────────────────┐   │
│  │  Foundation Layer (deploy first)                 │   │
│  │  ┌─────────┐ ┌──────────┐ ┌──────────────────┐  │   │
│  │  │   VPC   │ │ IAM Base │ │ CloudTrail + S3  │  │   │
│  │  │ 3-tier  │ │  Roles   │ │  Logging Bucket  │  │   │
│  │  └────┬────┘ └─────┬────┘ └────────┬─────────┘  │   │
│  └───────┼────────────┼───────────────┼─────────────┘   │
│  ┌───────▼────────────▼───────────────▼─────────────┐   │
│  │  Pillar Stacks (deploy per workload)             │   │
│  │  ┌────────┐ ┌────────┐ ┌──────┐ ┌────────────┐  │   │
│  │  │Security│ │Reliab. │ │Perf. │ │Cost Optim. │  │   │
│  │  │ GuardD │ │Multi-AZ│ │Auto  │ │ Budgets +  │  │   │
│  │  │ Config │ │Backups │ │Scale │ │ Savings    │  │   │
│  │  └────────┘ └────────┘ └──────┘ └────────────┘  │   │
│  └──────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────┘

Usage Examples

Operational Excellence — Automated Runbooks

# src/operational-excellence/ssm-runbook.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: SSM Automation runbook for incident response

Resources:
  IncidentTopic:
    Type: AWS::SNS::Topic   # on-call subscriptions (email, pager, chat) attach here

  IncidentRunbook:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Content:
        schemaVersion: '0.3'
        description: Automated incident triage and escalation
        parameters:
          InstanceId:
            type: String
        mainSteps:
          - name: CheckInstanceHealth
            action: aws:executeAwsApi
            inputs:
              Service: ec2
              Api: DescribeInstanceStatus
              IncludeAllInstances: true   # stopped instances report not-applicable instead of nothing
              InstanceIds:
                - '{{ InstanceId }}'
            outputs:
              - Name: Status
                Selector: $.InstanceStatuses[0].InstanceStatus.Status
                Type: String
          - name: BranchOnHealth
            action: aws:branch
            inputs:
              Choices:
                - NextStep: Healthy
                  Variable: '{{ CheckInstanceHealth.Status }}'
                  StringEquals: ok
              Default: NotifyOnCall      # anything other than ok escalates
          - name: NotifyOnCall
            action: aws:executeAwsApi    # there is no aws:publish action; call SNS directly
            isEnd: true
            inputs:
              Service: sns
              Api: Publish
              TopicArn: !Ref IncidentTopic
              Message: 'Instance {{ InstanceId }} health check failed (status: {{ CheckInstanceHealth.Status }})'
          - name: Healthy
            action: aws:sleep            # no-op terminal step for the healthy path
            isEnd: true
            inputs:
              Duration: PT1S

Security — Least-Privilege IAM with Conditions

# src/security/developer-role.yaml
Resources:
  DeveloperRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: acme-developer
      # Only the corporate IdP can mint sessions for this role, and only
      # SAML assertions addressed to the AWS sign-in endpoint are accepted.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Sub 'arn:aws:iam::${AWS::AccountId}:saml-provider/AcmeIdP'
            Action: 'sts:AssumeRoleWithSAML'
            Condition:
              StringEquals:
                'SAML:aud': 'https://signin.aws.amazon.com/saml'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      Policies:
        # An explicit Deny wins over any Allow, so production writes stay
        # blocked even if a broader policy is attached to this role later.
        - PolicyName: DenyProductionWrites
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Deny
                Action: ['s3:Delete*', 's3:Put*']
                Resource: 'arn:aws:s3:::acme-prod-*'   # matches the buckets and every object in them
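To see what the DenyProductionWrites statement actually buys you, here is a small local model of IAM's evaluation order (explicit Deny, then Allow, then implicit deny). This is an added example, not code from the kit: the policies are constructed stand-ins (ReadOnlyAccess is summarised as a few Allow patterns, and BROAD_S3 is a hypothetical policy someone might attach later), and the model ignores Condition, NotAction, NotResource, SCPs and permission boundaries. For authoritative answers use `aws iam simulate-principal-policy`.

```python
"""Local model of IAM's Deny-overrides-Allow rule (added example, not the kit's code)."""
import fnmatch

# Constructed stand-in for the AWS managed ReadOnlyAccess policy.
READ_ONLY = {"Statement": [{"Effect": "Allow",
                            "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"],
                            "Resource": "*"}]}
# Hypothetical broad Allow someone might attach to the role later.
BROAD_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# The inline guardrail from developer-role.yaml.
DENY_PROD_WRITES = {"Statement": [{"Effect": "Deny",
                                   "Action": ["s3:Delete*", "s3:Put*"],
                                   "Resource": "arn:aws:s3:::acme-prod-*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, case_insensitive):
    """IAM wildcard match: '*' spans any run of characters (including '/'),
    '?' one character. Action names compare case-insensitively, ARNs do not."""
    for pattern in patterns:
        p, c = (pattern.lower(), candidate.lower()) if case_insensitive else (pattern, candidate)
        if fnmatch.fnmatchcase(c, p):
            return True
    return False


def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request.
    Any matching Deny wins immediately; otherwise a matching Allow wins;
    otherwise the request is implicitly denied."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(_as_list(stmt["Action"]), action, case_insensitive=True):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource, case_insensitive=False):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


def guardrail_holds(extra_policies=()):
    """True if prod writes stay denied even with extra Allow policies attached."""
    policies = [READ_ONLY, DENY_PROD_WRITES, *extra_policies]
    return all(evaluate(policies, a, r) == "explicitDeny" for a, r in [
        ("s3:PutObject", "arn:aws:s3:::acme-prod-data/report.csv"),
        ("s3:DeleteBucket", "arn:aws:s3:::acme-prod-data"),
        ("S3:DeleteObjectVersion", "arn:aws:s3:::acme-prod-logs/2024/x.gz"),
    ])


if __name__ == "__main__":
    print("guardrail holds with ReadOnlyAccess only:", guardrail_holds())
    print("guardrail holds after attaching s3:*:", guardrail_holds([BROAD_S3]))
    print("dev bucket writes after attaching s3:*:",
          evaluate([READ_ONLY, DENY_PROD_WRITES, BROAD_S3],
                   "s3:PutObject", "arn:aws:s3:::acme-dev-scratch/x"))
```

The point the model makes: with only ReadOnlyAccess attached the Deny is redundant, but the moment someone attaches `s3:*`, writes to acme-dev-* open up while acme-prod-* stays closed. That is the guardrail worth keeping in the template.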

Reliability — Multi-AZ RDS with Automated Backups

# src/reliability/rds-multi-az.yaml
RDSMonitoringRole:                      # Enhanced Monitoring needs a role RDS can assume
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: monitoring.rds.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
ProductionDatabase:
  Type: AWS::RDS::DBInstance
  DeletionPolicy: Snapshot              # keep a final snapshot if the stack is deleted
  Properties:
    Engine: postgres
    EngineVersion: '15.4'
    DBInstanceClass: db.r6g.large
    AllocatedStorage: '100'             # required for non-Aurora engines
    MasterUsername: dbadmin
    ManageMasterUserPassword: true      # credential lives in Secrets Manager, never in the template
    MultiAZ: true
    PubliclyAccessible: false
    StorageEncrypted: true
    DeletionProtection: true
    BackupRetentionPeriod: 35           # maximum automated backup retention
    CopyTagsToSnapshot: true
    EnablePerformanceInsights: true
    MonitoringInterval: 60
    MonitoringRoleArn: !GetAtt RDSMonitoringRole.Arn

Configuration

# configs/production.yaml
Environment: production
Region: us-east-1

# Networking
VpcCidr: 10.0.0.0/16
AvailabilityZones: 3
NATGatewayCount: 3        # One per AZ for HA (use 1 for dev to save cost)
EnableFlowLogs: true

# Security
EnableGuardDuty: true
EnableSecurityHub: true
EnableConfigRules: true
RequireMFA: true

# Cost Management
BudgetAmount: 5000         # Monthly USD budget
BudgetAlertThresholds:     # Alert at these percentages
  - 50
  - 80
  - 100

# Tagging
RequiredTags:
  - Environment
  - Team
  - CostCenter

Best Practices

  • Deploy foundation first — VPC, IAM, and logging stacks are prerequisites for all pillar stacks
  • Use parameter overrides per environment — Never hardcode account IDs or region-specific values
  • Enable drift detection — Run aws cloudformation detect-stack-drift weekly via scheduled Lambda
  • Layer your stacks — Use CloudFormation exports/imports to create dependency chains without monolithic templates
  • Tag everything — The cost allocation tags in these templates are essential for right-sizing later
  • Review before deploying — Always run aws cloudformation deploy --no-execute-changeset first in production
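The "review before deploying" step is only useful if someone actually reads the change set. The script below is an added example (not part of the kit) that turns the JSON from `aws cloudformation describe-change-set` into a short list of findings: resource deletions and replacements block, changes to security-relevant resource types ask for review, everything else passes. SENSITIVE_TYPES, the severity labels and the sample change set are this example's own constructions.

```python
"""Change-set review gate (added example, not the kit's code)."""
import json
import sys

# Resource types where even an in-place change deserves a human look: they
# define trust boundaries, network exposure, key material or audit trails.
SENSITIVE_TYPES = {
    "AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::User",
    "AWS::EC2::SecurityGroup", "AWS::EC2::SecurityGroupIngress", "AWS::EC2::VPC",
    "AWS::S3::BucketPolicy", "AWS::KMS::Key", "AWS::CloudTrail::Trail",
}


def review_change_set(change_set):
    """Return findings for the 'Changes' list of a DescribeChangeSet response.
    Each finding: {'severity': 'block'|'review', 'resource': ..., 'reason': ...}.
    The API paginates with NextToken; merge all pages' Changes before calling this."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        resource = f"{rc.get('LogicalResourceId', '?')} ({rc.get('ResourceType', '?')})"
        action = rc.get("Action")
        replacement = rc.get("Replacement")  # "True", "False" or "Conditional"
        if action == "Remove":
            findings.append({"severity": "block", "resource": resource,
                             "reason": "resource will be deleted"})
        elif action == "Modify" and replacement in ("True", "Conditional"):
            # Details name the properties whose change forces recreation.
            props = sorted({d["Target"].get("Name", "?") for d in rc.get("Details", [])
                            if d.get("Target", {}).get("RequiresRecreation") in ("Always", "Conditionally")})
            findings.append({"severity": "block", "resource": resource,
                             "reason": f"update replaces the resource (Replacement={replacement}; "
                                       f"properties: {', '.join(props) or 'unknown'})"})
        elif rc.get("ResourceType") in SENSITIVE_TYPES:
            findings.append({"severity": "review", "resource": resource,
                             "reason": f"{action} on a security-relevant resource type"})
    return findings


def verdict(findings):
    if any(f["severity"] == "block" for f in findings):
        return "block"
    return "review" if findings else "ok"


# Constructed sample shaped like describe-change-set output (not real API output).
SAMPLE_CHANGE_SET = json.loads("""
{
  "StackName": "acme-foundation", "ChangeSetName": "acme-foundation-review",
  "Status": "CREATE_COMPLETE",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "ProductionDatabase",
      "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True", "Scope": ["Properties"],
      "Details": [{"Target": {"Attribute": "Properties", "Name": "MasterUsername",
                              "RequiresRecreation": "Always"},
                   "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "DeveloperRole",
      "ResourceType": "AWS::IAM::Role", "Replacement": "False", "Scope": ["Properties"]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Add", "LogicalResourceId": "CpuAlarm",
      "ResourceType": "AWS::CloudWatch::Alarm"}}
  ]
}
""")


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CHANGE_SET
    found = review_change_set(data)
    for f in found:
        print(f"[{f['severity']}] {f['resource']}: {f['reason']}")
    print("verdict:", verdict(found))
    sys.exit(1 if verdict(found) == "block" else 0)
```

Wire it in as: `aws cloudformation deploy ... --no-execute-changeset` (prints the change set ARN), then `aws cloudformation describe-change-set --change-set-name <arn> > cs.json`, then `python review_changeset.py cs.json`, and only on a non-blocking verdict `aws cloudformation execute-change-set --change-set-name <arn>`. On the sample, the MasterUsername change replaces the production database, which is exactly the class of surprise this gate exists to catch.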
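For the "run drift detection weekly via scheduled Lambda" item, here is a handler that does the whole loop: start detection, poll until it finishes, page through the drifted resources and publish a summary to SNS. This is an added example, not the kit's code; it assumes stack names arrive in a STACK_NAMES environment variable (comma-separated), alerts go to the topic in ALERT_TOPIC_ARN, and an EventBridge schedule such as rate(7 days) invokes handler(). The pure helpers take plain dicts so the logic can be exercised without AWS.

```python
"""Weekly CloudFormation drift check as a Lambda function (added example, not the kit's code)."""
import os
import time


def drifted_resources(resource_drifts):
    """Keep the MODIFIED/DELETED entries of a DescribeStackResourceDrifts
    response and flatten them to what an alert needs."""
    out = []
    for d in resource_drifts:
        if d.get("StackResourceDriftStatus") not in ("MODIFIED", "DELETED"):
            continue
        out.append({
            "logical_id": d["LogicalResourceId"],
            "type": d["ResourceType"],
            "status": d["StackResourceDriftStatus"],
            # PropertyPath is a JSON pointer such as /VersioningConfiguration/Status
            "properties": [p["PropertyPath"] for p in d.get("PropertyDifferences", [])],
        })
    return out


def format_alert(stack_name, drifts):
    lines = [f"Drift detected in stack {stack_name}: {len(drifts)} resource(s)"]
    for d in drifts:
        detail = ", ".join(d["properties"]) or "resource no longer exists"
        lines.append(f"- {d['logical_id']} ({d['type']}): {d['status']}: {detail}")
    return "\n".join(lines)


def detect_and_wait(cfn, stack_name, timeout_s=600, poll_s=10):
    """Start drift detection, poll until it finishes, return drifted resources.
    `cfn` is a boto3 CloudFormation client (or any object with the same three methods)."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    deadline = time.monotonic() + timeout_s
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"drift detection for {stack_name} still running after {timeout_s}s")
        time.sleep(poll_s)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    # The resource listing is paginated; walk every page.
    drifts, token = [], None
    while True:
        kwargs = {"StackName": stack_name,
                  "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
        if token:
            kwargs["NextToken"] = token
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page.get("StackResourceDrifts", []))
        token = page.get("NextToken")
        if not token:
            return drifted_resources(drifts)


def handler(event, context):
    import boto3  # imported lazily so the helpers above import without the SDK installed
    cfn, sns = boto3.client("cloudformation"), boto3.client("sns")
    summary = {}
    for stack_name in [s.strip() for s in os.environ["STACK_NAMES"].split(",") if s.strip()]:
        drifts = detect_and_wait(cfn, stack_name)
        summary[stack_name] = len(drifts)
        if drifts:
            sns.publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],
                        Subject=f"CloudFormation drift: {stack_name}"[:100],  # SNS caps subjects at 100 chars
                        Message=format_alert(stack_name, drifts))
    return summary
```

The function's role needs cloudformation:DetectStackDrift, cloudformation:DescribeStackDriftDetectionStatus, cloudformation:DescribeStackResourceDrifts and sns:Publish on the alert topic, and the Lambda timeout must exceed the polling budget (detection on a large stack can take several minutes). Note that drift detection only compares properties CloudFormation tracks for each resource type; a resource it reports as IN_SYNC can still have been touched in ways it does not model.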

Troubleshooting

Issue: CAPABILITY_NAMED_IAM error
Cause: The stack creates IAM resources with explicit names (for example, RoleName)
Fix: Add --capabilities CAPABILITY_NAMED_IAM to the deploy command

Issue: Circular dependency error
Cause: Two resources reference each other through Ref or GetAtt
Fix: Break the cycle by moving one side of the reference into a separate resource (for example, an AWS::EC2::SecurityGroupIngress instead of an inline ingress rule). DependsOn adds a dependency; it cannot remove one.

Issue: Stack stuck in UPDATE_ROLLBACK_FAILED
Cause: A resource could not be rolled back, often because it was changed outside CloudFormation
Fix: Run aws cloudformation continue-update-rollback --resources-to-skip on the offending resources, then reconcile them manually

Issue: CDK synth fails with context errors
Cause: Missing or stale runtime context values (cached lookups)
Fix: Run cdk context --clear, then cdk synth again

This is 1 of 11 resources in the Cloud Architecture Pro toolkit. Get the complete [AWS Well-Architected Templates] with all files, templates, and documentation for $49.

Get the Full Kit →

Or grab the entire Cloud Architecture Pro bundle (11 products) for $149 — save 30%.

Get the Complete Bundle →

