AWS
Well-Architected Labs
Operational Excellence
100 Labs
100 - Inventory and Patch Management
1.
Intro
2.
Setup
3.
Deploy an Environment
4.
Inventory Management
5.
Patch Management
6.
Maintenance Windows
7.
Creating SNS topic
8.
Teardown
100 - Dependency Monitoring
1.
Deploy Infrastructure
2.
Understanding Metrics
3.
Create Alarm
4.
Test Fail Condition
5.
Bonus Content
6.
Tear down this lab
200 Labs
200 - Build AWS Health Aware Operation Change Process
1.
Deploy the lab environment
2.
Create Systems Manager Change Template
3.
Test the Change Process
4.
Test the Change Process with Simulated Service Event
5.
Teardown
200 - Automating operations with Playbooks and Runbooks
1.
Deploy the sample application environment
2.
Simulate an Application Issue
3.
Build & Run an Investigative Playbook
4.
Build & Run Remediation Runbook
5.
Teardown
Security
100 Level Foundational Labs
Account Setup and Root User
1.
Account Settings & Root User Security
2.
Tear down
Identity and Access Management User, Group, Role
CloudFront with S3 Bucket Origin
1.
Create S3 bucket
2.
Upload example index.html file
3.
Configure Amazon CloudFront
4.
Tear down
Enable Security Hub
1.
Enable AWS Security Hub
2.
Tear Down
Create a Data Bunker Account
1.
Creating data bunker account in console
200 Level Intermediate Labs
Automated Deployment of Detective Controls
1.
Create Stack
2.
Knowledge Check
3.
Tear down
Automated Deployment of EC2 Web Application
1.
Create Web Stack
2.
Tear down this lab
Automated Deployment of IAM Groups and Roles
1.
AWS CloudFormation to Create Groups, Policies and Roles with MFA Enforced
2.
Assume Roles from an IAM user
3.
Tear down
Automated Deployment of VPC
1.
Create VPC Stack
2.
Tear Down
Automated Deployment of Web Application Firewall
1.
Configure AWS WAF
2.
Configure Amazon CloudFront
3.
Tear down
Automated IAM User Cleanup
1.
Deploying IAM Lambda Cleanup with AWS SAM
4.
Tear down
Basic EC2 WAF Protection
1.
Launch Instance
2.
Create AWS WAF Rules
3.
Create Application Load Balancer with WAF integration
4.
Tear down
AWS Certificate Manager Request Public Certificate
1.
Requesting a public certificate using the console
2.
Tear down
CloudFront for Web Application
1.
Configure CloudFront - EC2 or Load Balancer
2.
Tear down
CloudFront with WAF Protection
1.
Launch Instance
2.
Configure AWS WAF
3.
Configure Amazon CloudFront
4.
Tear down this lab
Remotely Configuring, Installing, and Viewing CloudWatch logs
1.
Deploy the CloudFormation Stack
2.
Install the CloudWatch Agent
3.
Store the CloudWatch Config File in Parameter Store
4.
Start the CloudWatch Agent
5.
Generate Logs
6.
View your CloudWatch Logs
7.
Export Logs to S3
8.
Query logs from S3 using Athena
9.
Create a QuickSight Visualization
10.
Lab Recap
11.
Lab Teardown
300 Level Advanced Labs
Multilayered API Security with Cognito and WAF
1.
Deploy the lab base infrastructure
2.
Use Secrets Securely
3.
Prevent requests from accessing API directly
4.
Application layer defence
5.
Control access to API
6.
Tear down
Autonomous Monitoring Of Cryptographic Activity With KMS
1.
Deploy The Lab Base Infrastructure
2.
Configure ECS Respository and Deploy The Application Stack
3.
Configure CloudTrail
4.
Configure The Workload Logging and Alarm
5.
Testing the Workload Functionality
6.
Teardown
Autonomous Patching with EC2 Image Builder and Systems Manager
1.
Deploy The Lab Base Infrastructure
2.
Deploy The Application Infrastructure
3.
Deploy The AMI Builder Pipeline
4.
Deploy The Build Automation With SSM
5.
Teardown
IAM Permission Boundaries Delegating Role Creation
1.
Create IAM policies
2.
Create and Test Developer Role
3.
Create and Test User Role
4.
Knowledge Check
5.
Tear down
IAM Tag Based Access Control for EC2
1.
Create IAM policies
2.
Create Role
3.
Test Role
4.
Knowledge Check
5.
Tear down
Incident Response Playbook with Jupyter - AWS IAM
1.
Install Python & AWS CLI
2.
Playbook Run
Incident Response with AWS Console and CLI
1.
Getting Started
2.
Identity & Access Management
3.
Amazon VPC
Lambda Cross Account Using Bucket Policy
1.
Identify (or create) S3 bucket in account 2
2.
Create role for Lambda in account 1
3.
Create bucket policy for the S3 bucket in account 2
4.
Create Lambda in account 1
5.
Tear down
Lambda Cross Account IAM Role Assumption
1.
Create role for Lambda in account 2
2.
Create role for Lambda in account 1
3.
Create Lambda in account 1
4.
Tear down
VPC Flow Logs Analysis Dashboard
1.
Enable VPC Flow Logs
2.
Create Athena Resources
3.
Create VPC Flow Logs QuickSight Dashboard
4.
Teardown
Quests
Introduction to Security
1.
New AWS Account Setup and Securing Root User
2.
Basic Identity and Access Management User, Group, Role
3.
CloudFront with WAF Protection
4.
Automated Deployment of Detective Controls
Simplest Security Steps
1.
Step 1 - Protect privileged credentials
2.
Step 2 - Use temporary credentials
3.
Step 3 - Replace hardcoded credentials
4.
Step 4 - Limit Network Access
5.
Step 5 - Apply patches
6.
Step 6 - Restrict public storage
Quick Steps to Security Success
1.
Control Tower
2.
Centralize Identities
3.
Enable Additional Guardrails
4.
Monitoring and Alerting
5.
Operating
IR - Credential Misuse
Reviewing Security Essential Best Practice
AWS Incident Response Day
Automate The Well-Architected Way With WeInvest
AWS Security Best Practices Workshop
Security Best Practices Day
Managing Credentials & Authentication
Control Human Access
Control Programmatic Access
Detect & Investigate Events
Defend Against New Threats
Protect Networks
Protect Compute
Classify Data
Protect Data at Rest
Protect Data in Transit
Incident Response
Reliability
100 Labs
Deploy using CloudFormation
1.
Deploy Infrastructure
2.
Deploy Application
3.
Explore Web Application
4.
Explore CloudFormation
5.
Tear down this lab
200 Labs
S3 Bi-Directional Replication
1.
Deploy Infrastructure
2.
Configure CRR
3.
Test CRR
4.
Tear down this lab
5.
Resources
Update CloudFormation
1.
Deploy Infrastructure
2.
Explore Deployment
3.
Use Parameters
4.
Add S3 Bucket
5.
Add EC2 Instance
6.
Multi-region Deployment
7.
Tear down this lab
Testing Backup and Restore
1.
Deploy Infrastructure
2.
Create Backup Plan
3.
Enable Notifications
4.
Test Restore
5.
Teardown
Understand resilience with Resilience Hub
Test Resiliency of EC2
1.
Deploy Application
2.
Execution Environment
3.
EC2 Failure Injection
4.
Tear down this lab
Backup and Restore for Analytics Workload
1.
Getting Started
Prerequisites
Architecture
2.
Setting Up
Backup Region
Primary Region
Test Workload
3.
Failover
Backup Region Infrastructure
Endpoint Switch
Verify Failover
4.
Failback
Recreate DynamoDB
Redirect Traffic
Remove Redundant Infrastructure
Resync Data
5.
Next Steps
Cleanup
300 Labs
Health Checks & Dependencies
1.
Deploy Application
2.
Dependency failure
3.
Deep health checks
4.
Fail open
5.
Tear down this lab
Test Resiliency EC2, RDS, & AZ
1.
Deploy Application
2.
Execution Environment
3.
Failure Injection Prep
4.
EC2 Failure Injection
5.
RDS Failure Injection
6.
Application Failure Injection
7.
AZ Failure Injection
8.
Failure Injection - optional
9.
Tear down this lab
Fault isolation with shuffle sharding
1.
Deploy workload
2.
Impact of failures
3.
Implement sharding
4.
Impact of failures - Sharding
5.
Implement shuffle sharding
6.
Impact of failures - Shuffle Sharding
7.
Teardown
8.
Resources
Disaster Recovery
Introduction
Agenda
Module 1: Backup and Restore
Pre-requisites
Account Setup
Primary Region
Secondary Region
IAM Role
S3 Cross-Region Replication
Verify Primary Region
Prepare Secondary Region
Backup
Copy
Failover
Restore
Verify Secondary Region
Cleanup
Module 2: Pilot Light
Pre-requisites
Account Setup
Primary Region
Secondary Region
Verify Websites
Prepare Secondary Region
EC2
Failover
Aurora
EC2
Verify Failover
Cleanup
Module 3: Warm Standby
Pre-requisites
Account Setup
Primary Region
Secondary Region
Verify Websites
Failover
Aurora
EC2
Verify Failover
Cleanup
Module 4: Hot Standby
Pre-requisites
Account Setup
Primary Region
Secondary Region
DynamoDB
Verify Websites
CloudFront
Failover
Aurora
EC2
Verify Failover
Cleanup
Module 5: Multi-Region Resiliency with Route 53 ARC
Pre-requisites
Account Setup
Primary Region
Secondary Region
DynamoDB
Verify Websites
Readiness checks
Create recovery group and cells
Readiness checks - DynamoDB
Readiness checks - website
Routing Controls
Create Hosted Zone
Controlling Traffic
Simulate Failure
Maintenance Mode
Cleanup
AWS Elastic Disaster Recovery
Performance Efficiency
100 Labs
Monitoring with CloudWatch Dashboards
1.
View Amazon CloudWatch Automatic Dashboards
2.
Teardown
Calculating differences in clock source
1.
Deploy
2.
Test performance
3.
Change clock type
4.
Teardown
Monitoring Windows EC2 with CloudWatch Dashboards
1.
Deploy Infrastructure
2.
Deploy Instance
3.
Create CloudWatch Dashboard
4.
Add metrics to Dashboard
5.
Generate load
6.
Teardown
Monitoring Linux EC2 with CloudWatch Dashboards
1.
Deploy Infrastructure
2.
Deploy Instance
3.
Create CloudWatch Dashboard
4.
Add metrics to Dashboard
5.
Generate load
6.
Teardown
Cost Optimization
Fundamentals
Expenditure Awareness
Cost Effective Resources
100 Labs
Level 100: AWS Account Setup: Lab Guide
1.
Configure IAM access
2.
Create an account structure
3.
Configure Cost and Usage reports
4.
Enable Single Sign On (SSO)
5.
Configure account settings
6.
Setup Amazon QuickSight
7.
Enable AWS Cost Explorer
8.
Enable AWS-Generated Cost Allocation Tags
9.
Configure Monthly Reports (Optional)
10.
Tear down
Level 100: Cost and Usage Governance
1.
Create and implement an AWS Budget for monthly forecasted cost
2.
Create and Implement an AWS Budget for EC2 Actual Cost
3.
Create and implement an AWS Budget for EC2 Savings Plan coverage
4.
Create and implement an AWS Budget Report
5.
Tear down
Level 100: Pricing Models
1.
View your Savings Plan recommendations
2.
Understand your usage trend
3.
Analyze your Savings Plan recommendations
4.
Visualize your Savings Plan recommendations
5.
Tear down
Level 100: Cost and Usage Analysis
1.
View your AWS Invoices
2.
View your cost and usage in detail
3.
Download your Monthly Report CSV
4.
Teardown
Level 100: Cost Visualization
1.
View your cost and usage by service
2.
View your cost and usage by account
3.
View your Savings Plan coverage
4.
View your Elasticity
5.
View your Reserved Instance coverage
6.
Create custom EC2 reports
7.
Tear down
Level 100: Rightsizing Recommendations
1.
Intro to Rightsizing on AWS
2.
Using AWS Cost Management Rightsizing Recommendations
3.
Prioritizing Rightsizing Recommendations
4.
Other Rightsizing Tools
5.
Tear down
Level 100: Cost Estimation
1.
Launch AWS Pricing Calculator
2.
Add & Configure Services
3.
Review Estimate
4.
Export Estimate
5.
Save and Share
Level 100: Goals & Targets
1.
Cloud Financial Management
2.
Govern Usage
3.
Monitor Cost and Usage
4.
Decommission Resources
5.
Service Selection
6.
Resource Type, Size & Number
7.
Pricing Models
8.
Data Transfer
9.
Manage Demand & Supply Resources
10.
Evaluate New Services
Level 100: Tag Policies
1.
Create a Tag Policy
2.
Attach the Tag Policy to an account
3.
Check for non-compliant resources
4.
Teardown
200 Labs
Level 200: EC2 Scheduling at Scale
1.
Deploy lab environment and Scheduler solution
2.
Verify Instance Scheduler Configuration
3.
Scheduling at scale
4.
Teardown
Level 200: Cost and Usage Governance
1.
Create a group of users for testing
2.
Create an IAM Policy to restrict service usage by region
3.
Create an IAM Policy to restrict EC2 usage by family
4.
Extend an IAM Policy to restrict EC2 usage by instance size
5.
Create an IAM policy to restrict EBS Volume creation by volume type
6.
Teardown
Level 200: Pricing Models
1.
View an RI report
2.
Download and prepare the RI CSV files
3.
Sort and filter the RI CSV files
4.
Tear down
Level 200: Cost and Usage Analysis
1.
Verify your CUR files are being delivered
2.
Use AWS Glue to enable access to CUR files via Amazon Athena
3.
Cost and Usage analysis
4.
Tear down
Level 200: Cost Categories
1.
Configure Lab Environment
2.
Apply Tags using Tag Editor
3.
Configure Cost Allocation Tags
4.
Create Cost Categories
5.
Visualize in Cost Explorer
6.
Teardown
Level 200: Cost Visualization
1.
Create a data set
2.
Create visualizations
3.
Share your Analysis and Dashboard
4.
Tear down
Level 200: Rightsizing with Compute Optimizer
1.
Getting to know Amazon Cloudwatch
2.
Create an IAM Role to use with Amazon CloudWatch Agent
3.
Attach CloudWatch IAM role to selected EC2 Instances
4.
CloudWatch Agent Manual Install
5.
Rightsizing with AWS Compute Optimizer and Memory Utilization Enabled
6.
Tear down
Level 200: Pricing Model Analysis
1.
Create Pricing Data Sources
2.
Create the Usage Data Source
3.
Setup QuickSight Dashboard
4.
Create the Recommendation Dashboard
5.
Format the Recommendation Dashboard
6.
Teardown
Level 200: Cost Anomaly Detection
1.
Getting to know AWS Cost Anomaly Detection
2.
Create A Cost Monitor
3.
Dive deep into detected cost anomaly
4.
Creating additional alert subscription for individual alerts
5.
Teardown
Level 200: Cloud Intelligence Dashboards
CUDOS, KPI and Cost Intelligence Dashboard
1
Deploy Dashboards
2
Post Deployment Steps
3
Alternative Deployment Methods
4
Additional Dashboards
Compute Optimizer Dashboard (COD)
1.
Prerequisites
2.
COD Deployment
3.
Optional Steps
Trusted Advisor Organizational (TAO) Dashboard
1.
Prerequisites
2.
Create & Upload Trusted Advisor Report
3.
TAO Dashboard Deployment
4.
Optional Steps
Post Deployment Steps
Share Dashboards
Update Dashboards
Customizations
1.
Adding Tags
2.
Filtering Visuals by Cost Allocation Tags
3.
SaaS Unit Metrics
4.
Row Level Security
4.
SSO Application
Teardown
FAQ
Level 200: Workload Efficiency
1.
Create the Data Sources
2.
Create the efficiency data source
3.
Create the Visualizations
4.
Teardown
Level 200: Licensing
1.
Create Pricing Data Source
2.
Analyze and Understand Licensing
3.
Teardown
Level 200: Cost Journey
1.
Configure Services
2.
Create Journey
3.
Teardown
Level 200: Amazon S3 Intelligent Tiering
1.
Amazon S3 Intelligent-Tiering Overview
2.
Upload new object to S3 Intelligent-Tiering
3.
Transition existing objects to S3 Intelligent-Tiering
4.
Automate Lifecycle rule creation using Lambda
5.
Configure Opt-in Archive Access Tier
6.
Restoring archived data
7.
Teardown
300 Labs
Level 300: Automated Athena CUR Query and E-mail Delivery
1.
Overview architecture
2.
Create S3 Bucket
3.
Create an IAM policy and role for Lambda function
4.
Configure parameters of function code and upload code to S3
5.
Create a Lambda function
6.
Customize query strings and create scheduled CloudWatch event
7.
Teardown
Level 300: Automated CUR Updates and Ingestion
1.
Create the CloudFormation Stack
2.
Multiple CURs
3.
Teardown
Level 300: AWS CUR Query Library
Analytics
Application Integration
AWS Cost Management
Compute
Cost Efficiency
Container
Cost Optimization
Customer Engagement
Database
End User Computing
Global Queries
Machine Learning
Management & Governance
Networking & Content Delivery
Developer Tools
Security, Identity, & Compliance
Storage
CUR Query Library Help
CUR Query Building
Library Contribution Guide
CUR Query Library Contributors
Level 300: Splitting the CUR and Sharing Access
1.
Setup Output S3 Bucket
2.
Perform one off Fill of Member/Linked Data
3.
Create Athena Saved Queries to Write new Data
4.
Create Lambda function to run the Saved Queries
5.
Trigger the Lambda When a CUR is Delivered
6.
Sub Account Crawler Setup
7.
Tear Down
Level 300: Add Organization Data to CUR - REMOVED
Level 300: Optimization Data Collection
1.
Grant permissions to your accounts in your AWS Organization
2.
Deploy core infrastructure for data retrieval
3.
Testing Deployment
4.
Utilize Data
5.
Teardown
Create Custom Data Collection Module (Optional)
FAQ
Modules
Sustainability
Well-Architected Tool
100 Labs
Level 100: Walkthrough of the Well-Architected Tool
1.
Navigating to the console
2.
Creating a workload
3.
Performing a review
4.
Saving a milestone
5.
Viewing and downloading the report
6.
Tear down this lab
Level 100: Custom Lenses on AWS Well-Architected Tool
1.
Structure of a custom lens - Pillars, Questions and Best Practices
2.
Structure of a custom lens - Questions
3.
Structure of a custom lens - Risk and Rule
4.
Publish my Custom Lens on WA Tool
5.
Share my Custom Lens
6.
Tear down this lab
200 Labs
Level 200: Integration with AWS Compute Optimizer and AWS Trusted Advisor
1.
Prerequisites
2.
Configure Lab Environment
3.
Create a Well-Architected Workload with Tags
4.
Performing a data-driven review
5.
(Optional Step) Integrate AWS Compute Optimizer and Trusted Advisor to Another Question
6.
Teardown
Level 200: Using AWSCLI to Manage WA Reviews
1.
Configure Environment
2.
Create a Well-Architected Workload
3.
Performing a review
4.
Saving a milestone
5.
Viewing and downloading the report
6.
Programmatic access via API
7.
Teardown
Level 200: Manage Workload Risks with OpsCenter
1.
Deploy infrastructure
2.
Configure risk tracking
3.
Configure workload updates
4.
Teardown
300 Labs
Using custom resource in AWS CloudFormation to create and update Well-Architected Reviews
1.
Deploy Infrastructure
2.
Explore Lambda code
3.
Use Lambda in CloudFormation
4.
Deploy Sample Application
5.
Explore WA Review
6.
Teardown
Level 300: Build custom reports of AWS Well-Architected Reviews
1.
Extract workload data
2.
Catalog the workload data
3.
Query the workload data
4.
Visualize the workload data
5.
Clean up the deployment
Helpful Resources
Copying a WA Workload
1.
Configure Environment
2.
Python Code
3.
Script usage examples
Custom WAF Report
1.
Configure Environment
2.
Python Code
3.
Script usage examples
Export to XLSX
1.
Configure Environment
2.
Python Code
3.
Script usage examples
Export Import Utility
1.
Configure Environment
2.
Python Code
3.
Script usage examples
Well-Architected Partners
100 Labs
Level 100: Automating Serverless Best Practices with Dashbird
1.
Deploy The Blue Car Application
2.
Well-Architected Insights
3.
Modern Load Test
4.
Tear down
Contributing Guide
General
Reporting Bugs & Feature Requests
Creating a Fork
Updating an Existing Lab
Creating a New lab
Creating a Pull Request
Contributing (GitHub)
Labs RSS Feed
Amazon Free Tier
English
Clear History
License
Documentation License
Licensed under the
Creative Commons Share Alike 4.0
license.
Code License
Licensed under the Apache 2.0 and MITnoAttr License.
© 2023 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
https://aws.amazon.com/apache2.0/
or in the license accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Edit this page
AWS Well-Architected Labs
>
Security
>
300 Level Advanced Labs
>
Level 300: IAM Permission Boundaries Delegating Role Creation
> Knowledge Check
Knowledge Check
The security best practices followed in this lab are:
Manage credentials and authentication
Use of MFA for access to provide additional access control.
Grant access through roles or federation:
Roles with associated policies have been used to define appropriate permission boundaries.
Grant least privileges:
The roles are scoped with minimum privileges to accomplish the task.