iTranslated by AI

The content below is an AI-generated translation. This is an experimental feature, and may contain errors. View original article

🍖

Performing AWS Well-Architected Reviews with LLM

2025/07/05に公開

AWS

IaC

Bedrock

Well-Architected Framework

tech

 IntroductionI have been deploying a personal web application on AWS.

For this web application, I tried asking an LLM to perform a Well-Architected review using the "Well-Architected IaC (Infrastructure as Code) Analyzer".
I gave an LT based on this article at "JAWS Meet 2025".

Here are the LT materials.

 Target AudienceThose deploying workloads on AWS
Those who want to conduct Well-A reviews easily
Those who want to generate IaC following Well-A based on architecture diagrams
Those who want to learn about the "Well-Architected IaC (Infrastructure as Code) Analyzer"

 About Well-Architected IaC (Infrastructure as Code) Analyzer"Well-Architected IaC (Infrastructure as Code) Analyzer" is a project that reviews whether your design follows AWS Well-Architected best practices, using IaC or architecture diagrams as input.
This project is deployed as a web application. By uploading the necessary inputs to the deployed web app, Bedrock in the backend performs the review.

Bedrock is integrated with the Bedrock Knowledge Base, which is composed of AWS white papers and other resources, and it provides answers while citing the source of the information.

Furthermore, it is also capable of generating IaC from architecture diagrams or design documents.

This web application, Bedrock, and other components can be easily deployed using the CFn or CDK provided by the project.


Architecture diagram of the IaC Analyzer
For more details, please refer to the "Well-Architected IaC Analyzer" GitHub repository.

https://github.com/aws-samples/well-architected-iac-analyzer

 Actually Performing a ReviewNow, let's set up the Well-Architected IaC Analyzer and proceed with the review.

 Setting up Well-Architected IaC AnalyzerFirst, we will set up the IaC Analyzer.

There are several setup methods, but this time we will use the recommended pattern using CFn.
The procedure can be found below; please refer to it if you would like to see the original text.

https://github.com/aws-samples/well-architected-iac-analyzer?tab=readme-ov-file#option-1-using-a-cloudformation-deployment-stack-recommended

 0. Preparation: Enabling Model AccessEnable the following Bedrock models used by the IaC Analyzer:
Titan Text Embeddings V2
Claude 3.5 Sonnet v2 (Default)
(Optional) Claude 3.7 Sonnet with extended thinking
Please refer to the following procedure for enabling models:

https://docs.aws.amazon.com/ja_jp/bedrock/latest/userguide/model-access-modify.html

 1. Downloading the CFn TemplateDownload the following YAML to your local environment. This is the YAML for creating the CFn stack.

https://github.com/aws-samples/well-architected-iac-analyzer/blob/main/cfn_deployment_stacks/iac-analyzer-deployment-stack.yaml

 2. Creating the Stack with CloudFormationBuild the environment with CloudFormation using the downloaded YAML.
First, on the stack creation screen, select "Choose an existing template" and "Upload a template file," upload the downloaded YAML, and click "Next."

Next, set the arbitrary values defined in the Parameter field of the YAML.

It may seem like there are many setting items, but they can be broadly categorized as follows:
Whether to configure it to be accessible from the internet
Which Bedrock model to select
Whether authentication is required
Settings related to Cognito if you want to integrate authentication with Cognito
Settings related to OIDC if you want to integrate authentication with an arbitrary OIDC

If you allow access from the internet, use the default Bedrock model, and don't require authentication, the settings will be roughly this much.

!⚠️ Please note that if you allow access from the internet and disable authentication, anyone will be able to use it as soon as the URL is leaked.
I have machine-translated the list of parameters that can be set. Please refer to it if you would like to check them in detail.
Reference: Parameter List
 Global Settings
 Deploy with an internet-facing ALB? (PublicLoadBalancer)Enabled (Default): Deploys a load balancer accessible from the internet

Disabled: Deploys an internal load balancer accessible only from within the VPC network

About internal load balancer access settings:

To access the internal load balancer, network connectivity to the destination VPC is required via one of the following methods:

VPC Peering

VPN Connection

AWS Direct Connect

Other network connectivity solutions

⚠️ Security Warning: If "Enabled" is selected with authentication disabled, the application will be publicly available without authentication. For internet-facing deployments, enabling authentication is strongly recommended.

 Amazon Bedrock Model ID (ModelId)Default: anthropic.claude-3-5-sonnet-20241022-v2:0 (Claude 3.5 Sonnet v2)

You can also specify a different Bedrock model ID if necessary

Note: This application has been primarily tested with Claude 3.5 Sonnet v2 and Claude 3.7 Sonnet. While it may work with other Bedrock models, using different models may lead to unexpected results.

 Authentication SettingsEnable Authentication (Authentication)
Disabled (Default): No authentication is required to access the application

Enabled: Enables authentication using the selected method

 Authentication Method (AuthType)none (Default): No authentication

new-cognito: Creates a new Amazon Cognito user pool

existing-cognito: Uses an existing Amazon Cognito user pool

oidc: Uses an OpenID Connect provider (Auth0, Okta, etc.)

 SSL Certificate ARN (CertificateArn)Required only when authentication is set to "Enabled"

Format: arn:aws:acm:region:account:certificate/certificate-id

Important: Before enabling authentication, you must prepare a valid AWS Certificate Manager (ACM) certificate covering the DNS domain you plan to use for application access

 Authentication-Specific Settings
 New Cognito User Pool SettingsIf AuthType is set to "new-cognito", the following parameters are required:
Cognito Domain Prefix (CognitoDomainPrefix)
A unique prefix for the Cognito domain (e.g., wa-analyzer)

Generated domain format: your-prefix.auth.region.amazoncognito.com
Allowed Callback URLs (CallbackUrls)
A comma-separated list of URLs to which users are redirected after signing in

Must include /oauth2/idpresponse following the URL used for application access

Example: https://wa-analyzer.example.com/oauth2/idpresponse
Logout Redirect URL (LogoutUrl)
The URL to which users are redirected after logging out

Example: https://wa-analyzer.example.com

 Existing Cognito User Pool SettingsIf AuthType is set to "existing-cognito", the following parameters are required:
Existing Cognito User Pool ARN (ExistingUserPoolArn)
The ARN of an existing Cognito user pool

Format: arn:aws:cognito-idp:region:account:userpool/pool-id
Existing Cognito Client ID (ExistingUserPoolClientId)
The client ID of the existing Cognito user pool
Existing Cognito Domain (ExistingUserPoolDomain)
The domain of the existing Cognito user pool

Cognito prefix domain: your-prefix.auth.region.amazoncognito.com

Or custom domain: auth.your-domain.com
Existing Cognito Logout URL (ExistingCognitoLogoutUrl)
The URL to which users are redirected after logging out

Example: https://wa-analyzer.example.com

 OpenID Connect (OIDC) SettingsIf AuthType is set to "oidc", the following parameters are required:
OIDC Issuer URL (OidcIssuer)
The issuer URL of the OIDC provider

Example (for Auth0): https://your-tenant.us.auth0.com/authorize
OIDC Client ID (OidcClientId)
The client ID of the OIDC provider
OIDC Authorization Endpoint URL (OidcAuthorizationEndpoint)
The authorization endpoint URL of the OIDC provider

Example (for Auth0): https://your-tenant.us.auth0.com/authorize
OIDC Token Endpoint URL (OidcTokenEndpoint)
The token endpoint URL of the OIDC provider

Example (for Auth0): https://your-tenant.us.auth0.com/oauth/token
OIDC User Information Endpoint URL (OidcUserInfoEndpoint)
The user info endpoint URL of the OIDC provider

Example (for Auth0): https://your-tenant.us.auth0.com/userinfo
OIDC Logout URL (OidcLogoutUrl)
The URL for logging out users

Example (for Auth0): https://your-tenant.us.auth0.com/v2/logout?client_id=your-client-id&returnTo=https://wa-analyzer.example.com
https://github.com/aws-samples/well-architected-iac-analyzer?tab=readme-ov-file#cloudFormation-configuration-parameters
Stack creation has started.


 Accessing IaC AnalyzerIn about 10 to 20 minutes after creating the stack, the status will transition to "CREATE_COMPLETE". (In this case, it took 17 minutes.)

This completes the environment setup.

The web app link is displayed in the "Outputs" tab with the key "FrontendURL".
By clicking the link, I was able to access the IaC Analyzer.


 Changing to JapaneseYou can change the language to Japanese by selecting the ⚙ mark in the upper right corner of the screen and choosing Japanese.

The language has been changed to Japanese.

The environment preparation is now complete.


 (Bonus) Getting AWS Diagram MCP Server to Create an Architecture DiagramIn addition to IaC, architecture diagrams can also be used as input for the review.

Up until now, I've created architecture diagrams using tools like draw.io or PowerPoint, but it's surprisingly labor-intensive.

Let's ask an LLM to do this as well.

You can easily create one using the aws-diagram-mcp-server provided by awslabs.

https://awslabs.github.io/mcp/servers/aws-diagram-mcp-server/
The resulting architecture diagram is shown below.

It is quite impressive, with no noticeable hallucinations except for the missing SQS.


 Reviewing IaCNow let's actually perform a review.

First, select "Complete IaC Project" and upload the zipped Terraform code.

!There is a limit on the file size that can be uploaded, so delete unnecessary files such as the .terraform directory before zipping.
Next, select the pillars to be reviewed.

You can select all of them, or narrow them down to specific pillars to reduce input/output token costs.

This time, let's select all of them.

Finally, configure the optional settings.

You can set lenses specialized for specific industries or technology domains, and it is also possible to specify the output language, attach supplementary documents (.pdf, .txt, .png, .jpg, .jpeg), or integrate with the Well-Architected Tool.

In this case, I will select the "Serverless Lens".

Click "Start Review" and wait about 10 minutes for the review to complete.

Let's check the results.

 Analysis Results Tab38 best practices were verified, and 12 unapplied best practices were detected.

One finding that impressed me was the observation regarding disabled code signing for Lambda functions:
Lambda function code signing is disabled (CKV_AWS_272 is skipped in .checkov.yml), and runtime protection is not sufficiently implemented.
I was impressed that it pointed out the fact that I had disabled specific checkov review criteria.
Furthermore, you can use the chat tool at the bottom right for detailed explanations.

When I asked for more details regarding the suggestion, "For processes expected to run for a long time, use Step Functions instead of raw Lambda," it even generated code for Step Functions as shown below.

You could write this manually, or it seems you could implement it effectively by passing the chat history (downloaded in JSON format) to a coding agent.

Additionally, you can download these results in CSV format.


 Well-Architected Tool TabAdditionally, clicking "Complete Well-Architected Tool Review" in the Well-Architected Tool tab creates a summary for each pillar and potential risk level.



Summary output example
Furthermore, clicking "Generate Well-Architected Tool Report" outputs a report in PDF format. (Note: The output language was English.)


 Reviewing Architecture Diagrams and Generating IaCNext, let's perform a review using only an architecture diagram.

The highlight here is the "IaC Generation" feature in the optional settings.
Select the IaC template type in the optional settings and click "Start Review".

Next, click "Generate IaC Document" in the "Analysis Results" tab.

Once the IaC is generated, the previously grayed-out "IaC Document" tab becomes active.

A CloudFormation (CFn) YAML was generated according to the architecture diagram. In addition, resources not explicitly defined in the diagram, such as CloudWatch, were also included.

It seems practical to design the architecture at the start of a project and use this IaC generation feature to create a draft.

 CleanupOnce the review is finished, download necessary files such as analysis results and chat logs, and delete the stack you created.

 Reference: Costs incurred for this reviewMost of the cost was for OpenSearch.

Since there were significant periods where I forgot to delete the environment, it might be even cheaper if you set it up only when needed and delete it immediately afterward.


 SummaryI used the IaC Analyzer to have an LLM conduct a Well-A review.

It is quite easy to use and so capable that I thought, "I might lose my job!"

I want to do my best so that I can perform work that cannot be replaced.