AWS Well-Architected Mod
Run controls across all of your AWS accounts to check if they are following AWS Well-Architected Framework best practices.
AWS provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.
AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads.
Steampipe is an open source CLI to instantly query cloud APIs using SQL.
Steampipe Mods are collections of
named queries, and codified
controls that can be used to test current configuration of your cloud resources against a desired configuration.
Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:
brew tap turbot/tapbrew install steampipe
Install the AWS plugin with Steampipe:
steampipe plugin install aws
git clone https://github.com/turbot/steampipe-mod-aws-well-architected.gitcd steampipe-mod-aws-well-architected
Install mod dependencies:
steampipe mod install
Before running any benchmarks, it's recommended to generate your AWS credential report:
aws iam generate-credential-report
Start your dashboard server to get started:
By default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.
Instead of running benchmarks in a dashboard, you can also run them within your
terminal with the
steampipe check command:
Run all benchmarks:
steampipe check all
Run a single benchmark:
steampipe check benchmark.well_architected_framework
Run a benchmark for a specific pillar:
steampipe check benchmark.well_architected_framework_security
Run a benchmark for a specific question:
steampipe check benchmark.well_architected_framework_sec01
Run a benchmark for a specific best practice:
steampipe check benchmark.well_architected_framework_sec01_bp01
Different output formats are also available, for more information please see Output Formats.
This mod uses the credentials configured in the Steampipe AWS plugin.
No extra configuration is required.
Common and Tag Dimensions
The benchmark queries use common properties (like
region) and tags that are defined in the dependent AWS Compliance mod. These properties can be executed in the following ways:
Copy and rename the
steampipe.spvars, and then modify the variable values inside that file
Pass in a value on the command line:steampipe check benchmark.security --var 'common_dimensions=["account_id", "connection_name", "region"]'steampipe check benchmark.security --var 'tag_dimensions=["Environment", "Owner"]'
If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.
- Join our Slack community → and hang out with other Mod developers.
Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.
Want to help but not sure where to start? Pick up one of the
help wanted issues: