How to Perform a Well-Architected Framework Review with nOps

Getting Started

AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. Based on five pillars — operational excellence, security, reliability, performance efficiency, and cost optimization — AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures and implement designs that can scale over time.

PREPARATION CHECKLIST: Before you begin, you will need to gather the following:

  • Access to the master payer account if you are using AWS Organizations.
  • Permission to create and run an AWS CloudFormation stack.
  • Permission to create AWS Identity and Access Management (IAM) roles in your account.
  • Friendly account name.
  • The name of an Amazon S3 bucket where your AWS Cost and Usage Reports (CURs) will be written. (We will create one if one does not exist.)
  • CURs enabled in the account.

Adding Clients

nOps starts with a default client that is equivalent to your partner account. Use this client for your internal AWS accounts. To add a new client, from the client dashboard, select Clients and then + New Client.

Note: Selecting Create a new client will allow you to create clients of multiple types. Using the Invite option will auto-generate an email to your client and default them to Well-Architected Review Access.

  • Select Create a new client.

  • If you are conducting a Well-Architected Framework Review (WAFR) for a client, choose Well-Architected Review Access.
  • If you are adding a client to manage their AWS accounts continuously, select Full Access.
  • You are also given the option to put a client through a 14-day trial.

Adding an AWS Account

Connect your AWS account(s) where the resources in your workload live.

Note: You will need to have access to the master payer account if you are using AWS Organizations. Additionally, you will need permissions to create and run a CloudFormation stack and create IAM roles in your account.

Click + Add AWS Account on the right.

Or, click on your username in the top right and go to:

Settings > AWS Accounts. Then click “Add a new AWS account.”

nOps has two setup options:

  • nOps Wizard Setup (recommended) - nOps will create a CloudFormation stack using your AWS credentials.
  • Manual Setup - Used to reconfigure specific AWS accounts.

When adding a new AWS account, nOps will ask for the friendly account name and the name of an S3 bucket where your CURs will be written. If you already have an S3 bucket for your CURs, you can add it here. Otherwise, nOps will attempt to create an S3 bucket.

Click “Setup Account” to be redirected to your AWS account.

Note: Please remember to log in to the AWS account from which you want nOps to collect data.

Agree to the CloudFormation template being able to create an IAM role and then click Create Stack.

Once you have successfully added your AWS account to nOps, it will begin the data ingestion process.

This process can take two to four hours, depending on the size of your AWS account. You should be able to see your AWS account in Settings > AWS Accounts > Active AWS Accounts.

AWS Accounts are now synced when this screen appears:


A workload in nOps is a dynamic collection of AWS resources. Workloads allow you to group and manage only the resources that match a particular query. Click “Workloads” in the top nav bar to be taken to the Workloads view.

Creating Your First Workload

If this is the first time you have created a workload, you will click “Create new Workload” in the middle of the screen. After that, the Create new Workload button will move to the top right of the window.

When you click “Create new Workload” the workload creation pane will slide into view.

  • Select Client - Choose the client for which you want to create the workload.
  • Workload Name - This is the unique identifier for your workload.
  • Well-Architected Tool Integration - Clicking this toggle allows you to sync your workload to the AWS Well-Architected Tool.
  • AWS account to save WAR Progress - If you selected the toggle switch, this determines which AWS account the workload is written to.
  • AWS Account(s) - The AWS Account(s) where the resources for your workload live.
  • Workload Type - Defines the overall workload type. Please select “Well-Architected.”
  • Lens - nOps supports the AWS lens concept. Please select Well-Architected for the lens type.
  • Environment - This defaults to production and defines the environment from an AWS perspective. Note: Sanctioned Well-Architected Framework Reviews should always be performed on a production workload.
  • Jira project - If you are using the built-in Jira integration, you can select a Jira project to integrate with.
  • Description - A text description of your workload.

Defining the Workload Query

After you have filled out the metadata for your workload, you can click the gray bar that says, “**Specify Workload Resource”** causing the query builder to slide into view. nOps allows you to specify rules that define which resources will be added to the workload.

  • Regions - The regions that nOps will pull resources from. This setting defaults to All.
  • AWS Managed Services - The AWS services that nOps will include in your workload. This setting defaults to All.
  • VPC - The VPCs that contain the resources that nOps will include in your workload. This setting defaults to All.
  • Tags - Select tags to be assigned to the resources you want to include, e.g., “ApplicationA.”

Click “Save” to create your workload.

Workload Summary View

After you have created your workload, you will see the Workloads view. Here you can see a list of all workloads you’ve created, edit the query that builds your workload, and delete your workload.

Assessment Status:

• Pending - Waiting to Start Assessment

• In Progress - Started the Assessment, partially completed or waiting to review

• Submitted - Submitted the Workload to AWS, or marked as complete

Click on the workload to be taken to the Workload Summary view. In the Workload Summary view, you will see two sections.

  • Assessment Summary - An overview of how far into the assessment you are.
  • Workload Attachments - Any files and/or links attached to the workload are added to the report generated by nOps when the assessment is completed.
  • Well-Architected Summary - A summary of violations across the five pillars of the Framework.
  • Budgets - A view of the budget you have set for this particular workload.

Running the Well-Architected Framework Review (WAFR)

You might notice that the assessment is at a completion percentage greater than 0. This is due to the fact that nOps uses its rules engine to discover information about the workload automatically. Click “Start Assessment” to begin the WAFR.

For each question in the WAFR, nOps will either automatically detect the answer to the question or allow you to answer it manually. Clicking on the box(es) in each section will designate that your workload meets or exceeds the particular requirements. You can add notes to a particular question by clicking “Add Note.” Hovering the mouse over the question will raise a context menu that gives you several options.

  • Autodiscovery Details - Information about what nOps was able to detect in your account.
  • Attach Resources - Allows you to attach specific resources to a question. These resources will be included in the report generated by nOps.
  • Create Jira Ticket - If you have integrated an instance of Jira Cloud, you can open Jira issues from nOps. Use this option to assign tasks while completing your WAFR.
  • Show Description - Shows a description of the question.

After you have answered each question, you can click “Submit Report” enabling you to export the report to AWS as part of the WAFR. Clicking “Exit Assessment” will return you to the summary screen where you can upload any additional documentation, see the assessment completion percentage, and export the report of the assessment.

AWS Well-Architected Tool Integration

When you synchronize a workload to the AWS Well-Architected Tool, each workload will be listed as if you had created it from the tool itself.

Changes made from nOps can be synchronized to the AWS Well-Architected Tool by clicking Update Report.

IAM Role Updates

If you are using an existing nOps account, you will receive notifications that nOps has added new AWS IAM policies to enable AWS Well-Architected Tool integration. Please update your IAM policies to allow nOps to access the AWS Well-Architected Tool in your account. For more information, you can watch this short video.

Get notified about new AWS IAM policies on nOps - YouTube

Did this answer your question?