VAF·SA — Cloud Reference · Amazon Web Services
VENDOR REFERENCE
VAFSA-CRL-AWS · v1.0
Amazon Web Services
Well-Architected Framework · Cloud Adoption Framework · Landing Zones · Control Tower
01 Overview
AWS Architecture Guidance
How AWS structures its architecture and adoption guidance for enterprise customers.

AWS provides a layered set of architecture and adoption guidance. The Well-Architected Framework defines what good cloud workload design looks like across six pillars. The Cloud Adoption Framework (CAF) addresses the broader organisational challenge of cloud adoption — strategy, people, process, governance, and platform readiness. Landing Zone and Control Tower provide the reference patterns and automation tooling for establishing a governed multi-account AWS environment.

These frameworks complement each other. CAF addresses adoption readiness. WAF addresses workload quality. Landing Zone addresses the platform foundation. An enterprise engagement typically requires all three to be understood and appropriately applied.

VAF·SA applies before and across all three: establishing what the organisation is actually trying to decide, surfacing the constraints the vendor frameworks do not reveal, and producing the artefacts that make platform and workload decisions traceable.
02 AWS Well-Architected Framework
Six Pillars
Workload design quality assessment across six dimensions.

The AWS Well-Architected Framework organises cloud workload design quality into six pillars. The Well-Architected Tool allows teams to conduct structured workload reviews against each pillar, identifying high-risk issues (HRIs) and improvement opportunities.

PILLAR 01
Operational Excellence
Running and monitoring systems to deliver business value, and continually improving processes and procedures.
PILLAR 02
Security
Protecting information, systems, and assets — identity, detection, infrastructure protection, data protection, incident response.
PILLAR 03
Reliability
Ability to perform intended functions correctly and consistently — recovery, infrastructure, change management.
PILLAR 04
Performance Efficiency
Using computing resources efficiently and maintaining that efficiency as demand changes and technology evolves.
PILLAR 05
Cost Optimisation
Avoiding unnecessary costs — understanding expenditure, selecting appropriate resource types, scaling to meet business needs.
PILLAR 06
Sustainability
Minimising the environmental impact of running cloud workloads — understanding impacts, establishing targets, improving over time.
03 AWS Cloud Adoption Framework
Six Perspectives
Organisational and technical readiness for cloud adoption at scale.

The AWS CAF provides a structured approach to cloud adoption across six perspectives: Business, People, Governance, Platform, Security, and Operations. Each perspective identifies capabilities that the organisation needs to build or improve to support cloud adoption at enterprise scale.

Business
Cloud strategy alignment, stakeholder commitment, business case validation, investment and value tracking.
People
Organisational change management, cloud skills development, workforce transformation, culture and leadership.
Governance
Risk management, cloud financial management, portfolio and programme governance, data governance.
Platform
Architecture practices, data architecture, network design, provisioning and orchestration, modern application development.
Security
Governance and assurance, identity and access management, threat detection, vulnerability management, data protection, application security, incident response.
Operations
Observability, event management, incident and problem management, change and release management, performance and capacity management, configuration management.
04 AWS Landing Zone and Control Tower
Enterprise Foundation
Multi-account strategy, governance automation, and baseline controls.

AWS Landing Zone defines the reference architecture for a governed multi-account AWS environment. AWS Control Tower automates the deployment and ongoing governance of that environment, applying guardrails — detective and preventive controls — across accounts and organisational units (OUs).

Multi-account strategy
Separating environments (production, non-production), workload domains, security tooling, and log archive accounts into a structured AWS Organizations hierarchy. Isolation reduces blast radius and simplifies policy application.
Identity baseline
Centralised identity using AWS IAM Identity Center (formerly SSO). Federated authentication from an enterprise identity provider. Role-based access with least privilege, cross-account role assumption patterns.
Network baseline
Hub-and-spoke network topology using AWS Transit Gateway or equivalent. Centralised egress, inspection, and DNS. Network account isolation. VPC design standards — subnetting, routing, endpoint policies.
Security baseline
AWS Security Hub aggregating findings across accounts. Amazon GuardDuty for threat detection. AWS Config for configuration compliance. CloudTrail for audit logging. Detective controls via Service Control Policies (SCPs).
Logging and monitoring
Centralised log archive account. CloudTrail enabled across all accounts and regions. AWS Config recording enabled. Log retention and access controls defined. Security event routing to SIEM or Security Hub.
Workload review checklist
Pre-onboarding checklist for new workloads entering the landing zone: account vending, tagging standards, workload WAF review, connectivity approval, security exception register, cost allocation tags.
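The security and logging baselines above have a preventive half and a detective half: an SCP refuses the API calls that would switch logging off, and a periodic check confirms that every active region in every account still has a logging trail and a Config recorder. The following is an added example written for this page, not code from VAF·SA, AWS Control Tower or any AWS library. It evaluates constructed account snapshots (the account ids, region list, bucket and trail names are all made up) against the baseline and includes a deliberately simplified SCP evaluator that only looks at explicit Deny statements and ignores Condition blocks; the field names in comments mirror the CloudTrail DescribeTrails and GetTrailStatus responses a real collector would read.

```python
"""Added example (not from the VAF·SA page or AWS): offline check of a landing-zone
logging baseline plus the SCP that keeps it from being disabled.
All account ids, regions, bucket and trail names below are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Sequence

# Regions the landing zone has enabled (assumed for this example).
ACTIVE_REGIONS: Sequence[str] = ("us-east-1", "eu-west-1", "ap-southeast-2")
# Placeholder name for the central log archive bucket (not a real bucket).
LOG_ARCHIVE_BUCKET = "example-org-log-archive"


@dataclass
class Trail:
    """Subset of what CloudTrail DescribeTrails / GetTrailStatus return."""
    name: str
    home_region: str
    is_multi_region: bool       # DescribeTrails.IsMultiRegionTrail
    is_logging: bool            # GetTrailStatus.IsLogging
    log_file_validation: bool   # DescribeTrails.LogFileValidationEnabled
    s3_bucket: str              # DescribeTrails.S3BucketName

    def covers(self, region: str) -> bool:
        """A multi-region trail records every region; a single-region trail only its home."""
        return self.is_multi_region or self.home_region == region


@dataclass
class AccountSnapshot:
    """What a collector would gather per member account (constructed here)."""
    account_id: str
    trails: List[Trail] = field(default_factory=list)
    config_recorder_regions: List[str] = field(default_factory=list)  # regions with a recording Config recorder


def check_account(acct: AccountSnapshot,
                  regions: Sequence[str] = ACTIVE_REGIONS,
                  bucket: str = LOG_ARCHIVE_BUCKET) -> List[str]:
    """Detective check: each active region needs a logging trail and a Config recorder;
    each trail must be tamper-evident and deliver to the central log archive.
    Returns one finding string per gap (empty list means compliant)."""
    findings: List[str] = []
    for region in regions:
        if not any(t.covers(region) and t.is_logging for t in acct.trails):
            findings.append(f"{acct.account_id}/{region}: no active CloudTrail trail")
        if region not in acct.config_recorder_regions:
            findings.append(f"{acct.account_id}/{region}: AWS Config recorder not recording")
    for t in acct.trails:
        if not t.log_file_validation:
            findings.append(f"{acct.account_id}: trail {t.name} has log file validation disabled")
        if t.s3_bucket != bucket:
            findings.append(f"{acct.account_id}: trail {t.name} delivers to {t.s3_bucket}, not {bucket}")
    return findings


# Preventive guardrail: attached at OU level, this SCP denies the calls that would
# disable the baseline, even for administrators inside the member accounts.
LOGGING_PROTECTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingLoggingBaseline",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
            "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
            "config:DeleteDeliveryChannel",
        ],
        "Resource": "*",
    }],
}


def scp_denies(action: str, policy: dict = LOGGING_PROTECTION_SCP) -> bool:
    """Simplified evaluator: True if any Deny statement's Action pattern matches.
    Action names are case-insensitive and '*' is a wildcard; Condition blocks and
    Allow statements are ignored, so this is a lint, not a full IAM policy simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch(action.lower(), p.lower()) for p in patterns):
            return True
    return False


# Constructed snapshots: a compliant account, a legacy account with only a local
# single-region trail, and an account whose organisation trail has been stopped.
SAMPLE_ACCOUNTS = [
    AccountSnapshot("111111111111",
                    trails=[Trail("org-trail", "us-east-1", True, True, True, LOG_ARCHIVE_BUCKET)],
                    config_recorder_regions=list(ACTIVE_REGIONS)),
    AccountSnapshot("222222222222",
                    trails=[Trail("legacy-trail", "us-east-1", False, True, False, "team-owned-bucket")],
                    config_recorder_regions=["us-east-1"]),
    AccountSnapshot("333333333333",
                    trails=[Trail("org-trail", "us-east-1", True, False, True, LOG_ARCHIVE_BUCKET)],
                    config_recorder_regions=list(ACTIVE_REGIONS)),
]


def run(accounts: Sequence[AccountSnapshot] = SAMPLE_ACCOUNTS) -> Dict[str, List[str]]:
    """Map each account id to its findings."""
    return {a.account_id: check_account(a) for a in accounts}


if __name__ == "__main__":
    for account_id, findings in run().items():
        print(account_id, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run as-is it reports the legacy account six times (two uncovered regions without a trail or recorder, a trail without log file validation, and delivery to a team bucket rather than the archive) and the stopped organisation trail once per region; the compliant account produces no findings. In a real collector the `AccountSnapshot` values would come from assuming a read-only role in each member account; the finding strings are shaped so they can be routed to Security Hub or a SIEM as the logging baseline entry in the table above describes.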
05 VAF·SA Usage Notes
Applying VAF·SA in AWS Engagements
Where the practitioner method adds value in an AWS-heavy environment.
VAF·SA Practitioner Notes — AWS
  • Ownership ambiguity is common. AWS environments with multiple teams often have unclear boundaries between account owners, platform teams, and workload teams. Module 01 (Orientation) surfaces who actually owns the landing zone, who approves account vending, and who controls SCP policy — before assuming the vendor documentation reflects the real operating model.
  • Control Tower configuration drift. Module 02 (Intelligence) surfaces whether Control Tower guardrails are actually enforced — or whether exceptions have been approved informally and not recorded. The governance gap is often between what Control Tower shows and what is actually in production.
  • WAF review as an engagement instrument. A Well-Architected Review is a structured discovery tool. In Module 03 (Design), a WAF review of the target workload is used to surface architecture trade-offs and generate the evidence base for the Architecture Decision Record.
  • The landing zone decision pack. Module 04 (Artefacts) produces a landing-zone decision pack: account structure decisions, identity integration decisions, network topology decisions, security baseline decisions — each as an ADR with options evaluated and rationale recorded.
  • Multi-stakeholder communication. AWS environments often have security, finance, platform, and workload teams with competing priorities. Module 05 (Communication) frames the architecture recommendation for each audience — not a single document that tries to serve all of them at once.
06 Official References
AWS Documentation
Official vendor sources — not affiliated with AWS or Amazon.