AWS Well-Architected Workload Recommendations in Splunk

The Well-Architected Tool is a new AWS service that compares the state of your workloads with AWS architectural best practices. Splunking your workload state and improvement recommendations will give you better insights into your applications as well as best practices to follow along your cloud journey.

The Well-Architected integration in Grand Central will give you workload insights broken down by the following 5 pillars:

  • Reliability
  • Operational Excellence
  • Performance Efficiency
  • Cost Optimization
  • Security

Getting Started

Let's get started by setting up an account in AWS with the following IAM Policy:

   "Version": "2012-10-17",
   "Statement": [
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": "wellarchitected:*",
           "Resource": "*"

Next ensure that you have at least one workload and associated milestone created in the AWS-Well Architected Console.

Splunk Setup Overview

  1. Download the Grand Central App for Splunk from Splunkbase.
  2. Add your AWS Organizations Master Account to Grand Central.
  3. List Workloads.
  4. List Lens Review Improvements.
  5. Send to Splunk.
  6. Search.
  7. Well Architected Reports Dashboard.

Downloading from Splunkbase

Grand Central can be found here.

Adding a Master Account

Let’s start by adding your master account that you just created. Navigate to Amazon Web Services > Grand Central Accounts, under the "Configure Data Sources" tab.

Make sure to put your AWS Account ID (Numbers only) in the first field. The second field can be a string that you will use to identify the account. Finally, select your Cloud Account Type, the Access and Secret Key. 

With your Master listing account added, your console should look something like this:

List Workloads

Now that our AWS account is setup, we can move to Workloads under the "Well Architected Tool" tab:

Click on the "Update Workloads from AWS" button. This will display your workloads in the table:

List Lens Review Improvements

Click the "List Lens Review Improvements" button in the actions dropdown for your desired workload:

Select your desired lens and click submit. You will now be redirected to the Improvement Summaries Analyzer page where you can view your improvement summaries and risk level by pillar: 

Send to Splunk

We can now view our improvement summaries in Splunk. One of the last steps is to send our improvements data to a Splunk index. On the top right of the page click Ingest into Splunk. Select your desired Index and click Ingest into Splunk. If you got a success notification, you can now view your data in search. 


After moving to the Search tab, you can validate your data made it to the desired index by filtering by index and sourcetype:

index=main sourcetype="aws:wellarchitected:lensreview:improvementsummaries"


Grand Central comes with a Well Architected Reports Dashboard (found under the Well Architected Tool tab) as a way to better understand your data. It consists of visualizations breaking down the risk levels by pillar, risk trends over time, and links to improvement plans. Now that your improvement summary data is in Splunk, we encourage you to make your own dashboards tailored to your needs. 


Happy Splunking!

Skyler Taylor

Posted by