Well-Architected Framework Audit

Read-only describe / list APIs only. We use a read-only IAM Role (AWS), App Registration (Azure), or Service Account (GCP) scoped strictly to describe / list calls plus posture-tool read APIs (Trusted Advisor, Well-Architected Tool, Advisor, Defender for Cloud, Recommender, Security Command Center). The role explicitly cannot create, modify, or delete any resource, cannot trigger failover, and cannot read application data. Every recommendation is delivered as commands and Terraform / CDK / Bicep snippets for your team to execute.

The AWS Well-Architected Tool, Azure Advisor, and GCP Recommender produce raw findings - this audit interprets them. Native tools flag issues but do not score lens-specific design principles, do not combine signal across CSPM tools, do not validate findings against your specific architecture and team capacity, and do not produce a prioritised, copy-pasteable 30 / 60 / 90-day roadmap. A senior cloud architect with hyperscale experience triages every finding, removes false positives, combines AWS Trusted Advisor, Compute Optimizer, Cost Optimization Hub, Security Hub, GuardDuty, Inspector, Resilience Hub, Azure Advisor, Defender for Cloud, GCP Recommender, SCC, Prowler, ScoutSuite, and Cloud Custodian into one coherent report.

Yes - the AWS Generative AI Lens, SaaS Lens, Financial Services Lens, Healthcare Industry Lens, Government Lens, IoT Lens, Machine Learning Lens, Serverless Applications Lens, Container Build Lens, Streaming Media Lens, Hybrid Networking Lens, and Data Analytics Lens are all in scope. The Generative AI Lens specifically covers RAG architecture, prompt engineering operationalisation, model evaluation, cost / latency / quality trade-offs, responsible AI controls, and AI-specific security considerations - alongside the OWASP LLM Top 10. Azure equivalents (AI/ML workload, Mission-Critical, SAP, AVS) and GCP-specific guidance are also covered where applicable.

Yes. The Cost Optimization pillar is one of the deliverables and typically returns 15-35% savings. We combine AWS Compute Optimizer + Cost Optimization Hub, Azure Advisor cost recommendations, and GCP Recommender output with senior-architect review of architectural cost drivers - rightsizing, idle resource removal, Savings Plans / Reserved Instances / Committed Use Discounts coverage, Spot / Preemptible adoption, S3 / Blob / GCS storage tier right-sizing, egress optimisation, and database engine fit (Aurora vs RDS vs DynamoDB, Cosmos DB vs Azure SQL, Spanner vs AlloyDB vs Cloud SQL). Each recommendation is quantified in $/month.

No. The audit is fully read-only against describe / list APIs at a controlled rate. We never modify any resource, never trigger failover, and never connect to any database. Where your CSPM / SIEM (Wiz, Orca, Prisma Cloud, Lacework, Defender for Cloud, Sentinel, Security Hub, Chronicle) might flag the read activity we can pre-coordinate with your detection team, but in practice the API calls look identical to a normal admin running aws ec2 describe-instances.

Yes. Every finding is mapped to specific controls in SOC 2 (CC1-CC9), HIPAA Security Rule §164.308 / 164.310 / 164.312, PCI-DSS v4 requirements, GDPR Article 32, ISO 27001:2022 Annex A, FedRAMP Moderate / High baselines, NIST 800-53 control families, the EU Digital Operational Resilience Act (DORA), and CIS Benchmarks for AWS / Azure / GCP. The report drops directly into your compliance evidence pack alongside your SOC 2, ISO 27001, HIPAA, PCI, or DORA audit.

Yes. We audit AWS, Azure, GCP, and Oracle Cloud Infrastructure individually against their respective frameworks, then add cross-cloud reviews for shared concerns (multi-cloud networking, identity federation across IAM Identity Center / Entra ID / Cloud IAM, multi-cloud cost allocation, multi-cloud DR, regulatory data residency). Hybrid scenarios with on-premise components are also in scope.

Typical turnaround is 5-7 business days from the moment read-only access is granted, plus a 45-minute live findings walkthrough at a time that suits your platform, security, and engineering leads. Enterprise estates with 100+ workloads, multiple lenses, and complex regulatory drivers can take a little longer; we confirm the timeline as soon as we see the scope.