Many people have seen the Well-Architected Framework once for the SAA exam, but viewed through Professional DevOps eyes it becomes an entirely different tool. Today's topic is how to use the 6 Pillars not as "items to memorize" but as "a thinking framework that instantly classifies any scenario."
The reason DOP-C02 scenario questions are hard is that 2-3 of the answer options all technically work. To find "the most suitable one" among them, you must first pin down which Pillar the scenario is asking about. This classification ability is precisely the passing threshold.
In 2012, AWS solutions architects began compiling "the same questions customers keep asking." Giving a different answer every time to "how should we design this well?" was inefficient, so they consolidated it into an internal best-practice document. It was published externally in 2015, the 5 Pillars were established in 2016, and Sustainability was added in 2021, completing the 6 Pillars. This evolution itself reflects shifting priorities in cloud design — at first only stability and performance mattered, Cost Optimization was strengthened as cost pressure arrived, and Sustainability entered with the ESG era.
What makes the W-AF special from a DevOps perspective is that DevOps Guidance was published separately as one of the W-AF's lenses (2023). In other words, AWS views "DevOps as a cross-cutting concern spanning every Pillar of the W-AF." It is not a matter of Operational Excellence alone.
💡 Related theory: The W-AF is close to a cloud version of ISO 9126 (the software quality model). ISO 9126 classified software quality along 6 axes — functionality, reliability, usability, efficiency, maintainability, portability — and the W-AF is its cloud version. It also interlocks with ITIL v4's "Service Value System" — ITIL's Continual Improvement principle is reflected in the W-AF's review cycle.
"Run and monitor systems to deliver business value, and continually improve processes and procedures." This is almost identical to the definition of DevOps itself.
Click a choice to reveal the answer and explanation.
Question 1
A company demands "guarantee user response times of 50ms or less, while simultaneously minimizing cost." Which is the most accurate analysis of the W-AF Pillar trade-off in this scenario?
Question 2
Which is the most accurate difference between Trusted Advisor and AWS Config Rules?
Question 3
Which of the W-AF's 6 Pillars explicitly lists "Make frequent, small, reversible changes" as a design principle?
Question 4
A company ran the W-AF Tool on its environment and got 5 HIGH risks and 12 MEDIUM risks. What is the most appropriate order of prioritization?
Question 5
Which is the most accurate description of the significance of the DevOps Guidance lens being added to the W-AF in 2023?
Question 6
A company operates a service for EU users where both GDPR compliance and response-time reduction matter. Which is the most suitable design?
Question 7
Which AWS tool combination best fits the Cost Optimization Pillar's "Adopt a consumption model" principle?
Key design principles:
AWS tool mapping:
🔍 Going deeper: "Operations as code" is not just IaC. It includes Runbook as code as well. An SSM Automation Document is defined in YAML/JSON and lives in git, so procedures a human would click through in the console are expressed as code. As a result, when the same incident recurs, the identical recovery procedure runs automatically. This is the decisive mechanism behind "MTTR from 1 hour → 5 minutes."
Traditional security was "the security team inspects after deployment," but DevSecOps is "shift left" — pull security to the left of the pipeline (the development stage). SAST (static analysis) becomes a phase in CodeBuild, DAST (dynamic analysis) runs automatically in the staging environment, and container image scanning (ECR Scan, Inspector) runs at build time.
AWS tool mapping:
📚 Case study: The 2019 Capital One incident (data breach affecting 106 million customers) shows what happens when security's shift left is absent. A WAF with an SSRF vulnerability + IMDSv1 + overly broad IAM permissions combined to cause the incident — and every one of these elements could have been automatically detected in the CI/CD stage. AWS released IMDSv2 right after this incident and added automatic IMDSv1 detection rules to Inspector v2 (2021).
💡 Related theory: The 5 functions of the NIST CSF (Cybersecurity Framework) — Identify, Protect, Detect, Respond, Recover — map almost 1:1 to the best practices of the W-AF Security Pillar. DOP-C02 doesn't ask about NIST terminology directly, but classifications like "Detective control vs Preventive control" appear frequently.
"Workload performs its intended function correctly and consistently when expected." The core is twofold — prevent failures from happening (prevention) and recover automatically even when they do (self-healing).
Key design principles:
AWS tool mapping:
🔍 Going deeper: AWS's Reliability philosophy is evolving toward "cell-based architecture." A region is divided into multiple independent cells, and a failure in one cell is isolated so it doesn't propagate to others. AWS has been applying this gradually internally since the 2017 S3 us-east-1 outage. It doesn't appear directly on the exam, but the same concept shows up under the keyword "minimizing blast radius."
"Use computing resources efficiently to meet system requirements." The core is not simply "fast" but "only as much as needed, efficiently."
Key design principles:
What matters from a DevOps perspective is "experimentation infrastructure." Define A/B tests as code with AWS Evidently, do gradual rollouts with AppConfig, and measure real-user performance with CloudWatch RUM.
💡 Related theory: "Mechanical sympathy" is a term coined by Martin Thompson in 2011, meaning "understand hardware characteristics and write code that fits them." On AWS, choosing an instance family per workload (C5: compute-intensive, R5: memory, M5: balanced, X1: in-memory DB) is exactly this concept. With the arrival of Graviton (ARM), the price-performance trade-off re-emerged.
"Run systems to deliver business value at the lowest price point." The part directly connected to DevOps is "automated cost governance."
Key design principles:
AWS tool mapping:
🎯 Scenario: If a company presents a scenario like "an analytics workload used only at night," the answer lies on the Cost Optimization side. The pattern: ① switch EC2 → Spot instances ② turn it on only at night with Scheduled Scaling ③ move cold data S3 → IA/Glacier ④ eliminate idle cost with Lambda or Fargate.
Minimizing carbon footprint. From a DevOps perspective:
AWS has committed to 100% renewable energy by 2025 and net-zero carbon by 2040. Its direct weight on the exam is low, but options like "which region is the most eco-friendly" occasionally appear.
The truly hard part of the W-AF is that the 6 Pillars conflict with each other. Strengthening one weakens another.
| Conflict | Description | Example |
|---|---|---|
| Reliability ↔ Cost | Multi-AZ/Region increases stability but costs 2-3x | RDS Multi-AZ vs Single-AZ |
| Security ↔ Operational Excellence | Strong security makes automation harder | Cross-account automated deployment vs IAM separation |
| Performance ↔ Cost | High-performance instances are expensive | C5n vs C5 |
| Reliability ↔ Performance | Synchronous replication increases stability but also latency | RDS Multi-AZ sync replication |
| Sustainability ↔ Performance | Eco-friendly regions can be far from users | Stockholm region vs users in Seoul |
This trade-off is the essence of exam scenarios. For example, when "RTO of 5 minutes AND cost minimization" are demanded simultaneously, the Pilot Light DR pattern (minimal resources normally, rapid expansion during an incident) is the correct answer. Take either one to the extreme and you ruin both.
⚠️ Pitfall: If an option on the exam claims to be "a solution that satisfies all Pillars simultaneously," it's almost always a trap. No such thing exists in reality. Identify the priority stated in the scenario (e.g., "stability over cost") and pick the answer that matches that priority.
In 2023, AWS published DevOps Guidance as one of the W-AF's lenses. It is not a new addition to the 6 Pillars, but guidance added from a DevOps perspective across all 6 Pillars.
The 4 areas of DevOps Guidance:
The significance of this lens's appearance is large — AWS has officially acknowledged that "DevOps is a cross-cutting concern important enough to need its own lens within the W-AF." The DOP-C02 exam doesn't ask about this lens's content directly, but it underlies the background thinking of its scenarios.
📚 Case study: When a global fintech ran a self-assessment with the DevOps Guidance lens, its lowest score came in the "Organizational Adoption" area. All the tools were there (CodePipeline, X-Ray, GuardDuty), but team responsibilities weren't clear, so every incident wasted time on "whose turn is it to answer." The solution: unify SLO + Error Budget + Incident Manager runbooks. Six months later, MTTR dropped from 4 hours → 30 minutes.
The tool that automatically diagnoses the 6 Pillars from the console is Trusted Advisor. Its 250+ checks are classified into 5 categories (Cost, Performance, Security, Fault Tolerance, Service Limits).
| Category | W-AF Pillar mapping | Example checks |
|---|---|---|
| Cost Optimization | Cost Optimization | Unused EIPs, low-utilization EC2 |
| Performance | Performance Efficiency | High-CPU instances, EBS utilization |
| Security | Security | Root without MFA, 0.0.0.0/0 SGs |
| Fault Tolerance | Reliability | Single-AZ RDS, missing ASG |
| Service Limits | Reliability + Cost | Approaching API rate limits |
The full set of checks is enabled on Business/Enterprise Support plans; the Developer plan provides only the basic 7. Through EventBridge integration, check results can be wired into automation workflows (e.g., on discovering a 0.0.0.0/0 SG, send a Slack alert + auto-fix via Lambda).
🔍 Going deeper: AWS Trusted Advisor and AWS Config Rules look similar but differ. Trusted Advisor checks 250+ best practices defined by AWS; Config Rules check arbitrary rules defined by the customer. On the exam, if the keyword is "AWS-managed best practice check," it's Trusted Advisor; if it's "custom compliance rule," it's Config.
The AWS Well-Architected Tool in the console lets you register a workload, answer the 6 Pillars' questions, and get a risk score. It's also available via CLI:
# Create a workload
aws wellarchitected create-workload \
--workload-name "prod-payment-api" \
--description "Payment processing API" \
--environment PRODUCTION \
--aws-regions ap-northeast-2 us-east-1 \
--lenses wellarchitected serverless devops
# Proceed with the review
aws wellarchitected list-answers \
--workload-id $WORKLOAD_ID \
--lens-alias wellarchitected
# Automation: extract the improvement plan
aws wellarchitected get-workload --workload-id $WORKLOAD_ID \
| jq '.Workload.RiskCounts'
# Example output: {"UNANSWERED": 0, "HIGH": 3, "MEDIUM": 7, "NONE": 21, "NOT_APPLICABLE": 5}Here the 3 HIGH risks are the priority. Clicking each HIGH in the AWS Console shows a concrete improvement plan (e.g., "Enable Multi-AZ for RDS").
When you receive a scenario in the exam room, classify it like this:
Once these 4 steps become familiar, scenario questions become a simple pattern-recognition task.
In the next article, we lay out the full map of AWS's DevOps tools — the Code* series, CDK, SSM, CloudWatch, X-Ray, and more — at a glance, to get a feel for which tool is used where.