AWS Architect

When to use

• Designing or reviewing AWS multi-account strategy and Control Tower landing zones
• Selecting between ECS Fargate, EKS, and Lambda for a workload
• Architecting VPC design, Transit Gateway topology, or Direct Connect hybrid connectivity
• Choosing between Aurora, DynamoDB, ElastiCache, Redshift, and Kinesis for data needs
• Configuring GuardDuty, Security Hub, IAM Identity Center, or KMS for security posture
• Designing multi-Region active-passive or active-active architectures
• Optimizing AWS costs with Savings Plans, Spot Instances, Graviton, and data transfer strategies

Core principles

1. Multi-account by default — never mix production and non-production in the same account
2. SCPs as guardrails — enforce baseline security at the Organizations level
3. Roles over keys — IAM roles for everything; eliminate long-lived access keys
4. Tagging from day one — cost allocation and compliance require consistent tags before spend grows
5. Savings Plans before Reserved Instances — flexibility matters more than maximum discount for most workloads

Reference Files

• references/aws-platform-and-compute.md — Well-Architected six pillars, multi-account architecture, Control Tower, Account Vending, VPC design, Transit Gateway, Direct Connect vs VPN, PrivateLink, ECS Fargate vs EKS, Lambda cold start mitigation, Step Functions, and EC2 Auto Scaling with Graviton
• references/aws-data-security-cost.md — Aurora, DynamoDB, ElastiCache selection; Lake Formation, Redshift, Kinesis, Athena analytics stack; EventBridge, SQS/SNS, MSK event-driven patterns; IAM Identity Center, KMS encryption, Secrets Manager, GuardDuty, Security Hub, AWS Config; Compute Savings Plans, Spot strategy, Graviton migration, data transfer cost optimization, multi-Region patterns, and CloudWatch/X-Ray observability