An AWS architecture assessment is easy to sell and hard to verify — which is why so many of them end as slide decks. A maturity spider chart, a page of "strategic opportunities," a proposal for phase two. Nothing you can hand to an engineer. Nothing you can check.
Here is what the deliverable should contain instead, section by section. We published a full sample report so you can inspect every part in a real document. It was produced against a demonstration environment — the company in it is fictional, and page one says so — but the structure, scoring, and depth are exactly what a paid review produces.
An executive summary written for the budget owner
The person who approves the invoice will read one page. That page has to answer three questions in plain English: what shape is the environment in, where does risk concentrate, and what should happen this quarter.
In the sample, the answers are specific. The environment is sound at its core. Risk concentrates in three places — blast radius, untested recovery, untended spend. The recommendation is seven "Now" items: two to three engineer-weeks of work, none requiring downtime, concentrated on the highest-scoring findings; the structural work they set up — account separation above all — is sequenced in the weeks immediately after. Dollar figures appear where they exist — about $11,300 a month of the fictional company's bill traces to idle, oversized, or legacy-generation resources with no workload justification.
Test any assessment's summary the same way: if it could describe any company, it was not written about yours.
Findings scored impact × likelihood, across six pillars
The core of the report is a findings register covering all six Well-Architected pillars — Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. Each finding has four parts:
- Observation. What is true right now, with the evidence source named. "Nine IAM users hold long-lived access keys; three unused for 90+ days; one belongs to a departed contractor" is checkable in the console in five minutes. "IAM hygiene needs improvement" is not.
- Risk. What actually goes wrong, scored Impact (1–5) × Likelihood (1–5). The score is a triage tool, not a grade — it forces the reviewer to commit. A 20 means this quarter. A 6 means noted.
- Recommendation. The mechanism, not the aspiration: an organization-wide CloudTrail to a locked S3 bucket; short-lived credentials — IAM Identity Center for humans, OIDC federation for CI; an AWS Config rule to catch recurrence.
- Effort. S (a day or less), M (a week or less), L (multi-week) — so remediation can be ranked by risk closed per engineer-week.
Scoring matters because a flat list of findings is homework. A scored list is a plan.
Evidence, not impressions
Every observation should trace to a source your own team could pull: CloudTrail, AWS Config, the Cost and Usage Report, Trusted Advisor, VPC flow logs, plus interviews with the engineers who run the platform. The review runs entirely on read-only access — ReadOnlyAccess plus billing read, nothing more. An assessment does not need write access to your environment; be wary of one that asks for it.
The register ships as a CSV with resource IDs. A claimed $6,100 a month of idle capacity is not an estimate to take on faith — it is a list your team can verify line by line, then delete.
A Now/Next/Later roadmap with dependencies
Findings that are not sequenced die in the backlog. The roadmap sorts every remediation into three phases:
- Now (weeks 1–3): small-effort items that close the most risk — deleting dormant credentials, closing 0.0.0.0/0 rules on management ports, running the first timed database restore drill.
- Next (weeks 4–8): structural work — account separation under AWS Organizations, moving Terraform applies into a pipeline with a plan-approval gate.
- Later (next quarter): optimizations — instance-family upgrades, caching the hottest read path.
Dependencies are stated in writing. Commit to Savings Plans after right-sizing lands, not before, or you lock in the waste at a discount. An interim IAM fix is marked superseded if the structural fix ships this quarter. Sequencing is where most assessments quietly stop being useful — insist on it.
The 90-day recheck
A report is a snapshot, and it starts aging the day it lands. The engagement should include a scheduled re-check against the same register: what closed, what moved, what new risk appeared since. Two details worth confirming before you sign: the register belongs to your team and lives in your backlog tooling, and the reviewer's access ends when the review ends — nothing about the follow-up requires access to be retained in the interim.
What a paid engagement adds
The sample shows the structure and depth. A paid engagement's report adds an evidence appendix and a SOC 2 / security-questionnaire mapping worksheet, because a common trigger for an assessment is an enterprise customer's security review — and the deliverable should produce those answers, not gesture at them.
Use the sample as your checklist
None of this requires trust. Download the sample and hold any proposal — including ours — against four questions. Does the executive summary name dollars and a this-quarter plan? Is every finding scored and traceable to evidence? Is the roadmap sequenced, with dependencies? Is there a recheck? Our version is fixed-price from $8,500, runs over a four-week window, and stays read-only throughout.
Download the sample Well-Architected report (PDF), then see the full scope and pricing at /well-architected-review/.