Continuous Improvement for Existing Solutions
You cannot improve what you cannot measure
Assuming you know the AWS services that already run a workload, by the end of this domain you will be able to improve one in production through a measure-find-act loop (measure, let AWS's engines find the waste and risk, act with automated remediation, re-measure) and the four principles below are that loop's stages. Every later stage depends on the signal, so establish it first: Amazon CloudWatch metrics, alarms, and dashboards for the "what", AWS X-Ray traces and service maps for the "where" when latency crosses service boundaries, and Amazon RDS Performance Insights for the database tier. Only with that baseline can you tell over-provisioning from genuine demand, or a bad release from a capacity ceiling: improving a running system without measurement is guessing.
Let AWS’s recommendation engines find the opportunities
On an existing fleet you should not hunt for waste and risk by hand; AWS ships purpose-built engines that mine your own telemetry. AWS Compute Optimizer rightsizes EC2, Auto Scaling groups, EBS, Lambda, ECS-on-Fargate, and Aurora/RDS from 14 days of CloudWatch history (93 days with enhanced metrics); AWS Cost Explorer surfaces rightsizing and spend trends over up to 13 months; AWS Trusted Advisor spans cost, performance, security, fault tolerance, service limits, and operational excellence; Amazon DevOps Guru applies ML to flag anomalies with no static thresholds; AWS Security Hub aggregates security findings against FSBP/CIS; and AWS Resilience Hub scores an application against its RTO/RPO targets. Note the Trusted Advisor full check set and API require a Business, Enterprise, or Unified Operations support plan: Basic/Developer get only the Service Limits checks plus selected Security and Fault Tolerance checks.
Close the loop with automated remediation, not manual toil
A recommendation you act on once is a fix; one you act on automatically is an improvement. Turn findings into self-healing: AWS Config rules evaluate resource compliance and attach an SSM Automation document (managed or custom) to remediate non-compliant resources manually or automatically; AWS Systems Manager Automation runbooks execute the multi-step remediation or maintenance workflow; and Amazon EventBridge routes the triggering event (a finding, a state change, a schedule) to that runbook so the loop runs without a human. The same pattern applies to cost and reliability: schedule a quota-headroom alarm via Service Quotas + CloudWatch and re-converge drift instead of paging an engineer at 3 a.m.
Make Well-Architected reviews the cadence that re-runs the loop
The five subtopics here map one-to-one onto the AWS Well-Architected Framework pillars: operational excellence, security, reliability, performance efficiency, and cost optimization (sustainability is the sixth pillar). A periodic AWS Well-Architected Tool review re-runs the measure-find-act loop on a cadence: it surfaces high-risk issues (HRIs) and tracks their remediation as milestones over time, so improvement is a repeatable point-in-time review rather than a one-off. Validate reliability claims empirically with AWS Fault Injection Service experiments and AWS Backup restore testing (proving the restore meets RTO), and convert the cleaned-up steady-state baseline into commitment discounts via Savings Plans or a move to Graviton (up to 20% lower cost and up to 60% less energy): improving a running system means re-architecting in place, not redesigning from scratch.
The five improvement pillars and their primary AWS engines (SAP-C02)
| Pillar (subtopic) | Question it answers | Primary AWS discovery engine(s) | Closing-the-loop / remediation tool |
|---|---|---|---|
| Operational excellence (improve-operational-excellence) | Can I see, respond to, and predict operational issues? | CloudWatch, X-Ray, DevOps Guru, Well-Architected Tool | EventBridge → SSM Automation runbook; Config remediation |
| Security (improve-security) | Where are my misconfigurations and exposed findings? | Security Hub, GuardDuty, IAM Access Analyzer, Trusted Advisor (Security) | Config rules + SSM Automation; Firewall Manager org-wide policy |
| Performance (improve-performance) | Where is the bottleneck and is anything under-provisioned? | Compute Optimizer, Performance Insights, CloudWatch, X-Ray | Rightsize / change instance family; DynamoDB auto scaling or on-demand |
| Reliability (improve-reliability) | Does the workload meet its RTO/RPO and survive failures? | Resilience Hub, AWS Health, Trusted Advisor (Fault tolerance) | FIS experiments; AWS Backup restore testing; ARC routing controls |
| Cost (improve-cost) | Where is the waste and where can I commit on the baseline? | Cost Explorer, Compute Optimizer, Trusted Advisor (Cost), Cost Anomaly Detection | Rightsize/schedule first, then Savings Plans / Graviton on steady-state |