

# Workloads

A workload is a collection of resources and code that delivers business value, such as a customer-facing application or a backend process.

A workload might consist of a subset of resources in a single AWS account or be a collection of multiple resources spanning multiple AWS accounts. A small business might have only a few workloads while a large enterprise might have thousands.

The **Workloads** page, available from the left navigation, provides information about your workloads and any workloads that have been shared with you.

The following information is displayed for each workload:

**Name**  
The name of the workload.

**Owner**  
The AWS account ID that owns the workload.

**Questions answered**  
The number of questions answered.

**High risks**  
The number of high risk issues (HRIs) identified.

**Medium risks**  
The number of medium risk issues (MRIs) identified.

**Improvement status**  
The improvement status that you have set for the workload:  
+ None
+ Not Started
+ In Progress
+ Complete
+ Risk Acknowledged

**Last updated**  
Date and time that the workload was last updated.

After you choose a workload from the list:
+ To review the details of the workload, choose **View details**. 
+ To change the properties of the workload, choose **Edit**.
+ To manage sharing of the workload with other AWS accounts, users, AWS Organizations, or organization units (OUs), choose **View details** and then **Shares**.
+ To delete the workload and all of its milestones, choose **Delete**. Only the owner of the workload can delete it.

**Warning**  
Deleting a workload cannot be undone. All data associated with the workload is deleted.

## High Risk Issues (HRIs) and Medium Risk Issues (MRIs)
**Content update**  
Definitions for high risk issues (HRIs) and medium risk issues (MRIs) added.

**High risk issues (HRIs)** identified in the AWS Well-Architected Tool are architectural and operational choices that AWS has found might result in significant negative impact to a business. These HRIs might affect organizational operations, assets, and individuals. **Medium risk issues (MRIs)** also might negatively impact business, but to a lesser extent. These issues are based on your responses in the AWS Well-Architected Tool. The corresponding best practices are widely applied by AWS and AWS customers. These best practices are the guidance defined by the AWS Well-Architected Framework and lenses.

**Note**  
These are guidelines only and customers should evaluate and measure what impact not implementing the best practice would have on their business. If there are specific technical or business reasons that prevent applying a best practice to the workload, then the risk might be lower than indicated. AWS suggests that customers document these reasons, and how they affect the best practice, in the workload notes. For all identified HRIs and MRIs, AWS suggests customers implement the best practice as defined in the AWS Well-Architected Tool. If the best practice is implemented, indicate that the issue has been resolved by marking the best practice as met in the AWS Well-Architected Tool. If customers choose not to implement the best practice, AWS suggests that they document the applicable business level approval and reasons for not implementing it. 

# Define a workload in AWS Well-Architected Tool

There are two ways to define a workload. On the **Workloads** page in AWS WA Tool you can define a workload without a template. Or, on the **Review templates** page, you can use an existing review template or create a new template to define a workload.

**To define a workload from the Workloads page**

1. Select **Workloads** in the left navigation pane.

1. Select the **Define workload** dropdown.

1. Choose **Define workload**. Or, if you have created a review template and want to define a workload from it, choose **Define from review template**.

1. Follow the instructions in [Defining a workload in AWS WA Tool](define-workload.md) to specify the workload properties, or (optionally) apply profiles and lenses.

**To define a workload from the Review templates page**

1. Select **Review templates** in the left navigation pane.

1. Select the name of an existing review template, or follow the instructions in [Creating a review template in AWS WA Tool](creating-a-review-template.md) to create a new review template.

1. Choose **Define workload from template**.

1. Follow the instructions in [Defining a workload from a template in AWS WA Tool](define-workload-from-template.md) to create the workload from your review template.

# View a workload in AWS Well-Architected Tool

You can view the details of workloads that you own and workloads that have been shared with you.

**To view a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select the workload to view in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

The workload details page is displayed.

**Note**  
A required field, **Review owner**, was added to allow you to easily identify the primary person or group that is responsible for the review process.  
The first time you view a workload that was defined before this field was added, you are notified of this change. Choose **Edit** to set the **Review owner** field and no further action is required.  
Choose **Acknowledge** to defer setting the **Review owner** field. For the next 60 days, a banner is displayed to remind you that the field is blank. To remove the banner, edit your workload and specify a **Review owner**.  
If you do not set the field by the specified date, your access to the workload is restricted. You can continue to view the workload and delete it, but you cannot edit it, except to set the **Review owner** field. Shared access to the workload is not affected while your access is limited.

# Edit a workload in AWS Well-Architected Tool

You can edit the details of a workload that you own.

**To edit a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select the workload that you want to edit and choose **Edit**.

1. Make your changes to the workload.

   For a description of each of the fields, see [Defining a workload in AWS WA Tool](define-workload.md).

   **Note**  
   When updating an existing workload, you can **Activate Trusted Advisor**, which automatically creates the IAM role for the workload owner. The owners of associated accounts for workloads with Trusted Advisor activated need to create a role in IAM. For details, see [Activating Trusted Advisor for a workload in IAM](activate-ta-in-iam.md).

1. Choose **Save** to save your changes to the workload.

   If a required field is blank or if a specified value is not valid, you must correct the issue before your updates to the workload are saved.

# Share a workload in AWS Well-Architected Tool

You can share a workload that you own with other AWS accounts, users, an organization, and organization units (OUs) in the same AWS Region.

**Note**  
You can only share workloads within the same AWS Region.   
When sharing a workload with another AWS account, if the recipient does not have the `wellarchitected:UpdateShareInvitation` permission, they cannot accept the share invitation. See [Providing users, groups, or roles access to AWS WA Tool](iam-auth-access.md) for permission policy examples. 

**To share a workload with other AWS accounts and users**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select a workload that you own in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**. Then choose **Create** and **Create shares to users or accounts** to create a workload invitation.

1. Enter the 12-digit AWS account ID or the ARN of the user that you want to share the workload with.

1. Choose the permission that you want to grant.  
**Read-Only**  
Provides read-only access to the workload.  
**Contributor**  
Provides update access to answers and their notes, and read-only access to the rest of the workload.

1. Choose **Create** to send a workload invitation to the specified AWS account or user.

If the workload invitation is not accepted within seven days, the invitation expires automatically.

If a user and the user's AWS account both have workload invitations, the workload invitation with the highest level permission is applied to the user. 

**Important**  
Before sharing a workload with an organization or organization units (OUs), you must [enable AWS Organizations access](sharing.md#getting-started-sharing-orgs).

**To share a workload with your organization or OUs**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select a workload that you own in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**. Then choose **Create** and **Create shares to Organizations**.

1. On the **Create workload share** page, choose whether to grant permissions to the entire organization, or to one or more OUs.

1. Choose the permission that you want to grant.  
**Read-Only**  
Provides read-only access to the workload.  
**Contributor**  
Provides update access to answers and their notes, and read-only access to the rest of the workload.

1. Choose **Create** to share the workload.

To see who has shared access to a workload, choose **Shares** from the [View workload details in AWS Well-Architected Tool](workload-details.md) page.

To prevent an entity from sharing workloads, attach a policy that denies `wellarchitected:CreateWorkloadShare` actions.

You can also share custom lenses that you own with other AWS accounts, users, your organization, and OUs in the same AWS Region. For details, refer to [Sharing a custom lens in AWS WA Tool](lenses-sharing.md).

# Considerations when sharing AWS Well-Architected Tool workloads

A workload can be shared with up to 20 different AWS accounts and users. A workload can only be shared with accounts and users that are in the same AWS Region as the workload.

To share a workload in a Region introduced after March 20, 2019, both you and the shared AWS account must enable the Region in the AWS Management Console. For more information, refer to [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

You can share a workload with an AWS account, individual users in an account, or both. When you share a workload with an AWS account, all users in that account are given access to the workload. If only specific users in an account require access, follow the best practice of granting least privilege and share the workload individually with those users.

If both an AWS account and a user in the account have workload invitations, the workload invitation with the highest level permissions determines the user's permission to the workload. If you delete the workload invitation for the user, the user's access is determined by the workload invitation for the AWS account. Delete both workload invitations to remove the user's access to the workload.
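The resolution rule above can be checked against an exported list of shares. The following is an added example, not code from AWS or the AWS WA Tool: the `Share` record, the function names, and the sample account IDs and user ARNs are constructed for illustration, and it assumes that only an accepted invitation grants access while a pending one can still be accepted.

```python
"""Resolve effective workload access from share records (added example)."""
from dataclasses import dataclass

# Permission labels as shown on the Shares tab, ranked lowest to highest.
RANK = {"Read-Only": 1, "Contributor": 2}
# Assumption: Pending invitations can still be accepted, so they count as live.
LIVE = ("Pending", "Accepted")


@dataclass(frozen=True)
class Share:
    principal: str   # 12-digit AWS account ID or user ARN
    permission: str  # "Read-Only" or "Contributor"
    status: str      # "Pending", "Accepted", "Rejected", or "Expired"


def account_of(principal):
    """Return the account ID for either an account ID or a user ARN."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def effective_permission(shares, user_arn):
    """Highest permission among accepted shares for the user or the user's account."""
    scope = (user_arn, account_of(user_arn))
    granted = [s.permission for s in shares
               if s.status == "Accepted" and s.principal in scope]
    return max(granted, key=RANK.__getitem__, default=None)


def shares_to_delete(shares, user_arn):
    """Every live invitation that must be deleted to remove the user's access."""
    scope = (user_arn, account_of(user_arn))
    return [s for s in shares if s.status in LIVE and s.principal in scope]


def audit(shares):
    """Flag account-wide shares and user shares shadowed by an account share."""
    findings = []
    live = [s for s in shares if s.status in LIVE]
    by_account = {s.principal: s for s in live if not s.principal.startswith("arn:")}
    for s in live:
        if not s.principal.startswith("arn:"):
            findings.append(f"account-wide: {s.principal} ({s.permission}) "
                            "reaches every user in the account")
            continue
        parent = by_account.get(account_of(s.principal))
        if parent and RANK[parent.permission] >= RANK[s.permission]:
            findings.append(f"shadowed: {s.principal} ({s.permission}) is covered "
                            f"by the account share ({parent.permission})")
    return findings


# Constructed sample data; these accounts and users do not exist.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::444455556666:user/bob"
SAMPLE = [
    Share("111122223333", "Contributor", "Accepted"),
    Share(ALICE, "Read-Only", "Accepted"),
    Share(BOB, "Contributor", "Pending"),
    Share("444455556666", "Read-Only", "Expired"),
]

if __name__ == "__main__":
    print("alice:", effective_permission(SAMPLE, ALICE))
    print("bob:", effective_permission(SAMPLE, BOB))
    for line in audit(SAMPLE):
        print(line)
```

In the sample, the user's own Read-Only invitation does not limit access, because the account-level Contributor invitation is the higher permission, and deleting only the user invitation leaves that access in place.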

Before sharing a workload with an organization or one or more organization units (OUs), you must enable AWS Organizations access.

If you share a workload with both an organization and one or more OUs, the workload invitation with the highest level permissions determines the account's permission to the workload.

**To enable AWS Organizations sharing**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Settings**.

1. Choose **Enable AWS Organizations support**.

1. Choose **Save settings**.

# Delete shared access in AWS Well-Architected Tool

You can delete a workload invitation. Deleting a workload invitation removes shared access to the workload.

**To delete shared access to a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select the workload in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**.

1. Select the workload invitation to delete and choose **Delete**.

1. Choose **Delete** to confirm.

If a user and the user's AWS account have workload invitations, you must delete both workload invitations to remove the user's permission to the workload.

# Modify shared access in AWS Well-Architected Tool

You can modify a pending or accepted workload invitation.

**To modify shared access to a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select a workload that you own in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**.

1. Select the workload invitation to modify and choose **Edit**.

1. Choose the new permission that you want to grant to the AWS account or user.  
**Read-Only**  
Provides read-only access to the workload.  
**Contributor**  
Provides update access to answers and their notes, and read-only access to the rest of the workload.

1. Choose **Save**.

If the modified workload invitation is not accepted within seven days, it expires automatically.

# Accept and reject workload invitations in AWS Well-Architected Tool

A workload invitation is a request to share a workload that is owned by another AWS account. If you accept the workload invitation, the workload is added to your **Workloads** and **Dashboard** pages. If you reject the workload invitation, it's removed from the workload invitation list.

You have seven days to accept a workload invitation. If you do not accept the invitation within seven days, it expires automatically.

**Note**  
Workloads can only be shared within the same AWS Region.

**To accept or reject a workload invitation**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workload invitations**.

1. Select the workload invitation to accept or reject.
   + To accept the workload invitation, choose **Accept**.

     The workload is added to the **Workloads** and **Dashboard** pages.
   + To reject the workload invitation, choose **Reject**.

     The workload invitation is removed from the list.

To reject shared access after a workload invitation has been accepted, choose **Reject share** from the [View workload details in AWS Well-Architected Tool](workload-details.md) page for the workload.

# Delete a workload in AWS Well-Architected Tool

You can delete a workload when it's no longer needed. Deleting a workload removes all data associated with the workload including any milestones and workload share invitations. Only the owner of a workload can delete it.

**Warning**  
Deleting a workload cannot be undone. All data associated with the workload is permanently removed.

**To delete a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select the workload you want to delete and choose **Delete**.

1. In the **Delete** window, choose **Delete** to confirm the deletion of the workload and its milestones.

To prevent an entity from deleting workloads, attach a policy that denies `wellarchitected:DeleteWorkload` actions.

# Generate a workload report in AWS Well-Architected Tool

You can generate a workload report for a lens. The report contains your responses to the workload questions, your notes, and the current number of high and medium risks identified. If a question has one or more risks identified, the improvement plan for that question lists actions to take to mitigate those risks.

If your workload has an associated profile, the profile overview information and the prioritized risks are displayed on the workload report.

A report enables you to share details about your workload with others who do not have access to AWS Well-Architected Tool. 

**To generate a workload report**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select the desired workload and choose **View details**.

1. Select the lens you want to generate a report for and choose **Generate report**.

   The report is generated and you can download or view it.

# View workload details in AWS Well-Architected Tool

The workload details page provides information about your workload including its milestones, improvement plan, and any workload shares. Use the tabs at the top of the page to navigate to the different detail sections.

To delete the workload, choose **Delete workload**. Only the owner of a workload can delete it.

To remove your access to a shared workload, choose **Reject share**.

**Topics**
+ [The AWS Well-Architected Tool Overview tab](details-review.md)
+ [The AWS Well-Architected Tool Milestones tab](details-milestones.md)
+ [The AWS Well-Architected Tool Properties tab](details-properties.md)
+ [The AWS Well-Architected Tool Shares tab](details-permissions.md)

# The AWS Well-Architected Tool Overview tab

When you initially view a workload, the **Overview** tab is the first information displayed. This tab provides the overall state of your workload followed by the state of each lens. 

If you have not completed all of the questions, a banner appears to remind you to start or continue documenting your workload.

The **Workload overview** section shows the current overall state of the workload and any **Workload notes** that you have entered. Choose **Edit** to update the state or notes.

To capture the current state of the workload, choose **Save milestone**. Milestones are immutable and cannot be changed after they are saved.

To continue documenting the state of the workload, choose **Start reviewing** and select the desired lens.

# The AWS Well-Architected Tool Milestones tab

To display the milestones for your workload, choose the **Milestones** tab.

After you select a milestone, choose **Generate report** to create the workload report associated with the milestone. The report contains the responses to the workload questions, your notes, and the number of high and medium risks in the workload at the time that the milestone was saved.

You can view details about the state of your workload at the time of a specific milestone by either:
+ Choosing the name of the milestone.
+ Selecting the milestone and choosing **View milestone**.

# The AWS Well-Architected Tool Properties tab

To display the properties of your workload, choose the **Properties** tab. Initially, these properties are the values that were specified when the workload was defined. Choose **Edit** to make changes. Only the owner of the workload can make changes.

For descriptions of the properties, see [Defining a workload in AWS WA Tool](define-workload.md).

# The AWS Well-Architected Tool Shares tab

To display or modify your workload invitations, choose the **Shares** tab. This tab is only displayed for the owner of a workload.

The following information is displayed for each AWS account and user that has shared access to the workload:

**Principal**  
The AWS account ID or user ARN with shared access to the workload.

**Status**  
The status of the workload invitation.  
+ Pending

  The invitation is waiting to be accepted or rejected. If a workload invitation is not accepted within seven days, it expires automatically.
+ Accepted

  The invitation was accepted.
+ Rejected

  The invitation was rejected.
+ Expired

  The invitation was not accepted or rejected within seven days.

**Permission**  
The permission granted to the AWS account or user.  
+ Read-Only

  The principal has read-only access to the workload.
+ Contributor

  The principal can update answers and their notes, and has read-only access to the rest of the workload.

**Permission details**  
Detailed description of the permission.

To share the workload with another AWS account or user in the same AWS Region, choose **Create**. A workload can be shared with up to 20 different AWS accounts and users.

To delete a workload invitation, select the invitation and choose **Delete**.

To modify a workload invitation, select the invitation and choose **Edit**.