Documentation Index
Fetch the complete documentation index at: https://mintlify.com/aws-samples/sample-well-architected-skills-and-steering/llms.txt
Use this file to discover all available pages before exploring further.
The wa-guardrails skill teaches your AI coding agent to generate ready-to-commit preventive and detective controls that keep a workload Well-Architected over time. Where assessment skills find gaps and remediation fixes them once, guardrails codify best practices so that non-compliant configurations are blocked or flagged automatically: in CI/CD pipelines, at deploy time, and continuously across the account.
What it does
CI/CD Policy Checks
CDK Aspects that fail cdk synth, cfn-guard rules for CloudFormation, and OPA/Sentinel policies for Terraform, catching misconfigurations before they ever deploy. Strongest and cheapest enforcement point.
AWS Config Rules
Managed and custom Config rules for continuous compliance checking of live resources — detecting drift, unencrypted buckets, disabled backups, and missing Multi-AZ configurations.
Service Control Policies
SCPs that prevent non-compliant resource creation org-wide — blocking public S3 bucket creation, disabling of CloudTrail, or unencrypted RDS instance launches regardless of who deploys.
CloudWatch Alarms
Individual and composite alarms for operational guardrails — DLQ depth, error rates, latency thresholds, and cost anomalies — each tied to the WA Best Practice ID it enforces.
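As an added example (not code from the wa-guardrails project), the following Service Control Policy encodes the hard-line denies described above (disabling CloudTrail, launching an unencrypted RDS instance, creating an IAM user with console access) together with a deliberately simplified evaluator so the deny logic can be exercised offline. The action names and condition keys are real AWS identifiers; the statement layout, the `Sid` values and the `scp_denies` helper are this example's own. The evaluator understands only what this policy uses (explicit `Deny`, `Action` globs, the `Bool` and `Null` operators); it is not the IAM policy engine, and a real SCP should be checked with the IAM policy simulator before it is attached.

```python
"""Org-wide SCP guardrail plus a toy evaluator (example code, not the skill's own)."""
import fnmatch
import json

# The guardrail. Actions and condition keys are real AWS names; the rest is ours.
ORG_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Nobody in the organization may switch off or weaken CloudTrail.
            "Sid": "DenyCloudTrailDisable",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        },
        {
            # RDS instances must be launched with storage encryption.
            "Sid": "DenyUnencryptedRdsInstance",
            "Effect": "Deny",
            "Action": "rds:CreateDBInstance",
            "Resource": "*",
            "Condition": {"Bool": {"rds:StorageEncrypted": "false"}},
        },
        {
            # Defensive companion (assumption: a request that omits the flag is
            # treated as unencrypted). Bool never matches an absent key, so a
            # Null check is needed to catch that case.
            "Sid": "DenyRdsInstanceWithoutEncryptionFlag",
            "Effect": "Deny",
            "Action": "rds:CreateDBInstance",
            "Resource": "*",
            "Condition": {"Null": {"rds:StorageEncrypted": "true"}},
        },
        {
            # No IAM users with console passwords; humans sign in through SSO.
            "Sid": "DenyIamConsoleUsers",
            "Effect": "Deny",
            "Action": "iam:CreateLoginProfile",
            "Resource": "*",
        },
    ],
}


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and allow the '*' wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, context):
    """Evaluate a Condition block; every operator/key pair must match.

    Only Bool and Null are implemented because that is all this SCP uses.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null: "true" matches only when the key is ABSENT.
                if present == (expected == "true"):
                    return False
            elif operator == "Bool":
                # A missing key never satisfies Bool.
                if not present or str(context[key]).lower() != expected.lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not supported")
    return True


def scp_denies(policy, action, context=None):
    """Return the Sid of the first matching Deny statement, or None.

    Simplification: SCPs only restrict, so only explicit Deny statements are
    evaluated, and Resource is assumed to be "*" and not checked.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(json.dumps(ORG_GUARDRAIL_SCP, indent=2))
    print(scp_denies(ORG_GUARDRAIL_SCP, "cloudtrail:StopLogging"))
    print(scp_denies(ORG_GUARDRAIL_SCP, "rds:CreateDBInstance", {"rds:StorageEncrypted": "true"}))
```

Two caveats a practitioner should keep in mind when attaching something like this: SCPs never restrict the organization's management account, so that account needs its own detective coverage; and denying `cloudtrail:UpdateTrail` org-wide also blocks legitimate trail changes, so such statements are usually paired with an exception for a break-glass role (for example an `ArnNotLike` condition on `aws:PrincipalArn`).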
Preventive vs detective controls
The skill always selects the strongest control your enforcement points allow, preferring preventive over detective:
CI/CD policy check (strongest, preventive)
Can the misconfiguration be caught in IaC before deploy? If yes, the skill generates a CDK Aspect, cfn-guard rule, or Terraform OPA policy. This stops the bad configuration from ever reaching AWS.
SCP or permission boundary (preventive, org-wide)
Must the control apply across the entire AWS Organization regardless of who deploys? SCPs and permission boundaries are generated for hard-line controls like "never allow public S3 buckets" or "never disable CloudTrail". Note that SCPs never restrict the organization's management account, so that account still needs its own detective coverage.
AWS Config rule (detective)
Is the issue only visible on a live resource: drift, runtime state, or configurations that can't be validated in IaC? Config rules are generated as detective controls, with auto-remediation offered only on explicit request.
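As an added example (not code from the wa-guardrails project), here is the strongest tier above, a CI/CD policy check, implemented as a script that runs over a synthesized CloudFormation template (the JSON that `cdk synth` writes under `cdk.out/`, or a hand-written template). It implements the two Security-pillar checks the page lists later as CDK Aspects, security groups open to `0.0.0.0/0` on non-web ports and KMS keys without rotation, at the template level so it runs without `aws-cdk-lib` installed. The `warn`/`block` modes mirror the rollout path described below: `warn` only reports, `block` fails the job. The sample template, the `WEB_PORTS` definition (HTTP and HTTPS) and the function names are this example's own assumptions.

```python
"""CI policy check over a synthesized CloudFormation template (example code)."""
import json
import sys

WEB_PORTS = {80, 443}                 # assumption: "web ports" means HTTP and HTTPS
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}    # "the whole internet", IPv4 and IPv6


def _ingress_rules(resources):
    """Yield (logical_id, rule) for inline and standalone ingress rules."""
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def _opens_non_web_port_to_world(rule):
    """True if the rule admits the internet on any port outside WEB_PORTS."""
    if rule.get("CidrIp") not in OPEN_CIDRS and rule.get("CidrIpv6") not in OPEN_CIDRS:
        return False              # restricted source, or an unresolved CDK token
    if str(rule.get("IpProtocol")) == "-1":
        return True               # every protocol and every port
    from_port = rule.get("FromPort")
    to_port = rule.get("ToPort", from_port)
    if not isinstance(from_port, int) or not isinstance(to_port, int):
        return False              # ports are intrinsics (Ref/Fn::); undecidable here
    if from_port < 0 or to_port < 0:
        return True               # -1 means all ports (or ICMP type/code), never web
    return any(port not in WEB_PORTS for port in range(from_port, to_port + 1))


def _lacks_key_rotation(props):
    """True for a symmetric KMS key without EnableKeyRotation.

    Automatic rotation exists only for symmetric encryption keys, so asymmetric
    and HMAC keys (a non-default KeySpec) are skipped rather than flagged.
    """
    if props.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        return False
    return str(props.get("EnableKeyRotation", False)).lower() != "true"


def check_template(template):
    """Return findings; each names the resource and the WA question it serves."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, rule in _ingress_rules(resources):
        if _opens_non_web_port_to_world(rule):
            findings.append({"resource": logical_id, "wa": "SEC 5",
                             "message": "security group open to the internet on a non-web port"})
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::KMS::Key" and _lacks_key_rotation(res.get("Properties", {})):
            findings.append({"resource": logical_id, "wa": "SEC 8",
                             "message": "KMS key without automatic key rotation"})
    return findings


def run(template, mode="block"):
    """Return (findings, exit_code): 'warn' only reports, 'block' fails the job."""
    findings = check_template(template)
    return findings, (1 if findings and mode == "block" else 0)


# Constructed sample template for this example; not taken from any real cdk.out.
SAMPLE_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "public HTTPS (fine)",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "CidrIp": "0.0.0.0/0"}]}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "SSH from anywhere (violation)",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "CidrIp": "0.0.0.0/0"}]}},
    "OfficeSsh": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "AdminSg"}, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "CidrIp": "203.0.113.0/24"}},                       # restricted source (fine)
    "DataKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "no rotation (violation)"}},
    "SigningKey": {"Type": "AWS::KMS::Key", "Properties": {"KeySpec": "RSA_2048",
                                                          "KeyUsage": "SIGN_VERIFY"}},
    "LogKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
}}

if __name__ == "__main__":
    # usage: python wa_policy_check.py cdk.out/MyStack.template.json [warn|block]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    mode = sys.argv[2] if len(sys.argv) > 2 else "block"
    found, code = run(template, mode)
    for finding in found:
        print(f"[{mode}] {finding['wa']}: {finding['resource']}: {finding['message']}")
    sys.exit(code)
```

The unresolved-token cases (a CIDR or port that is a `Ref` or `Fn::` object) are skipped rather than flagged, which is exactly the gap a CDK Aspect closes: it sees the construct properties before they become template intrinsics. A production check would report those skips so they do not silently pass.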
Coverage across all 6 WA pillars
- Security
- Reliability
- Operational Excellence
- Cost Optimization
- Performance & Sustainability
Security
Config rules: s3-bucket-server-side-encryption-enabled, s3-bucket-public-read-prohibited, iam-policy-no-statements-with-admin-access, cloudtrail-enabled
SCPs: Deny creation of unencrypted S3 buckets; deny disabling of CloudTrail; deny creation of IAM users with console access
CDK Aspects: Fail synth on security groups open to 0.0.0.0/0 on non-web ports; fail synth on KMS keys without key rotation enabled
WA questions covered: SEC 1, SEC 2, SEC 5, SEC 7, SEC 8
How to invoke it
Generated control examples
Every control is produced as ready-to-commit code in your workload's existing dialect, labeled preventive or detective, and tied to a WA BP ID.
Example guardrails plan output
Governance steering doc
After generating machine-enforced controls, the skill offers to produce a companion governance document: a human- and agent-readable steering file that covers standards no control can fully express. It is written in the format your tool reads, whether Kiro (.kiro/steering/), Claude Code (CLAUDE.md), Cursor (.cursor/rules/), or any supported tool, giving your AI coding agent always-on awareness of the standards.
Rollout guidance
Auto-remediation on Config rules is destructive: it modifies live resources automatically. The skill only generates auto-remediation code when you explicitly request it, and always includes a safety review and rollback note.
Effectiveness
Evaluated using an automated LLM-as-judge framework with paired comparison (same prompt, with and without skill context) using Claude Opus 4.8.
| | Baseline | With skill | Delta |
|---|---|---|---|
| Score | 76% | 99% | +23% |
Follow-up actions the agent offers
After delivering the guardrails plan, the agent offers to:
- Generate the CI workflow wiring (GitHub Actions step or CodePipeline action) to run the policy checks
- Produce a governance steering doc for your AI agent (CLAUDE.md, .cursor/rules/, .kiro/steering/)
- Add auto-remediation to a detective Config rule (with a full safety review)
- Fix the existing violations that these guardrails would block (remediate the current code)
- Tighten a control from warn mode to block mode after confirming zero false positives
Related skills
| Skill | When to use instead |
|---|---|
| wa-review | Find gaps first, then use wa-guardrails to prevent them from recurring |
| security-assessment | Deep-dive into IAM, detection controls, and incident response rather than generating enforcement code |
| operational-excellence | Assess CI/CD and observability configuration before codifying it as guardrails |
