wa-guardrails
Well-Architected Guardrails
This skill generates preventive and detective controls that keep a workload Well-Architected over time. Unlike the assessment skills (which find gaps) or remediation (which fixes a specific finding once), guardrails codify best practices so non-compliant changes are blocked or flagged automatically — in CI, at deploy time, and continuously in the account.
What you'll produce: ready-to-commit control files (Config rules, SCPs, CI policy checks, alarms), each tied to the WA Question/Best Practice ID it enforces, with a note on whether the control is preventive (blocks the bad change) or detective (flags it after the fact).
Step 1: Gather context
Ask the user (skip any already provided or inferable from the codebase):
I can generate guardrails to keep your workload Well-Architected. Let me know:
- Workload name and code packages/directories (IaC, CI/CD configs)
- IaC dialect: CDK (which language), CloudFormation, Terraform, SAM, or mixed
- Source of controls: a prior /wa-review or assessment output, specific concerns, or "scan and propose"
- Enforcement points available: CI pipeline (which one), AWS Organizations/SCPs, AWS Config, account-level admin — so controls target what you can actually deploy
- Pillars to prioritize (optional; default: Security and Reliability)
If you are in a codebase, proceed directly and infer the IaC dialect and CI system from the files present.
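One way to infer the IaC dialect and CI system from the files present, given here as an added example rather than the skill's own code. The marker file names, the skipped directories and all function names are assumptions of this example, and the sample repository is constructed.

```python
import json, tempfile
from pathlib import Path

# Marker-to-tool mapping is this example's assumption, based on each tool's default file names.
CI_MARKERS = {".github/workflows": "GitHub Actions", ".gitlab-ci.yml": "GitLab CI",
              "Jenkinsfile": "Jenkins", "buildspec.yml": "AWS CodeBuild"}
SKIP = {".git", "node_modules", "cdk.out", ".terraform"}  # vendored or generated trees

def cdk_language(cdk_json):  # language taken from the "app" command in cdk.json
    try:
        app = json.loads(cdk_json.read_text()).get("app", "")
    except (OSError, ValueError, AttributeError):
        return "unknown"
    hints = (("ts-node", "typescript"), ("python", "python"), ("mvn", "java"),
             ("dotnet", "csharp"), ("go run", "go"), ("node", "javascript"))
    return next((lang for needle, lang in hints if needle in app), "unknown")

def template_dialect(path):  # SAM, CloudFormation, or None for other YAML/JSON
    head = path.read_text(errors="ignore")[:4096]
    if "AWS::Serverless" in head:
        return "SAM"
    return "CloudFormation" if "AWSTemplateFormatVersion" in head else None

def infer_context(root):
    root, iac, ci = Path(root), set(), set()
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or SKIP & set(rel.parts):
            continue
        if p.name == "cdk.json":
            iac.add(f"CDK ({cdk_language(p)})")
        elif p.suffix == ".tf":
            iac.add("Terraform")
        elif p.suffix in {".yaml", ".yml", ".json"}:
            iac.update(filter(None, [template_dialect(p)]))
        ci.update(n for m, n in CI_MARKERS.items() if (rel.as_posix() + "/").startswith(m + "/"))
    dialect = "mixed" if len(iac) > 1 else next(iter(iac), "unknown")
    return {"iac": sorted(iac), "dialect": dialect, "ci": sorted(ci)}

def demo():  # scan a constructed sample repository
    files = {"cdk.json": '{"app": "npx ts-node bin/app.ts"}', "infra/main.tf": "",
             "template.yaml": "Transform: AWS::Serverless-2016-10-31\n", ".github/workflows/ci.yml": "on: push\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return infer_context(tmp)

if __name__ == "__main__": print(demo())
```

An empty `ci` list or a dialect of "unknown" means the corresponding question still has to be asked of the user.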