# Getting started with AWS Well-Architected Tool
<a name="getting-started"></a>

To get started using AWS Well-Architected Tool, you first provide the appropriate permissions to the your users, groups, and roles, and activate support for the AWS services you want use with AWS WA Tool. Next, you define and document a workload. You can also save a *milestone* of the current state of a workload.

The following topics explain how to get started using AWS WA Tool. For a step-by-step tutorial showing how to use AWS Well-Architected Tool, see [Tutorial: Document an AWS Well-Architected Tool workload](https://docs.aws.amazon.com/wellarchitected/latest/userguide/tutorial.html).

**Topics**
+ [Providing users, groups, or roles access to AWS WA Tool](iam-auth-access.md)
+ [Activating support in AWS WA Tool for other AWS services](activate-integrations.md)
+ [Defining a workload in AWS WA Tool](define-workload.md)
+ [Documenting a workload in AWS WA Tool](start-workflow-review.md)
+ [Reviewing a workload with AWS Well-Architected Framework](continue-workflow-review.md)
+ [Viewing Trusted Advisor checks for your workload](ta-checks-page.md)
+ [Saving a milestone for a workload in AWS WA Tool](save-milestone.md)

# Providing users, groups, or roles access to AWS WA Tool
<a name="iam-auth-access"></a>

You can grant users, groups, or roles full control or read-only access to AWS Well-Architected Tool.

**Provide access to AWS WA Tool**

1. To provide access, add permissions to your users, groups, or roles:
   + Users and groups in AWS IAM Identity Center:

     Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
   + Users managed in IAM through an identity provider:

     Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
   + IAM users:
     + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
     + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

1. To grant full control, apply the **WellArchitectedConsoleFullAccess** managed policy to the permission set or role.

   Full access allows the principal to perform all actions in AWS WA Tool. This access is required to define workloads, delete workloads, view workloads, update workloads, share workloads, create custom lenses, and share custom lenses.

1. To grant read-only access, apply the ** WellArchitectedConsoleReadOnlyAccess** managed policy to the permission set or role. Principals with this role can only view resources.

For more information on these policies, see [AWS managed policies for AWS Well-Architected Tool](security-iam-awsmanpol.md).

# Activating support in AWS WA Tool for other AWS services
<a name="activate-integrations"></a>

Activating Organization access permits AWS Well-Architected Tool to gather information about your organization's structure to share resources more easily (see [Activate resource sharing within AWS Organizations](sharing.md#getting-started-sharing-orgs) for more information). Activating Discovery support gathers information from [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html), [AWS Service Catalog AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html), and related resources (such as CloudFormation stacks in AppRegistry resource collections) to help you more easily discover the information needed to answer Well-Architected review questions, and tailor the Trusted Advisor checks for a workload. 

Activating support for AWS Organizations, or activating Discovery support automatically creates a service-linked role for your account. 

**To turn on support for other services that AWS WA Tool can interact with, navigate to Settings.**

1. To gather information from AWS Organizations, turn on **Activate AWS Organizations support**. 

1. Turn on **Activate Discovery support** to gather information from other AWS services and resources.

1. Select **View role permissions** to view the service-linked role permissions or trust relationship policies.

1. Select **Save settings**.

# Activating AppRegistry for a workload
<a name="activate-appregistry"></a>

Using AppRegistry is optional, and AWS Business and Enterprise Support customers can activate it on a per-workload basis.

Whenever Discovery support is turned on and AppRegistry is associated with a new or existing workload, AWS Well-Architected Tool creates a service-managed attribute group. The attribute group **Metadata** in AppRegistry contains the workload ARN, the workload name, and the risks associated with the workload. 
+  When Discovery support is turned on, any time there is a change to the workload, the attribute group is updated.
+  When Discovery support is turned off or the application is removed from the workload, the workload information is removed from AWS Service Catalog.

If you want an AppRegistry application to drive the data fetched from Trusted Advisor, set your workload **Resource definition** as **AppRegistry** or **All**. Create roles for all accounts that own resources in your application following the guidelines in [Activating Trusted Advisor for a workload in IAM](activate-ta-in-iam.md). 

# Activating AWS Trusted Advisor for a workload
<a name="activate-ta-for-workload"></a>

You can optionally integrate AWS Trusted Advisor and activate it on a per-workload basis for AWS Business and Enterprise Support customers. There is no cost to integrate Trusted Advisor with AWS WA Tool, but for Trusted Advisor pricing details, see [AWS Support Plans](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-plans.html). Activating Trusted Advisor for workloads can provide you a more comprehensive, automated, and monitored approach to reviewing and optimizing your AWS workloads. This can help you improve the reliability, security, performance, and cost optimization for your workloads.

**To activate Trusted Advisor for a workload**

1. To activate Trusted Advisor, workload owners can use AWS WA Tool to update an existing workload, or create a new workload by choosing **Define workload**. 

1. Enter an account ID used by Trusted Advisor in the **Account IDs** field, select an application ARN in the **Application** field, or both to activate Trusted Advisor. 

1. In the **AWS Trusted Advisor** section, select **Activate Trusted Advisor**.  
![\[Screenshot of the Activate Trusted Advisor section when defining a workload.\]](http://docs.aws.amazon.com/wellarchitected/latest/userguide/images/defining-workload-activate-ta-support.png)

1. A notification that the **IAM service role will be created** displays the first time Trusted Advisor is activated for a workload. Choosing **View permissions** displays the IAM role permissions. You can view the **Role name**, as well as the **Permissions** and **Trust relationships** JSON automatically created for you in IAM. After the role is created, for subsequent workloads activating** Trusted Advisor**, only the notification for **Additional setup needed** is shown. 

1. In the **Resource definition** dropdown, you can select **Workload Metadata**, **AppRegistry**, or **All**. The **Resource definition** selection defines what data AWS WA Tool fetches from Trusted Advisor to provide the status checks in the workload review that map to Well-Architected best practices.

   **Workload Metadata** – the workload is defined by account IDs and AWS Regions specified in the workload.

   **AppRegistry** – the workload is defined by resources (such as CloudFormation stacks) that are present in the AppRegistry application associated with the workload.

   **All** – the workload is defined by both the workload metadata and AppRegistry resources.

1. Choose **Next**. 

1. Apply the **AWS Well-Architected Framework** to your workload, and choose **Define workload**. Trusted Advisor checks are only linked to the AWS Well-Architected Framework, and not other lenses.

The AWS WA Tool periodically gets data from Trusted Advisor using the roles created in IAM. The IAM role is automatically created for the workload owner. However, to view Trusted Advisor information, the owners of any associated accounts on the workload must go to IAM and create a role, see [Activating Trusted Advisor for a workload in IAM](activate-ta-in-iam.md) for more details. If this role does not exist, AWS WA Tool cannot obtain Trusted Advisor information for that account and displays an error. 

For more information about creating a role in AWS Identity and Access Management (IAM), see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the *IAM User Guide*.

# Activating Trusted Advisor for a workload in IAM
<a name="activate-ta-in-iam"></a>

**Note**  
Workload owners should **Activate Discovery support** for their account before creating a Trusted Advisor workload. Choosing to **Activate Discovery support** creates the role required for the workload owner. Use the following steps for all other associated accounts. 

The owners of associated accounts for workloads that have activated Trusted Advisor must create a role in IAM to see Trusted Advisor information in AWS Well-Architected Tool.

**To create a role in IAM for AWS WA Tool to get information from Trusted Advisor**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the **IAM** console, choose **Roles**, and then choose **Create role**.

1. Under **Trusted entity type** choose **Custom trust policy**. 

1. Copy and paste the following **Custom trust policy** into the JSON field in the **IAM** console, as shown in the following image. Replace *`WORKLOAD_OWNER_ACCOUNT_ID`* with the workload owner's account ID, and choose **Next**. 

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "wellarchitected.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "WORKLOAD_OWNER_ACCOUNT_ID"
                   },
                   "ArnEquals": {
                       "aws:SourceArn": "arn:aws:wellarchitected:*:111122223333:workload/*"
                   }
               }
           }
       ]
   }
   ```

------  
![\[Screenshot of the Custom trust policy in the IAM console.\]](http://docs.aws.amazon.com/wellarchitected/latest/userguide/images/custom-trust-policy.png)
**Note**  
The `aws:sourceArn` in the condition block of the preceeding custom trust policy is `"arn:aws:wellarchitected:*:WORKLOAD_OWNER_ACCOUNT_ID:workload/*"`, which is a generic condition stating this role can be used by AWS WA Tool for all of the workload owner's workloads. However, access can be narrowed to a specific workload ARN, or set of workload ARNs. To specify multiple ARNs, see the following example trust policy.  

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "wellarchitected.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                   "aws:SourceAccount": "111122223333"
                   },
                   "ArnEquals": {
                       "aws:SourceArn": [
                       "arn:aws:wellarchitected:us-east-1:111122223333:workload/WORKLOAD_ID_1",
       "arn:aws:wellarchitected:us-east-1:111122223333:workload/WORKLOAD_ID_2"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. On the **Add permissions** page, for **Permissions policies** choose **Create policy** to give AWS WA Tool access to read data from Trusted Advisor. Selecting **Create policy** opens a new window.
**Note**  
Additionally, you have the option to skip creating the permissions during the role creation and create an inline policy after creating the role. Choose **View role** in the successful role creation message and select **Create inline policy** from the **Add permissions** dropdown in the **Permissions** tab.

1. Copy and paste the following **Permissions policy** into the JSON field. In the `Resource` ARN, replace *`YOUR_ACCOUNT_ID`* with your own account ID, specify the Region or an asterisk (`*`), and choose **Next:Tags**.

   For details about ARN formats, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference Guide*.

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "trustedadvisor:DescribeCheckRefreshStatuses",
                   "trustedadvisor:DescribeCheckSummaries",
                   "trustedadvisor:DescribeRiskResources",
                   "trustedadvisor:DescribeAccount",
                   "trustedadvisor:DescribeRisk",
                   "trustedadvisor:DescribeAccountAccess",
                   "trustedadvisor:DescribeRisks",
                   "trustedadvisor:DescribeCheckItems"
               ],
               "Resource": [
                   "arn:aws:trustedadvisor:*:111122223333:checks/*"
               ]
           }
       ]
   }
   ```

------

1. If Trusted Advisor is activated for a workload and the **Resource definition** is set to **AppRegistry** or **All**, all of the accounts that own a resource in the AppRegistry application attached to the workload must add the following permission to their Trusted Advisor role's **Permissions policy**.

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Sid": "DiscoveryPermissions",
               "Effect": "Allow",
               "Action": [
                   "servicecatalog:ListAssociatedResources",
                   "tag:GetResources",
                   "servicecatalog:GetApplication",
                   "resource-groups:ListGroupResources",
                   "cloudformation:DescribeStacks",
                   "cloudformation:ListStackResources"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

------

1. (Optional) Add tags. Choose **Next: Review**.

1. Review the policy, give it a name, and select **Create policy**.

1. On the **Add permissions** page for the role, select the policy name you just created, and select **Next**. 

1. Enter the **Role name**, which must use the following syntax: `WellArchitectedRoleForTrustedAdvisor-WORKLOAD_OWNER_ACCOUNT_ID` and choose **Create role**. Replace *`WORKLOAD_OWNER_ACCOUNT_ID`* with the workload owner's account ID.

   You should get a success message at the top of the page notifying you that the role has been created. 

1. To view the role and associated permissions policy, in the left navigation pane under **Access management**, choose **Roles** and search for the `WellArchitectedRoleForTrustedAdvisor-WORKLOAD_OWNER_ACCOUNT_ID` name. Select the name of the role to verify that the **Permissions** and **Trust relationships** are correct.

# Deactivating Trusted Advisor for a workload
<a name="deactivate-ta-for-workload"></a>

**To deactivate Trusted Advisor for a workload**

You can deactivate Trusted Advisor for any workload from the AWS Well-Architected Tool by editing your workload and deselecting **Activate Trusted Advisor**. For more information on editing workloads, see [Edit a workload in AWS Well-Architected Tool](workloads-edit.md). 

Deactivating Trusted Advisor from the AWS WA Tool does not delete the roles created in IAM. Deleting roles from IAM requires a separate cleanup measure. Workload owners or owners of associated accounts should delete the IAM roles created when Trusted Advisor is deactivated in AWS WA Tool, or to stop AWS WA Tool from collecting Trusted Advisor data for the workload. 

**To delete the `WellArchitectedRoleForTrustedAdvisor` in IAM**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the **IAM** console, choose **Roles**.

1. Search for `WellArchitectedRoleForTrustedAdvisor-WORKLOAD_OWNER_ACCOUNT_ID` and select the role name.

1. Choose **Delete**. In the pop-up window, type the name of the role to confirm deletion, and select **Delete** again.

For more information about deleting a role from IAM, see [Deleting an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-console) in the *IAM User Guide*.

# Defining a workload in AWS WA Tool
<a name="define-workload"></a>

A workload is a set of components that deliver business value. For example, workloads can be marketing websites, ecommerce websites, the backend for a mobile app, and analytic platforms. Accurately defining a workload helps ensure a comprehensive review against the AWS Well-Architected Framework pillars. 

**To define a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. If this is your first time using AWS WA Tool, you see a page that introduces you to the features of the service. In the **Define a workload** section, choose **Define workload**.

   Alternately, in the left navigation pane, choose **Workloads** and choose **Define workload**.

   For details on how AWS uses your workload data, choose **Why does AWS need this data, and how will it be used?**

1. In the **Name** box, enter a name for your workload.
**Note**  
The name must be between 3 and 100 characters. At least three characters must not be spaces. Workload names must be unique. Spaces and capitalization are ignored when checking for uniqueness.

1. In the **Description** box, enter a description of the workload. The description must be between 3 and 250 characters.

1. In the **Review owner** box, enter the name, email address, or identifier for the primary group or individual that owns the workload review process.

1. In the **Environment** box, choose the environment for your workload:
   + **Production** – Workload runs in a production environment.
   + **Pre-production** – Workload runs in a pre-production environment.

1. In the **Regions** section, choose the Regions for your workload:
   + **AWS Regions** – Choose the AWS Regions where your workload runs, one at a time.
   + **Non-AWS regions** – Enter the names of the Regions outside of AWS where your workload runs. You can specify up to five unique Regions, separated by commas.

   Use both options if appropriate for your workload.

1. (Optional) In the **Account IDs** box, enter the IDs of the AWS accounts associated with your workload. You can specify up to 100 unique account IDs, separated by commas. 

   If Trusted Advisor is activated, any account IDs specified are used to get data from Trusted Advisor. See [Activating AWS Trusted Advisor for a workload](https://docs.aws.amazon.com/wellarchitected/latest/userguide/activate-ta-for-workload.html) to grant AWS WA Tool permissions to get Trusted Advisor data on your behalf within IAM. 

1. (Optional) In the **Application** box, enter the application ARN of an application from the [AWS Service Catalog AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html) that you want to associate with this workload. Only one ARN can be specified per workload, and the application and workload must be in the same Region.

1. (Optional) In the **Architectural design** box, enter the URL for your architectural design.

1. (Optional) In the **Industry type** box, choose the type of industry associated with your workload.

1. (Optional) In the **Industry** box, choose the industry that best matches your workload.

1. (Optional) In the **Trusted Advisor** section, to turn on Trusted Advisor checks for your workload, select **Activate Trusted Advisor**. Additional setup might be needed for accounts associated with your workload. See [Activating AWS Trusted Advisor for a workload](activate-ta-for-workload.md) to grant AWS WA Tool permissions to get Trusted Advisor data on your behalf. Select from **Workload Metadata**, **AppRegistry**, or **All** under **Resource definition** to define what resources AWS WA Tool uses to run Trusted Advisor checks.

1.  (Optional) In the **Jira** section, to turn on workload-level Jira sync settings for the workload, select **Override account level settings**. Additional setup might be needed for accounts associated with your workload. See [AWS Well-Architected Tool Connector for Jira](jira.md) to get started with setting up and configuring the connector. Select from **Do not sync workload**, **Sync workload - Manual**, and **Sync workload - Automatic**, and optionally enter a **Jira project key** to sync to. 
**Note**  
 If you do not override account-level settings, workloads will default to the account-level Jira sync setting. 

1. (Optional) In the **Tags** section, add any tags you want to associate with the workload.

   For more information on tags, see [Tagging your AWS WA Tool resources](tagging.md).

1. Choose **Next**.

   If a required box is blank or if a specified value is not valid, you must correct the issue before you can continue.

1. (Optional) In the **Apply Profile** step, associate a profile with the workload by selecting an existing profile, searching for the profile name, or choosing **Create profile** to [create a profile](creating-a-profile.md). Choose **Next**.

1. Choose the lenses that apply to this workload. Up to 20 lenses can be added to a workload. For descriptions of official AWS lenses, see [Lenses](lenses.md).

    Lenses can be selected from **[Custom lenses](lenses-custom.md)** (lenses that you created or that were shared with your AWS account), **[Lens Catalog](lens-catalog.md)** (AWS official lenses available to all users), or both. 
**Note**  
 The **Custom lenses** section is empty if you have not created a custom lens or had a custom lens shared with you. 
**Disclaimer**  
By accessing and/or applying custom lenses created by another AWS user or account, you acknowledge that custom lenses created by other users and shared with you are Third Party Content as defined in the AWS Customer Agreement.

1. Choose **Define workload**.

   If a required box is blank or if a specified value is not valid, you must correct the issue before your workload is defined.

# Documenting a workload in AWS WA Tool
<a name="start-workflow-review"></a>

After you've defined a workload in AWS Well-Architected Tool, you can document its state by opening the Review workload page. This helps you assess your workload and track its progress over time. 

**To document the state of a workload**

1. After you initially define a workload, you see a page that shows the current details of your workload. Choose **Start reviewing** to begin.

   Otherwise, in the left navigation pane, choose **Workloads** and select the name of the workload to open the workload details page. Choose **Continue reviewing**.

   (Optional) If a profile is associated with your workload, then the left navigation pane contains a list of **Prioritized** workload review questions you can use to speed up the workload review process.

1. You are now presented with the first question. For each question:

   1. Read the question and determine if the question applies to your workload.

      For additional guidance, choose **Info** and view the information in the help pane.
      + If the question does not apply to your workload, choose **Question does not apply to this workload**.
      + Otherwise, select the best practices that you are currently following from the list.

        If you are currently not following any of the best practices, choose **None of these**.

      For additional guidance on any item, choose **Info** and view the information in the help pane.

   1. (Optional) If one or more best practices do not apply to your workload, choose **Mark best practice(s) that don't apply to this workload** and select them. For each selected best practice, you can optionally select a reason and provide additional details. 

   1. (Optional) Use the **Notes** box to record information related to the question.

      For example, you might describe why the question does not apply or provide additional details about the best practices selected.

   1. Choose **Next** to continue to the next question.

   Repeat these steps for each question in each pillar.

1. Choose **Save and exit** at any time to save your changes and pause documenting your workload.

After you've documented your workload, you can return to the questions to continuing reviewing it at anytime. For more information, see [Reviewing a workload with AWS Well-Architected Framework](continue-workflow-review.md).

# Reviewing a workload with AWS Well-Architected Framework
<a name="continue-workflow-review"></a>

You can review your workload in the console on the Review workload page. This page provides best practices and helpful resources for your workload's performance.

![\[The Review workload page showing a question and best practices.\]](http://docs.aws.amazon.com/wellarchitected/latest/userguide/images/gs-qacallouts-console.png)


1. To open the Review workload page, from the workload details page, choose **Continue reviewing**. The left navigation pane shows the questions for each pillar. Questions that you have answered are marked **Done**. The number of questions answered in each pillar is shown next to the pillar name.

   You can navigate to questions in other pillars by choosing the pillar name and then choosing the question you want to answer. 

   (Optional) If a profile is associated with your workload, then AWS WA Tool uses the information in the profile to determine which questions in the workload review are **Prioritized** and which questions are not applicable for your business. In the left navigation pane you can use the **Prioritized** questions to help speed up the workload review process. A notification icon appears next to questions that are newly added to the list of **Prioritized** questions. 

1. The middle pane displays the current question. Select the best practices that you are following. Choose **Info** to get additional information about the question or a best practice. Choose **Ask an expert** to access the AWS re:Post community dedicated to [AWS Well-Architected](https://repost.aws/topics/TA5g9gZfzuQoWLsZ3wxihrgw/well-architected-framework?trk=1053da05-d131-4bfd-8d08-01af135ae52a&sc_channel=el). AWS re:Post is a topic-based question-and-answer community replacement for AWS Forums. With re:Post, you can find answers, answer questions, join a group, follow popular topics, and vote on your favorite questions and answers. 

   (Optional) To mark one or more best practices as not applicable, choose **Mark best practice(s) that don't apply to this workload** and select them.

   Use the buttons at the bottom of this pane to go to the next question, return to the previous question, or save your changes and exit.

1. The right help pane displays additional information and helpful resources. Choose **Ask an expert** to access the AWS re:Post community dedicated to [AWS Well-Architected](https://repost.aws/topics/TA5g9gZfzuQoWLsZ3wxihrgw/well-architected-framework?trk=1053da05-d131-4bfd-8d08-01af135ae52a&sc_channel=el). In this community, you can ask questions related to designing, building, deploying, and operating workloads on AWS.

# Viewing Trusted Advisor checks for your workload
<a name="ta-checks-page"></a>

If Trusted Advisor is activated for your workload, a **Trusted Advisor checks** tab is displayed next to **Question**. If there are any checks available for the best practice, a notification that there are Trusted Advisor checks available is displayed following the question selection. Selecting **View checks** takes you to the **Trusted Advisor checks** tab. 

![\[Screenshot of the Trusted Advisor checks available notification on the Question page.\]](http://docs.aws.amazon.com/wellarchitected/latest/userguide/images/documenting-workload-ta-checks-available-view-checks.png)


On the **Trusted Advisor checks** tab, you can view more detailed information about the best practice checks from Trusted Advisor, view links to the Trusted Advisor documentation in the **Help resources** pane, or **Download check details**, which provides a report of the Trusted Advisor checks and statuses for each best practice in a CSV file.

![\[Screenshot of the Trusted Advisor checks page.\]](http://docs.aws.amazon.com/wellarchitected/latest/userguide/images/documenting-workload-ta-checks-page.png)


The check categories from Trusted Advisor are displayed as colored icons, and the number next to each icon shows the number of accounts in that status.
+ **Action recommended (red) **– Trusted Advisor recommends an action for the check.
+ **Investigation recommended (yellow)** – Trusted Advisor detects a possible issue for the check.
+ **No problems detected (green)** – Trusted Advisor doesn't detect an issue for the check.
+ **Excluded items (gray)** – The number of checks that have excluded items, such as resources that you want a check to ignore.

For more information on the checks Trusted Advisor provides, see [View check categories](https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor.html#view-check-categories) in the *Support User Guide*.

Selecting the **Info** link next to each Trusted Advisor check displays information about the check in the **Help resources** pane. For more information, see [AWS Trusted Advisor check reference](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html) in the *Support User Guide*.

# Saving a milestone for a workload in AWS WA Tool
<a name="save-milestone"></a>

You can save a milestone for a workload at any time. A milestone records the current state of the workload.

**To save a milestone**

1. From the workload details page, choose **Save milestone**.

1. In the **Milestone name** box, enter a name for your milestone.
**Note**  
The name must be between 3 and 100 characters. At least three characters must not be spaces. Milestone names associated with a workload must be unique. Spaces and capitalization are ignored when checking for uniqueness.

1. Choose **Save**.

After a milestone is saved, you can't change the workload data that was captured in that milestone.

For more information, see [Milestones](milestones.md).