Create a new workload in the AWS Well-Architected Tool. Work with the development team to answer security questions based on the team’s current state. Use the save milestone feature to track improvements against identified high-risk items.

Use the cost recommendations in AWS Cost Explorer. Analyze the cost implications of security misconfigurations. Prioritize architectural changes based on potential cost savings as a result of implementing AWS security best practices.

Enable AWS Security Hub CSPM. Create a Security Hub CSPM automation rule to map existing services to approved architecture patterns. Use the data to identify non-compliance against AWS best practices and generate a compliance report.

Enable Amazon Detective. Create a Detective investigation for AWS security best practices. Use a behavior graph to visualize the data. Analyze the entities to identify architectural components that do not follow AWS security best practices.