Why a Unified Lens Matters
If you run Snowflake on AWS, you've likely felt the pain of juggling two separate sets of best practices. The AWS Well-Architected Framework gives you infrastructure guidance, while Snowflake's own framework covers compute, data organization, and governance. Without a single review process, security gaps appear, compliance audits become messy, and production readiness stretches out.
The new Snowflake and AWS Custom Well-Architected Framework Lens solves this. It merges both frameworks into one review experience covering seven pillars: security and identity, data governance and compliance, reliability, performance, cost, operational excellence, and sustainability. It even adds sustainability as a first-class pillar, something no other ISV lens has done.
Let's break down what's inside and how you can use it.
Source: This article is based on the official AWS Architecture Blog post.

The Seven Pillars: Where AWS and Snowflake Align
1. Security & Identity
Security requires coordinated controls across two planes. On AWS, you manage VPCs, IAM roles, and KMS keys. On Snowflake, you handle network policies, RBAC, and authentication. The lens maps these together.
Key integration: Use AWS PrivateLink between your VPC and Snowflake. Then layer Snowflake network policies on top of EC2 security groups for defense-in-depth. For authentication, federate through AWS IAM Identity Center and map IdP groups to Snowflake database roles.
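The Snowflake side of this layering can be sketched in SQL. This is an added example, not taken from the lens or the AWS post; the database, schema, role and user names and the VPC endpoint ID are constructed placeholders, and IDP_DATA_ANALYSTS is assumed to be the account role that corresponds to an IdP group.

```sql
-- Added example. Placeholders (not from the lens): security_db.net,
-- analytics_db.curated, IDP_DATA_ANALYSTS, review_test_user, the vpce- ID.
-- Assumes the executing role may create network rules and policies.

-- 1. Allow ingress from the PrivateLink VPC endpoint only.
CREATE NETWORK RULE security_db.net.allow_privatelink_vpce
  TYPE = AWSVPCEID
  VALUE_LIST = ('vpce-0123456789abcdef0')  -- placeholder endpoint ID
  MODE = INGRESS
  COMMENT = 'Ingress restricted to the PrivateLink VPC endpoint';

-- Public IPv4 access is blocked explicitly rather than relying on the
-- allow-list alone.
CREATE NETWORK RULE security_db.net.block_public_ipv4
  TYPE = IPV4
  VALUE_LIST = ('0.0.0.0/0')
  MODE = INGRESS;

CREATE NETWORK POLICY privatelink_only
  ALLOWED_NETWORK_RULE_LIST = ('security_db.net.allow_privatelink_vpce')
  BLOCKED_NETWORK_RULE_LIST = ('security_db.net.block_public_ipv4')
  COMMENT = 'Layered on top of EC2 security groups';

-- 2. Attach to one test user first: a wrong endpoint ID applied at
--    account level locks out every user.
ALTER USER review_test_user SET NETWORK_POLICY = privatelink_only;
-- Only after a PrivateLink login has been verified for that user:
ALTER ACCOUNT SET NETWORK_POLICY = privatelink_only;

-- 3. Least-privilege database role, granted to the account role that
--    represents the IdP group.
CREATE DATABASE ROLE analytics_db.curated_reader;
GRANT USAGE ON SCHEMA analytics_db.curated
  TO DATABASE ROLE analytics_db.curated_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics_db.curated
  TO DATABASE ROLE analytics_db.curated_reader;
GRANT DATABASE ROLE analytics_db.curated_reader TO ROLE IDP_DATA_ANALYSTS;

-- 4. Check: successful logins in the last 7 days that used a password
--    instead of the federated path.
SELECT user_name, client_ip, reported_client_type, COUNT(*) AS logins
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY logins DESC;
```

Rows returned by the last query are accounts still authenticating outside the identity provider, which is the gap the federation recommendation is meant to close.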
2. Data Governance & Compliance
Data protection spans dynamic masking on Snowflake and encryption on AWS. The lens recommends using AWS KMS with Snowflake Tri-Secret Secure for dual-custody encryption. Stream Snowflake audit logs to Amazon CloudWatch or OpenSearch via S3 and EventBridge for unified compliance monitoring.
3. Reliability
Disaster recovery requires coordination. Configure Snowflake cross-Region replication to a secondary AWS Region, and use Snowflake client redirect for automated failover. Align Snowflake Time Travel retention with S3 versioning policies.
4. Performance Optimization
Right-size Snowflake warehouses based on query profiling. Use multi-cluster warehouses for concurrency scaling. Optimize S3 staging file sizes for Snowpipe ingestion. A specific tip: when defining clustering keys, order columns from lowest to highest cardinality—this is unique to Snowflake's micro-partition architecture.
5. Cost Optimization & FinOps
Combine AWS Cost Explorer data with Snowflake credit consumption in an integrated FinOps dashboard. Pair AWS Savings Plans with Snowflake capacity commitments for predictable baseline costs. Aggressively use auto-suspend for development warehouses.
6. Operational Excellence
Export Snowflake metrics to Amazon CloudWatch using S3 integration. Manage both AWS and Snowflake objects in the same Terraform state. Trigger Lambda auto-remediation from Snowflake resource monitor alerts via SNS.
7. Sustainability
This is the first joint lens to include sustainability. Select AWS Regions with high renewable energy for non-latency-sensitive workloads. Enforce aggressive auto-suspend for development and batch workloads. Replace full data copies with zero-copy clones.
Three Ways to Run the Review
You can access the lens in three environments:
- AWS Well-Architected Tool Console – Upload the custom lens JSON and run a structured questionnaire with risk ratings.
- Kiro (AWS IDE) – An AI-assisted conversational review inside the IDE, with findings classified as Red/Yellow/Green.
- Snowflake Cortex Code – Available as both a CLI and within Snowsight. The Cortex Code skill guides you through the review interactively.
Limitations & Caveats
- The lens is a starting point, not a replacement for deep architecture reviews. It flags risks but doesn't auto-fix them.
- Some recommendations (e.g., region selection for sustainability) depend on your specific workload latency requirements.
- The Cortex Code skill requires downloading and installing a zip file—it's not a built-in Snowflake feature yet.

Practical Tips for Your First Review
- Start with Security and Reliability pillars. These surface the highest-impact findings for most production workloads.
- Use the improvement plan output to prioritize actions across your team. Export as PDF or JSON for stakeholder reporting.
- If you're new to Well-Architected reviews, begin with the AWS Management Console path—it's the most structured.
- For teams already using Terraform, the operational excellence pillar shows how to manage Snowflake objects in the same state as AWS resources.
Next Steps
This is the first release of the lens, and AWS and Snowflake are actively expanding coverage. To get started:
- Download the custom lens JSON from the AWS blog.
- Upload it to the AWS Well-Architected Tool or use the Kiro/Cortex Code paths.
- Run your first review on a non-production workload.

Conclusion
The Snowflake and AWS Well-Architected Framework Lens is a practical tool for teams tired of reconciling two separate review processes. It doesn't add complexity; it removes it. By integrating security, cost, and reliability guidance into a single framework, it helps you build a more coherent, auditable, and efficient Snowflake-on-AWS architecture.
Start your first review today, or reach out to your AWS or Snowflake account team for a guided workshop.