WAF++

WAF-PERF-010 – Compute Instance Type & Sizing Validated

Description

All compute resources MUST use current instance generations. Sizing decisions MUST be based on measured CPU/memory/network baselines, not on intuition. Over-provisioned resources (average CPU below 20% sustained over the baseline window) and under-provisioned resources (CPU P95 above 80% for workloads that do not auto-scale) MUST be reviewed quarterly.

No instance type upgrade without performance measurement. No instance type downgrade without risk analysis.

Rationale

Incorrectly sized instances are the most common cause of simultaneous performance problems and cost waste. Over-provisioned instances waste budget; under-provisioned instances cause latency spikes under load. Previous-generation instances (t2, m4, c4) offer up to 30% worse price-performance than current generations and should be migrated.

Cloud provider sizing recommendations (Compute Optimizer, Azure Advisor, GCP Recommender) provide data-driven rightsizing recommendations. These MUST be included in the quarterly review.

Threat Context

Performance Degradation Under Load: Under-provisioned instances saturate CPU/memory during load spikes; timeouts and errors cascade to dependent services.

Cost Waste: Over-provisioned instances with sustained CPU utilisation well below the 20% review threshold (often < 10%) pay for capacity that is never used.

Previous-Generation Risk: t2 instances are burstable and, in their default standard mode, are throttled to the baseline once CPU credits are exhausted; m4/c4 are fixed-performance but run on older hardware with worse price-performance. t3 (which defaults to unlimited mode) and m6i/c6i are faster per dollar and in most cases cheaper per hour.

Undocumented Sizing: If nobody knows why an instance size was chosen, nobody can safely change it, and it will never be optimised.

Requirement

  • All production compute resources MUST use current instance generations

  • Sizing decisions MUST be supported by measured baselines (sizing document or ADR)

  • Quarterly review MUST take place; result documented in a sizing report

  • Every compute resource MUST carry the sizing-reviewed tag with the date of the last review (YYYY-MM-DD)

Implementation Guidance

  1. Collect baseline metrics: 2–4 weeks of CPU/memory/network data from CloudWatch/Azure Monitor/GCP Monitoring, covering at least one full business cycle (e.g. month-end batch). Note that EC2 memory utilisation is not a default CloudWatch metric; it requires the CloudWatch agent on the instance.

  2. Activate Compute Optimizer: Enable AWS Compute Optimizer, Azure Advisor or GCP Recommender

  3. Create sizing document: docs/sizing/<service>.yml with measured values and rationale

  4. Update IaC: Declare the current instance generation in Terraform; set the sizing-reviewed tag to the review date

  5. CI validation: WAF++ check for previous-generation instances in CI pipeline

  6. Quarterly review: Regular repetition; include cloud provider recommendations
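The classification behind steps 1, 3 and 6, as an added example (this is not WAF++ tooling): per-instance CPU samples are reduced to the two figures the control names (sustained average and P95) and mapped to the thresholds above. The instance IDs and sample series are constructed; the 14-day minimum window (5-minute samples) below which nothing is classified is an assumption of this example, chosen from the control's 2–4 week guidance.

```python
"""Baseline classifier for the WAF-PERF-010 thresholds (added example, not
WAF++ tooling). Input: per-instance CPU utilisation samples such as 5-minute
CloudWatch CPUUtilization averages exported over 2-4 weeks.
Rules from the control: avg < 20 % sustained -> over-provisioned;
P95 > 80 % on a non-auto-scaling workload -> under-provisioned."""
from dataclasses import dataclass
import math

OVER_PROVISIONED_AVG = 20.0   # % CPU, from the control text
UNDER_PROVISIONED_P95 = 80.0  # % CPU, from the control text
# Assumption of this example: 14 days of 5-minute samples is the smallest
# window we accept (the control asks for 2-4 weeks); shorter series are
# reported as insufficient data instead of being classified.
MIN_SAMPLES = 14 * 24 * 12


def percentile(values, pct):
    """Nearest-rank percentile: deterministic for a fixed sample set."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


@dataclass(frozen=True)
class Baseline:
    instance_id: str
    instance_type: str
    autoscaled: bool
    samples: int
    cpu_avg: float
    cpu_p95: float


def build_baseline(instance_id, instance_type, cpu_samples, autoscaled=False):
    if not cpu_samples:
        raise ValueError(f"{instance_id}: no samples")
    return Baseline(instance_id, instance_type, autoscaled, len(cpu_samples),
                    sum(cpu_samples) / len(cpu_samples),
                    percentile(cpu_samples, 95))


def classify(b):
    """Findings for one instance; an empty list means right-sized."""
    if b.samples < MIN_SAMPLES:
        return ["insufficient-data"]       # never size on a short window
    findings = []
    if b.cpu_avg < OVER_PROVISIONED_AVG:
        findings.append("over-provisioned")
    if not b.autoscaled and b.cpu_p95 > UNDER_PROVISIONED_P95:
        findings.append("under-provisioned")
    return findings


def recommendation(findings):
    """Action text for the sizing report; wording is this example's."""
    if findings == ["over-provisioned"]:
        return "step down one size; confirm with Compute Optimizer"
    if findings == ["under-provisioned"]:
        return "step up one size or add auto scaling; check P95 latency"
    if set(findings) == {"over-provisioned", "under-provisioned"}:
        # low average but high P95: a bigger fixed size would mostly idle
        return "spiky load: burstable type or auto scaling rather than a bigger fixed size"
    if findings == ["insufficient-data"]:
        return "collect at least 2 weeks of metrics before deciding"
    return "right-sized; record the baseline in docs/sizing/<service>.yml"


# Constructed sample series (not real telemetry): 14 days x 288 samples each,
# except i-new, which has only 100 samples.
N = MIN_SAMPLES
SAMPLE_FLEET = {
    "i-idle":  ("m6i.xlarge", False, [5 + (i % 10) for i in range(N)]),
    "i-hot":   ("c6i.large",  False, [60 + (i % 40) for i in range(N)]),
    "i-asg":   ("c6i.large",  True,  [60 + (i % 40) for i in range(N)]),
    "i-spiky": ("m6i.large",  False, [95 if i % 10 == 0 else 5 for i in range(N)]),
    "i-ok":    ("m6i.large",  False, [30 + (i % 30) for i in range(N)]),
    "i-new":   ("m6i.large",  False, [50] * 100),
}


def sizing_report(fleet=SAMPLE_FLEET):
    """One row per instance: the body of the quarterly sizing report."""
    rows = {}
    for iid, (itype, asg, samples) in fleet.items():
        b = build_baseline(iid, itype, samples, asg)
        f = classify(b)
        rows[iid] = {"type": itype, "avg": round(b.cpu_avg, 1), "p95": b.cpu_p95,
                     "findings": f, "action": recommendation(f)}
    return rows


if __name__ == "__main__":
    for iid, row in sizing_report().items():
        print(f"{iid:8} {row['type']:11} avg={row['avg']:5.1f} "
              f"p95={row['p95']:3} {row['findings']} -> {row['action']}")
```

The spiky case is the one to watch in a real review: average utilisation alone would mark it for a downgrade while P95 says the opposite, which is why the control names both figures and why an auto-scaled workload is exempt from the P95 rule.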

Maturity Levels

Level 1 – Ad-hoc Sizing: No sizing documentation; previous-generation instances widespread; no review process.

Level 2 – Experience-based: Instance size chosen from experience; occasional reviews; partially documented.

Level 3 – Measured Baseline: Data-driven sizing for production; ADR/sizing document; quarterly review; >= 90% current generation.

Level 4 – Continuous Optimization: Compute Optimizer integrated; automatic rightsizing tickets; 100% current generation.

Level 5 – Predictive Sizing: ML-based sizing; cost-per-request as metric; self-optimizing capacity.

Terraform Checks

waf-perf-010.tf.aws.ec2-current-generation

Checks: AWS EC2 instances must not use previous-generation types (t2, m4, c4, r4).

# Compliant
resource "aws_instance" "app" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.medium"  # Current generation
  tags = {
    sizing-reviewed = "2026-03-18"
    workload        = "payment-api"
  }
}
# Non-Compliant
resource "aws_instance" "app" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.medium"  # Previous generation – WAF-PERF-010 Violation
}

Remediation: Migrate previous-generation instances: t2.* → t3.* (or t4g.*, which is Graviton/arm64 and needs an arm64 AMI and arm64 builds of the workload), m4.* → m6i.*, c4.* → c6i.*, r4.* → r6i.*. Consult Compute Optimizer before migration. Changing the instance type of an EBS-backed instance requires a stop and start, so it is a short outage rather than an online change: data on instance store volumes is lost and a non-Elastic public IPv4 address changes. Rotate instances behind a load balancer or use a maintenance window.

waf-perf-010.tf.google.gce-machine-type-validated

Checks: GCP compute instances must not use N1-series machine types (n1-standard-*, n1-highmem-*, n1-highcpu-* and N1 custom shapes).

# Compliant
resource "google_compute_instance" "app" {
  machine_type = "n2-standard-2"  # Current generation
}
# Non-Compliant
resource "google_compute_instance" "app" {
  machine_type = "n1-standard-2"  # N1 outdated – WAF-PERF-010 Violation
}
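One way to implement both checks above, plus the sizing-reviewed tag requirement, as a CI step (added example, not the WAF++ project's own checker): the script scans Terraform sources for aws_instance and google_compute_instance blocks, flags the families named by the two checks, and flags a missing or stale sizing-reviewed tag/label. The 92-day freshness window (one quarter) is an assumption of this example, as is the expectation that GCP resources carry the tag in a labels block. The sample Terraform is constructed from the page's examples plus extra cases; it is not a real repository. Values that are not string literals (var.*, locals) cannot be judged from source and are reported as unresolved; rerun the check on `terraform show -json` output for those.

```python
"""CI check for WAF-PERF-010 over Terraform sources (added example; not the
WAF++ project's own checker). Flags previous-generation EC2 families, GCP N1
machine types, and missing or stale sizing-reviewed tags/labels. The 92-day
freshness window (one quarter) is an assumption of this example."""
from datetime import date, timedelta
import re
import sys

PREVIOUS_GEN_AWS = {"t2", "m4", "c4", "r4"}   # families named by the check
GCP_OUTDATED_PREFIX = "n1-"                   # n1-standard-*, n1-custom-*, ...
TAG_KEY = "sizing-reviewed"
REVIEW_MAX_AGE = timedelta(days=92)           # assumption: one quarter

RESOURCE_RE = re.compile(
    r'resource\s+"(aws_instance|google_compute_instance)"\s+"([^"]+)"\s*\{')


def block_end(text, open_idx):
    """Index one past the '}' matching text[open_idx]; braces inside string
    literals are ignored."""
    depth, in_str, i = 0, False, open_idx
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced braces in Terraform source")


def literal(body, name):
    """Value of `name = "..."` (key optionally quoted) if it is a string
    literal, else None."""
    m = re.search(r'\b' + re.escape(name) + r'"?\s*=\s*"([^"]*)"', body)
    return m.group(1) if m else None


def resources(hcl):
    for m in RESOURCE_RE.finditer(hcl):
        end = block_end(hcl, m.end() - 1)
        yield m.group(1), m.group(2), hcl[m.end():end - 1]


def check(hcl, today):
    """Return (address, rule, message) findings for one .tf source."""
    findings = []
    for rtype, name, body in resources(hcl):
        addr = f"{rtype}.{name}"
        key = "instance_type" if rtype == "aws_instance" else "machine_type"
        value = literal(body, key)
        if value is None:
            # var.x / locals cannot be judged from source; rerun on plan JSON.
            findings.append((addr, "unresolved", f"{key} is not a string literal"))
        elif rtype == "aws_instance" and value.split(".", 1)[0] in PREVIOUS_GEN_AWS:
            findings.append((addr, "ec2-current-generation", f"{value} is previous generation"))
        elif rtype == "google_compute_instance" and value.startswith(GCP_OUTDATED_PREFIX):
            findings.append((addr, "gce-machine-type-validated", f"{value} is N1 series"))
        reviewed = literal(body, TAG_KEY)   # in tags {} (AWS) or labels {} (GCP)
        if reviewed is None:
            findings.append((addr, "sizing-reviewed-tag", "tag missing"))
        else:
            try:
                when = date.fromisoformat(reviewed)
            except ValueError:
                findings.append((addr, "sizing-reviewed-tag", f"not a YYYY-MM-DD date: {reviewed!r}"))
            else:
                if today - when > REVIEW_MAX_AGE:
                    findings.append((addr, "sizing-reviewed-tag",
                                     f"review from {when} is older than {REVIEW_MAX_AGE.days} days"))
    return findings


# Constructed sample, not a real repository.
SAMPLE_TF = '''
resource "aws_instance" "app" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.medium"
  tags = { sizing-reviewed = "2026-03-18", workload = "payment-api" }
}
resource "aws_instance" "legacy" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.medium"
}
resource "aws_instance" "stale" {
  instance_type = "t3.large"
  tags = { "sizing-reviewed" = "2025-01-10" }
}
resource "aws_instance" "dynamic" {
  instance_type = var.instance_type
  tags = { sizing-reviewed = "2026-03-01" }
}
resource "google_compute_instance" "app" {
  machine_type = "n1-standard-2"
}
resource "google_compute_instance" "current" {
  machine_type = "n2-standard-2"
  labels = { sizing-reviewed = "2026-02-01" }
}
'''


def run_sample(today=date(2026, 4, 1)):
    return check(SAMPLE_TF, today)


if __name__ == "__main__":
    # usage: python waf_perf_010_check.py main.tf compute.tf  (no args: sample)
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_TF]
    found = [f for src in sources for f in check(src, date.today())]
    for addr, rule, msg in found:
        print(f"{addr}: [{rule}] {msg}")
    sys.exit(1 if found else 0)             # any finding fails the pipeline
```

Run against the sample with 2026-04-01 as the review date, the compliant t3.medium and the n2-standard-2 with a 59-day-old label pass; the t2.medium and the n1-standard-2 each produce two findings (wrong generation and no tag), the t3.large fails only on its stale tag, and the var-driven instance is reported as unresolved rather than silently passing.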

Evidence

Config (✅ Required): Sizing document or ADR section with measured CPU/memory baselines.

IaC (✅ Required): Terraform configuration with current instance generation and sizing-reviewed tag.

Process (Optional): Quarterly sizing review report with rightsizing actions.

Config (Optional): Export from AWS Compute Optimizer, Azure Advisor or GCP Recommender.

Regulatory Mapping

ISO/IEC 25010:2011: 8.3.2 – Performance efficiency; 8.3.2.1 – Time behaviour; 8.3.2.2 – Resource utilisation; 8.3.2.3 – Capacity

AWS Well-Architected Framework: Performance Efficiency Pillar – Select the right resource types and sizes

Azure Well-Architected Framework: Performance Efficiency – Choose the right resources

Google Cloud Architecture Framework: Performance optimization – Right-size your instances

TOGAF 10: ADM Phase B – Business architecture; ADM Phase C – Application architecture

DORA: DORA 2024 – Technical practices; DORA 2024 – Performance monitoring

ISO/IEC 29119: 4.4.3 – Test design techniques; 4.5.3 – Test execution

ISO/IEC 12207: 8.2.2.3 – Design and development of software

ITIL 4: SVS – Service value system; DP – Design principle

BSI C5:2020: OPS-01 – Capacity management: planning; OPS-02 – Capacity management: monitoring

CIS Controls v8: CIS 8 – Audit Log Management

NIST SP 800-53: RA-1 – Risk assessment policy and procedures; RA-2 – Security categorization

NIST CSF 2.0: DE.CM – Continuous monitoring; DE.AE – Adverse event analysis

FedRAMP: RA-2, RA-5 (Moderate/High baseline)

SOC 2 Type II: CC6.1 – Logical access security software; CC7.1 – Infrastructure and software monitoring

TISAX: Information security – Performance monitoring

ANSSI SecNumCloud: Domain – Performance monitoring

BIO: BIO – Prestatiedoelstellingen (performance objectives)

ENS High: op.exp.2 – Security configuration

UK NCSC CAF: B4 – System security; B5 – Resilient networks and systems

CMMC 2.0: RA.L2-3.8.1 – Automated monitoring

IRAP: ISM – Performance monitoring

CCCS PBMM: RA-2 – Security categorization; RA-5 – Vulnerability scanning

MAS TRM: Ch.5 – Technology risk governance

ISMAP: Performance monitoring and validation

FISC: Technical measures – Performance monitoring

Best Practice