WAF++

WAF-PERF-010 – Compute Instance Type & Sizing Validated

Description

All compute resources MUST use current instance generations. Sizing decisions MUST be based on measured CPU/memory/network baselines, not on intuition. Over-provisioned resources (CPU avg < 20% sustained) and under-provisioned resources (CPU P95 > 80% for non-auto-scaling workloads) MUST be reviewed quarterly.

No instance type upgrade without performance measurement. No instance type downgrade without risk analysis.

Rationale

Incorrectly sized instances are the most common cause of simultaneous performance problems and cost waste. Over-provisioned instances waste budget; under-provisioned instances cause latency spikes under load. Previous-generation instances (t2, m4, c4) offer up to 30% worse price-performance than current generations and should be migrated.

Cloud provider sizing recommendations (Compute Optimizer, Azure Advisor, GCP Recommender) provide data-driven rightsizing recommendations. These MUST be included in the quarterly review.

Threat Context

Performance Degradation Under Load: Under-provisioned instances saturate CPU/memory during load spikes – timeouts and errors cascade.

Cost Waste: Over-provisioned instances with < 10% CPU utilization pay for unused capacity.

Previous-Generation Risk: t2/m4 instances have burst mechanics and worse baseline performance; t3/m6i are better and cheaper.

Undocumented Sizing: If nobody knows why an instance size was chosen, it will never be optimized.

Requirement

  • All production compute resources MUST use current instance generations

  • Sizing decisions MUST be supported by measured baselines (sizing document or ADR)

  • Quarterly review MUST take place; result documented in a sizing report

  • Instance type selection MUST carry the sizing-reviewed tag with review date

Implementation Guidance

  1. Collect baseline metrics: 2–4 weeks of CPU/memory/network data from CloudWatch/Azure Monitor/GCP Monitoring

  2. Activate Compute Optimizer: Enable AWS Compute Optimizer, Azure Advisor or GCP Recommender

  3. Create sizing document: docs/sizing/<service>.yml with measured values and rationale

  4. Update IaC: Declare current instance generation in Terraform; set sizing-reviewed tag

  5. CI validation: WAF++ check for previous-generation instances in CI pipeline

  6. Quarterly review: Regular repetition; include cloud provider recommendations

Maturity Levels

Level 1 – Ad-hoc Sizing: No sizing documentation; previous-generation instances widespread; no review process.

Level 2 – Experience-based: Instance size chosen from experience; occasional reviews; partially documented.

Level 3 – Measured Baseline: Data-driven sizing for production; ADR/sizing document; quarterly review; >= 90% current generation.

Level 4 – Continuous Optimization: Compute Optimizer integrated; automatic rightsizing tickets; 100% current generation.

Level 5 – Predictive Sizing: ML-based sizing; cost-per-request as metric; self-optimizing capacity.

Terraform Checks

waf-perf-010.tf.aws.ec2-current-generation

Checks: AWS EC2 instances must not use previous-generation types (t2, m4, c4, r4).

# Compliant
resource "aws_instance" "app" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.medium"
  tags = {
    sizing-reviewed = "2026-03-18"
    workload        = "payment-api"
  }
}
# Non-Compliant
resource "aws_instance" "app" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t2.medium"  # Previous generation – WAF-PERF-010 Violation
}

Remediation: Migrate previous-generation instances: t2.* → t3.* or t4g.*, m4.* → m6i.*, c4.* → c6i.*. Consult Compute Optimizer before migration. Migration is an in-place instance type change (requires a stop/start of the instance).

waf-perf-010.tf.google.gce-machine-type-validated

Checks: GCP compute instances must not use N1 series.

# Compliant
resource "google_compute_instance" "app" {
  machine_type = "n2-standard-2"  # Current generation
}
# Non-Compliant
resource "google_compute_instance" "app" {
  machine_type = "n1-standard-2"  # N1 outdated – WAF-PERF-010 Violation
}
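The CI validation from step 5 of the implementation guidance, as an added example that is not WAF++'s own tooling: a Python check that reads `terraform show -json` plan output and flags the previous-generation families listed above (t2, m4, c4, r4 for AWS; N1 for GCP) as well as missing or stale sizing-reviewed tags. It assumes the tag holds an ISO date and that a review older than 90 days counts as stale; the sample plan is constructed.

```python
from datetime import date, timedelta

# Previous-generation families named by the control (AWS) and the N1 series (GCP).
PREVIOUS_GEN_AWS = {"t2", "m4", "c4", "r4"}
PREVIOUS_GEN_GCP = {"n1"}
REVIEW_WINDOW_DAYS = 90  # assumption: quarterly review, so a tag older than 90 days is stale


def check_plan(plan: dict, today_iso: str) -> list[str]:
    """Return one finding per violation in the plan; an empty list means compliant."""
    today = date.fromisoformat(today_iso)
    findings = []
    # Terraform's JSON plan lists planned resources under planned_values.root_module.
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        addr, vals = res["address"], res.get("values") or {}
        if res["type"] == "aws_instance":
            itype = vals.get("instance_type", "")
            if itype.split(".")[0] in PREVIOUS_GEN_AWS:
                findings.append(f"{addr}: previous-generation type {itype}")
            reviewed = (vals.get("tags") or {}).get("sizing-reviewed")
            if reviewed is None:
                findings.append(f"{addr}: missing sizing-reviewed tag")
                continue
            try:
                age = today - date.fromisoformat(reviewed)
            except ValueError:
                findings.append(f"{addr}: sizing-reviewed tag {reviewed!r} is not an ISO date")
                continue
            if age > timedelta(days=REVIEW_WINDOW_DAYS):
                findings.append(f"{addr}: sizing review stale ({age.days} days old)")
        elif res["type"] == "google_compute_instance":
            mtype = vals.get("machine_type", "")
            if mtype.split("-")[0] in PREVIOUS_GEN_GCP:
                findings.append(f"{addr}: outdated series {mtype}")
    return findings


# Constructed sample plan: a compliant t3, an untagged t2, and an N1 machine.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_instance.app", "type": "aws_instance", "values": {
        "instance_type": "t3.medium",
        "tags": {"sizing-reviewed": "2026-03-18", "workload": "payment-api"}}},
    {"address": "aws_instance.legacy", "type": "aws_instance", "values": {
        "instance_type": "t2.medium", "tags": {}}},
    {"address": "google_compute_instance.app", "type": "google_compute_instance",
     "values": {"machine_type": "n1-standard-2"}},
]}}}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, "2026-04-01"):
        print("WAF-PERF-010:", finding)
```

In a pipeline, feed it the output of `terraform show -json tfplan` and fail the job when the returned list is non-empty.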

Evidence

Config (Required): Sizing document or ADR section with measured CPU/memory baselines.

IaC (Required): Terraform configuration with current instance generation and sizing-reviewed tag.

Process (Optional): Quarterly sizing review report with rightsizing actions.

Config (Optional): Export from AWS Compute Optimizer, Azure Advisor or GCP Recommender.