WAF++

Evidence & Audit – Performance Efficiency

This page lists, per WAF-PERF control, the evidence an auditor expects to see, in an overview format suitable for audits. Evidence should be traceable to what is actually deployed: IaC by repository and commit, console exports and screenshots by date, account/subscription and region.

Evidence Types

| Type | Description |
|---|---|
| IaC | Terraform code or equivalent infrastructure-as-code artifacts that prove a compliant configuration. |
| Config | Screenshots, exports, or API outputs from cloud consoles or monitoring tools. |
| Governance | Documents, policies, strategy papers, or meeting minutes that demonstrate processes and decisions. |
| Process | Evidence of regularly performed processes: reports, tickets, calendar entries, review minutes. |

Required Evidence per Control

WAF-PERF-010 – Compute Sizing

| Type | Required | Description |
|---|---|---|
| Governance | ✅ Required | Sizing document or ADR section with measured CPU/memory baselines and a justification of the chosen instance type. |
| IaC | ✅ Required | Terraform configuration using a current instance generation with the size declared explicitly. |
| Process | Optional | Quarterly sizing review report listing over- and under-provisioned resources. |
| Config | Optional | Export from AWS Compute Optimizer, Azure Advisor, or GCP Recommender. |

WAF-PERF-020 – Auto-Scaling

| Type | Required | Description |
|---|---|---|
| IaC | ✅ Required | Auto-scaling configuration with min/desired/max and scaling policy. |
| Process | ✅ Required | Load test results demonstrating that auto-scaling triggers within the latency SLO. |
| Config | Optional | CloudWatch/Azure Monitor/GCP Cloud Monitoring alerts for scaling events. |
| Governance | Optional | Runbook with documented scaling limits and known bottlenecks. |

WAF-PERF-030 – Caching

| Type | Required | Description |
|---|---|---|
| Governance | ✅ Required | Caching strategy document with layer definitions, TTL policies, and the invalidation mechanism. |
| IaC | ✅ Required | Terraform configuration for ElastiCache/Azure Cache for Redis/Memorystore and for the CDN, including cache rules. |
| Config | Optional | Cache hit rate dashboard showing that the target is met (>= 80% for the application cache). |
| Process | Optional | Cache invalidation runbook for data mutations. |

WAF-PERF-040 – Database Performance

| Type | Required | Description |
|---|---|---|
| Config | ✅ Required | Performance Insights or slow query log configuration (active on production databases). |
| Governance | ✅ Required | Index strategy document for high-frequency queries. |
| Process | Optional | Monthly slow query review report with action items. |
| Config | Optional | Query performance baseline (P50/P95/P99 for the top-20 queries). |

WAF-PERF-050 – SLOs & Monitoring

| Type | Required | Description |
|---|---|---|
| Governance | ✅ Required | SLO document for all production services (SLI definition, SLO targets, error budget policy). |
| Config | ✅ Required | Monitoring/APM configuration with SLI instrumentation and SLO alerting rules. |
| Config | Optional | SLO compliance dashboard with historical trends and current error budget status. |
| Process | Optional | Quarterly SLO review report with adjustments. |

WAF-PERF-060 – Load Tests

| Type | Required | Description |
|---|---|---|
| IaC / Code | ✅ Required | Load test scripts (k6/Gatling/Locust) with explicit acceptance criteria in version control. |
| Process | ✅ Required | CI/CD pipeline configuration with the load test as a deployment gate. |
| Config | Optional | Historical load test results across multiple releases as a regression baseline. |
| Governance | Optional | Performance test strategy document with scenarios, acceptance criteria, and execution cadence. |
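As an added example (not part of the WAF++ page or of any WAF++ tooling), the following script is the kind of deployment gate the two required artifacts above describe: the acceptance criteria are a small text file committed next to the k6 script, the CI job runs `k6 run --summary-export=summary.json` and then this gate, and a non-zero exit status blocks the deployment. The criteria file format, the `SAMPLE_SUMMARY` and the counts in it are constructed for illustration; the summary only mirrors the shape of k6's export (a `metrics` map with Trend statistics such as `p(95)` and Rate metrics carrying `value`), and percentiles beyond k6's defaults such as `p(99)` have to be enabled via `summaryTrendStats` for the script to find them.

```python
"""Load test deployment gate for WAF-PERF-060 (added example, not WAF++ tooling).

Usage in CI, after the load test step:
    python perf_gate.py summary.json perf/acceptance.txt
Exit status 0 lets the deployment proceed, 1 blocks it.
"""
import json
import operator
import re
import sys

# perf/acceptance.txt as it would be committed next to the k6 script (assumed format:
# one "<metric>.<stat> <op> <number>" per line, '#' starts a comment).
ACCEPTANCE_CRITERIA = """
# latency SLO: p95 < 500 ms, p99 < 1200 ms at target load
http_req_duration.p(95) < 500
http_req_duration.p(99) < 1200
# at most 1% failed requests, at least 99% of functional checks passing
http_req_failed.value  < 0.01
checks.value           >= 0.99
"""

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_RULE = re.compile(r"^(?P<metric>\w+)\.(?P<stat>[\w()]+)\s*(?P<op><=|>=|<|>)\s*(?P<limit>\d+(?:\.\d+)?)$")


def parse_criteria(text):
    """Parse criteria into (metric, stat, op, limit) tuples; a malformed line is an error, not a skip."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"malformed acceptance criterion: {raw!r}")
        rules.append((m["metric"], m["stat"], m["op"], float(m["limit"])))
    return rules


def evaluate(summary, rules):
    """Return (gate_passed, report_lines). A metric absent from the summary fails the
    gate, so an aborted or empty run cannot pass as 'no violations'."""
    passed_all, report = True, []
    metrics = summary.get("metrics", {})
    for metric, stat, op, limit in rules:
        actual = metrics.get(metric, {}).get(stat)
        if actual is None:
            passed_all = False
            report.append(f"FAIL {metric}.{stat} {op} {limit}: not reported by k6")
            continue
        ok = _OPS[op](actual, limit)
        passed_all = passed_all and ok
        report.append(f"{'PASS' if ok else 'FAIL'} {metric}.{stat}={actual} {op} {limit}")
    return passed_all, report


# Constructed summary in the shape of k6's --summary-export output (not a real run):
# 48 of 12000 requests failed, 120 of 24000 checks failed, p99 breaches the SLO.
SAMPLE_SUMMARY = {"metrics": {
    "http_req_duration": {"avg": 210.4, "med": 180.1, "p(90)": 340.0, "p(95)": 412.7, "p(99)": 1350.2},
    "http_req_failed": {"value": 0.004, "passes": 48, "fails": 11952},
    "checks": {"value": 0.995, "passes": 23880, "fails": 120},
}}


def gate(summary, criteria_text=ACCEPTANCE_CRITERIA):
    """Exit status for CI: 0 when every criterion holds, 1 otherwise."""
    passed, report = evaluate(summary, parse_criteria(criteria_text))
    for line in report:
        print(line)
    return 0 if passed else 1


if __name__ == "__main__":
    summary = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SUMMARY
    criteria = open(sys.argv[2]).read() if len(sys.argv) > 2 else ACCEPTANCE_CRITERIA
    sys.exit(gate(summary, criteria))
```

Two design points matter for audit value: the criteria file is reviewed in the same pull request as the test script, so a loosened threshold leaves a trace, and a missing metric is a failure rather than a pass, so a run that crashed before producing numbers cannot silently satisfy the gate.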

WAF-PERF-070 – Network Performance

| Type | Required | Description |
|---|---|---|
| IaC | ✅ Required | Terraform configuration with CDN and VPC/private endpoints for cloud service access. |
| Governance | ✅ Required | Network topology diagram with service placement, AZ distribution, and traffic routing. |
| Config | Optional | Network latency baselines (service-to-service RTT per AZ combination). |
| Process | Optional | CDN cache hit rate report. |

WAF-PERF-080 – Serverless & Managed Services

| Type | Required | Description |
|---|---|---|
| IaC | ✅ Required | Terraform configuration for Lambda/functions with explicit memory, timeout, and concurrency settings. |
| Governance | ✅ Required | Documentation of the rationale for adopting serverless for variable workloads. |
| Config | Optional | Lambda Power Tuning results or an equivalent memory optimization analysis. |
| Process | Optional | Cost comparison of serverless vs. EC2/container for spiky workloads. |

WAF-PERF-090 – Storage I/O

| Type | Required | Description |
|---|---|---|
| IaC | ✅ Required | Terraform configuration with explicit storage type, IOPS, and throughput settings. |
| Config | ✅ Required | Monitoring configuration for storage I/O alerts (queue depth, throughput, burst balance). |
| Process | Optional | Storage I/O baseline with P95/P99 queue depth and throughput utilization. |
| Governance | Optional | Storage tier selection guidelines by workload type. |
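The required IaC evidence for WAF-PERF-020 (min/desired/max plus a scaling policy), WAF-PERF-080 (explicit memory, timeout and concurrency) and WAF-PERF-090 (explicit storage type, IOPS and throughput) can be checked mechanically instead of by reading `.tf` files. The following script is an added example, not part of the WAF++ page or of any WAF++ tooling. It reads the JSON that `terraform show -json tfplan` produces and uses two parts of it: `configuration` lists only attributes actually written in the configuration (provider defaults are absent there, which is what "explicit declaration" means for an auditor), and `planned_values` carries the effective values for range checks. The mapping of resource types to controls, the gp3 expectation for EBS volumes, and `SAMPLE_PLAN` are this example's own assumptions, constructed for illustration.

```python
"""IaC evidence check for WAF-PERF-020/-080/-090 (added example, not WAF++ tooling).

Usage:  terraform show -json tfplan > plan.json && python iac_evidence_check.py plan.json
Exit status 1 and one finding per line when a required declaration is missing.
"""
import json
import sys

# Assumed mapping: resource type -> (control, attributes the control text requires explicitly).
REQUIRED_EXPLICIT = {
    "aws_autoscaling_group": ("WAF-PERF-020", ("min_size", "max_size", "desired_capacity")),
    "aws_lambda_function": ("WAF-PERF-080", ("memory_size", "timeout", "reserved_concurrent_executions")),
    "aws_ebs_volume": ("WAF-PERF-090", ("type", "iops", "throughput")),
}


def iter_config(module):
    """Resources of the configuration tree, descending into module calls."""
    yield from module.get("resources", [])
    for call in module.get("module_calls", {}).values():
        yield from iter_config(call.get("module", {}))


def iter_planned(module):
    """Resources of the planned_values tree, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_planned(child)


def audit_plan(plan):
    """Return a list of findings; an empty list means the checked controls hold for this plan."""
    explicit, policy_targets = {}, set()
    for res in iter_config(plan.get("configuration", {}).get("root_module", {})):
        if res.get("mode", "managed") != "managed":
            continue
        exprs = res.get("expressions", {})
        explicit[(res["type"], res["name"])] = set(exprs)  # attribute names written in the .tf file
        if res["type"] == "aws_autoscaling_policy":
            # references look like ["aws_autoscaling_group.web.name", "aws_autoscaling_group.web"]
            policy_targets.update(exprs.get("autoscaling_group_name", {}).get("references", []))

    findings = []
    for res in iter_planned(plan.get("planned_values", {}).get("root_module", {})):
        rtype, name = res["type"], res["name"]
        if res.get("mode", "managed") != "managed" or rtype not in REQUIRED_EXPLICIT:
            continue
        control, attrs = REQUIRED_EXPLICIT[rtype]
        addr, values = f"{rtype}.{name}", res.get("values", {})
        missing = [a for a in attrs if a not in explicit.get((rtype, name), set())]
        if missing:
            findings.append(f"{control} {addr}: not explicitly declared: {', '.join(missing)}")
        if rtype == "aws_autoscaling_group":
            lo, hi, want = (values.get(k) for k in ("min_size", "max_size", "desired_capacity"))
            if lo is not None and hi is not None and lo >= hi:
                findings.append(f"{control} {addr}: min_size {lo} >= max_size {hi}, cannot scale out")
            if None not in (lo, hi, want) and not lo <= want <= hi:
                findings.append(f"{control} {addr}: desired_capacity {want} outside [{lo}, {hi}]")
            if addr not in policy_targets:
                findings.append(f"{control} {addr}: no aws_autoscaling_policy references this group")
        elif rtype == "aws_lambda_function":
            # -1 is the provider's "unreserved" value; flagged so a reviewer decides whether that is intended.
            if values.get("reserved_concurrent_executions", -1) == -1:
                findings.append(f"{control} {addr}: concurrency left unreserved (-1)")
        elif rtype == "aws_ebs_volume":
            if values.get("type") != "gp3":
                findings.append(f"{control} {addr}: volume type {values.get('type')!r}, expected gp3")
    return findings


# Constructed plan fragment in the shape of `terraform show -json` output (not from a real stack):
# "web" is compliant, "batch" lacks desired_capacity and a policy, the function leaves
# concurrency unreserved, and the volume is gp2 without iops/throughput.
SAMPLE_PLAN = {
    "configuration": {"root_module": {"resources": [
        {"type": "aws_autoscaling_group", "name": "web", "mode": "managed", "expressions": {
            "min_size": {"constant_value": 2}, "max_size": {"constant_value": 10},
            "desired_capacity": {"constant_value": 3}}},
        {"type": "aws_autoscaling_policy", "name": "web_cpu", "mode": "managed", "expressions": {
            "autoscaling_group_name": {"references": ["aws_autoscaling_group.web.name", "aws_autoscaling_group.web"]},
            "policy_type": {"constant_value": "TargetTrackingScaling"}}},
        {"type": "aws_autoscaling_group", "name": "batch", "mode": "managed", "expressions": {
            "min_size": {"constant_value": 1}, "max_size": {"constant_value": 4}}},
        {"type": "aws_lambda_function", "name": "ingest", "mode": "managed", "expressions": {
            "memory_size": {"constant_value": 1024}, "timeout": {"constant_value": 30}}},
        {"type": "aws_ebs_volume", "name": "data", "mode": "managed", "expressions": {
            "type": {"constant_value": "gp2"}, "size": {"constant_value": 500}}},
    ]}},
    "planned_values": {"root_module": {"resources": [
        {"type": "aws_autoscaling_group", "name": "web", "mode": "managed",
         "values": {"min_size": 2, "max_size": 10, "desired_capacity": 3}},
        {"type": "aws_autoscaling_policy", "name": "web_cpu", "mode": "managed",
         "values": {"policy_type": "TargetTrackingScaling"}},
        {"type": "aws_autoscaling_group", "name": "batch", "mode": "managed",
         "values": {"min_size": 1, "max_size": 4}},
        {"type": "aws_lambda_function", "name": "ingest", "mode": "managed",
         "values": {"memory_size": 1024, "timeout": 30, "reserved_concurrent_executions": -1}},
        {"type": "aws_ebs_volume", "name": "data", "mode": "managed",
         "values": {"type": "gp2", "size": 500}},
    ]}},
}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = audit_plan(plan)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Run against a real plan, the output is itself auditable evidence: the command, the plan file and the findings can be attached to the audit ticket, and the same check can run in the pipeline so a non-compliant change is caught before it is applied. Resources are matched by type and name, so two modules declaring a resource with the same name would be conflated; extend the key with the module address if that applies to your layout.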

WAF-PERF-100 – Performance Debt Register

| Type | Required | Description |
|---|---|---|
| Governance | ✅ Required | Performance debt register with all required fields (ID, description, impact, owner, priority). |
| Process | ✅ Required | Quarterly review meeting minutes or calendar entries as evidence of regular reviews. |
| Process | Optional | Sprint/backlog entries with prioritized performance debt tickets. |
| Config | Optional | Dashboard with performance debt metrics (open entries, age distribution, paydown rate). |

Audit Checklist (Short Form)

For a quick audit overview, the following checklist can be used:

  • Sizing documentation for all production compute resources present

  • Auto-scaling configuration in IaC with min/max and scaling policy

  • Load test result as evidence of validated auto-scaling present

  • Caching strategy document created and current

  • Performance Insights or equivalent DB monitoring active

  • SLO document for all critical services present

  • CI/CD pipeline with load test gate configured

  • CDN and VPC endpoints configured in IaC

  • Lambda/functions configuration with explicit memory and timeout

  • gp3 or equivalent optimal storage types used

  • Performance debt register maintained and current

  • Quarterly review evidence present