Controls (WAF-SUS)
The Sustainability pillar is operationalized through 10 measurable controls.
Each control has a unique ID in the format WAF-SUS-NNN, a severity rating,
machine-readable YAML checks and a maturity level breakdown.
The YAML source files are located under modules/controls/controls/WAF-SUS-*.yml
and can be executed directly by the WAF++ Checker Tool.
Controls Overview
| Control ID | Title | Severity | Category |
|---|---|---|---|
| WAF-SUS-010 | Carbon Footprint Measurement & Reporting | High | Carbon Measurement |
| WAF-SUS-020 | Energy-Efficient Compute Selection | High | Compute Efficiency |
| WAF-SUS-030 | Green Region & Carbon-Aware Workload Placement | Medium | Region Selection |
| WAF-SUS-040 | Idle & Underutilized Resource Elimination | High | Resource Efficiency |
| WAF-SUS-050 | Storage Lifecycle & Data Minimization | Medium | Storage Efficiency |
| WAF-SUS-060 | Workload Scheduling & Time-Shifting | Low | Workload Scheduling |
| WAF-SUS-070 | Sustainable Software Design Standards | Medium | Software Efficiency |
| WAF-SUS-080 | Network & Data Transfer Efficiency | Medium | Network Efficiency |
| WAF-SUS-090 | ESG Reporting & Compliance Automation | Medium | ESG Reporting |
| WAF-SUS-100 | Sustainability Debt Register & Quarterly Review | Low | Sustainability Governance |
Detailed Descriptions
WAF-SUS-010 – Carbon Footprint Measurement & Reporting
Severity: High | Category: Carbon Measurement | Automatable: High
Organizations MUST measure and report the CO₂ emissions of their cloud workloads. Cloud provider carbon footprint tools (AWS Customer Carbon Footprint Tool, Azure Emissions Impact Dashboard, GCP Carbon Footprint) MUST be activated and evaluated at least monthly. Emission data MUST be linked to workload tags and retained for ESG reporting.
CSRD Relevance: High — ESRS E1-6 explicitly requires Scope 3 emissions including cloud IT.
WAF-SUS-020 – Energy-Efficient Compute Selection
Severity: High | Category: Compute Efficiency | Automatable: High
All compute resources MUST prefer energy-efficient processor architectures (ARM64/Graviton for AWS, Ampere Altra for Azure, T2A for GCP). AWS Lambda functions MUST use arm64. EC2 instances MUST NOT use previous-generation families (t2, m4, c4, r4) for new deployments. ARM/Graviton delivers 20–40% better performance-per-watt compared to equivalent x86 instances.
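The WAF-SUS-020 rules for EC2 families and Lambda architecture can be evaluated against a Terraform plan before anything is deployed. The following is an added example, not the WAF++ Checker Tool's YAML check; it assumes input in the shape of `terraform show -json` output, and the sample plan and the function name `check_waf_sus_020` are constructed for illustration.

```python
# Previous-generation EC2 families named by WAF-SUS-020.
PREVIOUS_GEN_FAMILIES = {"t2", "m4", "c4", "r4"}

# Constructed sample in the shape of the `resource_changes` list of a plan.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_instance.api", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"instance_type": "m4.large"}}},
        {"address": "aws_instance.worker", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"instance_type": "m7g.large"}}},
        {"address": "aws_instance.legacy", "type": "aws_instance",
         "change": {"actions": ["no-op"], "after": {"instance_type": "t2.micro"}}},
        {"address": "aws_lambda_function.resize", "type": "aws_lambda_function",
         "change": {"actions": ["create"], "after": {"architectures": ["arm64"]}}},
        {"address": "aws_lambda_function.report", "type": "aws_lambda_function",
         "change": {"actions": ["create"], "after": {}}},
        {"address": "aws_instance.old", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
    ]
}


def check_waf_sus_020(plan):
    """Return sorted (address, reason) findings for a Terraform plan dict."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:  # resource is being deleted, nothing to evaluate
            continue
        if rc["type"] == "aws_instance":
            # The control restricts new deployments, so only "create" counts
            # (a replace is ["delete", "create"] and is therefore included).
            if "create" not in change.get("actions", []):
                continue
            family = (after.get("instance_type") or "").split(".")[0].lower()
            if family in PREVIOUS_GEN_FAMILIES:
                findings.append((rc["address"], f"previous-generation family {family}"))
        elif rc["type"] == "aws_lambda_function":
            # The AWS provider defaults to x86_64 when architectures is unset.
            archs = after.get("architectures") or ["x86_64"]
            if archs != ["arm64"]:
                findings.append((rc["address"], f"architecture {archs[0]}, not arm64"))
    return sorted(findings)
```

The existing `t2.micro` instance is not reported because its action is `no-op`; the Lambda function with no `architectures` attribute is reported because the unset value resolves to x86_64.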
WAF-SUS-030 – Green Region & Carbon-Aware Workload Placement
Severity: Medium | Category: Region Selection | Automatable: Medium
Workloads without data residency requirements MUST take the carbon intensity of cloud regions into account in placement decisions. Region selection decisions MUST document sustainability aspects. Batch workloads with flexible placement MUST evaluate green region alternatives.
Emission potential: The same workload in eu-north-1 instead of ap-east-1 can emit 60–80% less CO₂.
WAF-SUS-040 – Idle & Underutilized Resource Elimination
Severity: High | Category: Resource Efficiency | Automatable: High
All compute resources MUST be monitored for utilization. Resources with CPU < 5% for 14+ days MUST be flagged as idle and subjected to a stop/terminate review. Non-production environments MUST have scheduled shutdown policies. Autoscaling MUST be configured for all stateless workloads.
Typical impact: 30–45% of cloud compute runs idle — elimination = direct emission reduction.
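The idle rule in WAF-SUS-040 (CPU below 5% for 14 or more days) needs care around missing data and short bursts. The following is an added example, not the WAF++ Checker Tool's own check; the use of one CPU figure per day is an assumption (the control does not name a statistic), and the resource IDs and series are constructed.

```python
from datetime import date, timedelta

IDLE_CPU_PERCENT = 5.0  # threshold from WAF-SUS-040
IDLE_DAYS = 14          # minimum consecutive idle days from WAF-SUS-040


def idle_streak(daily_cpu, today):
    """Count consecutive days, ending yesterday, with CPU below the threshold.

    daily_cpu maps date -> CPU percent for that day. A missing day ends the
    streak: absence of metrics is not evidence that the resource was idle.
    """
    streak = 0
    day = today - timedelta(days=1)
    while day in daily_cpu and daily_cpu[day] < IDLE_CPU_PERCENT:
        streak += 1
        day -= timedelta(days=1)
    return streak


def flag_idle(fleet, today):
    """Return sorted resource IDs that qualify for a stop/terminate review."""
    return sorted(rid for rid, series in fleet.items()
                  if idle_streak(series, today) >= IDLE_DAYS)


def _series(today, days, value, overrides=None):
    """Build a constructed series; an override of None removes that day."""
    s = {today - timedelta(days=n): value for n in range(1, days + 1)}
    for n, v in (overrides or {}).items():
        if v is None:
            s.pop(today - timedelta(days=n))
        else:
            s[today - timedelta(days=n)] = v
    return s


TODAY = date(2024, 6, 1)  # constructed reference date
SAMPLE_FLEET = {          # constructed resource IDs and metrics
    "i-idle": _series(TODAY, 20, 1.2),             # 20 quiet days
    "i-burst": _series(TODAY, 20, 2.0, {6: 40.0}),  # one busy day 6 days ago
    "i-new": _series(TODAY, 10, 0.5),              # only 10 days of data
    "i-gap": _series(TODAY, 20, 1.0, {3: None}),    # metrics missing 3 days ago
    "i-busy": _series(TODAY, 20, 35.0),
}
```

Only `i-idle` is flagged: the burst, the short history and the metrics gap each stop the streak before it reaches 14 days.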
WAF-SUS-050 – Storage Lifecycle & Data Minimization
Severity: Medium | Category: Storage Efficiency | Automatable: High
All storage resources (S3, EBS, Azure Blob, GCS) MUST have lifecycle policies. Data MUST be automatically transitioned into cost-efficient cold storage tiers. Log data MUST have retention limits. Temporary data MUST have expiration dates.
GDPR synergy: Data minimization is both a sustainability and a GDPR Art. 5 requirement.
WAF-SUS-060 – Workload Scheduling & Time-Shifting
Severity: Low | Category: Workload Scheduling | Automatable: Medium
Batch workloads, report generation and data processing pipelines MUST be scheduled for off-peak hours (22:00–06:00 UTC). Flexible time windows SHOULD be activated for all non-latency-sensitive jobs. Carbon intensity APIs MAY be integrated for dynamic scheduling.
Emission potential: Temporal shifting can reduce batch emissions by 20–60%.
WAF-SUS-070 – Sustainable Software Design Standards
Severity: Medium | Category: Software Efficiency | Automatable: Partial
Software MUST be designed with energy efficiency as an explicit quality attribute. ADRs MUST include energy efficiency considerations. Dependencies MUST be reviewed for efficiency. SCI SHOULD be measured for critical workloads.
SCI formula: SCI = ((E × I) + M) / R — measures gCO₂e per functional unit.
WAF-SUS-080 – Network & Data Transfer Efficiency
Severity: Medium | Category: Network Efficiency | Automatable: High
All data transfers MUST be designed for minimal network load. CDN MUST be used for all user-facing static content. HTTP compression MUST be enabled for all API responses > 1KB. VPC endpoints MUST be used for AWS service communication.
Quick win: Activate CDN compression = 60–80% transfer reduction without code changes.
WAF-SUS-090 – ESG Reporting & Compliance Automation
Severity: Medium | Category: ESG Reporting | Automatable: Medium
Organizations subject to CSRD MUST have documented processes for collecting and reporting cloud IT emissions as Scope 3 GHG inventory. Cloud IT emission data MUST be exported at least quarterly. CSRD emission reduction targets MUST be documented and tracked.
CSRD obligation: For in-scope organizations this control is not a recommendation — it is law.
WAF-SUS-100 – Sustainability Debt Register & Quarterly Review
Severity: Low | Category: Sustainability Governance | Automatable: Low
Organizations MUST maintain a sustainability debt register that documents all known gaps between current state and target state. The register MUST be reviewed at least quarterly. Each entry MUST contain estimated CO₂ impact, owner and target resolution date.
CSRD governance evidence: An active debt register is evidence for CSRD governance requirements.