AWS Resilience Hub Overview
- AWS Resilience Hub is a central location in the AWS Console to manage and improve the resilience of workloads on AWS.
- It helps proactively prepare and protect applications from disruptions by providing expert-level analysis and actionable guidance to achieve resilience objectives.
- Resilience Hub identifies gaps before they become incidents and provides centralized visibility into resilience posture.
- It enables defining resilience goals, assessing resilience posture against those goals, and implementing recommendations for improvement based on the AWS Well-Architected Framework and the AWS Resilience Analysis Framework.
- A built-in generative AI-driven assessment engine (multi-agent AI engine) evaluates the resilience of workloads against resilience policies, Well-Architected best practices, and the Resilience Analysis Framework to deliver actionable recommendations.
- Resilience Hub can be integrated into CI/CD pipelines to validate every build before it is released into production.
- It is part of the Management & Governance category of AWS services.
Key Features
Application/Service Definition
- Resilience Hub allows defining applications (or services in the next-generation model) by importing resources from multiple sources:
- AWS CloudFormation stacks
- Terraform state files
- Amazon EKS clusters and namespaces
- AWS Service Catalog AppRegistry (myApplications)
- AWS Resource Groups
- Resource Tags
- Each collection supports cross-Region and cross-account resources.
- The next-generation model (launched May 2026) introduces a business-level understanding with:
- Systems – represent a business application
- User Journeys – describe critical business paths
- Services – deployable units comprising AWS resources, code, and observability
- Resilience Hub automatically discovers and maps resources into a topology showing how resources connect (data flow, containment, and permissions).
Resiliency Policy with RTO/RPO Targets
- Resiliency policies define the resilience expectations for applications through modular, composable requirements.
- Policies can include:
- Service Level Objective (SLO) – e.g., 99.95% or 99.99% availability
- Recovery Time Objective (RTO) – maximum acceptable time to restore service after a disruption
- Recovery Point Objective (RPO) – maximum acceptable data loss measured in time
- Disaster Recovery strategy – aligned with RTO/RPO requirements
- Data Recovery Time Objective – time for restoring from backups
- Policies can be defined at different disruption levels:
- Application disruption
- Infrastructure disruption
- Availability Zone (AZ) disruption
- Region disruption
- Policies are reusable and can be assigned to multiple services/applications across the organization.
Assessment Against Targets
- Resilience Hub runs failure mode assessments powered by a multi-agent AI engine to uncover potential failures before they occur in production.
- The assessment engine:
- Reads current resource state
- Analyzes application topology
- Evaluates architecture against five critical failure modes: Single Points of Failure, Excessive Load, Excessive Latency, Misconfiguration, and Shared Fate
- Identifies potential failure modes and provides actionable recommendations
- Assessments compare the estimated workload RTO and RPO against the targets defined in the resiliency policy.
- Applications are rated as meeting or not meeting their policy targets.
- Two failure mode assessments per month are included per service.
Recommendations
- Resilience Hub provides both Resiliency Recommendations and Operational Recommendations:
- Resiliency Recommendations – architectural guidance for improving application resiliency (e.g., add Multi-AZ deployment, enable cross-Region replication)
- Operational Recommendations – include:
- Amazon CloudWatch Alarms – recommended alarms to monitor resilience
- Standard Operating Procedures (SOPs) – utilizing AWS Systems Manager Documents
- Chaos Experiments – using AWS Fault Injection Service (FIS)
- Recommendations include code (CloudFormation templates) for implementing tests, alarms, and SOPs that can be deployed in CI/CD pipelines.
- Each finding identifies what the failure mode is, why it matters, how to fix it, and which policy requirement it relates to.
Drift Detection
- Resilience Hub can detect drift when the actual application infrastructure deviates from the defined application description.
- Drift detection identifies when resources have been added, removed, or modified outside of the defined infrastructure-as-code templates.
- Helps ensure that the assessed state matches the deployed state, maintaining assessment accuracy.
- Integrates with CloudFormation drift detection to identify configuration changes.
Automated Dependency Discovery
- Automatically discovers AWS services, internal endpoints, and third-party endpoints that services depend on.
- Uses DNS query log analysis (VPC query logs) to identify dependencies, including:
- Unexpected cross-Region calls
- Critical third-party dependencies
- Internal service-to-service dependencies
- Provides a 35-day lookback for comprehensive dependency identification.
- Continuous scanning keeps the dependency inventory always up to date, eliminating stale point-in-time snapshots.
- Available as an optional add-on ($10 per service per month).
Testing with FIS Integration
- Resilience Hub integrates with AWS Fault Injection Service (FIS) to provide fault-injection simulations of real-world failures.
- FIS experiments recommended by Resilience Hub include:
- Network errors
- Application processing errors
- Database connection failures
- AZ disruptions
- Instance terminations
- Resilience Hub generates FIS experiment templates as CloudFormation templates that can be deployed and executed.
- Tests validate that the application meets its defined RTO/RPO targets under real failure conditions.
- FIS provides guardrails (stop conditions) to automatically roll back experiments if specific thresholds are breached.
Resiliency Score
- AWS Resilience Hub calculates a resiliency score (0-100 points) for each application based on assessment results.
- The score reflects how well the application meets its defined resiliency policy targets.
- Score components consider:
- Whether estimated RTO/RPO meets targets for each disruption type (Application, Infrastructure, AZ, Region)
- Resource-level compliance with resilience best practices
- Implementation status of recommended alarms, SOPs, and tests
- A higher score indicates better alignment with the defined resiliency policy.
- The score is visible in the Resilience Hub dashboard and can be tracked over time.
- AWS Trusted Advisor integrates with Resilience Hub to alert when application resiliency scores fall below a specific threshold.
Operational Recommendations
- Operational recommendations provide actionable implementation guidance in three categories:
Alarm Recommendations
- Resilience Hub recommends Amazon CloudWatch alarms based on the resources and components of the application configuration.
- Alarms monitor key resilience metrics and alert when thresholds are breached.
- Provides CloudFormation templates to deploy recommended alarms.
- Supports alarm detection – identifies existing CloudWatch alarms already monitoring the application and avoids duplicating them.
- Alarm recommendations are tailored to each resource type (e.g., CPU utilization for EC2, throttle events for DynamoDB, error rates for Lambda).
SOP Recommendations (Systems Manager Integration)
- Recommends Standard Operating Procedures implemented as AWS Systems Manager Documents (SSM Documents).
- SOPs cover recovery procedures such as:
- Database failover procedures
- Instance recovery steps
- Scaling procedures
- Backup restoration workflows
- SOPs can be automated using Systems Manager Automation runbooks.
- Provides code templates for immediate deployment.
Testing Recommendations (FIS Integration)
- Recommends AWS FIS experiments to validate resilience under failure conditions.
- Experiments are provided as deployable CloudFormation templates.
- Covers various failure scenarios: AZ failures, network disruptions, resource terminations.
Supported Resources
- AWS Resilience Hub supports resources from the following AWS services:
| Category | Supported Services |
|---|---|
| Compute | Amazon EC2, AWS Lambda, Amazon EKS, Amazon ECS (including Fargate), AWS Step Functions |
| Database | Amazon RDS, Amazon DynamoDB, Amazon DocumentDB, Amazon ElastiCache (Redis OSS) |
| Networking | Amazon Route 53, Elastic Load Balancing, NAT Gateway |
| Storage | Amazon EBS, Amazon EFS, Amazon S3, Amazon FSx for Windows File Server |
| Others | Amazon API Gateway, Amazon ARC, Amazon SNS, Amazon SQS, AWS Auto Scaling, AWS Backup, AWS Elastic Disaster Recovery |
- Resources that do not affect estimated workload RTO or RPO (e.g., DB parameter groups) are ignored.
- Only top-level resources are imported; child resources are derived from parent properties.
- Amazon EKS assessments support Deployments, ReplicaSets, and Pods.
Cross-Region and Cross-Account Support
- Resilience Hub supports cross-Region resource assessment – resources in different Regions can be grouped under a single Application Component.
- Supports cross-account assessment through:
- AWS Organizations integration – enables organization-wide resilience management from a single delegated administrator account
- Cross-account IAM roles – for environments not using Organizations, trust policies with ExternalId prevent confused deputy attacks
- Organization-wide reporting provides:
- Resilience posture across all AWS accounts, Regions, and organizational units
- Centralized policy management
- Assessment trends over time
- Compliance status filtering
- Eliminates the need to log in to individual accounts to assess resilience posture across the enterprise.
Integration with Other AWS Services
- AWS Fault Injection Service (FIS) – generates chaos engineering experiment templates to validate resilience
- AWS Systems Manager – provides SOPs as SSM Documents/Automation runbooks for recovery procedures
- Amazon CloudWatch – recommends and detects alarms for monitoring application resilience
- AWS CloudFormation – imports application resources and provides implementation templates
- AWS Organizations – enables multi-account, organization-wide resilience management
- AWS Trusted Advisor – surfaces Resilience Hub scores and alerts when scores fall below thresholds
- AWS Backup – assesses backup configurations as part of RPO evaluation
- AWS Elastic Disaster Recovery – assesses DR configurations for recovery validation
- Amazon Application Recovery Controller (ARC) – assesses readiness for DynamoDB global, ELB, RDS, and Auto Scaling groups
- AWS Well-Architected Tool – assessments are based on Well-Architected best practices
Comparison: Resilience Hub vs. Well-Architected Tool vs. Trusted Advisor
| Feature | AWS Resilience Hub | AWS Well-Architected Tool | AWS Trusted Advisor |
|---|---|---|---|
| Purpose | Assess and improve application resilience (RTO/RPO) | Review workloads against all 6 Well-Architected pillars | Automated best practice checks across account |
| Scope | Application-level resilience focused | Workload-level across all pillars (Reliability, Security, Performance, Cost, Operational Excellence, Sustainability) | Account-level checks (Cost, Performance, Security, Fault Tolerance, Service Limits) |
| Assessment Type | Automated AI-powered failure mode analysis against defined RTO/RPO targets | Manual questionnaire-based review with best practice guidance | Automated checks against predefined rules |
| Input | Actual infrastructure (CloudFormation, Terraform, EKS, tags) | Self-reported answers to framework questions | Automated scanning of AWS account resources |
| Output | Resiliency score, failure modes, recommendations with implementation code (alarms, SOPs, FIS tests) | Improvement plan, high/medium risk items, milestones | Check results (OK, Warning, Error) with recommendations |
| Resilience Focus | Deep – RTO/RPO targets, multi-AZ/Region DR, failure mode analysis | Broad – covers reliability pillar among other concerns | Shallow – basic fault tolerance checks (ELB, RDS Multi-AZ, backups) |
| Testing | Generates FIS experiment templates for chaos engineering | No testing capabilities | No testing capabilities |
| Dependency Discovery | Yes – automated via DNS query log analysis | No | No |
| Cross-Account | Yes – via Organizations or cross-account roles | Yes – supports multi-account via Organizations | Yes – via Organizations (organizational view) |
| CI/CD Integration | Yes – can validate builds before release | No | No |
| Pricing | $15/service/month (includes 2 assessments); optional dependency discovery $10/service/month | Free | Free (basic); full checks require Business/Enterprise Support |
Pricing
- Original Resilience Hub (legacy model):
- Free for first 3 applications for 6 months
- $15 per application per month after free period
- Next-Generation Resilience Hub (launched May 28, 2026):
- $15 per service per month – includes 2 failure mode assessments for services with ≤150 resources
- Additional resources beyond 150 – $0.10 per resource during each failure mode assessment
- Additional assessments (beyond 2 included) – $0.10 per assessed resource (minimum 50 resources billed)
- Automated Dependency Discovery – optional add-on at $10 per service per month
- Billing begins after the service is created and the first failure mode assessment is completed.
- Billing stops when the service is removed from Resilience Hub.
AWS Certification Relevance
- AWS Solutions Architect Professional (SAP-C02):
- Domain 1: Design Solutions for Organizational Complexity – multi-account resilience management
- Domain 3: Design Solutions for Reliability – defining and validating RTO/RPO targets, DR strategy assessment
- Understanding when to use Resilience Hub vs. Well-Architected Tool vs. Trusted Advisor
- AWS Solutions Architect Associate (SAA-C03):
- Domain 2: Design Resilient Architectures – understanding RTO/RPO concepts, high availability patterns
- Knowing that Resilience Hub can assess and validate disaster recovery configurations
- Understanding the integration between Resilience Hub and FIS for resilience testing
- Resilience Hub may also appear in AWS DevOps Engineer Professional and AWS SysOps Administrator exams in the context of operational resilience and chaos engineering.
AWS Resilience Hub Practice Questions
Question 1:
A company wants to validate that their multi-Region application can recover within 15 minutes (RTO) and lose no more than 5 minutes of data (RPO) during a Regional failure. They need automated assessment against these targets and recommendations for improvement. Which AWS service should they use?
- AWS Trusted Advisor
- AWS Well-Architected Tool
- AWS Resilience Hub
- AWS Config
Show Answer
Answer: 3
Explanation: AWS Resilience Hub enables defining RTO/RPO targets as resiliency policies and running automated assessments to validate whether applications can meet those targets. It provides specific architectural recommendations when targets are not met. Trusted Advisor provides basic fault tolerance checks but cannot assess against custom RTO/RPO targets. The Well-Architected Tool is questionnaire-based and does not perform automated infrastructure assessment. AWS Config tracks configuration compliance but does not assess resilience against RTO/RPO targets.
Question 2:
A solutions architect wants to implement chaos engineering to test an application’s ability to handle AZ failures. They need the testing approach to align with their defined resiliency policies and generate appropriate experiment templates. Which combination of services should they use?
- AWS Resilience Hub with AWS Fault Injection Service (FIS)
- AWS CloudFormation with AWS Config
- AWS Well-Architected Tool with Amazon CloudWatch
- AWS Systems Manager with AWS Trusted Advisor
Show Answer
Answer: 1
Explanation: AWS Resilience Hub integrates with AWS Fault Injection Service (FIS) to generate chaos engineering experiment templates based on the application’s defined resiliency policies. These templates can simulate AZ failures, network disruptions, and resource terminations. Resilience Hub provides the policy-aligned testing recommendations, while FIS executes the actual fault injection experiments with guardrails.
Question 3:
An enterprise runs 200+ applications across 15 AWS accounts. The SRE team needs to establish consistent resilience standards, assess all applications from a central location, and report compliance to stakeholders. Which approach provides centralized multi-account resilience management?
- Deploy AWS Config rules in each account with an aggregator
- Use AWS Resilience Hub with AWS Organizations integration
- Create Well-Architected reviews for each application in each account
- Use AWS Trusted Advisor organizational view
Show Answer
Answer: 2
Explanation: AWS Resilience Hub integrates with AWS Organizations to enable organization-wide resilience management from a single delegated administrator account. This allows setting resilience policies once and applying them organization-wide, tracking assessment trends, and filtering by compliance status. This eliminates the need to log in to individual accounts. Trusted Advisor organizational view provides basic checks but lacks application-level resilience assessment with RTO/RPO targets.
Question 4:
A company discovers that their application has undocumented dependencies on third-party services and unexpected cross-Region API calls that could cause failures. Which AWS Resilience Hub feature helps identify these hidden dependencies automatically?
- Resiliency Score calculation
- Failure Mode Assessment
- Automated Dependency Discovery
- Drift Detection
Show Answer
Answer: 3
Explanation: AWS Resilience Hub’s Automated Dependency Discovery uses DNS query log analysis to identify AWS services, internal endpoints, and third-party endpoints that services depend on—including unexpected cross-Region calls and integrations the team may not be aware of. It provides a 35-day lookback for comprehensive identification. Failure Mode Assessment evaluates architecture against failure scenarios but doesn’t specifically discover undocumented external dependencies through DNS analysis.
Question 5:
A team uses AWS Resilience Hub and wants to implement the recommended monitoring for their application. Resilience Hub has generated alarm recommendations. How should they deploy these alarms?
- Manually create each alarm in the CloudWatch console
- Deploy the CloudFormation templates provided by Resilience Hub’s operational recommendations
- Use AWS Config managed rules to create alarms
- Enable AWS Trusted Advisor alarm checks
Show Answer
Answer: 2
Explanation: AWS Resilience Hub provides operational recommendations that include CloudFormation templates for recommended Amazon CloudWatch alarms. These templates can be deployed directly into the application’s infrastructure-as-code pipeline. This approach ensures alarms are version-controlled, repeatable, and aligned with the application’s resilience requirements. Resilience Hub also supports alarm detection to identify existing alarms and avoid duplication.
Frequently Asked Questions
What is AWS Resilience Hub?
Resilience Hub assesses your applications against defined RTO/RPO targets, identifies resiliency gaps, and provides actionable recommendations. It discovers application components from CloudFormation, Terraform, or EKS and scores your resiliency posture.
Is AWS Resilience Hub free?
The legacy model charges $0.001 per resource per assessment. The next-gen model (2025) provides continuous monitoring at $3/month per application for up to 100 resources, with $0.03/month per additional resource.
How does Resilience Hub differ from Well-Architected Tool?
Well-Architected Tool provides manual questionnaire-based reviews across 6 pillars. Resilience Hub automatically discovers your architecture, runs automated assessments against specific RTO/RPO targets, and integrates with FIS for chaos testing.
