AWS Trusted Advisor: Check Cost, Security, and Performance at a Glance

Key Takeaway

AWS Trusted Advisor automatically inspects your AWS environment across 5 categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits, providing improvement recommendations. Basic/Developer plans get core checks only; Business/Enterprise plans get full checks.

What is Trusted Advisor?

A service that automatically inspects resources in your AWS account and provides best practice recommendations.

5 Check Categories

[AWS Trusted Advisor]
    │
    ├── 1. Cost Optimization
    │       └── Idle resources, unused RIs, over-provisioning
    │
    ├── 2. Performance
    │       └── High utilization resources, CloudFront optimization
    │
    ├── 3. Security
    │       └── Security groups, IAM, MFA, S3 public access
    │
    ├── 4. Fault Tolerance
    │       └── Backups, Multi-AZ, redundancy
    │
    └── 5. Service Limits
            └── Alert when resource limits reach 80%+ usage

Support Plan Differences

Core Checks (All Plans)

Check Item	Description
S3 Bucket Permissions	Public access status
Security Groups - Unrestricted Access	0.0.0.0/0 port checks
IAM Use	IAM user creation status
Root Account MFA	MFA enabled status
EBS Public Snapshots	Public snapshot detection
RDS Public Snapshots	Public snapshot detection
Service Limits	80%+ utilization warning

Full Checks (Business/Enterprise Support)

Category	Key Checks
Cost Optimization	Idle EC2, idle LB, unused EBS, unused EIP, RI optimization
Performance	High utilization EC2, CloudFront headers, excess EC2 security group rules
Security	IAM key rotation, CloudTrail logging, ELB HTTPS
Fault Tolerance	EBS snapshots, RDS backups, Multi-AZ, Route 53 failover
Service Limits	VPC, EC2, EBS, IAM limits monitoring

Support Plan Comparison

Feature	Basic/Developer	Business	Enterprise
Core Checks	✅ 7 checks	✅	✅
Full Checks	❌	✅	✅
API Access	❌	✅	✅
CloudWatch Integration	❌	✅	✅
Refresh Frequency	Manual only	Auto (weekly)	Auto (weekly)
Programmatic Access	❌	✅ AWS Support API	✅

Key Checks in Detail

Cost Optimization Checks

Trusted Advisor Cost Optimization Recommendations:

[Idle EC2 Instances]
  └── CPU utilization <10% + Network I/O <5MB (14 days)
      → Recommendation: Downsize or terminate

[Unused EBS Volumes]
  └── Unattached volumes detected
      → Recommendation: Create snapshot then delete

[Unused Elastic IPs]
  └── EIPs not associated with instances
      → Recommendation: Release (unused EIPs are charged)

[Idle Load Balancers]
  └── LBs with very low request counts
      → Recommendation: Delete or consolidate

Security Checks

Trusted Advisor Security Recommendations:

[Security Groups - Unrestricted Access]
  └── Ports open to 0.0.0.0/0 detected
      → Recommendation: Restrict to required IP ranges

[IAM Access Key Rotation]
  └── Access keys older than 90 days
      → Recommendation: Rotate keys

[S3 Bucket Public Access]
  └── Public ACL or policy detected
      → Recommendation: Block public access

Service Limits Checks

Service Limits Monitoring:

VPC:      15/20  (75%)  ── OK
EC2:      18/20  (90%)  ── ⚠️ Limit approaching
EBS:      4900/5000 (98%) ── 🔴 Increase immediately
IAM Roles: 250/1000 (25%) ── OK

→ Alert at 80%+ usage
→ Request limit increase in Service Quotas

Trusted Advisor vs Other Cost Tools

Tool	Purpose	Core Features
Trusted Advisor	Overall optimization recommendations	5 category checks, best practices
Cost Explorer	Cost visualization/analysis	Charts, filters, forecasting
AWS Budgets	Budget setting/alerts	Threshold alerts, auto actions
Cost and Usage Report	Detailed usage data	CSV/Parquet detailed data
Compute Optimizer	Compute resource optimization	EC2/Lambda/EBS sizing recommendations

Optimization Purpose:
        │
        ▼
Need overall best practices check?
        │
       Yes → [Trusted Advisor]
        │
        No
        │
        ▼
Is EC2/Lambda sizing appropriate?
        │
       Yes → [Compute Optimizer]
        │
        No
        │
        ▼
Want to visualize and analyze costs?
        │
       Yes → [Cost Explorer]

CloudWatch Integration

Business/Enterprise Support can send Trusted Advisor metrics to CloudWatch for automated alerting.

[Trusted Advisor] → [CloudWatch Metrics]
                          │
                          ├── Alarm: When security check fails
                          ├── Alarm: When service limit reaches 90%
                          └── SNS → Lambda → Auto-remediation

SAA-C03 Exam Focus Points

1. ✅ 5 Categories: "Cost, Performance, Security, Fault Tolerance, Service Limits"
2. ✅ Support Plans: "Full checks = Business/Enterprise Support required"
3. ✅ Core Checks: "Basic includes security groups, S3 public, MFA, service limits"
4. ✅ vs Cost Explorer: "Overall recommendations = Trusted Advisor, Cost analysis = Cost Explorer"
5. ✅ Service Limits: "Limit monitoring + request increase via Service Quotas"

Frequently Asked Questions (FAQ)

Q: Is Trusted Advisor free?

Core checks (7) are free on all plans. Full checks require Business Support or higher ($100/month+).

Q: What's the difference between Trusted Advisor and Compute Optimizer?

Trusted Advisor provides overall checks across 5 categories. Compute Optimizer specializes in EC2/Lambda/EBS/ECS sizing optimization with machine learning-based recommendations.

Q: Can Trusted Advisor check results be automatically remediated?

With Business/Enterprise Support, configure CloudWatch integration then SNS → Lambda for auto-remediation. For example, trigger Lambda to auto-release unused EIPs.

Q: How often are checks run?

Business/Enterprise Support has weekly auto-refresh. Manual refresh is available 5 minutes after the last refresh.

Q: What is Trusted Advisor Priority?

Available with Enterprise Support, this feature lets your TAM (Technical Account Manager) prioritize recommendations so you focus on the most important ones.

Related Posts

• AWS Cost Explorer Guide
• AWS Budgets Alert Setup
• EC2 Pricing Comparison

References

• AWS Trusted Advisor
• Trusted Advisor Check Reference
• AWS Support Plans Comparison