Category: AWS Trusted Advisor

AWS Trusted Advisor Update – New and Updated Checks

The AWS Trusted Advisor helps you to provision and configure your AWS resources so as to improve system performance and reliability, increase security, and optimize for cost. We have added some new checks and improved an existing one in order to make Trusted Advisor even more useful to you. Here is a summary of the changes:

The Service Limits check now reports on your usage of EC2 On-Demand instances:

This check is available to all users of Trusted Advisor. The remaining checks are available to customers who are using AWS Support API at the Business or Enterprise level.

The S3 Bucket Logging Configuration check now looks to see if server access logging has been configured for each bucket:

The new EC2 to EBS Throughput check looks for EBS volumes that might be affected by the throughput capacity of the EC2 instances:

The new CloudFront Alternate Domains check looks at the DNS settings for alternate domains on your CloudFront distributions:

The new CloudFront SSL Certificate on the Origin Server check looks for SSL certificates that are expired, about to expire, or that use outdated encryption:

The new IAM Access Key Rotation check looks for IAM keys that have not been rotated in the last 90 days:

The new checks are available now and you can benefit from them today. Visit the AWS Trusted Advisor to learn more.



New Elastic Load Balancer Checks for AWS Trusted Advisor

We’re adding four new checks to AWS Trusted Advisor. As you may know, AWS Trusted Advisor inspects your AWS environment and looks for ways to save money, increase performance & reliability, and to help close security gaps. Today’s checks are for Elastic Load Balancing, with a focus on security and fault tolerance.

Security Checks
The following new checks are designed to help you to improve the security profile of your Elastic Load Balancers:

ELB Listener Security – This check looks for load balancers that do not use recommended security configurations or protocols. It checks to see if the latest version of applicable security policies are in place and verifies that only recommended ciphers and protocols are used.

ELB Security Groups – This check looks for load balancers that do not have a security group, or that have a security group which allows access to ports that are not configured for the load balancer.

Fault Tolerance Checks
The following new checks are designed to help you to make your Elastic Load Balancing configuration more fault tolerant:

Cross-Zone Load Balancing – This check looks for load balancers that do not have cross-zone load balancing enabled. This feature makes it easier for you to deploy and manage applications that run across more than one Availability Zone.

ELB Connection Draining – This check looks for load balancers that do not have connection draining enabled. With this feature enabled, the load balancer will stop sending new requests to instances that are deregistering (in-flight requests will continue to be served).

Available Now
These new checks are available now and you can start to benefit from them today!


New Action Links for AWS Trusted Advisor

AWS Trusted Advisor inspects your AWS environment and looks for opportunities to save money, increase performance & reliability, and to help close security gaps. Today we are enhancing Trusted Advisor with the addition of Action Links. You can now click on an item in a Trusted Advisor alert to navigate to the appropriate part of the AWS Management Console. For example, I ran the Trusted Advisor on my own AWS account and it displayed the following alert:

I decided to fix the problem and activated an Action Link to head on over to the RDS section of the Console. From there I right-clicked to add a Read Replica:

These new links are available now and you can click on them today!

For Tool Vendors
If you build applications that link (or could link) to the Console, you can use the same URLs. Here are a few to get you started (all of the links are relative to the base URL of the console):

  • EC2 Reserved Instance Purchase –  ec2/home?region={region}#ReservedInstances
  • EC2 Instances – ec2/home?region={region}#Instances:search={search_string}
  • Elastic Load Balancer – ec2/home?region={region}#LoadBalancers:search={search_string}
  • EBS Volumes – ec2/home?region={region}#Volumes:search={search_string}
  • Elastic IP Addresses – vpc/home?region={region}#eips:filter={filter_string}
  • RDS Database Instances – rds/home?#dbinstance:id=dbInstanceId
  • Auto Scaling Configuration – ec2/autoscaling/home?#LaunchConfigurations:id=LaunchConfigurationName

There is a chance that these links will change in the future as the console continues to evolve. If you decide to make use of them, please plan for that eventuality in your application.


AWS Trusted Advisor For Everyone

AWS Trusted Advisor is your customized cloud expert! It helps you to observe best practices for the use of AWS by inspecting your AWS environment with an eye toward saving money, improving system performance and reliability, and closing security gaps. Since we launched Trusted Advisor in 2013, our customers have viewed over 1.7 million best-practice recommendations for cost optimization, performance improvement, security, and fault tolerance and have reduced their costs by about 300 million dollars.

Today I have two big pieces of news for all AWS users. First, we are making a set of four Trusted Advisor best practices available at no charge. Second, we are moving the Trusted Advisor into the AWS Management Console.

Four Best Practices at no Charge
The following Trusted Advisor checks are now available to all AWS users at no charge:

Service Limits Check – This check inspects your position with regard to the most important service limits for each AWS product. It alerts you when you are using more than 80% of your allocation resources such as EC2 instances and EBS volumes.

Security Groups – Specific Ports Unrestricted Check – This check will look for and notify you of overly permissive access to your EC2 instances and help you to avoid malicious activities such as hacking, denial-of-service attacks, and loss of data.

IAM Use Check – This check alerts you if you are using account-level credentials to control access to your AWS resources instead of following security best practices by creating users, groups, and roles to control access to the resources.

MFA on Root Account Check – This check recommends the use of multi-factor authentication (MFA), to improve security by requiring additional authentication data from a secondary device.

You can subscribe to the Business or Enterprise level of AWS Support in order to gain access to the remaining 33 checks (with more on the way).

Trusted Advisor in the Console
The Trusted Advisor is now an integral part of the AWS Management Console. We have fine-tuned the user interface to simplify navigation and to make it even easier for you to find and to act on recommendations and to filter out recommendations that you no longer want to see.

Let’s take a tour of the Trusted Advisor, starting from the Dashboard. I can see a top-level summary of all four categories of checks at a glance:

Each category actually contains four distinct links. If I click on the large icon associated with each category I can see a summary of the checks without regard to their severity or status. Clicking on the smaller green, orange, or red icons will take you to items with no problems, items where investigation is recommended, and items where action is recommended, respectively. It looks like I have room for some improvements in my fault tolerance:

I can use the menu at the top to filter the checks (this is equivalent to using the green, orange, and red icons):

If I sign up for the Business or Enterprise level of support, I can also choose to tell Trusted Advisor to selectively exclude certain resources from the checks. In the following case, I am running several Amazon Relational Database Service (RDS) instances without Multi-AZ. They are test databases and high-availability isn’t essential so I can exclude them from the test results:

I can also download the results of each check for further analysis or distribution:

I can even ask Trusted Advisor to send me a status update each week:

With the introduction of the console, we are also introducing a new, IAM-based model to control access to the results of each check and the actions associated with them in the console. To learn more about this important new feature, read about Controlling Access to the Trusted Advisor Console.

Available Now
As always (I never get tired of saying this), these new features are available now and you can start using them today!


Route 53 and CloudTrail Checks for the AWS Trusted Advisor

The AWS Trusted Advisor monitors your AWS resources and provides you with advice for cost optimization, security, performance, and fault tolerance. Today we are adding five additional checks that will be of benefit to users of Amazon Route 53 (Domain Name Services) and AWS CloudTrail (recording and logging of AWS API calls). With today’s launch, Trusted Advisor now performs a total of 37 checks, up from just 26 six months ago.

New Checks
There are four Route 53 checks and one CloudTrail check. Let’s start with Route 53, and take a look at each check.

As you may know, Route 53 is a highly available and scalable DNS (Domain Name Service) web service. When you use Route 53 for a domain, you create a series of record sets. Each record set provides Route 53 with the information needed to map a name to a set of IP addresses. Today we are adding a set of checks to help you to use Route 53 in the most effective way possible.

The Latency Resource Record Sets check looks for proper and efficient use of latency record sets. A proper record set will always contain records for more than one AWS Region.

The MX and SPF Resource Record Sets check helps to improve email deliverability by checking for an SPF record for each MX record.

The Failover Resource Record Sets check verifies the configuration of record sets that are used to implement failover to a secondary resource set.

The Deleted Health Check check looks for record sets that refer to health checks which have been deleted.

AWS CloudTrail records and logs calls to the AWS API functions. The CloudTrail Logging check verifies that logging is properly configured and working as expected.

Check Today
If you have signed up for AWS Support at the Business or Enterprise level, you have access to the Trusted Advisor at no additional change.

— Jeff;

AWS Trusted Advisor Update – CloudFront Content Delivery Optimization

Step by step, the AWS Trusted Advisor keeps getting better and better. As you might already know, the Trusted Advisor inspects your AWS environment and makes recommendations that can save you money, increase system performance and reliability, and improve your security profile.

Today we are introducing a new check (number 32 if you are keeping count). This new check helps you to identify opportunities to use Amazon CloudFront to optimize delivery of content that is currently being served up from an Amazon S3 bucket.

If you transfer a lot of content from an S3 bucket you can use CloudFront to reduce latency and to increase speed (these recommendations are flagged as yellow in the Trusted Advisor Dashboard). If you transfer more than 10 terabytes of data per month, you can also save money by using CloudFront (these recommendations are flagged as red in the Dashboard).

Here’s what you will see in the Trusted Advisor Dashboard:

 And here are the detailed recommendations:

— Jeff;

PS – I’d also like to remind you that you can now sign up for weekly Trusted Advisor notifications in English or Japanese. Log in to the Trusted Advisor and click on Notification Settings in the top right corner of the dashboard.


AWS Trusted Advisor Update – Notification, New Dashboard, Another Check

The AWS Trusted Advisor monitors your AWS resources and provides you with advice for cost optimization, security, performance, and fault tolerance. The 31 checks performed by the Trusted Advisor will help you to monitor and improve your use of Amazon EC2, Elastic Load Balancing, Elastic Block Store, Amazon S3, Auto Scaling, IAM, the Relational Database Service (RDS), Route 53, and other AWS services.

Today we are improving the Trusted Advisor with support for weekly email notifications, an improved dashboard, and another check. Let’s take a look at each new feature.

Email Notifications
Trusted Advisor can now be configured to send weekly email updates (English or Japanese) to the Billing, Operations, and Security contacts associated with your account, as desired:

Improved Dashboard
We have added additional information to the Trusted Advisor dashboard, while also making the navigation both cleaner and simpler:

Another Check
The newest Trusted Advisor check looks for Standard EBS volumes that are potentially over-utilized. These volumes might benefit from the use of Provisioned IOPS.

Available Now
The AWS Trusted Advisor is available to Business and Professional members of AWS Premium Support; the features outlined above are available today and you can start using them today.

— Jeff;