AWS Management & Governance Blog

Multi-account AWS Trusted Advisor summaries now available in AWS Systems Manager Explorer

AWS Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data (OpsData) for your AWS accounts and across Regions. In Explorer, OpsData includes metadata about your Amazon EC2 instances, patch compliance details, and operational work items (OpsItems).

AWS Trusted Advisor is an online tool that helps you reduce cost and increase performance and security. Trusted Advisor presents its findings for AWS accounts from all Regions in a single dashboard. As your organization’s requirements grow and you create multiple AWS accounts, you need a consolidated list of Trusted Advisor findings in one place.

With Systems Manager Explorer, you can now get a summary of your different accounts' Trusted Advisor findings in one place without any customization. You can also set up a dashboard that pulls Trusted Advisor data from different accounts and presents it in a single dashboard without any scripts.

In this post, we show you how to set all this up in your AWS environment.

Prerequisites

Before you get started, you must meet the following prerequisites:

  • All your accounts are managed under AWS Organizations
  • You have a Business or Enterprise support plan for your organization and member accounts

Configuring Resource Data Sync in Systems Manager Explorer

If you meet all the requirements, follow these steps:

  1. In the Systems Manager console, under Operations Management, choose Explorer.
  2. Choose Get started.
  3. In the Explorer Setup section, you create a new AWS Identity and Access Management (IAM) role and different data sources for data collection. You also have an option for tagging.
  4. Choose Enable Explorer.
  5. In the Explorer section, for OpsData Filter, choose Create Resource Data Sync.
  6. In the Configure Resource Data Sync section, enter a DataSync name.
  7. Because this is a member account, select Include only the current account.
  8. Choose the Regions for which you want to collect data.
  9. Choose Create Resource Data Sync.
  10. On the Explorer page, under OpsData Filter, choose the DataSync you just created.

The Trusted Advisor summary is available in the Trusted Advisor Checks section. Data collection may take some time to complete, depending on the number of resources in the account.

[Screenshot: All Trusted Advisor checks in one place]

You can repeat the preceding steps in different accounts as needed.

Configuring the Resource Data Sync in Organizations

The Systems Manager Quick Setup helps you enable Systems Manager Explorer easily and quickly with minimal configuration. The Quick Setup is also available in Organizations; you can enable Systems Manager Explorer in all your accounts within the same organization or different organizational units (OUs). For more information, see Easily enable operations best practices across AWS accounts and Regions with AWS Systems Manager Quick Setup.

Setting up the DataSync in your Organizations account requires you to repeat some steps from the previous section.

  1. On the Systems Manager console, under Operations Management, choose Explorer.
  2. Choose Get started.
  3. In the Explorer Setup section, you create a new IAM role and different data sources for data collection. You also have an option for tagging.
  4. Choose Enable Explorer.
  5. In the Explorer section, choose Create Resource Data Sync.
  6. In the Configure Resource Data Sync section, enter a DataSync name.

You have three options in the Organizations account.

  1. Choose to add all accounts or any OUs.
  2. Choose Create Resource Data Sync.
  3. In the navigation pane, choose Explorer.
  4. Choose the DataSync you just created.

In the Trusted Advisor Checks section on the Explorer page, you see a summary of all the checks from different accounts. You can view by account ID or category.

[Screenshots: Trusted Advisor findings by category; Trusted Advisor findings by account ID]

Generating reports

You can also generate a report on these findings for all accounts. For example, if you must generate a report for cost optimization for all accounts, in the Trusted Advisor Checks section, choose the link next to Cost Optimization.

To create a report on all account statuses, use the filter AWS:TrustedAdvisor.ResourceCategory: Equal: Cost Optimization. This generates a report on cost optimization. The following screenshot shows you what the report looks like.

[Screenshot: Generate reports in OpsData filter]

If you choose Export, you can export this report to a CSV file in an Amazon Simple Storage Service (Amazon S3) bucket and publish a notification in Amazon Simple Notification Service (Amazon SNS).

[Screenshot: To export the report, choose Export data as CSV]

As of this writing, you can’t schedule exports.

You can also generate these reports using the AWS CLI or API. For example, you can use the following command to generate a cost optimization report. Separate multiple filters with a space; an unquoted semicolon would end the command in the shell and the second filter would not be applied.

aws ssm get-ops-summary --sync-name DataSyncForTA --result-attributes TypeName=AWS:TrustedAdvisor --region us-east-1 --filters Key=AWS:TrustedAdvisor.ResourceCategory,Values=cost_optimizing Key=AWS:TrustedAdvisor.ResourceStatus,Values=investigation_recommended

To use the SSM Boto3 API, enter the following code:

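import boto3

# SSM client in the Region where the resource data sync was created
client = boto3.client('ssm', region_name='us-east-1')

# Return Trusted Advisor OpsData from the sync, limited to cost optimization checks
response = client.get_ops_summary(
    SyncName='DataSyncForTA',
    Filters=[{'Key': 'AWS:TrustedAdvisor.ResourceCategory', 'Values': ['cost_optimizing']}],
    ResultAttributes=[{'TypeName': 'AWS:TrustedAdvisor'}],
)
print(response)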

For more information on this API, see get-ops-summary.
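
A single get_ops_summary call returns one page of results, so a report built from it can undercount findings across many accounts. The following added example (not from the original post) follows NextToken and tallies records by category and status. The Content key names ResourceCategory and ResourceStatus are assumed from the filter keys above, and StubSSM with its sample data (including the security category value) is constructed so the code runs offline.

```python
from collections import Counter

TYPE_NAME = "AWS:TrustedAdvisor"


def iter_ta_records(client, sync_name, filters=None):
    """Yield each AWS:TrustedAdvisor record, following NextToken across pages."""
    kwargs = {"SyncName": sync_name,
              "ResultAttributes": [{"TypeName": TYPE_NAME}]}
    if filters:
        kwargs["Filters"] = filters
    while True:
        page = client.get_ops_summary(**kwargs)
        for entity in page.get("Entities", []):
            content = entity.get("Data", {}).get(TYPE_NAME, {}).get("Content", [])
            yield from content
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def tally(records):
    """Count records by (ResourceCategory, ResourceStatus)."""
    # Assumption: Content keys match the suffixes of the page's filter keys.
    return Counter((r.get("ResourceCategory", "unknown"),
                    r.get("ResourceStatus", "unknown")) for r in records)


def _entity(eid, category, status):
    """Build one constructed entity in the get_ops_summary response shape."""
    return {"Id": eid, "Data": {TYPE_NAME: {"Content": [
        {"ResourceCategory": category, "ResourceStatus": status}]}}}


class StubSSM:
    """Constructed two-page response standing in for boto3.client('ssm')."""
    PAGES = {
        None: {"Entities": [_entity("e1", "cost_optimizing", "investigation_recommended"),
                            _entity("e2", "security", "investigation_recommended")],
               "NextToken": "t1"},
        "t1": {"Entities": [_entity("e3", "cost_optimizing", "investigation_recommended")]},
    }

    def get_ops_summary(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    # Real use: pass boto3.client("ssm", region_name="us-east-1") instead of StubSSM().
    for key, count in sorted(tally(iter_ta_records(StubSSM(), "DataSyncForTA")).items()):
        print(key, count)
```
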

Systems Manager OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve OpsItems related to AWS resources. OpsCenter is designed to reduce mean time to resolution for issues impacting AWS resources. You can create OpsItems for all the Trusted Advisor summary checks to remediate them using runbooks. For more information, see AWS Systems Manager OpsCenter.

Conclusion

For any organization, centralized monitoring and reporting is essential for running operations smoothly and cost-effectively. It becomes more and more challenging if you don’t have a native solution to generate these kinds of reports. This solution helps you easily customize or configure manual data collection with AWS services. In addition to using Trusted Advisor, you can view operations data from AWS Compute Optimizer, EC2 instances, patch compliance details, and support cases.

Try these new features and please share your feedback in the AWS Systems Manager forum or with your AWS Support contacts.

About the author

Gaurav Verma is a Cloud Infrastructure Architect at Amazon Web Services (AWS). With over 16 years of IT experience, Gaurav likes to build and deploy solutions using AWS services. He also looks for all opportunities to convert Infrastructure as Code using different languages.