AWS Cloud Operations Blog

Optimize cost and automate security remediation with AMS Trusted Remediator

Organizations leveraging Amazon Web Services (AWS) receive thousands of security and optimization recommendations monthly, yet many remain unimplemented due to competing priorities and resource constraints. AWS Managed Services (AMS) Trusted Remediator addresses this challenge by automating remediation across AWS accounts, significantly reducing the time and effort required for manual remediation processes. The solution features a continuously expanding library of pre-built remediations for 116 recommendations and is growing steadily as new capabilities are added. These automated solutions span security, cost optimization, and operational excellence domains, enabling enterprises to efficiently close security gaps, optimize costs, and maintain compliance at scale while adapting to evolving AWS best practices.

The challenge: When cloud insights fail to drive action

Thousands of actionable recommendations are generated monthly from AWS services such as AWS Trusted Advisor, AWS Security Hub CSPM, AWS Compute Optimizer, and AWS Well-Architected reviews. These insights provide clear pathways to improve security, reduce costs, enhance resilience, and maintain compliance. Yet the critical question remains: what percentage are implemented? Even well-intentioned organizations struggle to remediate a meaningful portion of the recommendations, leaving significant vulnerabilities unaddressed, compliance gaps open, and cost optimization opportunities unrealized.

Competing priorities create implementation barriers

As enterprises embrace “you build it, you run it” philosophies, application teams gain ownership and autonomy but also inherit competing priorities that fill their backlogs. Product managers demand new features, engineering leaders emphasize technical debt reduction to maintain development velocity, and business stakeholders expect reliability improvements to drive revenue. Into this already crowded backlog comes remediation work—critical for organizational security and compliance, but invisible to end customers. These tasks become difficult to justify when weighed against customer-facing features that directly impact business metrics. This creates a fundamental disconnect: Platform, SecOps, and FinOps leaders hold accountability for enterprise-wide security posture and compliance outcomes, yet they lack direct authority over the distributed application teams who must implement the necessary remediations.

Practical implementation challenges

Even motivated application teams with clear intentions to implement remediation encounter numerous practical barriers. Missing permissions often prevent teams from making necessary changes, requiring additional approvals and coordination across organizational boundaries. The time required to research findings and understand their business impact can be substantial, particularly for complex services or configurations. The teams must also carefully assess changes for safety and compatibility with existing workloads, a process that demands both expertise and caution. Finally, proper documentation and validation work must accompany each remediation to maintain operational standards. Collectively, these challenges can extend remediation efforts from hours to days or weeks per finding, making comprehensive implementation unsustainable without automation.

The remediation gap: Why good recommendations go unimplemented

Manual remediation is unlikely to scale effectively for enterprise needs. The process—requiring research, implementation, testing, service knowledge, and documentation—consumes substantial engineering resources that should be focused on innovation.

The costs are significant: skilled engineers waste time on routine tasks like enabling Amazon Simple Storage Service (Amazon S3) bucket logging or adjusting Amazon Elastic Compute Cloud (Amazon EC2) instance types instead of building customer-focused products. This creates widening gaps between recommendation generation and implementation, exposing organizations to security vulnerabilities from unaddressed findings, unnecessary costs from delayed optimization, regulatory risks from compliance gaps, and team demotivation from growing backlogs.

This fundamental mismatch between recommendation volume and remediation capacity requires rethinking remediation as a systematic, automated process rather than manual tasks. The question isn’t whether to automate remediation, but how quickly to implement automation before manual processes become unsustainable.

The solution: AWS Managed Services (AMS) Trusted Remediator

Automated Remediation across your AWS Organization

AMS Trusted Remediator delivers comprehensive, automated remediation capabilities that operate seamlessly across multi-account AWS environments. The solution addresses findings from Trusted Advisor, Security Hub CSPM, and Compute Optimizer through a unified framework, transforming weeks-long manual processes into minutes-long automated operations—reducing remediation time by up to 95%.The solution provides customers with tested, proven remediations they can configure with just a few simple steps and deploy with confidence. This combination of enterprise-scale automation and intuitive usability enables organizations to close security gaps, reduce costs, and maintain compliance without the burden of manual implementation.

The diagram illustrates the AMS Trusted Remediator solution architecture. AWS AppConfig manages remediation configurations through a delegated administrator account, while AWS Trusted Advisor identifies issues across member accounts numbered from 1 to n. These issues are automatically remediated using Systems Manager Automation documents, with activities tracked through Systems Manager OpsItems numbered from 1 to n. Results are logged to Amazon S3 and visualized in Amazon Quick Suite dashboards.

Figure 1: Diagram on Trusted Remediator configuration

The diagram illustrates the AMS Trusted Remediator solution architecture. AWS AppConfig manages remediation configurations through a delegated administrator account, while AWS Trusted Advisor identifies issues across member accounts numbered from 1 to n. These issues are automatically remediated using Systems Manager Automation documents, with activities tracked through Systems Manager OpsItems numbered from 1 to n. Results are logged to Amazon S3 and visualized in Amazon Quick Suite dashboards.

Remediation coverage: 116 automated solutions with ongoing rapid expansion

The solution delivers 116 automated checks across six critical operational domains. Security leads the way with 64 checks addressing misconfigurations, compliance violations, and access control management. Cost optimization provides 16 checks for unused resource identification, rightsizing opportunities, and cost inefficiency remediation. Fault Tolerance includes 17 checks focused on backup strategy enhancement, disaster recovery configuration, and system resilience. Performance optimization offers eight checks for resource sizing and tuning recommendations, while Service Limits monitoring provides seven checks for quota management and capacity planning. Operational Excellence rounds out the coverage with four checks ensuring proper monitoring, logging, and operational best practices implementation.

AMS Trusted Remediator Key capabilities

Secure remediation framework

The solution features a secure remediation framework built on configurable manual workflows that address critical remediations based on resource type and environment. This approach maintains essential governance controls while unlocking the full benefits of automation. At its core, the framework leverages AWS Systems Manager automation documents that have been carefully engineered for repeatability and idempotency, ensuring consistent and reliable remediation outcomes across your AWS infrastructure.

Integration ecosystem

AMS Trusted Remediator seamlessly integrates with existing AWS operational tools to create a comprehensive automation ecosystem that enhances your cloud operations. It automatically ingests and remediates findings from Trusted Advisor, Security Hub CSPM, and Compute Optimizer, ensuring that the most critical issues are addressed first. Throughout the remediation process, the solution maintains complete audit trails that capture essential details including the actor, action, timestamp, and affected resources, providing the information necessary for compliance reporting and forensic analysis.

Centralized management console

Operations teams benefit from a unified interface that provides multi-account remediation management and monitoring from a single pane of glass. The console includes delegated administration capabilities, empowering distributed operational teams to manage remediations within their scope while maintaining organizational oversight and control.

Diagram illustrating the AMS Trusted Remediator workflow. The process begins with AWS Trusted Advisor identifying resource issues, which are then assessed against predefined Trusted Remediator configurations. The solution schedules appropriate remediation actions and executes automated fixes using AWS Systems Manager Automation documents, ultimately resolving the identified issues

Figure 2: Trusted Remediator workflow for Trusted Advisor finding

Implementation roadmap

Prerequisites

Before implementing the solution, several key prerequisites must be in place. Organizations should have an active AMS Accelerate service engagement and ensure stakeholder alignment across security, FinOps, and operations teams to facilitate smooth adoption. From a technical perspective, Trusted Advisor, AWS Security Hub CSPM, and Compute Optimizer services should be enabled to provide the findings that drive remediation actions. Finally, Amazon CloudWatch and AWS CloudTrail should be configured for comprehensive audit visibility and compliance tracking throughout the remediation process.

Four-phase implementation approach

Phase 1: Assessment and planning

The implementation journey begins with a comprehensive analysis of current remediation backlogs from Trusted Advisor, Security Hub CSPM, and Compute Optimizer to identify high-impact automation opportunities. During this phase, teams establish governance frameworks, define workflows, and prioritize remediations by business value and risk. The outcome of this phase is a prioritized implementation list and clearly defined success metrics that will guide the remainder of the project.

Phase 2: Configuration and setup

After completing the planning phase, you configure Systems Manager automation parameters to align with your organizational requirements. Cloud operation teams implement essential safety controls including notifications, rollback mechanisms, and approval gates for critical operations. The team creates operational dashboards to provide visibility into remediation activities and progress. By the end of this phase, you establish a production-ready automation framework with robust monitoring capabilities ready for initial testing.

Phase 3: Pilot deployment

Validation begins in non-production environments with a focus on cost optimization remediations to demonstrate quick wins with minimal risk. Application teams conduct thorough testing to validate that automated remediations do not negatively impact application functionality, performance, or existing integrations. Impact analysis is performed to assess potential effects on dependent services, workload behavior, and operational workflows. Teams closely monitor outcomes, collect performance metrics, and refine configurations based on feedback from stakeholders and system observations. Testing includes validation of application health checks, performance benchmarks, and compatibility assessments to ensure remediations align with application requirements and business continuity standards. Success in this phase is measured by achieving zero incidents and generating measurable cost savings, building organizational confidence in the solution before broader deployment.

Phase 4: Production rollout

The final phase gradually expands automation to production accounts using a carefully phased approach. Security remediations are enabled with appropriate controls to ensure safe implementation. The scope extends to more complex multi-step scenarios as confidence and experience with the solution grow. The ultimate measure of success is achieving 80% or higher automatic remediation rates across all organizational accounts with continuous improvement in cost efficiency and security posture.

Real-world success stories

Curtin University: Enhancing security compliance

Curtin University, a top-ranked global research institution managing decentralized AWS environments across five international campuses, partnered with AMS to overcome critical security challenges. The university struggled with limited technical resources to address growing cloud security needs. Their manual remediation processes were time-consuming and inconsistent, creating security gaps. Security practices varied across campuses, making standardization difficult and compliance challenging to maintain. By implementing AMS Trusted Remediator, Curtin achieved a 32% improvement in its AWS Security Improvement Program (SIP) score within six months, surpassing annual targets ahead of schedule. The solution delivered dual benefits by automating security remediation across 18 strategic checks while simultaneously implementing 78 cost optimizations. The centralized platform bridged communication gaps between decentralized teams and reduced manual effort significantly. This case demonstrates how managed services automation enables organizations with complex structures to transform from reactive to proactive security management while driving operational efficiency and compliance outcomes.

Financial institution: Achieving operational excellence and compliance at scale

A leading financial services institution managing over 30 AMS accounts faced a challenge familiar to many enterprises: meeting aggressive quarterly compliance goals while their security team was overwhelmed by manual remediation work. Security was the organization’s highest priority, but the sheer volume of findings across their multi-account environment made it difficult to address issues quickly enough to stay ahead of compliance requirements.

After deploying AMS Trusted Remediator, the transformation was immediate and measurable. The solution automatically remediated over 1,000 security and operational findings, with 64% focused specifically on critical security improvements. These improvements included proactive monitoring enablement for Amazon Relational Database Service (Amazon RDS) databases and S3 bucket logging to protect sensitive financial data. The institution experienced reduced manual effort while accelerating time-to-compliance, allowing their security team to shift from reactive firefighting to strategic security posture improvement. Building on this success, the customer and AMS are now assessing additional Security Hub CSPM controls to further enhance their compliance framework with Trusted Remediator.

Conclusion

AMS Trusted Remediator fundamentally transforms cloud operations management by delivering comprehensive automated remediations across security, cost optimization, and operational domains with seamless integration into Trusted Advisor, Security Hub CSPM, and Compute Optimizer. The solution’s documented results—including dramatic time savings and substantial cost reductions—demonstrate a clear path from reactive incident response to proactive optimization. This shift enables organizations to move from multi-day remediation cycles to near-instantaneous response times, transform inconsistent manual implementation to standardized automated excellence, and convert resource-intensive processes to efficient operations at scale.By automating repetitive remediation tasks, technical teams can redirect their focus toward innovation and strategic initiatives while simultaneously maintaining superior security posture, compliance adherence, and cost efficiency across their entire AWS environment.

For additional information about AMS Trusted Remediator and to explore the full Curtin University customer success story, visit these resources:

Jason Wei-Lun Hsia

Jason Wei-Lun Hsia

Jason Wei-Lun Hsia is a senior specialist solutions architect at AWS based in Sydney who specializes in cloud operations and security. He helps customers design and operate secure scalable solutions using AWS capabilities to deliver measurable business outcomes. He is passionate about building effective solutions to manage cloud environments at scale.

Deepa Banerjee

Deepa Banerjee

Deepa Banerjee works as a Senior Technical Program Manager with AWS Managed Services (AMS). She concentrates on achieving operational excellence by leveraging AI driven automation, and intelligent process optimization to continuously improve business outcomes and enhance customer service. She works closely with product and engineering teams across AWS to build automations and solutions that address complex business problems related to customer operations. Outside of work, she enjoys travel, dancing, and painting.

Manu Sasikumar

Manu Sasikumar

Manu Sasikumar is a Senior Systems Engineer Manager at Amazon Web Services, where he leads teams building intelligent automation platforms that leverage generative AI to enhance developer productivity and operational efficiency for enterprise customers. His work focuses on delivering scalable solutions that drive measurable cost optimization and productivity gains across mission-critical workloads. Outside of work, Manu is passionate about contributing to the AWS community through public speaking and participating in volunteer activities

Seongyeol Jerry Cho

Seongyeol Jerry Cho

Seongyeol Jerry Cho is a Senior Systems Development Engineer at AWS Managed Services based in Sydney, Australia. He specializes in building AI-driven cloud operations and remediation solutions, developing highly scalable and automated systems to enhance cloud management. Outside of work, he enjoys travel, camping, reading, cooking, and running.