The AWS Trusted Advisor console controls access to Trusted Advisor checks by using AWS Identity and Access Management (IAM) features:

  • To view Trusted Advisor results or take actions such as refreshing check data or excluding items from results, an IAM user or role must have permission for actions and resources specified with the "trustedadvisor" namespace.
  • To use the tag filter feature of the Trusted Advisor console, the user or role must also have permission associated with AWS tags. These permissions can be assigned by using AWS managed policies or with custom policies. For more information, see Obtaining Permissions for Tagging.

For a list of Trusted Advisor actions and example IAM policies, see Manage access for AWS Trusted Advisor. For more information about creating policies and applying them to users, groups, and roles, see the AWS Identity and Access Management User Guide.

Note: The trustedadvisor namespace does not apply to the Trusted Advisor actions of the AWS Support API. Permissions for the API are controlled by IAM policies that include actions and resources specified with the "support" IAM namespace.

Trusted Advisor displays information about some of the resources that are associated with an AWS account.

Important: Although the user cannot make changes to these resources unless they are authorized to do so by policies that explicitly allow it, the user can view information that they might otherwise not be authorized to view. For example, a user viewing a check related to Amazon EC2 Instances might see information or usage data for instances, even if another policy specifically denies access to viewing this information.

The following two tables show the information that Trusted Advisor displays:

  • Table 1 shows the title, category, ID, and report columns of the current Trusted Advisor checks.
  • Table 2 shows examples of service-specific actions (APIs) and data that correspond to the information that is shown by the checks.

Although the list of report columns in the following tables can alert you to information that is exposed by a check, you should examine a Trusted Advisor report for your account to make sure you fully understand what information is exposed by each check.

Check title    Category    Check ID    Report columns

Amazon Aurora DB Instance Accessibility Fault Tolerance xuy7H1avtl Status | Region | Cluster | Public DB Instances | Private DB Instances | Reason
Amazon EBS Provisioned IOPS Volume Attachment Configuration Performance PPkZrjsH2q Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status
Amazon EBS Public Snapshots Security ePs02jT06w Region | Snapshot ID | Status | Volume ID
Amazon EBS Snapshots Fault Tolerance H7IgTzjTYb Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason
Amazon EC2 Availability Zone Balance Fault Tolerance wuy7G1zxql Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
Amazon EC2 Reserved Instance Lease Expiration Cost Optimization 1e93e4c0b5 Status | Zone | Instance Type | Platform | Instance Count | Current Monthly Cost | Estimated Monthly Savings | Expiration Date | Reserved Instance ID | Reason
Amazon EC2 Reserved Instances Optimization Cost Optimization cX3c2R1chu Region | Instance Type | Platform | Recommended Number of RIs to Purchase | Expected Average RI Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of RIs | Estimated cost of RIs (Monthly) | Estimated On-Demand Cost Post Recommended RI Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years)
Amazon EC2 to EBS Throughput Optimization Performance Bh2xRR2FGH Region | Instance ID | Instance Type | Status | Time Near Maximum
Amazon ElastiCache Reserved Node Optimization Cost Optimization h3L1otH3re Region | Family | Node Type | Product Description | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes | Estimated cost of Reserved Nodes (Monthly) | E
Amazon OpenSearch Reserved Instance Optimization Cost Optimization 7ujm6yhn5t Region | Instance Class | Instance Size | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instance Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Instances | Estimated cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years)
Amazon RDS Backups Fault Tolerance opQPADkZvH Region/AZ | DB Instance | VPC ID | Backup Retention Period | Status
Amazon RDS Idle DB Instances Cost Optimization Ti39halfu8 Region | DB Instance Name | Multi-AZ | Instance Type | Storage Provisioned (GB) | Days Since Last Connection | Estimated Monthly Savings (On Demand)
Amazon RDS Multi-AZ Fault Tolerance f2iK5R6Dep Region/AZ | DB Instance | VPC ID | Multi-AZ | Status
Amazon RDS Public Snapshots Security rSs93HQwa1 Region | DB Instance ID | Snapshot ID | Status
Amazon RDS Reserved Instance Optimization Cost Optimization 1qazXsw23e Region | Family | Instance Type | License Model | Database Edition | Database Engine | Deployment Option | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instance Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Instances | Estimated Cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years)
Amazon Redshift Reserved Node Optimization Cost Optimization 1qw23er45t Region | Family | Node Type | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes | Estimated cost of Reserved Nodes (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Nodes Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years)
Amazon RDS Security Group Access Risk Security nNauJisYIT Region | RDS Security Group Name | Ingress Rule | Status | Reason
Amazon Route 53 Alias Resource Record Sets Performance B913Ef6fb4 Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier | Alias Target | Status
Amazon Route 53 Deleted Health Checks Fault Tolerance Cb877eB72b Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier
Amazon Route 53 Failover Resource Record Sets Fault Tolerance b73EEdD790 Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Reason
Amazon Route 53 High TTL Resource Record Sets Fault Tolerance C056F80cR3 Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set ID | TTL | Status
Amazon Route 53 Latency Resource Record Sets Cost Optimization 51fC20e7I2 Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type
Amazon Route 53 MX and SPF Resource Record Sets Security c9D319e7sG Hosted Zone Name | Hosted Zone ID | Resource Record Set Name
Amazon Route 53 Name Server Delegations Fault Tolerance cF171Db240 Hosted Zone Name | Hosted Zone ID | Number of Name Server Delegations Used
Amazon S3 Bucket Logging Fault Tolerance BueAdJ7NrP Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason
Amazon S3 Bucket Permissions Security Pfx0RwqBli Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status
Amazon S3 Bucket Versioning Fault Tolerance R365s2Qddf Region | Bucket Name | Versioning | MFA Delete Enabled | Status
Auto Scaling Group Health Check Fault Tolerance CLOG40CDO8 Region | Auto Scaling Group Name | Load Balancer Associated | Health Check | Status
Auto Scaling Group Resources Fault Tolerance 8CNsSllI5v Region | Auto Scaling Group Name | Launch Configuration Name | Resource Type | Resource Name | Status | Reason
AWS CloudTrail Logging Security vjafUGJ9H0 Region | Trail Name | Logging Status | Bucket Name | Last Delivery Error | Status
AWS Direct Connect Connection Redundancy Fault Tolerance 0t121N1Ty3 Status | Time Stamp | Region | Connection ID | Location
AWS Direct Connect Location Redundancy Fault Tolerance 8M012Ph3U5 Status | Time Stamp | Region | Location | Connection Details
AWS Direct Connect Virtual Interface Redundancy Fault Tolerance 4g3Nt5M1Th Status | Time Stamp | Region | Gateway ID | Location for VIF | Connection ID for VIF
AWS Lambda Functions Using Deprecated Runtimes Security L4dfs2Q4C5 Status | Region | Function ARN | Runtime | Days to Deprecation | Deprecation Date | Average Daily Invokes | Last Refresh Time
AWS Lambda Functions with Excessive Timeouts Cost Optimization L4dfs2Q3C3 Status | Region | Function ARN | Max Daily Timeout Rate | Date of Max Daily Timeout Rate | Average Daily Timeout Rate | Function Timeout Setting | Lost Daily Compute Cost | Average Daily Invokes | Current Day Invokes | Current Day Timeout Rate | Last Refresh Time
AWS Lambda Functions with High Error Rates Cost Optimization L4dfs2Q3C2 Status | Region | Function ARN | Max Daily Error Rate | Date for Max Error Rate | Average Daily Error Rate | Lost Daily Compute Cost | Average Daily Invokes | Current Day Invokes | Current Day Error Rate | Last Refresh Time
AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy Fault Tolerance L4dfs2Q4C6 Status | Region | Function ARN | VPC ID | Average Daily Invokes | Last Refresh Time
CloudFront Alternate Domain Names Performance N420c450f2 Distribution ID | Distribution Domain Name | Alternate Domain Name
CloudFront Content Delivery Optimization Performance 796d6f3D83 Region | Bucket Name | S3 Storage (GB) | Data Transfer Out (GB) | Ratio of Transfer to Storage | Status
CloudFront Custom SSL Certificates in the IAM Certificate Store Security N425c450f2 Distribution ID | Distribution Domain Name | Certificate Name | Reason
CloudFront Header Forwarding and Cache Hit Ratio Performance N415c450f2 Distribution ID | Distribution Domain Name | Cache Behavior Path Pattern | Headers
CloudFront SSL Certificate on the Origin Server Security N430c450f2 Distribution ID | Distribution Domain Name | Origin | Reason
ELB Connection Draining Fault Tolerance 7qGXsKIUw Region | Load Balancer Name | Status | Reason
ELB Cross-Zone Load Balancing Fault Tolerance xdeXZKIUy Region | Load Balancer Name | Status | Reason
ELB Listener Security Security a2sEc6ILx Region | Load Balancer Name | Load Balancer Port | Status [Ciphers/Protocols] | Reason
ELB Security Groups Security xSqX82fQu Region | Load Balancer Name | Status | Security Group IDs | Reason
Exposed Access Keys Security 12Fnkpl8Y5 Access Key ID | User Name (IAM or Root) | Fraud Type | Case ID | Time Updated | Location | Deadline | Usage (USD per Day)
High Utilization Amazon EC2 Instances Performance ZRxQlPsb6c Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization
IAM Access Key Rotation Security DqdJqYeRm5 IAM User | Access Key | Key Last Rotated | Reason
IAM Password Policy Security Yw2K9puPzl Password Policy | Uppercase | Lowercase | Number | Non-alphanumeric | Status | Reason
IAM Use Security zXCkfM1nI3 [None]
Idle Load Balancers Cost Optimization hjLMh88uM8 Region | Load Balancer Name | Reason | Estimated Monthly Savings
Large Number of EC2 Security Group Rules Applied to an Instance Performance j3DFqYTe29 Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules
Large Number of Rules in an EC2 Security Group Fault Tolerance tfg86AVHAZ Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules
Load Balancer Optimization Fault Tolerance iqdCTZKCUp Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
Low Utilization Amazon EC2 Instances Cost Optimization Qch7DwouX1 Region/AZ | Instance ID | Instance Name | Instance Type | Estimated Monthly Savings | Day 1 ... Day 14 | 14-Day Average CPU Utilization | 14-Day Average Network I/O | Number of Days Low Utilization
MFA on Root Account Security 7DAFEmoDos [None]
Overutilized Standard Amazon EBS Volumes Performance k3J2hns32g Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status
Savings Plan Cost Optimization vZ2c2W1srf Savings Plan type | Hourly commitment to purchase | Lookback period | Payment option | Upfront cost | Estimated average utilization | Estimated monthly savings | Estimated savings percentage
Security Groups - Specific Ports Unrestricted Security HCP4007jGY Region | Security Group Name | Security Group ID | Protocol | Status | Ports
Security Groups - Unrestricted Access Security 1iG5NDGVre Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range
Service Limit: Auto Scaling - Groups Service Limits fW7HH0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: Auto Scaling - Launch Configurations Service Limits aW7HH0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: CloudFormation - Stacks Service Limits gW7HH0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: DynamoDB Read Capacity Service Limits 6gtQddfEw6 Status | Region | Limit Amount | Current Usage
Service Limit: DynamoDB Write Capacity Service Limits c5ftjdfkMr Status | Region | Limit Amount | Current Usage
Service Limit: EBS - Active Snapshots Service Limits eI7KK0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: EBS - Cold HDD (sc1) Service Limits gH5CC0e3J9 Status | Region | Limit Amount | Current Usage
Service Limit: EBS - General Purpose SSD Volume Storage Service Limits dH7RR0l6J9 Status | Region | Limit Amount | Current Usage
Service Limit: EBS - Magnetic (standard) Volume Storage Service Limits cG7HH0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: EBS Throughput Optimized HDD (st1) Service Limits wH7DD0l3J9 Status | Region | Limit Amount | Current Usage
Service Limit: EBS - Provisioned IOPS (SSD) Volume Aggregate IOPS Service Limits tV7YY0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: EBS - Provisioned IOPS SSD (io1) Volume Storage Service Limits gI7MM0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: EC2 - Classic Elastic IP Addresses Service Limits aW9HH0l8J6 Status | Region | Limit Amount | Current Usage
Service Limit: EC2 - On-Demand Instances Service Limits 0Xc6LMYG8P Status | Region | Instance Type | Limit Amount | Current Usage
Service Limit: EC2 - Reserved Instance Leases Service Limits iH7PP0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: EC2 - VPC Elastic IP Address Service Limits lN7RR0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: ELB - Active Load Balancers Service Limits iK7OO0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: ELB - Application Load Balancers Service Limits EM8b3yLRTr Status | Region | Limit Amount | Current Usage
Service Limit: ELB - Network Load Balancers Service Limits 8wIqYSt25K Status | Region | Limit Amount | Current Usage
Service Limit: IAM - Group Service Limits sU7XX0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: IAM - Instance Profiles Service Limits nO7SS0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: IAM - Policies Service Limits pR7UU0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: IAM - Roles Service Limits oQ7TT0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: IAM - Server Certificates Service Limits rT7WW0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: IAM - Users Service Limits qS7VV0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: Kinesis - Shards per Region Service Limits bW7HH0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Cluster Parameter Groups Service Limits jtlIMO3qZM Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Cluster roles Service Limits 7fuccf1Mx7 Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Clusters Service Limits gjqMBn6pjz Status | Region | Limit Amount | Current Usage
Service Limit: RDS - DB Instances Service Limits XG0aXHpIEt Status | Region | Limit Amount | Current Usage
Service Limit: RDS - DB Parameter Groups Service Limits jEECYg2YVU Status | Region | Limit Amount | Current Usage
Service Limit: RDS - DB Security Groups Service Limits gfZAn3W7wl Status | Region | Limit Amount | Current Usage
Service Limit: RDS - DB snapshots per user Service Limits dV84wpqRUs Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Event Subscriptions Service Limits keAhfbH5yb Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Max Auths per Security Group Service Limits dBkuNCvqn5 Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Option Groups Service Limits 3Njm0DJQO9 Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Read Replicas per Master Service Limits pYW8UkYz2w Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Reserved Instances Service Limits UUDvOa5r34 Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Subnet Groups Service Limits dYWBaXaaMM Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Subnets per Subnet Group Service Limits jEhCtdJKOY Status | Region | Limit Amount | Current Usage
Service Limit: RDS - Total Storage Quota Service Limits P1jhKWEmLa Status | Region | Limit Amount | Current Usage
Service Limit: Route 53 Hosted Zones Service Limits dx3xfcdfMr Status | Region | Limit Amount | Current Usage
Service Limit: Route 53 Max Health Checks Service Limits ru4xfcdfMr Status | Region | Limit Amount | Current Usage
Service Limit: Route 53 Reusable Delegation Sets Service Limits ty3xfcdfMr Status | Region | Limit Amount | Current Usage
Service Limit: Route 53 Traffic Policies Service Limits dx3xfbjfMr Status | Region | Limit Amount | Current Usage
Service Limit: Route 53 Traffic Policy Instances Service Limits dx8afcdfMr Status | Region | Limit Amount | Current Usage
Service Limit: SES - Daily Sending Quota Service Limits hJ7NN0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: VPC - Internet Gateways Service Limits kM7QQ0l7J9 Status | Region | Limit Amount | Current Usage
Service Limit: VPCs Service Limits jL7PP0l7J9 Status | Region | Limit Amount | Current Usage
Unassociated Elastic IP Addresses Cost Optimization Z4AUBRNSmz Region | IP Address
Underutilized Amazon EBS Volumes Cost Optimization DAvU99Dc4C Region | Volume ID | Volume Name | Volume Type | Volume Size | Monthly Storage Cost | Snapshot ID | Snapshot Name | Snapshot Age
Underutilized Amazon Redshift Clusters Cost Optimization G31sQ1E9U Status | Region | Cluster | Instance Type | Reason | Estimated Monthly Savings
VPN Tunnel Redundancy Fault Tolerance S45wrEXrLz Region | VPN ID | VPC | Virtual Private Gateway | Customer Gateway | Active Tunnels | Status | Reason

The following table shows the report columns for each check again, adding examples of the service-specific actions that display data that corresponds to the data displayed in the Trusted Advisor report columns. Note that Trusted Advisor does not necessarily use the actions listed; the actions are only examples of one way to display the information.

For example, if you deny a user access to the Amazon EC2 DescribeInstances operation but also allow the user access to the Trusted Advisor Low Utilization EC2 Instances check, the user can view some of the information that is returned by DescribeInstances, even though access to DescribeInstances has been explicitly denied.
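
The gap described above can be audited offline from a principal's policy documents. The following Python sketch is an added example, not AWS code: it applies a simplified IAM evaluation (action wildcards only; Resource, Condition and NotAction are ignored, which is an assumption) to a constructed policy set and lists the service actions, taken from a few rows of the tables on this page, whose data stays visible through Trusted Advisor. It treats `trustedadvisor:DescribeCheckItems` as the permission that exposes check results; the function and variable names are hypothetical.

```python
from fnmatch import fnmatchcase

# A few rows copied from the page's tables:
# check title -> (check ID, example service actions that expose the same data).
CHECKS = {
    "High Utilization Amazon EC2 Instances": (
        "ZRxQlPsb6c", ["ec2:DescribeInstances", "cloudwatch:GetMetricStatistics"]),
    "Amazon RDS Backups": (
        "opQPADkZvH", ["rds:DescribeDBInstances"]),
    "IAM Access Key Rotation": (
        "DqdJqYeRm5", ["iam:ListUsers", "iam:GetCredentialReport"]),
    "AWS CloudTrail Logging": (
        "vjafUGJ9H0", ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"]),
}

# Permission that lets a principal read check results (trustedadvisor namespace).
TA_VIEW_ACTION = "trustedadvisor:DescribeCheckItems"

# Constructed sample: policies attached to one hypothetical role.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "trustedadvisor:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["rds:Describe*", "cloudwatch:GetMetricStatistics"],
         "Resource": "*"},
    ]},
    # A single statement may be an object instead of a list.
    {"Version": "2012-10-17", "Statement": {
        "Effect": "Deny", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"}},
]


def _as_list(value):
    """IAM allows a scalar or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def decision(policies, action):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one action.

    Simplification (assumption): only Action patterns are evaluated.
    """
    wanted = action.lower()  # IAM action names are case-insensitive
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
            if not any(fnmatchcase(wanted, p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"  # an explicit deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


def shadow_reads(policies):
    """List (check, check ID, action, verdict) where the direct service call
    is not allowed but the same data is readable through Trusted Advisor."""
    if decision(policies, TA_VIEW_ACTION) != "allow":
        return []
    findings = []
    for title, (check_id, actions) in CHECKS.items():
        for action in actions:
            verdict = decision(policies, action)
            if verdict != "allow":
                findings.append((title, check_id, action, verdict))
    return findings


if __name__ == "__main__":
    for title, check_id, action, verdict in shadow_reads(SAMPLE_POLICIES):
        print(f"{check_id}  {title}: {action} is {verdict}, "
              f"but its data is visible in the check report")
```

Each finding is a candidate for either removing the principal's Trusted Advisor view permission or accepting that the listed report columns are readable by it.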

Check title    Report columns    Actions    Data

Amazon Aurora DB Instance Accessibility

Status | Region | Cluster | Public DB Instances | Private DB Instances | Reason

rds:DescribeDBClusters AvailabilityZones
DBClusterIdentifier
DBInstanceIdentifier
rds:DescribeDBInstances PubliclyAccessible

Amazon EBS Provisioned IOPS Volume Attachment Configuration

Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status

ec2:DescribeVolumes AvailabilityZone
VolumeId
tag:Name
VolumeType
AttachmentSet.Item.VolumeId
AttachmentSet.Item.InstanceId
AttachmentSet.Item.Device
ec2:DescribeInstanceAttribute InstanceId
EbsOptimized

Amazon EBS Public Snapshots

Region | Snapshot ID | Status | Volume

ec2:DescribeSnapshots Description
SnapshotId
VolumeId

Amazon EBS Snapshots

Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason

ec2:DescribeVolumes VolumeId
VolumeType
tag:Name
cloudwatch:GetMetricStatistics VolumeReadOps
VolumeWriteOps

Amazon EC2 Availability Zone Balance

Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason

ec2:DescribeInstances AvailabilityZone

Amazon EC2 Reserved Instance Lease Expiration

Status | Zone | Instance Type | Platform | Instance Count | Current Monthly Cost | Estimated Monthly Savings | Expiration Date | Reserved Instance ID | Reason

ec2:DescribeReservedInstances AvailabilityZone
InstanceType
ProductDescription
InstanceCount
End
ReservedInstancesId

Amazon EC2 Reserved Instances Optimization

Region | Instance Type | Platform | Recommended number of RIs to purchase | Expected Average RI Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of RIs | Estimated cost of RIs (Monthly) | Estimated On-Demand Cost Post Recommended RI Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years)

ce:GetReservationPurchaseRecommendation Region
InstanceType
Platform
RecommendedNumberOfInstancesToPurchase
AverageUtilization
EstimatedMonthlySavingsAmount
UpfrontCost
RecurringStandardMonthlyCost
EstimatedMonthlyOnDemandCost
EstimatedBreakEvenInMonths
LookbackPeriodInDays
TermInYears

Amazon EC2 to EBS Throughput Optimization

Region | Instance ID | Instance Type | Status | Time Near Maximum

ec2:DescribeInstances AvailabilityZone
InstanceId
InstanceType

Amazon ElastiCache Reserved Node Optimization

Region | Family | Node Type | Product Description | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes | Estimated cost of Reserved Nodes (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Nodes Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years)

ce:GetReservationPurchaseRecommendation Region
Family
Node Type
Product Description
RecommendedNumberOfInstancesToPurchase
AverageUtilization
EstimatedMonthlySavingsAmount
UpfrontCost
RecurringStandardMonthlyCost
EstimatedMonthlyOnDemandCost
EstimatedBreakEvenInMonths
LookbackPeriodInDays
TermInYears

Amazon OpenSearch Reserved Instance Optimization

Region | Instance Class | Instance Size | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instance Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Instances | Estimated cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years)

ce:GetReservationPurchaseRecommendation Region
InstanceClass
InstanceSize
RecommendedNumberOfInstancesToPurchase
AverageUtilization
EstimatedMonthlySavingsAmount
UpfrontCost
RecurringStandardMonthlyCost
EstimatedMonthlyOnDemandCost
EstimatedBreakEvenInMonths
LookbackPeriodInDays
TermInYears

Amazon RDS Backups

Region/AZ | DB Instance | VPC ID | Backup Retention Period | Status

rds:DescribeDBInstances AvailabilityZone
DBInstanceIdentifier
DBSubnetGroup.VpcId
BackupRetentionPeriod

Amazon RDS Idle DB Instances

Region | DB Instance Name | Multi-AZ | Instance Type | Storage Provisioned (GB) | Days Since Last Connection | Estimated Monthly Savings (On Demand)

rds:DescribeDBInstances DBInstanceIdentifier
MultiAZ
DBInstanceClass
AllocatedStorage
cloudwatch:GetMetricStatistics DatabaseConnections

Amazon RDS Multi-AZ

Region/AZ | DB Instance | VPC ID | Multi-AZ | Status

rds:DescribeDBInstances AvailabilityZone
DBInstanceIdentifier
DBSubnetGroup.VpcId
MultiAZ

Amazon RDS Public Snapshots

Instance ID | Region | Snapshot ID | Status

rds:DescribeDBSnapshots DBInstanceIdentifier
DBSnapshotIdentifier
Status

Amazon RDS Reserved Instance Optimization

Region | Family | Instance Type | License Model | Database Edition | Database Engine | Deployment Option | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instance Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Instances | Estimated Cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years)

ce:GetReservationPurchaseRecommendation Region
Family
Instance Type
License Model
Database Edition
Database Engine
Deployment Option
RecommendedNumberOfInstancesToPurchase
AverageUtilization
EstimatedMonthlySavingsAmount
UpfrontCost
RecurringStandardMonthlyCost
EstimatedMonthlyOnDemandCost
EstimatedBreakEvenInMonths
LookbackPeriodInDays
TermInYears

Amazon RDS Security Group Access Risk

Region | RDS Security Group Name | Ingress Rule | Status | Reason

rds:DescribeDBInstances DBSecurityGroupName
rds:DescribeDBSecurityGroups IPRanges

Amazon Redshift Reserved Node Optimization

Region | Family | Node Type | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes | Estimated cost of Reserved Nodes (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Nodes Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years)

ce:GetReservationPurchaseRecommendation Region
Family
Node Type
RecommendedNumberOfInstancesToPurchase
AverageUtilization
EstimatedMonthlySavingsAmount
UpfrontCost
RecurringStandardMonthlyCost
EstimatedMonthlyOnDemandCost
EstimatedBreakEvenInMonths
LookbackPeriodInDays
TermInYears

Amazon Route 53 Alias Resource Record Sets

Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier | Alias Target | Status

route53:ListResourceRecordSets
HostedZoneId
Name
Type
DNSName
SetIdentifier
route53:ListHostedZones Name

Amazon Route 53 Deleted Health Checks

Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier

route53:ListResourceRecordSets
HostedZoneId
Name
Type
SetIdentifier
route53:ListHostedZones Name

Amazon Route 53 Failover Resource Record Sets

Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Reason

route53:ListResourceRecordSets
HostedZoneId
Name
Type
route53:ListHostedZones Name

Amazon Route 53 High TTL Resource Record Sets

Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set ID | TTL | Status

route53:ListResourceRecordSets
HostedZoneId
Name
Type
SetIdentifier
TTL
route53:ListHostedZones Name

Amazon Route 53 Latency Resource Record Sets

Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type

route53:ListResourceRecordSets
HostedZoneId
Name
Type
route53:ListHostedZones Name

Amazon Route 53 MX and SPF Resource Record Sets

Hosted Zone Name | Hosted Zone ID | Resource Record Set Name

route53:ListResourceRecordSets
HostedZoneId
Name
route53:ListHostedZones Name

Amazon Route 53 Name Server Delegations

Hosted Zone Name | Hosted Zone ID | Number of Name Server Delegations Used

route53:ListHostedZones Name
ID
NameServers

Amazon S3 Bucket Logging

Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason

s3api:GetService BucketName
Owner
s3api:GetBucketLogging TargetName
s3api:GetBucketAcl Grantee
Permission

Amazon S3 Bucket Permissions

Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status

s3api:GetService
BucketName
Owner
s3api:GetBucketAcl
Grantee
Permission

Amazon S3 Bucket Versioning

Region | Bucket Name | Versioning | MFA Delete Enabled | Status

s3api:GetBucketVersioning Status
MFADelete

Auto Scaling Group Health Check

Region | Auto Scaling Group Name | Load Balancer Associated | Health Check | Status

autoscaling:DescribeAutoScalingGroups
AutoScalingGroupARN
AutoScalingGroupName
LoadBalancerNames
HealthCheckType

Auto Scaling Group Resources

Region | Auto Scaling Group Name | Launch Configuration Name | Resource Type | Resource Name | Status | Reason

autoscaling:DescribeAutoScalingGroups
AutoScalingGroupARN
AutoScalingGroupName
LaunchConfigurationName
LoadBalancerNames
autoscaling:DescribeLaunchConfiguration
ImageId

AWS CloudTrail Logging

Region | Trail Name | Logging Status | Bucket Name | Last Delivery Error | Status

cloudtrail:DescribeTrails Name
S3BucketName
cloudtrail:GetTrailStatus IsLogging
LatestDeliveryError

AWS Direct Connect Connection Redundancy

Status | Time Stamp | Region | Connection ID | Location

directconnect:DescribeConnections

Region
ConnectionId
Location

AWS Direct Connect Location Redundancy

Status | Time Stamp | Region | Location | Connection Details

directconnect:DescribeConnections

Region
Location
Bandwidth

AWS Direct Connect Virtual Interface Redundancy

Status | Time Stamp | Region | Gateway ID | Location for VIF | Connection ID for VIF

directconnect:DescribeVirtualInterfaces

Region
VirtualGatewayId
Location
ConnectionId

CloudFront Alternate Domain Names

Distribution ID | Distribution Domain Name | Alternate Domain Name

cloudfront:GetDistributions Id
DomainName
Aliases.Items

CloudFront Content Delivery Optimization

Region | Bucket Name | S3 Storage (GB) | Data Transfer Out (GB) | Ratio of Transfer to Storage | Status

s3:GetBucket Name
Contents.Size
CloudFront Custom SSL Certificates in the IAM Certificate Store Distribution ID | Distribution Domain Name | Certificate Name | Reason cloudfront:GetDistributions
Id
DomainName
IAMCertificateId
CloudFront Header Forwarding and Cache Hit Ratio Distribution ID | Distribution Domain Name | Cache Behavior Path Pattern | Headers cloudfront:GetDistributions
Id
DomainName
PathPattern
Headers
CloudFront SSL Certificate on the Origin Server Distribution ID | Distribution Domain Name | Origin | Reason cloudfront:GetDistributions Id
DomainName
Origins.Items
EC2Config Service for EC2 Windows Instances Region | Instance ID | Instance Name | EC2Config Status | Timestamp ec2:DescribeInstances InstanceId
AvailabilityZone
Tags.Name
Programs and Features Ec2ConfigService
ELB Connection Draining Region | Load Balancer Name | Status | Reason elasticloadbalancing:
 DescribeLoadBalancers
LoadBalancerName
elasticloadbalancing:
 DescribeLoadBalancerAttributes
LoadBalancerAttributes
ConnectionDraining
ELB Cross-Zone Load Balancing Region | Load Balancer Name | Status | Reason elasticloadbalancing:
 DescribeLoadBalancers
LoadBalancerName
elasticloadbalancing:
 DescribeLoadBalancerAttributes
LoadBalancerAttributes
CrossZoneLoadBalancing
ELB Listener Security Region | Load Balancer Name | Load Balancer Port | Status [Ciphers/Protocols] | Reason
elasticloadbalancing:
  DescribeLoadBalancers
LoadBalancerName
Listener.LoadBalancerPort
Listener.Protocol

ELB Security Groups

Region | Load Balancer Name | Status | Security Group IDs | Reason

elasticloadbalancing:
  DescribeLoadBalancers
LoadBalancerName
SecurityGroups

Exposed Access Keys

Access Key ID | User Name (IAM or Root) | Fraud Type | Case ID | Time Updated | Location | Deadline | Usage (USD per Day)

iam:ListUsers UserName
iam:ListAccessKeys AccessKeyId

High Utilization Amazon EC2 Instances

Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization

ec2:DescribeInstances AvailabilityZone
InstanceId
tag:Name
cloudwatch:GetMetricStatistics CPUUtilization
NetworkIn
NetworkOut

IAM Access Key Rotation

IAM User | Access Key | Key Last Rotated | Reason

iam:ListUsers
UserName
iam:GetCredentialReport
access_key_1_last_rotated
access_key_2_last_rotated

IAM Password Policy

Password Policy | Uppercase | Lowercase | Number | Non-alphanumeric | Status | Reason

iam:GetAccountPasswordPolicy RequireUppercaseCharacters
RequireLowercaseCharacters
RequireNumbers
RequireSymbols

IAM Use

[None]

iam:GetAccountSummary Users
Groups
iam:ListRoles
Roles

Idle Load Balancers

Region | Load Balancer Name | Reason | Estimated Monthly Savings

elasticloadbalancing:
  DescribeLoadBalancers
LoadBalancerName
Instances
elasticloadbalancing:
  DescribeInstanceHealth
InstanceStates
cloudwatch:GetMetricStatistics AWS/ELB/RequestCount

Large Number of EC2 Security Group Rules Applied to an Instance

Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules

ec2:DescribeInstances
ec2:DescribeGroups
InstanceId
tag:Name
VpcId
GroupId
GroupName
ec2:DescribeGroups IpPermissions
IpPermissionsEgress

Large Number of Rules in an EC2 Security Group

Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules

ec2:DescribeGroups GroupName
GroupId
GroupDescription
VpcId
IpPermissions
IpPermissionsEgress
ec2:DescribeInstances GroupId
InstanceId

Load Balancer Optimization

Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason

elasticloadbalancing:
  DescribeLoadBalancers
LoadBalancerName
AvailabilityZones

Low Utilization Amazon EC2 Instances

Region/AZ | Instance ID | Instance Name | Instance Type | Estimated Monthly Savings | Day 1 ... Day 14 | 14-Day Average CPU Utilization | 14-Day Average Network I/O | Number of Days Low Utilization

ec2:DescribeInstances
AvailabilityZone
InstanceId
tag:Name
cloudwatch:GetMetricStatistics CPUUtilization
NetworkIn
NetworkOut

MFA on Root Account

[None]

iam:GetAccountSummary AccountMFAEnabled

Overutilized Standard Amazon EBS Volumes

Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status

ec2:DescribeVolumes VolumeId
VolumeType
tag:Name
cloudwatch:GetMetricStatistics VolumeReadOps
VolumeWriteOps

PV Driver Version for EC2 Windows Instances

Region | Instance ID | Driver Status | Timestamp

ec2:DescribeInstances InstanceId
AvailabilityZone
Device Manager
Storage Controllers

Savings Plan

Savings Plan type | Hourly commitment to purchase | Lookback Period | Payment option | Upfront cost | Estimated average utilization | Estimated monthly savings | Estimated savings percentage

ce:GetSavingsPlansPurchaseRecommendation SavingsPlanType
HourlyCommitmentToPurchase
LookbackPeriodInDays
PaymentOption
UpfrontCost
EstimatedAverageUtilization
EstimatedMonthlySavingsAmount
EstimatedSavingsPercentage

Security Groups - Specific Ports Unrestricted

Region | Security Group Name | Security Group ID | Protocol | Status | Ports

ec2:DescribeSecurityGroups GroupName
GroupId
IpPermissions
IpProtocol
FromPort
ToPort

Security Groups - Unrestricted Access

Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range

ec2:DescribeSecurityGroups GroupName
GroupId
IpPermissions
IpProtocol
FromPort
ToPort
IpRanges

Service Limits

Region | Service | Limit Name | Limit Amount | Current Usage | Status

[Shows limits and current usage for several services. See "What service limits do you check" in the Trusted Advisor FAQs for details.] [Varies]

Unassociated Elastic IP Addresses

Region | IP Address

ec2:DescribeAddresses
PublicIp
InstanceId
ec2:DescribeInstances InstanceState

Underutilized Amazon EBS Volumes

Region | Volume ID | Volume Name | Volume Type | Volume Size | Monthly Storage Cost | Snapshot ID | Snapshot Name | Snapshot Age

ec2:DescribeVolumes VolumeId
VolumeType
tag:Name
Size
ec2:DescribeSnapshots SnapshotId
tag:Name
StartTime

Underutilized Amazon Redshift Clusters

Status | Region | Cluster | Instance Type | Reason | Estimated Monthly Savings

redshift:DescribeClusters AvailabilityZone
ClusterIdentifier
NodeType
cloudwatch:GetMetricStatistics CPUUtilization
DatabaseConnections

VPN Tunnel Redundancy

Region | VPN ID | VPC | Virtual Private Gateway | Customer Gateway | Active Tunnels | Status | Reason

ec2:DescribeVpnConnections VpnConnectionId
VpnGatewayId
CustomerGatewayId
VgwTelemetry
ec2:DescribeVpnGateways VpcId