The AWS Trusted Advisor console controls access to Trusted Advisor checks by using AWS Identity and Access Management (IAM) features:
- To view Trusted Advisor results or take actions such as refreshing check data or excluding items from results, an IAM user or role must have permission for actions and resources specified with the "trustedadvisor" namespace.
- To use the tag filter feature of the Trusted Advisor console, the user or role must also have permission associated with AWS tags. These permissions can be assigned by using AWS managed policies or with custom policies. For more information, see Obtaining Permissions for Tagging.
For a list of Trusted Advisor actions and example IAM policies, see Manage access for AWS Trusted Advisor. For more information about creating policies and applying them to users, groups, and roles, see the AWS Identity and Access Management User Guide.
Note: The trustedadvisor namespace does not apply to the Trusted Advisor actions of the AWS Support API. Permissions for the API are controlled by IAM policies that include actions and resources specified with the "support" IAM namespace.
Trusted Advisor displays information about some of the resources that are associated with an AWS account.
Important: Although the user cannot make changes to these resources unless they are authorized to do so by policies that explicitly allow it, the user can view information that they might otherwise not be authorized to view. For example, a user viewing a check related to Amazon EC2 Instances might see information or usage data for instances, even if another policy specifically denies access to viewing this information.
The following two tables show the information that Trusted Advisor displays:
- Table 1 shows the title, category, ID, and report columns of the current Trusted Advisor checks.
- Table 2 shows examples of service-specific actions (APIs) and data that correspond to the information that is shown by the checks.
Although the list of report columns in the following tables can alert you to information that is exposed by a check, you should examine a Trusted Advisor report for your account to make sure you fully understand what information is exposed by each check.
Check title | Category | Check ID | Report columns |
---|---|---|---|
Amazon Aurora DB Instance Accessibility | Fault Tolerance | xuy7H1avtl | Status | Region | Cluster | Public DB Instances | Private DB Instances | Reason |
Amazon EBS Provisioned IOPS Volume Attachment Configuration | Performance | PPkZrjsH2q | Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status |
Amazon EBS Public Snapshots | Security | ePs02jT06w | Region | Snapshot ID | Status | Volume ID |
Amazon EBS Snapshots | Fault Tolerance | H7IgTzjTYb | Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason |
Amazon EC2 Availability Zone Balance | Fault Tolerance | wuy7G1zxql | Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason |
Amazon EC2 Reserved Instance Lease Expiration | Cost Optimization | 1e93e4c0b5 | Status | Zone | Instance Type | Platform | Instance Count | Current Monthly Cost | Estimated Monthly Savings | Expiration Date | Reserved Instance ID | Reason |
Amazon EC2 Reserved Instances Optimization | Cost Optimization | cX3c2R1chu | Region | Instance Type | Platform | Recommended Number of RIs to Purchase | Expected Average RI Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of RIs | Estimated cost of RIs (Monthly) | Estimated On-Demand Cost Post Recommended RI Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years) |
Amazon EC2 to EBS Throughput Optimization | Performance | Bh2xRR2FGH | Region | Instance ID | Instance Type | Status | Time Near Maximum |
Amazon ElastiCache Reserved Node Optimization | Cost Optimization | h3L1otH3re | Region | Family | Node Type | Product Description | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes | Estimated cost of Reserved Nodes (Monthly) | E |
Amazon OpenSearch Reserved Instance Optimization | Cost Optimization | 7ujm6yhn5t | Region | Instance Class | Instance Size | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instances (Monthly) | Upfront Cost of Reserved Instances | Estimated cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years) |
Amazon RDS Backups | Fault Tolerance | opQPADkZvH | Region/AZ | DB Instance | VPC ID | Backup Retention Period | Status |
Amazon RDS Idle DB Instances | Cost Optimization | Ti39halfu8 | Region | DB Instance Name | Multi-AZ | Instance Type | Storage Provisioned (GB) | Days Since Last Connection | Estimated Monthly Savings (On Demand) |
Amazon RDS Multi-AZ | Fault Tolerance | f2iK5R6Dep | Region/AZ | DB Instance | VPC ID | Multi-AZ | Status |
Amazon RDS Public Snapshots | Security | rSs93HQwa1 | Region | DB Instance ID | Snapshot ID | Status |
Amazon RDS Reserved Instance Optimization | Cost Optimization | 1qazXsw23e | Region | Family | Instance Type | License Model | Database Edition | Database Engine | Deployment Option | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instance Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years) |
Amazon Redshift Reserved Node Optimization | Cost Optimization | 1qw23er45t | Region | Family | Node Type | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes | Estimated cost of Reserved Nodes (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Nodes Purchase (Monthly) | Estimated Break Even (Months) | Lookback Period (Days) | Term (Years) |
Amazon RDS Security Group Access Risk | Security | nNauJisYIT | Region | RDS Security Group Name | Ingress Rule | Status | Reason |
Amazon Route 53 Alias Resource Record Sets | Performance | B913Ef6fb4 | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier | Alias Target | Status |
Amazon Route 53 Deleted Health Checks | Fault Tolerance | Cb877eB72b | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier |
Amazon Route 53 Failover Resource Record Sets | Fault Tolerance | b73EEdD790 | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Reason |
Amazon Route 53 High TTL Resource Record Sets | Fault Tolerance | C056F80cR3 | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set ID | TTL | Status |
Amazon Route 53 Latency Resource Record Sets | Cost Optimization | 51fC20e7I2 | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type |
Amazon Route 53 MX and SPF Resource Record Sets | Security | c9D319e7sG | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name |
Amazon Route 53 Name Server Delegations | Fault Tolerance | cF171Db240 | Hosted Zone Name | Hosted Zone ID | Number of Name Server Delegations Used |
Amazon S3 Bucket Logging | Fault Tolerance | BueAdJ7NrP | Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason |
Amazon S3 Bucket Permissions | Security | Pfx0RwqBli | Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status |
Amazon S3 Bucket Versioning | Fault Tolerance | R365s2Qddf | Region | Bucket Name | Versioning | MFA Delete Enabled | Status |
Auto Scaling Group Health Check | Fault Tolerance | CLOG40CDO8 | Region | Auto Scaling Group Name | Load Balancer Associated | Health Check | Status |
Auto Scaling Group Resources | Fault Tolerance | 8CNsSllI5v | Region | Auto Scaling Group Name | Launch Configuration Name | Resource Type | Resource Name | Status | Reason |
AWS CloudTrail Logging | Security | vjafUGJ9H0 | Region | Trail Name | Logging Status | Bucket Name | Last Delivery Error | Status |
AWS Direct Connect Connection Redundancy | Fault Tolerance | 0t121N1Ty3 | Status | Time Stamp | Region | Connection ID | Location |
AWS Direct Connect Location Redundancy | Fault Tolerance | 8M012Ph3U5 | Status | Time Stamp | Region | Location | Connection Details |
AWS Direct Connect Virtual Interface Redundancy | Fault Tolerance | 4g3Nt5M1Th | Status | Time Stamp | Region | Gateway ID | Location for VIF | Connection ID for VIF |
AWS Lambda Functions Using Deprecated Runtimes | Security | L4dfs2Q4C5 | Status | Region | Function ARN | Runtime | Days to Deprecation | Deprecation Date | Average Daily Invokes | Last Refresh Time |
AWS Lambda Functions with Excessive Timeouts | Cost Optimization | L4dfs2Q3C3 | Status | Region | Function ARN | Max Daily Timeout Rate | Date of Max Daily Timeout Rate | Average Daily Timeout Rate | Function Timeout Setting | Lost Daily Compute Cost | Average Daily Invokes | Current Day Invokes | Current Day Timeout Rate | Last Refresh Time |
AWS Lambda Functions with High Error Rates | Cost Optimization | L4dfs2Q3C2 | Status | Region | Function ARN | Max Daily Error Rate | Date for Max Error Rate | Average Daily Error Rate | Lost Daily Compute Cost | Average Daily Invokes | Current Day Invokes | Current Day Error Rate | Last Refresh Time |
AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy | Fault Tolerance | L4dfs2Q4C6 | Status | Region | Function ARN | VPC ID | Average Daily Invokes | Last Refresh Time |
CloudFront Alternate Domain Names | Performance | N420c450f2 | Distribution ID | Distribution Domain Name | Alternate Domain Name |
CloudFront Content Delivery Optimization | Performance | 796d6f3D83 | Region | Bucket Name | S3 Storage (GB) | Data Transfer Out (GB) | Ratio of Transfer to Storage | Status |
CloudFront Custom SSL Certificates in the IAM Certificate Store | Security | N425c450f2 | Distribution ID | Distribution Domain Name | Certificate Name | Reason |
CloudFront Header Forwarding and Cache Hit Ratio | Performance | N415c450f2 | Distribution ID | Distribution Domain Name | Cache Behavior Path Pattern | Headers |
CloudFront SSL Certificate on the Origin Server | Security | N430c450f2 | Distribution ID | Distribution Domain Name | Origin | Reason |
ELB Connection Draining | Fault Tolerance | 7qGXsKIUw | Region | Load Balancer Name | Status | Reason |
ELB Cross-Zone Load Balancing | Fault Tolerance | xdeXZKIUy | Region | Load Balancer Name | Status | Reason |
ELB Listener Security | Security | a2sEc6ILx | Region | Load Balancer Name | Load Balancer Port | Status [Ciphers/Protocols] | Reason |
ELB Security Groups | Security | xSqX82fQu | Region | Load Balancer Name | Status | Security Group IDs | Reason |
Exposed Access Keys | Security | 12Fnkpl8Y5 | Access Key ID | User Name (IAM or Root) | Fraud Type | Case ID | Time Updated | Location | Deadline | Usage (USD per Day) |
High Utilization Amazon EC2 Instances | Performance | ZRxQlPsb6c | Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization |
IAM Access Key Rotation | Security | DqdJqYeRm5 | IAM User | Access Key | Key Last Rotated | Reason |
IAM Password Policy | Security | Yw2K9puPzl | Password Policy | Uppercase | Lowercase | Number | Non-alphanumeric | Status | Reason |
IAM Use | Security | zXCkfM1nI3 | [None] |
Idle Load Balancers | Cost Optimization | hjLMh88uM8 | Region | Load Balancer Name | Reason | Estimated Monthly Savings |
Large Number of EC2 Security Group Rules Applied to an Instance | Performance | j3DFqYTe29 | Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules |
Large Number of Rules in an EC2 Security Group | Fault Tolerance | tfg86AVHAZ | Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules |
Load Balancer Optimization | Fault Tolerance | iqdCTZKCUp | Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason |
Low Utilization Amazon EC2 Instances | Cost Optimization | Qch7DwouX1 | Region/AZ | Instance ID | Instance Name | Instance Type | Estimated Monthly Savings | Day 1 ... Day 14 | 14-Day Average CPU Utilization | 14-Day Average Network I/O | Number of Days Low Utilization |
MFA on Root Account | Security | 7DAFEmoDos | [None] |
Overutilized Standard Amazon EBS Volumes | Performance | k3J2hns32g | Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status |
Savings Plan | Cost Optimization | vZ2c2W1srf | Savings Plan type | Hourly commitment to purchase | Lookback period | Payment option | Upfront cost | Estimated average utilization | Estimated monthly savings | Estimated savings percentage |
Security Groups - Specific Ports Unrestricted | Security | HCP4007jGY | Region | Security Group Name | Security Group ID | Protocol | Status | Ports |
Security Groups - Unrestricted Access | Security | 1iG5NDGVre | Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range |
Service Limit: Auto Scaling - Groups | Service Limits | fW7HH0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: Auto Scaling - Launch Configurations | Service Limits | aW7HH0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: CloudFormation - Stacks | Service Limits | gW7HH0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: DynamoDB Read Capacity | Service Limits | 6gtQddfEw6 | Status | Region | Limit Amount | Current Usage |
Service Limit: DynamoDB Write Capacity | Service Limits | c5ftjdfkMr | Status | Region | Limit Amount | Current Usage |
Service Limit: EBS - Active Snapshots | Service Limits | eI7KK0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EBS - Cold HDD (sc1) | Service Limits | gH5CC0e3J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EBS - General Purpose SSD Volume Storage | Service Limits | dH7RR0l6J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EBS - Magnetic (standard) Volume Storage | Service Limits | cG7HH0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EBS Throughput Optimized HDD (st1) | Service Limits | wH7DD0l3J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EBS - Provisioned IOPS (SSD) Volume Aggregate IOPS | Service Limits | tV7YY0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EBS - Provisioned IOPS SSD (io1) Volume Storage | Service Limits | gI7MM0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EC2 - Classic Elastic IP Addresses | Service Limits | aW9HH0l8J6 | Status | Region | Limit Amount | Current Usage |
Service Limit: EC2 - On-Demand Instances | Service Limits | 0Xc6LMYG8P | Status | Region | Instance Type | Limit Amount | Current Usage |
Service Limit: EC2 - Reserved Instance Leases | Service Limits | iH7PP0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: EC2 - VPC Elastic IP Address | Service Limits | lN7RR0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: ELB - Active Load Balancers | Service Limits | iK7OO0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: ELB - Application Load Balancers | Service Limits | EM8b3yLRTr | Status | Region | Limit Amount | Current Usage |
Service Limit: ELB - Network Load Balancers | Service Limits | 8wIqYSt25K | Status | Region | Limit Amount | Current Usage |
Service Limit: IAM - Group | Service Limits | sU7XX0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: IAM - Instance Profiles | Service Limits | nO7SS0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: IAM - Policies | Service Limits | pR7UU0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: IAM - Roles | Service Limits | oQ7TT0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: IAM - Server Certificates | Service Limits | rT7WW0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: IAM - Users | Service Limits | qS7VV0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: Kinesis - Shards per Region | Service Limits | bW7HH0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Cluster Parameter Groups | Service Limits | jtlIMO3qZM | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Cluster roles | Service Limits | 7fuccf1Mx7 | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Clusters | Service Limits | gjqMBn6pjz | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - DB Instances | Service Limits | XG0aXHpIEt | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - DB Parameter Groups | Service Limits | jEECYg2YVU | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - DB Security Groups | Service Limits | gfZAn3W7wl | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - DB snapshots per user | Service Limits | dV84wpqRUs | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Event Subscriptions | Service Limits | keAhfbH5yb | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Max Auths per Security Group | Service Limits | dBkuNCvqn5 | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Option Groups | Service Limits | 3Njm0DJQO9 | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Read Replicas per Master | Service Limits | pYW8UkYz2w | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Reserved Instances | Service Limits | UUDvOa5r34 | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Subnet Groups | Service Limits | dYWBaXaaMM | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Subnets per Subnet Group | Service Limits | jEhCtdJKOY | Status | Region | Limit Amount | Current Usage |
Service Limit: RDS - Total Storage Quota | Service Limits | P1jhKWEmLa | Status | Region | Limit Amount | Current Usage |
Service Limit: Route 53 Hosted Zones | Service Limits | dx3xfcdfMr | Status | Region | Limit Amount | Current Usage |
Service Limit: Route 53 Max Health Checks | Service Limits | ru4xfcdfMr | Status | Region | Limit Amount | Current Usage |
Service Limit: Route 53 Reusable Delegation Sets | Service Limits | ty3xfcdfMr | Status | Region | Limit Amount | Current Usage |
Service Limit: Route 53 Traffic Policies | Service Limits | dx3xfbjfMr | Status | Region | Limit Amount | Current Usage |
Service Limit: Route 53 Traffic Policy Instances | Service Limits | dx8afcdfMr | Status | Region | Limit Amount | Current Usage |
Service Limit: SES - Daily Sending Quota | Service Limits | hJ7NN0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: VPC - Internet Gateways | Service Limits | kM7QQ0l7J9 | Status | Region | Limit Amount | Current Usage |
Service Limit: VPCs | Service Limits | jL7PP0l7J9 | Status | Region | Limit Amount | Current Usage |
Unassociated Elastic IP Addresses | Cost Optimization | Z4AUBRNSmz | Region | IP Address |
Underutilized Amazon EBS Volumes | Cost Optimization | DAvU99Dc4C | Region | Volume ID | Volume Name | Volume Type | Volume Size | Monthly Storage Cost | Snapshot ID | Snapshot Name | Snapshot Age |
Underutilized Amazon Redshift Clusters | Cost Optimization | G31sQ1E9U | Status | Region | Cluster | Instance Type | Reason | Estimated Monthly Savings |
VPN Tunnel Redundancy | Fault Tolerance | S45wrEXrLz | Region | VPN ID | VPC | Virtual Private Gateway | Customer Gateway | Active Tunnels | Status | Reason |
The following table shows the report columns for each check again, adding examples of the service-specific actions that display data that corresponds to the data displayed in the Trusted Advisor report columns. Note that Trusted Advisor does not necessarily use the actions listed; the actions are only examples of one way to display the information.
For example, if you deny a user access to the Amazon EC2 DescribeInstances operation but also allow the user access to the Trusted Advisor Low Utilization EC2 Instances check, the user can view some of the information that is returned by DescribeInstances, even though access to DescribeInstances has been explicitly denied.
Check title | Report columns | Actions | Data |
---|---|---|---|
Amazon Aurora DB Instance Accessibility | Status | Region | Cluster | Public DB Instances | Private DB Instances | Reason | rds:DescribeDBClusters | AvailabilityZones DBClusterIdentifier DBInstanceIdentifier |
rds:DescribeDBInstances | PubliclyAccessible |
Amazon EBS Provisioned IOPS Volume Attachment Configuration | Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status | ec2:DescribeVolumes | AvailabilityZone VolumeId tag:Name VolumeType AttachmentSet.Item.VolumeId AttachmentSet.Item.InstanceId AttachmentSet.Item.Device |
ec2:DescribeInstanceAttribute | InstanceId EbsOptimized |
Amazon EBS Public Snapshots | Region | Snapshot ID | Status | Volume | ec2:DescribeSnapshots | Description SnapshotId VolumeId |
Amazon EBS Snapshots | Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason | ec2:DescribeVolumes | VolumeId VolumeType tag:Name |
cloudwatch:GetMetricStatistics | VolumeReadOps VolumeWriteOps |
Amazon EC2 Availability Zone Balance | Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason | ec2:DescribeInstances | AvailabilityZone |
Amazon EC2 Reserved Instance Lease Expiration | Status | Zone | Instance Type | Platform | Instance Count | Current Monthly Cost | Estimated Monthly Savings | Expiration Date | Reserved Instance ID | Reason | ec2:DescribeReservedInstances | AvailabilityZone InstanceType ProductDescription InstanceCount End ReservedInstancesId |
Amazon EC2 Reserved Instances Optimization | Region | Instance Type | Platform | Recommended number of RIs to purchase | Expected Average RI Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of RIs | Estimated cost of RIs (Monthly) | Estimated On-Demand Cost Post Recommended RI Purchase (Monthly) | Estimated Lookback Period (Days) | Term (Years) | ce:GetReservationPurchaseRecommendation | Region InstanceType Platform RecommendedNumberOfInstancesToPurchase AverageUtilization EstimatedMonthlySavingsAmount UpfrontCost RecurringStandardMonthlyCost EstimatedMonthlyOnDemandCost EstimatedBreakEvenInMonths LookbackPeriodInDays TermInYears |
Amazon EC2 to EBS Throughput Optimization | Region | Instance ID | Instance Type | Status | Time Near Maximum | ec2:DescribeInstances | AvailabilityZone InstanceId InstanceType |
Amazon ElastiCache Reserved Node Optimization | Region | Family | Node Type | Product Description | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Nodes Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years) | ce:GetReservedPurchaseRecommendation | Region Family Node Type Product Description RecommendedNumberOfInstancesToPurchase AverageUtilization EstimatedMonthlySavingsAmount UpfrontCost RecurringStandardMonthlyCost EstimatedMonthlyOnDemandCost EstimatedBreakEvenInMonths LookbackPeriodInDays TermInYears |
Amazon OpenSearch Reserved Instance Optimization | Region | Instance Class | Instance Size | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instance Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Instances | Estimated cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years) | ce:GetReservationPurchaseRecommendation | Region InstanceClass InstanceSize RecommendedNumberOfInstancesToPurchase AverageUtilization EstimatedMonthlySavingsAmount UpfrontCost RecurringStandardMonthlyCost EstimatedMonthlyOnDemandCost EstimatedBreakEvenInMonths LookbackPeriodInDays TermInYears |
Amazon RDS Backups | Region/AZ | DB Instance | VPC ID | Backup Retention Period | Status | rds:DescribeDBInstances | AvailabilityZone DBInstanceIdentifier DBSubnetGroup.VpcId BackupRetentionPeriod |
Amazon RDS Idle DB Instances | Region | DB Instance Name | Multi-AZ | Instance Type | Storage Provisioned (GB) | Days Since Last Connection | Estimated Monthly Savings (On Demand) | rds:DescribeDBInstances | DBInstanceIdentifier MultiAZ DBInstanceClass AllocatedStorage |
cloudwatch:GetMetricStatistics | DatabaseConnections |
Amazon RDS Multi-AZ | Region/AZ | DB Instance | VPC ID | Multi-AZ | Status | rds:DescribeDBInstances | AvailabilityZone DBInstanceIdentifier DBSubnetGroup.VpcId MultiAZ |
Amazon RDS Public Snapshots | Instance ID | Region | Snapshot ID | Status | rds:DescribeDBSnapshots | DBInstanceIdentifier DBSnapshotIdentifier Status |
Amazon RDS Reserved Instance Optimization | Region | Family | Instance Type | License Model | Database Edition | Database Engine | Deployment Option | Recommended number of Reserved Instances to purchase | Expected Average Reserved Instance Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Instances | Estimated Cost of Reserved Instances (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years) | ce:GetReservationPurchaseRecommendation | Region Family Instance Type License Model Database Edition Database Engine Deployment Option RecommendedNumberOfInstancesToPurchase AverageUtilization EstimatedMonthlySavingsAmount UpfrontCost RecurringStandardMonthlyCost EstimatedMonthlyOnDemandCost EstimatedBreakEvenInMonths LookbackPeriodInDays TermInYears |
Amazon RDS Security Group Access Risk | Region | RDS Security Group Name | Ingress Rule | Status | Reason | rds:DescribeDBInstances | DBSecurityGroupName |
rds:DescribeDBSecurityGroups | IPRanges |
Amazon Redshift Reserved Node Optimization | Region | Family | Node Type | Recommended number of Reserved Nodes to purchase | Expected Average Reserved Node Utilization | Estimated Savings with Recommendation (Monthly) | Upfront Cost of Reserved Nodes (Monthly) | Estimated On-Demand Cost Post Recommended Reserved Nodes Purchase (Monthly) | Estimated Break Even (Monthly) | Lookback Period (Days) | Term (Years) | ce:GetReservationPurchaseRecommendation | Region Family Node Type RecommendedNumberOfInstancesToPurchase AverageUtilization EstimatedMonthlySavingsAmount UpfrontCost RecurringStandardMonthlyCost EstimatedMonthlyOnDemandCost EstimatedBreakEvenInMonths LookbackPeriodInDays TermInYears |
Amazon Route 53 Alias Resource Record Sets | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier | Alias Target | Status | route53:ListResourceRecordSets | HostedZoneId Name Type DNSName SetIdentifier |
route53:ListHostedZones | Name |
Amazon Route 53 Deleted Health Checks | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier | route53:ListResourceRecordSets | HostedZoneId Name Type SetIdentifier |
route53:ListHostedZones | Name |
Amazon Route 53 Failover Resource Record Sets | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Reason | route53:ListResourceRecordSets | HostedZoneId Name Type |
route53:ListHostedZones | Name |
Amazon Route 53 High TTL Resource Record Sets | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set ID | TTL | Status | route53:ListResourceRecordSets | HostedZoneId Name Type SetIdentifier TTL |
route53:ListHostedZones | Name |
Amazon Route 53 Latency Resource Record Sets | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | route53:ListResourceRecordSets | HostedZoneId Name Type |
route53:ListHostedZones | Name |
Amazon Route 53 MX and SPF Resource Record Sets | Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | route53:ListResourceRecordSets | HostedZoneId Name |
route53:ListHostedZones | Name |
Amazon Route 53 Name Server Delegations | Hosted Zone Name | Hosted Zone ID | Number of Name Server Delegations Used | route53:ListHostedZones | Name ID NameServers |
Amazon S3 Bucket Logging | Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason | s3api:GetService | BucketName Owner |
s3api:GetBucketLogging | TargetName |
s3api:GetBucketAcl | Grantee Permission |
Amazon S3 Bucket Permissions | Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status | s3api:GetService | BucketName Owner |
s3api:GetBucketAcl | Grantee Permission |
Amazon S3 Bucket Versioning | Region | Bucket Name | Versioning | MFA Delete Enabled | Status | s3api:GetBucketVersioning | Status MFADelete |
Auto Scaling Group Health Check | Region | Auto Scaling Group Name | Load Balancer Associated | Health Check | Status | autoscaling:DescribeAutoScalingGroups | AutoScalingGroupARN AutoScalingGroupName LoadBalancerNames HealthCheckType |
Auto Scaling Group Resources | Region | Auto Scaling Group Name | Launch Configuration Name | Resource Type | Resource Name | Status | Reason | autoscaling:DescribeAutoScalingGroups | AutoScalingGroupARN AutoScalingGroupName LaunchConfigurationName LoadBalancerNames |
autoscaling:DescribeLaunchConfiguration | ImageId |
AWS CloudTrail Logging | Region | Trail Name | Logging Status | Bucket Name | Last Delivery Error | Status | cloudtrail:DescribeTrails | Name S3BucketName |
cloudtrail:GetTrailStatus | IsLogging LatestDeliveryError |
AWS Direct Connect Connection Redundancy | Status | Time Stamp | Region | Connection ID | Location | directconnect: | Region ConnectionId Location |
AWS Direct Connect Location Redundancy | Status | Time Stamp | Region | Location | Connection Details | directconnect: | Region Location Bandwidth |
AWS Direct Connect Virtual Interface Redundancy | Status | Time Stamp | Region | Gateway ID | Location for VIF | Connection ID for VIF | directconnect: | Region VirtualGatewayId Location ConnectionId |
CloudFront Alternate Domain Names | Distribution ID | Distribution Domain Name | Alternate Domain Name | cloudfront:GetDistributions | Id DomainName Aliases.Items |
CloudFront Content Delivery Optimization | Region | Bucket Name | S3 Storage (GB) | Data Transfer Out (GB) | Ratio of Transfer to Storage | Status | s3:GetBucket | Name Contents.Size |
CloudFront Custom SSL Certificates in the IAM Certificate Store | Distribution ID | Distribution Domain Name | Certificate Name | Reason | cloudfront:GetDistributions | Id DomainName IAMCertificateId |
CloudFront Header Forwarding and Cache Hit Ratio | Distribution ID | Distribution Domain Name | Cache Behavior Path Pattern | Headers | cloudfront:GetDistributions | Id DomainName PathPattern Headers |
CloudFront SSL Certificate on the Origin Server | Distribution ID | Distribution Domain Name | Origin | Reason | cloudfront:GetDistributions | Id DomainName Origins.Items |
EC2Config Service for EC2 Windows Instances | Region | Instance ID | Instance Name | EC2Config Status | Timestamp | ec2:DescribeInstances | InstanceId AvailabilityZone Tags.Name |
Programs and Features | Ec2ConfigService | ||
ELB Connection Draining | Region | Load Balancer Name | Status | Reason | elasticloadbalancing: DescribeLoadBalancers |
LoadBalancerName |
elasticloadbalancing: DescribeLoadBalancerAttributes |
LoadBalancerAttributes ConnectionDraining |
||
ELB Cross-Zone Load Balancing | Region | Load Balancer Name | Status | Reason | elasticloadbalancing: DescribeLoadBalancers |
LoadBalancerName |
elasticloadbalancing: DescribeLoadBalancerAttributes |
LoadBalancerAttributes CrossZoneLoadBalancing |
||
ELB Listener Security | Region | Load Balancer Name | Load Balancer Port | Status [Ciphers/Protocols] | Reason |
elasticloadbalancing: DescribeLoadBalancers |
LoadBalancerName Listener.LoadBalancerPort Listener.Protocol |
ELB Security Groups | Region | Load Balancer Name | Status | Security Group IDs | Reason |
elasticloadbalancing: DescribeLoadBalancers |
LoadBalancerName SecurityGroups |
Exposed Access Keys | Access Key ID | User Name (IAM or Root) | Fraud Type | Case ID | Time Updated | Location | Deadline | Usage (USD per Day) | iam:ListUsers | UserName |
iam:ListAccessKeys | AccessKeyId | ||
High Utilization Amazon EC2 Instances |
Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization |
ec2:DescribeInstances | AvailabilityZone InstanceId tag:Name |
cloudwatch:GetMetricStatistics | CPUUtilization NetworkIn NetworkOut |
||
IAM Access Key Rotation |
IAM User | Access Key | Key Last Rotated | Reason |
iam:ListUsers |
UserName |
iam:GetCredentialReport |
access_key_1_last_rotated access_key_2_last_rotated |
||
IAM Password Policy |
Password Policy | Uppercase | Lowercase | Number | Non-alphanumeric | Status | Reason |
iam:GetAccountPasswordPolicy | RequireUppercaseCharacters RequireLowercaseCharacters RequireNumbers RequireSymbols |
IAM Use |
[None] |
iam:GetAccountSummary | Users Groups |
iam:ListRoles | Roles |
Idle Load Balancers |
Region | Load Balancer Name | Reason | Estimated Monthly Savings |
elasticloadbalancing:DescribeLoadBalancers | LoadBalancerName Instances |
elasticloadbalancing:DescribeInstanceHealth | InstanceStates |
cloudwatch:GetMetricStatistics | AWS/ELB/RequestCount |
Large Number of EC2 Security Group Rules Applied to an Instance |
Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules |
ec2:DescribeInstances ec2:DescribeGroups | InstanceId tag:Name VpcId GroupId GroupName |
ec2:DescribeGroups | IpPermissions IpPermissionsEgress |
Large Number of Rules in an EC2 Security Group |
Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules |
ec2:DescribeGroups | GroupName GroupId GroupDescription VpcId IpPermissions IpPermissionsEgress |
ec2:DescribeInstances | GroupId InstanceId |
Load Balancer Optimization |
Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason |
elasticloadbalancing:DescribeLoadBalancers | LoadBalancerName AvailabilityZones |
Low Utilization Amazon EC2 Instances |
Region/AZ | Instance ID | Instance Name | Instance Type | Estimated Monthly Savings | Day 1 ... Day 14 | 14-Day Average CPU Utilization | 14-Day Average Network I/O | Number of Days Low Utilization |
ec2:DescribeInstances | AvailabilityZone InstanceId tag:Name |
cloudwatch:GetMetricStatistics | CPUUtilization NetworkIn NetworkOut |
MFA on Root Account |
[None] |
iam:GetAccountSummary | AccountMFAEnabled |
Overutilized Standard Amazon EBS Volumes |
Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status |
ec2:DescribeVolumes | VolumeId VolumeType tag:Name |
cloudwatch:GetMetricStatistics | VolumeReadOps VolumeWriteOps |
PV Driver Version for EC2 Windows Instances |
Region | Instance ID | Driver Status | Timestamp |
ec2:DescribeInstances | InstanceId AvailabilityZone |
Device Manager | Storage Controllers |
Savings Plan |
Savings Plan type | Hourly commitment to purchase | Lookback Period | Payment option | Upfront cost | Estimated average utilization | Estimated monthly savings | Estimated savings percentage |
ce:GetSavingsPlansPurchaseRecommendation | SavingsPlanType HourlyCommitmentToPurchase LookbackPeriodInDays PaymentOption UpfrontCost EstimatedAverageUtilization EstimatedMonthlySavingsAmount EstimatedSavingsPercentage |
Security Groups - Specific Ports Unrestricted |
Region | Security Group Name | Security Group ID | Protocol | Status | Ports |
ec2:DescribeSecurityGroups | GroupName GroupId IpPermissions IpProtocol FromPort ToPort |
Security Groups - Unrestricted Access |
Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range |
ec2:DescribeSecurityGroups | GroupName GroupId IpPermissions IpProtocol FromPort ToPort IpRanges |
Service Limits |
Region | Service | Limit Name | Limit Amount | Current Usage | Status |
[Shows limits and current usage for several services. See "What service limits do you check" in the Trusted Advisor FAQs for details.] | [Varies] |
Unassociated Elastic IP Addresses |
Region | IP Address |
ec2:DescribeAddresses | PublicIp InstanceId |
ec2:DescribeInstances | InstanceState |
Underutilized Amazon EBS Volumes |
Region | Volume ID | Volume Name | Volume Type | Volume Size | Monthly Storage Cost | Snapshot ID | Snapshot Name | Snapshot Age |
ec2:DescribeVolumes | VolumeId VolumeType tag:Name Size |
ec2:DescribeSnapshots | SnapshotId tag:Name StartTime |
Underutilized Amazon Redshift Clusters |
Status | Region | Cluster | Instance Type | Reason | Estimated Monthly Savings |
redshift:DescribeClusters | AvailabilityZone ClusterIdentifier NodeType |
cloudwatch:GetMetricStatistics | CPUUtilization DatabaseConnections |
VPN Tunnel Redundancy |
Region | VPN ID | VPC | Virtual Private Gateway | Customer Gateway | Active Tunnels | Status | Reason |
ec2:DescribeVpnConnections | VpnConnectionId VpnGatewayId CustomerGatewayId VgwTelemetry |
ec2:DescribeVpnGateways | VpcId |