The AWS Trusted Advisor console controls access to Trusted Advisor checks by using AWS Identity and Access Management (IAM) features:

  • To view Trusted Advisor results or take actions such as refreshing check data or excluding items from results, an IAM user or role must have permission for actions and resources specified with the "trustedadvisor" namespace.
  • To use the tag filter feature of the Trusted Advisor console, the user or role must also have permission associated with AWS tags. These permissions can be assigned by using AWS managed policies or with custom policies. For more information, see Obtaining Permissions for Tagging.

For complete information about creating policies and applying them to users, groups, and roles, see the AWS Identity and Access Management documentation.

Note: The trustedadvisor namespace does not apply to the Trusted Advisor actions of the AWS Support API. Permissions for the API are controlled by IAM policies that include actions and resources specified with the "support" IAM namespace. For more information, see the AWS Support User Guide.

The following table shows common permission scenarios for the Trusted Advisor console.

Table 1: Common permission scenarios (access level, policy specification, AWS managed policy)

Full
  Specification: "Action": "trustedadvisor:*", "Resource": "*"
  AWS managed policy: AdministratorAccess, PowerUserAccess

Read-only
  Specification: "Action": "trustedadvisor:Describe*", "Resource": "*"
  AWS managed policy: ReadOnlyAccess

Specific check category
  Specification: "Resource": "arn:aws:trustedadvisor:*:acct:checks/category/*"
  AWS managed policy: None; see Categories of Checks

Specific check
  Specification: "Resource": "arn:aws:trustedadvisor:*:acct:checks/category/checkID"
  AWS managed policy: None; see Specific Checks

Specific action
  Specification: "Action": "trustedadvisor:actionName"
  AWS managed policy: None; see Specific Actions

Trusted Advisor displays information about some of the resources that are associated with an AWS account.

Important: Although the user cannot make changes to these resources unless they are authorized to do so by policies that explicitly allow it, the user can view information that they might otherwise not be authorized to view. For example, a user viewing a check related to Amazon EC2 Instances might see information or usage data for instances, even if another policy specifically denies access to viewing this information.

The following two tables show the information that Trusted Advisor displays:

  • Table 2 shows the title, category, ID, and report columns of the current Trusted Advisor checks. You use the category and check ID to refer to specific checks in an IAM policy.
  • Table 3 shows examples of service-specific actions (APIs) and data that correspond to the information that is shown by the checks.

Although the list of report columns in the following tables can alert you to information that is exposed by a check, you should examine a Trusted Advisor report for your account to make sure you fully understand what information is exposed by each check.

Table 2: Trusted Advisor checks (check title, category, check ID, report columns)

Amazon Aurora DB Instance Accessibility
  Category: Fault Tolerance
  Check ID: xuy7H1avtl
  Report columns: Status | Region | Cluster | Public DB Instances | Private DB Instances | Reason

Amazon EBS Provisioned IOPS Volume Attachment Configuration
  Category: Performance
  Check ID: PPkZrjsH2q
  Report columns: Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status

Amazon EBS Public Snapshots
  Category: Security
  Check ID: ePs02jT06w
  Report columns: Region | Snapshot ID | Status | Volume ID

Amazon EBS Snapshots
  Category: Fault Tolerance
  Check ID: H7IgTzjTYb
  Report columns: Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason

Amazon EC2 Availability Zone Balance
  Category: Fault Tolerance
  Check ID: wuy7G1zxql
  Report columns: Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason

Amazon EC2 Reserved Instance Lease Expiration
  Category: Cost Optimization
  Check ID: 1e93e4c0b5
  Report columns: Status | Zone | Instance Type | Platform | Instance Count | Current Monthly Cost | Estimated Monthly Savings | Expiration Date | Reserved Instance ID | Reason

Amazon EC2 Reserved Instances Optimization
  Category: Cost Optimization
  Check ID: 1MoPEMsKx6
  Report columns (1-Year RIs): Region / AZ | Instance Type | Operating System | Current RIs (1-Year and 3-Year) | Hourly Instance Usage Max/Average/Min | Recommended Additional 1-Year RIs | Estimated Bill (Current RIs) | Upfront Cost | Estimated Bill (Optimized RIs) | Estimated Monthly Savings
  Report columns (3-Year RIs): Region / AZ | Instance Type | Operating System | Current RIs (1-Year and 3-Year) | Hourly Instance Usage Max/Average/Min | Recommended Additional 3-Year RIs | Estimated Bill (Current RIs) | Upfront Cost | Estimated Bill (Optimized RIs) | Estimated Monthly Savings

Amazon EC2 to EBS Throughput Optimization
  Category: Performance
  Check ID: Bh2xRR2FGH
  Report columns: Region | Instance ID | Instance Type | Status | Time Near Maximum

Amazon RDS Backups
  Category: Fault Tolerance
  Check ID: opQPADkZvH
  Report columns: Region/AZ | DB Instance | VPC ID | Backup Retention Period | Status

Amazon RDS Idle DB Instances
  Category: Cost Optimization
  Check ID: Ti39halfu8
  Report columns: Region | DB Instance Name | Multi-AZ | Instance Type | Storage Provisioned (GB) | Days Since Last Connection | Estimated Monthly Savings (On Demand)

Amazon RDS Multi-AZ
  Category: Fault Tolerance
  Check ID: f2iK5R6Dep
  Report columns: Region/AZ | DB Instance | VPC ID | Multi-AZ | Status

Amazon RDS Public Snapshots
  Category: Security
  Check ID: rSs93HQwa1
  Report columns: Region | DB Instance ID | Snapshot ID | Status

Amazon RDS Security Group Access Risk
  Category: Security
  Check ID: nNauJisYIT
  Report columns: Region | RDS Security Group Name | Ingress Rule | Status | Reason

Amazon Route 53 Alias Resource Record Sets
  Category: Performance
  Check ID: B913Ef6fb4
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier | Alias Target | Status

Amazon Route 53 Deleted Health Checks
  Category: Fault Tolerance
  Check ID: Cb877eB72b
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier

Amazon Route 53 Failover Resource Record Sets
  Category: Fault Tolerance
  Check ID: b73EEdD790
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Reason

Amazon Route 53 High TTL Resource Record Sets
  Category: Fault Tolerance
  Check ID: C056F80cR3
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set ID | TTL | Status

Amazon Route 53 Latency Resource Record Sets
  Category: Cost Optimization
  Check ID: 51fC20e7I2
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type

Amazon Route 53 MX and SPF Resource Record Sets
  Category: Security
  Check ID: c9D319e7sG
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name

Amazon Route 53 Name Server Delegations
  Category: Fault Tolerance
  Check ID: cF171Db240
  Report columns: Hosted Zone Name | Hosted Zone ID | Number of Name Server Delegations Used

Amazon S3 Bucket Logging
  Category: Fault Tolerance
  Check ID: BueAdJ7NrP
  Report columns: Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason

Amazon S3 Bucket Permissions
  Category: Security
  Check ID: Pfx0RwqBli
  Report columns: Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status

Amazon S3 Bucket Versioning
  Category: Fault Tolerance
  Check ID: R365s2Qddf
  Report columns: Region | Bucket Name | Versioning | MFA Delete Enabled | Status

Auto Scaling Group Health Check
  Category: Fault Tolerance
  Check ID: CLOG40CDO8
  Report columns: Region | Auto Scaling Group Name | Load Balancer Associated | Health Check | Status

Auto Scaling Group Resources
  Category: Fault Tolerance
  Check ID: 8CNsSllI5v
  Report columns: Region | Auto Scaling Group Name | Launch Configuration Name | Resource Type | Resource Name | Status | Reason

AWS CloudTrail Logging
  Category: Security
  Check ID: vjafUGJ9H0
  Report columns: Region | Trail Name | Logging Status | Bucket Name | Last Delivery Error | Status

AWS Direct Connect Connection Redundancy
  Category: Fault Tolerance
  Check ID: 0t121N1Ty3
  Report columns: Status | Time Stamp | Region | Connection ID | Location

AWS Direct Connect Location Redundancy
  Category: Fault Tolerance
  Check ID: 8M012Ph3U5
  Report columns: Status | Time Stamp | Region | Location | Connection Details

AWS Direct Connect Virtual Interface Redundancy
  Category: Fault Tolerance
  Check ID: 4g3Nt5M1Th
  Report columns: Status | Time Stamp | Region | Gateway ID | Location for VIF | Connection ID for VIF

CloudFront Alternate Domain Names
  Category: Performance
  Check ID: N420c450f2
  Report columns: Distribution ID | Distribution Domain Name | Alternate Domain Name

CloudFront Content Delivery Optimization
  Category: Performance
  Check ID: 796d6f3D83
  Report columns: Region | Bucket Name | S3 Storage (GB) | Data Transfer Out (GB) | Ratio of Transfer to Storage | Status

CloudFront Custom SSL Certificates in the IAM Certificate Store
  Category: Security
  Check ID: N425c450f2
  Report columns: Distribution ID | Distribution Domain Name | Certificate Name | Reason

CloudFront Header Forwarding and Cache Hit Ratio
  Category: Performance
  Check ID: N415c450f2
  Report columns: Distribution ID | Distribution Domain Name | Cache Behavior Path Pattern | Headers

CloudFront SSL Certificate on the Origin Server
  Category: Security
  Check ID: N430c450f2
  Report columns: Distribution ID | Distribution Domain Name | Origin | Reason

EC2Config Service for EC2 Windows Instances
  Category: Fault Tolerance
  Check ID: V77iOLlBqz
  Report columns: Region | Instance ID | Instance Name | EC2Config Status | Timestamp

ELB Connection Draining
  Category: Fault Tolerance
  Check ID: 7qGXsKIUw
  Report columns: Region | Load Balancer Name | Status | Reason

ELB Cross-Zone Load Balancing
  Category: Fault Tolerance
  Check ID: xdeXZKIUy
  Report columns: Region | Load Balancer Name | Status | Reason

ELB Listener Security
  Category: Security
  Check ID: a2sEc6ILx
  Report columns: Region | Load Balancer Name | Load Balancer Port | Status [Ciphers/Protocols] | Reason

ELB Security Groups
  Category: Security
  Check ID: xSqX82fQu
  Report columns: Region | Load Balancer Name | Status | Security Group IDs | Reason

Exposed Access Keys
  Category: Security
  Check ID: 12Fnkpl8Y5
  Report columns: Access Key ID | User Name (IAM or Root) | Fraud Type | Case ID | Time Updated | Location | Deadline | Usage (USD per Day)

High Utilization Amazon EC2 Instances
  Category: Performance
  Check ID: ZRxQlPsb6c
  Report columns: Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization

IAM Access Key Rotation
  Category: Security
  Check ID: DqdJqYeRm5
  Report columns: IAM User | Access Key | Key Last Rotated | Reason

IAM Password Policy
  Category: Security
  Check ID: Yw2K9puPzl
  Report columns: Password Policy | Uppercase | Lowercase | Number | Non-alphanumeric | Status | Reason

IAM Use
  Category: Security
  Check ID: zXCkfM1nI3
  Report columns: [None]

Idle Load Balancers
  Category: Cost Optimization
  Check ID: hjLMh88uM8
  Report columns: Region | Load Balancer Name | Reason | Estimated Monthly Savings

Large Number of EC2 Security Group Rules Applied to an Instance
  Category: Performance
  Check ID: j3DFqYTe29
  Report columns: Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules

Large Number of Rules in an EC2 Security Group
  Category: Fault Tolerance
  Check ID: tfg86AVHAZ
  Report columns: Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules

Load Balancer Optimization
  Category: Fault Tolerance
  Check ID: iqdCTZKCUp
  Report columns: Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason

Low Utilization Amazon EC2 Instances
  Category: Cost Optimization
  Check ID: Qch7DwouX1
  Report columns: Region/AZ | Instance ID | Instance Name | Instance Type | Estimated Monthly Savings | Day 1 ... Day 14 | 14-Day Average CPU Utilization | 14-Day Average Network I/O | Number of Days Low Utilization

MFA on Root Account
  Category: Security
  Check ID: 7DAFEmoDos
  Report columns: [None]

Overutilized Standard Amazon EBS Volumes
  Category: Performance
  Check ID: k3J2hns32g
  Report columns: Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status

PV Driver Version for EC2 Windows Instances
  Category: Fault Tolerance
  Check ID: Wnwm9Il5bG
  Report columns: Region | Instance ID | Driver Status | Timestamp

Security Groups - Specific Ports Unrestricted
  Category: Security
  Check ID: HCP4007jGY
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Status | Ports

Security Groups - Unrestricted Access
  Category: Security
  Check ID: 1iG5NDGVre
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range

Service Limit checks (check title and check ID)
  Category: Service Limits
  Report columns: Status | Region | Limit Amount | Current Usage (except where noted)
  Service Limit: Auto Scaling - Groups (fW7HH0l7J9)
  Service Limit: Auto Scaling - Launch Configurations (aW7HH0l7J9)
  Service Limit: CloudFormation - Stacks (gW7HH0l7J9)
  Service Limit: EBS - Active Snapshots (eI7KK0l7J9)
  Service Limit: EBS - Active Volumes (fH7LL0l7J9)
  Service Limit: EBS - General Purpose SSD Volume Storage (dH7RR0l6J9)
  Service Limit: EBS - Magnetic (standard) Volume Storage (cG7HH0l7J9)
  Service Limit: EBS - Provisioned IOPS (SSD) Volume Aggregate IOPS (tV7YY0l7J9)
  Service Limit: EBS - Provisioned IOPS SSD (io1) Volume Storage (gI7MM0l7J9)
  Service Limit: EC2 - Elastic IP Addresses (aW9HH0l8J6)
  Service Limit: EC2 - On-Demand Instances (0Xc6LMYG8P); report columns: Status | Region | Instance Type | Limit Amount | Current Usage
  Service Limit: EC2 - Reserved Instance Leases (iH7PP0l7J9)
  Service Limit: ELB - Active Load Balancers (iK7OO0l7J9)
  Service Limit: IAM - Group (sU7XX0l7J9)
  Service Limit: IAM - Instance Profiles (nO7SS0l7J9)
  Service Limit: IAM - Policies (pR7UU0l7J9)
  Service Limit: IAM - Roles (oQ7TT0l7J9)
  Service Limit: IAM - Server Certificates (rT7WW0l7J9)
  Service Limit: IAM - Users (qS7VV0l7J9)
  Service Limit: Kinesis - Shards per Region (bW7HH0l7J9)
  Service Limit: RDS - Cluster Parameter Groups (jtlIMO3qZM)
  Service Limit: RDS - Cluster roles (7fuccf1Mx7)
  Service Limit: RDS - Clusters (gjqMBn6pjz)
  Service Limit: RDS - DB Instances (XG0aXHpIEt)
  Service Limit: RDS - DB Parameter Groups (jEECYg2YVU)
  Service Limit: RDS - DB Security Groups (gfZAn3W7wl)
  Service Limit: RDS - DB snapshots per user (dV84wpqRUs)
  Service Limit: RDS - Event Subscriptions (keAhfbH5yb)
  Service Limit: RDS - Max Auths per Security Group (dBkuNCvqn5)
  Service Limit: RDS - Option Groups (3Njm0DJQO9)
  Service Limit: RDS - Read Replicas per Master (pYW8UkYz2w)
  Service Limit: RDS - Reserved Instances (UUDvOa5r34)
  Service Limit: RDS - Subnet Groups (dYWBaXaaMM)
  Service Limit: RDS - Subnets per Subnet Group (jEhCtdJKOY)
  Service Limit: RDS - Total Storage Quota (P1jhKWEmLa)
  Service Limit: SES - Daily Sending Quota (hJ7NN0l7J9)
  Service Limit: VPC - Elastic IP Address (lN7RR0l7J9)
  Service Limit: VPC - Internet Gateways (kM7QQ0l7J9)
  Service Limit: VPC - Network Interfaces (jL7PP0l7J9)

Unassociated Elastic IP Addresses
  Category: Cost Optimization
  Check ID: Z4AUBRNSmz
  Report columns: Region | IP Address

Underutilized Amazon EBS Volumes
  Category: Cost Optimization
  Check ID: DAvU99Dc4C
  Report columns: Region | Volume ID | Volume Name | Volume Type | Volume Size | Monthly Storage Cost | Snapshot ID | Snapshot Name | Snapshot Age

Underutilized Amazon Redshift Clusters
  Category: Cost Optimization
  Check ID: G31sQ1E9U
  Report columns: Status | Region | Cluster | Instance Type | Reason | Estimated Monthly Savings

VPN Tunnel Redundancy
  Category: Fault Tolerance
  Check ID: S45wrEXrLz
  Report columns: Region | VPN ID | VPC | Virtual Private Gateway | Customer Gateway | Active Tunnels | Status | Reason

The following table shows the report columns for each check again, together with examples of service-specific actions (APIs) and the data elements they return that correspond to the data displayed in the Trusted Advisor report columns. Note that Trusted Advisor does not necessarily use the actions listed; they are only examples of one way to obtain the same information.

For example, if you deny a user access to the Amazon EC2 DescribeInstances operation but also allow the user access to the Trusted Advisor Low Utilization EC2 Instances check, the user can view some of the information that is returned by DescribeInstances, even though access to DescribeInstances has been explicitly denied.

Table 3: Report columns and example actions for each check (each action is followed, in parentheses, by the data elements it returns)

Amazon Aurora DB Instance Accessibility
  Report columns: Status | Region | Cluster | Public DB Instances | Private DB Instances | Reason
  Actions (data):
    rds:DescribeDBClusters (AvailabilityZones, DBClusterIdentifier, DBInstanceIdentifier)
    rds:DescribeDBInstances (PubliclyAccessible)

Amazon EBS Provisioned IOPS Volume Attachment Configuration
  Report columns: Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status
  Actions (data):
    ec2:DescribeVolumes (AvailabilityZone, VolumeId, tag:Name, VolumeType, AttachmentSet.Item.VolumeId, AttachmentSet.Item.InstanceId, AttachmentSet.Item.Device)
    ec2:DescribeInstanceAttribute (InstanceId, EbsOptimized)

Amazon EBS Public Snapshots
  Report columns: Region | Snapshot ID | Status | Volume ID
  Actions (data):
    ec2:DescribeSnapshots (Description, SnapshotId, VolumeId)

Amazon EBS Snapshots
  Report columns: Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason
  Actions (data):
    ec2:DescribeVolumes (VolumeId, VolumeType, tag:Name)
    cloudwatch:GetMetricStatistics (VolumeReadOps, VolumeWriteOps)

Amazon EC2 Availability Zone Balance
  Report columns: Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
  Actions (data):
    ec2:DescribeInstances (AvailabilityZone)

Amazon EC2 Reserved Instance Lease Expiration
  Report columns: Status | Zone | Instance Type | Platform | Instance Count | Current Monthly Cost | Estimated Monthly Savings | Expiration Date | Reserved Instance ID | Reason
  Actions (data):
    ec2:DescribeReservedInstances (AvailabilityZone, InstanceType, ProductDescription, InstanceCount, End, ReservedInstancesId)

Amazon EC2 Reserved Instances Optimization
  Report columns (1-Year RIs): Region / AZ | Instance Type | Operating System | Current RIs (1-Year and 3-Year) | Hourly Instance Usage Max/Average/Min | Recommended Additional 1-Year RIs | Estimated Bill (Current RIs) | Upfront Cost | Estimated Bill (Optimized RIs) | Estimated Monthly Savings
  Report columns (3-Year RIs): Region / AZ | Instance Type | Operating System | Current RIs (1-Year and 3-Year) | Hourly Instance Usage Max/Average/Min | Recommended Additional 3-Year RIs | Estimated Bill (Current RIs) | Upfront Cost | Estimated Bill (Optimized RIs) | Estimated Monthly Savings
  Actions (data):
    ec2:DescribeReservedInstances (AvailabilityZone, InstanceType, ProductDescription, Duration)

Amazon EC2 to EBS Throughput Optimization
  Report columns: Region | Instance ID | Instance Type | Status | Time Near Maximum
  Actions (data):
    ec2:DescribeInstances (AvailabilityZone, InstanceId, InstanceType)

Amazon RDS Backups
  Report columns: Region/AZ | DB Instance | VPC ID | Backup Retention Period | Status
  Actions (data):
    rds:DescribeDBInstances (AvailabilityZone, DBInstanceIdentifier, DBSubnetGroup.VpcId, BackupRetentionPeriod)

Amazon RDS Idle DB Instances
  Report columns: Region | DB Instance Name | Multi-AZ | Instance Type | Storage Provisioned (GB) | Days Since Last Connection | Estimated Monthly Savings (On Demand)
  Actions (data):
    rds:DescribeDBInstances (DBInstanceIdentifier, MultiAZ, DBInstanceClass, AllocatedStorage)
    cloudwatch:GetMetricStatistics (DatabaseConnections)

Amazon RDS Multi-AZ
  Report columns: Region/AZ | DB Instance | VPC ID | Multi-AZ | Status
  Actions (data):
    rds:DescribeDBInstances (AvailabilityZone, DBInstanceIdentifier, DBSubnetGroup.VpcId, MultiAZ)

Amazon RDS Public Snapshots
  Report columns: Instance ID | Region | Snapshot ID | Status
  Actions (data):
    rds:DescribeDBSnapshots (DBInstanceIdentifier, DBSnapshotIdentifier, Status)

Amazon RDS Security Group Access Risk
  Report columns: Region | RDS Security Group Name | Ingress Rule | Status | Reason
  Actions (data):
    rds:DescribeDBInstances (DBSecurityGroupName)
    rds:DescribeDBSecurityGroups (IPRanges)

Amazon Route 53 Alias Resource Record Sets
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier | Alias Target | Status
  Actions (data):
    route53:ListResourceRecordSets (HostedZoneId, Name, Type, DNSName, SetIdentifier)
    route53:ListHostedZones (Name)

Amazon Route 53 Deleted Health Checks
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set Identifier
  Actions (data):
    route53:ListResourceRecordSets (HostedZoneId, Name, Type, SetIdentifier)
    route53:ListHostedZones (Name)

Amazon Route 53 Failover Resource Record Sets
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Reason
  Actions (data):
    route53:ListResourceRecordSets (HostedZoneId, Name, Type)
    route53:ListHostedZones (Name)

Amazon Route 53 High TTL Resource Record Sets
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type | Resource Record Set ID | TTL | Status
  Actions (data):
    route53:ListResourceRecordSets (HostedZoneId, Name, Type, SetIdentifier, TTL)
    route53:ListHostedZones (Name)

Amazon Route 53 Latency Resource Record Sets
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name | Resource Record Set Type
  Actions (data):
    route53:ListResourceRecordSets (HostedZoneId, Name, Type)
    route53:ListHostedZones (Name)

Amazon Route 53 MX and SPF Resource Record Sets
  Report columns: Hosted Zone Name | Hosted Zone ID | Resource Record Set Name
  Actions (data):
    route53:ListResourceRecordSets (HostedZoneId, Name)
    route53:ListHostedZones (Name)

Amazon Route 53 Name Server Delegations
  Report columns: Hosted Zone Name | Hosted Zone ID | Number of Name Server Delegations Used
  Actions (data):
    route53:ListHostedZones (Name, ID, NameServers)

Amazon S3 Bucket Logging
  Report columns: Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason
  Actions (data):
    s3api:GetService (BucketName, Owner)
    s3api:GetBucketLogging (TargetName)
    s3api:GetBucketAcl (Grantee, Permission)

Amazon S3 Bucket Permissions
  Report columns: Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status
  Actions (data):
    s3api:GetService (BucketName, Owner)
    s3api:GetBucketAcl (Grantee, Permission)

Amazon S3 Bucket Versioning
  Report columns: Region | Bucket Name | Versioning | MFA Delete Enabled | Status
  Actions (data):
    s3api:GetBucketVersioning (Status, MFADelete)

Auto Scaling Group Health Check
  Report columns: Region | Auto Scaling Group Name | Load Balancer Associated | Health Check | Status
  Actions (data):
    autoscaling:DescribeAutoScalingGroups (AutoScalingGroupARN, AutoScalingGroupName, LoadBalancerNames, HealthCheckType)

Auto Scaling Group Resources
  Report columns: Region | Auto Scaling Group Name | Launch Configuration Name | Resource Type | Resource Name | Status | Reason
  Actions (data):
    autoscaling:DescribeAutoScalingGroups (AutoScalingGroupARN, AutoScalingGroupName, LaunchConfigurationName, LoadBalancerNames)
    autoscaling:DescribeLaunchConfiguration (ImageId)

AWS CloudTrail Logging
  Report columns: Region | Trail Name | Logging Status | Bucket Name | Last Delivery Error | Status
  Actions (data):
    cloudtrail:DescribeTrails (Name, S3BucketName)
    cloudtrail:GetTrailStatus (IsLogging, LatestDeliveryError)

AWS Direct Connect Connection Redundancy
  Report columns: Status | Time Stamp | Region | Connection ID | Location
  Actions (data):
    directconnect:DescribeConnections (Region, ConnectionId, Location)

AWS Direct Connect Location Redundancy
  Report columns: Status | Time Stamp | Region | Location | Connection Details
  Actions (data):
    directconnect:DescribeConnections (Region, Location, Bandwidth)

AWS Direct Connect Virtual Interface Redundancy
  Report columns: Status | Time Stamp | Region | Gateway ID | Location for VIF | Connection ID for VIF
  Actions (data):
    directconnect:DescribeVirtualInterfaces (Region, VirtualGatewayId, Location, ConnectionId)

CloudFront Alternate Domain Names
  Report columns: Distribution ID | Distribution Domain Name | Alternate Domain Name
  Actions (data):
    cloudfront:GetDistributions (Id, DomainName, Aliases.Items)

CloudFront Content Delivery Optimization
  Report columns: Region | Bucket Name | S3 Storage (GB) | Data Transfer Out (GB) | Ratio of Transfer to Storage | Status
  Actions (data):
    s3:GetBucket (Name, Contents.Size)

CloudFront Custom SSL Certificates in the IAM Certificate Store
  Report columns: Distribution ID | Distribution Domain Name | Certificate Name | Reason
  Actions (data):
    cloudfront:GetDistributions (Id, DomainName, IAMCertificateId)

CloudFront Header Forwarding and Cache Hit Ratio
  Report columns: Distribution ID | Distribution Domain Name | Cache Behavior Path Pattern | Headers
  Actions (data):
    cloudfront:GetDistributions (Id, DomainName, PathPattern, Headers)

CloudFront SSL Certificate on the Origin Server
  Report columns: Distribution ID | Distribution Domain Name | Origin | Reason
  Actions (data):
    cloudfront:GetDistributions (Id, DomainName, Origins.Items)

EC2Config Service for EC2 Windows Instances
  Report columns: Region | Instance ID | Instance Name | EC2Config Status | Timestamp
  Actions (data):
    ec2:DescribeInstances (InstanceId, AvailabilityZone, Tags.Name)
    Programs and Features (Ec2ConfigService)

ELB Connection Draining
  Report columns: Region | Load Balancer Name | Status | Reason
  Actions (data):
    elasticloadbalancing:DescribeLoadBalancers (LoadBalancerName)
    elasticloadbalancing:DescribeLoadBalancerAttributes (LoadBalancerAttributes, ConnectionDraining)

ELB Cross-Zone Load Balancing
  Report columns: Region | Load Balancer Name | Status | Reason
  Actions (data):
    elasticloadbalancing:DescribeLoadBalancers (LoadBalancerName)
    elasticloadbalancing:DescribeLoadBalancerAttributes (LoadBalancerAttributes, CrossZoneLoadBalancing)

ELB Listener Security
  Report columns: Region | Load Balancer Name | Load Balancer Port | Status [Ciphers/Protocols] | Reason
  Actions (data):
    elasticloadbalancing:DescribeLoadBalancers (LoadBalancerName, Listener.LoadBalancerPort, Listener.Protocol)

ELB Security Groups
  Report columns: Region | Load Balancer Name | Status | Security Group IDs | Reason
  Actions (data):
    elasticloadbalancing:DescribeLoadBalancers (LoadBalancerName, SecurityGroups)

Exposed Access Keys
  Report columns: Access Key ID | User Name (IAM or Root) | Fraud Type | Case ID | Time Updated | Location | Deadline | Usage (USD per Day)
  Actions (data):
    iam:ListUsers (UserName)
    iam:ListAccessKeys (AccessKeyId)

High Utilization Amazon EC2 Instances
  Report columns: Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization
  Actions (data):
    ec2:DescribeInstances (AvailabilityZone, InstanceId, tag:Name)
    cloudwatch:GetMetricStatistics (CPUUtilization, NetworkIn, NetworkOut)

IAM Access Key Rotation
  Report columns: IAM User | Access Key | Key Last Rotated | Reason
  Actions (data):
    iam:ListUsers (UserName)
    iam:GetCredentialReport (access_key_1_last_rotated, access_key_2_last_rotated)

IAM Password Policy
  Report columns: Password Policy | Uppercase | Lowercase | Number | Non-alphanumeric | Status | Reason
  Actions (data):
    iam:GetAccountPasswordPolicy (RequireUppercaseCharacters, RequireLowercaseCharacters, RequireNumbers, RequireSymbols)

IAM Use
  Report columns: [None]
  Actions (data):
    iam:GetAccountSummary (Users, Groups)
    iam:ListRoles (Roles)

Idle Load Balancers
  Report columns: Region | Load Balancer Name | Reason | Estimated Monthly Savings
  Actions (data):
    elasticloadbalancing:DescribeLoadBalancers (LoadBalancerName, Instances)
    elasticloadbalancing:DescribeInstanceHealth (InstanceStates)
    cloudwatch:GetMetricStatistics (AWS/ELB/RequestCount)

Large Number of EC2 Security Group Rules Applied to an Instance
  Report columns: Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules
  Actions (data):
    ec2:DescribeInstances, ec2:DescribeGroups (InstanceId, tag:Name, VpcId, GroupId, GroupName)
    ec2:DescribeGroups (IpPermissions, IpPermissionsEgress)

Large Number of Rules in an EC2 Security Group
  Report columns: Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules
  Actions (data):
    ec2:DescribeGroups (GroupName, GroupId, GroupDescription, VpcId, IpPermissions, IpPermissionsEgress)
    ec2:DescribeInstances (GroupId, InstanceId)

Load Balancer Optimization
  Report columns: Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
  Actions (data):
    elasticloadbalancing:DescribeLoadBalancers (LoadBalancerName, AvailabilityZones)

Low Utilization Amazon EC2 Instances
  Report columns: Region/AZ | Instance ID | Instance Name | Instance Type | Estimated Monthly Savings | Day 1 ... Day 14 | 14-Day Average CPU Utilization | 14-Day Average Network I/O | Number of Days Low Utilization
  Actions (data):
    ec2:DescribeInstances (AvailabilityZone, InstanceId, tag:Name)
    cloudwatch:GetMetricStatistics (CPUUtilization, NetworkIn, NetworkOut)

MFA on Root Account
  Report columns: [None]
  Actions (data):
    iam:GetAccountSummary (AccountMFAEnabled)

Overutilized Standard Amazon EBS Volumes
  Report columns: Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status
  Actions (data):
    ec2:DescribeVolumes (VolumeId, VolumeType, tag:Name)
    cloudwatch:GetMetricStatistics (VolumeReadOps, VolumeWriteOps)

PV Driver Version for EC2 Windows Instances
  Report columns: Region | Instance ID | Driver Status | Timestamp
  Actions (data):
    ec2:DescribeInstances (InstanceId, AvailabilityZone)
    Device Manager (Storage Controllers)

Security Groups - Specific Ports Unrestricted
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Status | Ports
  Actions (data):
    ec2:DescribeSecurityGroups (GroupName, GroupId, IpPermissions, IpProtocol, FromPort, ToPort)

Security Groups - Unrestricted Access
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range
  Actions (data):
    ec2:DescribeSecurityGroups (GroupName, GroupId, IpPermissions, IpProtocol, FromPort, ToPort, IpRanges)

Service Limits
  Report columns: Region | Service | Limit Name | Limit Amount | Current Usage | Status
  Actions (data):
    [Shows limits and current usage for several services. See "What service limits do you check" in the Trusted Advisor FAQs for details.] ([Varies])

Unassociated Elastic IP Addresses
  Report columns: Region | IP Address
  Actions (data):
    ec2:DescribeAddresses (PublicIp, InstanceId)
    ec2:DescribeInstances (InstanceState)

Underutilized Amazon EBS Volumes
  Report columns: Region | Volume ID | Volume Name | Volume Type | Volume Size | Monthly Storage Cost | Snapshot ID | Snapshot Name | Snapshot Age
  Actions (data):
    ec2:DescribeVolumes (VolumeId, VolumeType, tag:Name, Size)
    ec2:DescribeSnapshots (SnapshotId, tag:Name, StartTime)

Underutilized Amazon Redshift Clusters
  Report columns: Status | Region | Cluster | Instance Type | Reason | Estimated Monthly Savings
  Actions (data):
    redshift:DescribeClusters (AvailabilityZone, ClusterIdentifier, NodeType)
    cloudwatch:GetMetricStatistics (CPUUtilization, DatabaseConnections)

VPN Tunnel Redundancy
  Report columns: Region | VPN ID | VPC | Virtual Private Gateway | Customer Gateway | Active Tunnels | Status | Reason
  Actions (data):
    ec2:DescribeVpnConnections (VpnConnectionId, VpnGatewayId, CustomerGatewayId, VgwTelemetry)
    ec2:DescribeVpnGateways (VpcId)

The following are examples of IAM policies that you might use to control access to the Trusted Advisor console. For more information about how to construct policies, see Overview of AWS IAM Policies in the AWS Identity and Access Management User Guide.

The following example policy denies access to all Trusted Advisor check results:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}

The following example policy allows the user to view (and take all actions on) all Trusted Advisor checks:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}

To specify a Trusted Advisor check category in a policy, use an Amazon resource name (ARN) in this form:

arn:aws:trustedadvisor:*:accountnumber:checks/categoryCode/*

To see the check categories, see Table 2. The following table shows the category code to specify for each category.

Table 4: Category codes

  Category             Category code
  Cost Optimization    cost_optimizing
  Performance          performance
  Security             security
  Fault Tolerance      fault_tolerance
  Service Limits       service_limits

The following example policy allows the user to view (and perform other actions on) the checks in the Fault Tolerance and Performance categories by specifying the category codes:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": [
        "arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/*",
        "arn:aws:trustedadvisor:*:123456789012:checks/performance/*"
      ]
    }
  ]
}

To allow or deny permission to a specific Trusted Advisor check in a policy, use an Amazon resource name (ARN) in this form:

arn:aws:trustedadvisor:*:accountnumber:checks/categoryCode/checkId

Categories and IDs are shown in Table 2; category codes are shown in Table 4. You can also retrieve check IDs and categories by using the DescribeTrustedAdvisorChecks action in the AWS Support API.

The following example policy allows the user to view (and perform other actions on) two specific checks related to Amazon S3, by specifying the categories and IDs of those checks:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": [
        "arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP",
        "arn:aws:trustedadvisor:*:123456789012:checks/security/Pfx0RwqBli"
      ]
    }
  ]
}

You can control the amount of information that a user can see, and you can also control the ability to refresh checks, to exclude and include items from check results, and to view and modify notification preferences.

To allow or deny the use of a specific Trusted Advisor action in a policy, precede the action with the "trustedadvisor:" namespace prefix.

The following table shows the actions you can specify and the result of denying permission for that action.

Trusted Advisor actions and the effect of denying each

DescribeCheckSummaries
  Effect when denied: Cannot view any Trusted Advisor information. Viewing and changing notification preferences is controlled separately.

DescribeCheckItems
  Effect when denied: Cannot view details (items in the results table).

RefreshCheck, DescribeCheckRefreshStatuses
  Effect when denied: Cannot refresh checks. Also cannot change the exclusion or inclusion status of items, because a change of item status requires a refresh of the check.

ExcludeCheckItems
  Effect when denied: Cannot change the status of items from included to excluded. Might be able to change items from excluded to included, depending on the permission for IncludeCheckItems, RefreshCheck, and DescribeCheckRefreshStatuses.

IncludeCheckItems
  Effect when denied: Cannot change the status of items from excluded to included. Might be able to change items from included to excluded, depending on the permission for ExcludeCheckItems, RefreshCheck, and DescribeCheckRefreshStatuses.

DescribeNotificationPreferences
  Effect when denied: Cannot view information on the notification preferences page.

UpdateNotificationPreferences
  Effect when denied: Cannot change options on the notification preferences page.

The following example policy allows the user to view all Trusted Advisor checks, but it does not allow the user to refresh any checks:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:RefreshCheck",
      "Resource": "*"
    }
  ]
}
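The rules this page relies on, worked end to end as an added Python example that is not AWS's code: category and check ARNs as resources, an action-level Deny on RefreshCheck, and the indirect exposure described above Table 3, where a principal that is denied ec2:DescribeInstances still sees that API's data through an allowed check. The policy, the request region, and the four-check subset of Tables 2 and 3 are constructed; the account number 123456789012 is the one used in the page's example policies.

```python
"""Offline audit of an IAM policy against the Trusted Advisor permission model.

Models the evaluation rules the page depends on (explicit Deny overrides Allow;
'*' and '?' wildcards in Action/Resource) and answers, for a constructed policy:
which checks a principal can view, which it can refresh, and which service APIs'
data it can still see through a check although the policy does not grant that API.
"""
import re

ACCOUNT = "123456789012"        # account number from the page's example policies
REQUEST_REGION = "us-east-1"    # assumed region for the constructed request ARNs

# Constructed subset of Tables 2 and 3:
# check ID -> (title, category code, APIs whose data the check displays)
CHECKS = {
    "Qch7DwouX1": ("Low Utilization Amazon EC2 Instances", "cost_optimizing",
                   ["ec2:DescribeInstances", "cloudwatch:GetMetricStatistics"]),
    "1iG5NDGVre": ("Security Groups - Unrestricted Access", "security",
                   ["ec2:DescribeSecurityGroups"]),
    "opQPADkZvH": ("Amazon RDS Backups", "fault_tolerance",
                   ["rds:DescribeDBInstances"]),
    "vjafUGJ9H0": ("AWS CloudTrail Logging", "security",
                   ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"]),
}

# Constructed policy: full access to the Security category and to one Cost Optimization
# check, no refreshing anywhere, and EC2 describe rights minus DescribeInstances.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "trustedadvisor:*",
         "Resource": [f"arn:aws:trustedadvisor:*:{ACCOUNT}:checks/security/*",
                      f"arn:aws:trustedadvisor:*:{ACCOUNT}:checks/cost_optimizing/Qch7DwouX1"]},
        {"Effect": "Deny", "Action": "trustedadvisor:RefreshCheck", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "cloudwatch:GetMetricStatistics",
                                       "cloudtrail:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}


def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
    Actions are compared case-insensitively, resource ARNs case-sensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate one identity-based policy for (action, resource): a matching Deny wins
    over any Allow; with no matching statement the request is implicitly denied.
    NotAction, NotResource and Condition are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(iam_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (hit_action and hit_resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_arn(check_id):
    """Request ARN for a check, in the page's arn:aws:trustedadvisor:*:acct:checks/category/checkId form."""
    _, category, _ = CHECKS[check_id]
    return f"arn:aws:trustedadvisor:{REQUEST_REGION}:{ACCOUNT}:checks/{category}/{check_id}"


def checks_permitting(policy, action):
    """Sorted check IDs on which the policy allows the given trustedadvisor action."""
    return sorted(cid for cid in CHECKS if is_allowed(policy, action, check_arn(cid)))


def visible_checks(policy):
    return checks_permitting(policy, "trustedadvisor:DescribeCheckItems")


def refreshable_checks(policy):
    return checks_permitting(policy, "trustedadvisor:RefreshCheck")


def exposed_apis(policy):
    """Map each service API the policy does NOT allow (explicitly or implicitly) to the
    visible checks that still display that API's data: the indirect exposure the page warns about."""
    exposure = {}
    for cid in visible_checks(policy):
        for api in CHECKS[cid][2]:
            if not is_allowed(policy, api, "*"):
                exposure.setdefault(api, []).append(cid)
    return exposure


if __name__ == "__main__":
    print("Viewable checks:   ", visible_checks(EXAMPLE_POLICY))
    print("Refreshable checks:", refreshable_checks(EXAMPLE_POLICY))
    for api, cids in exposed_apis(EXAMPLE_POLICY).items():
        titles = ", ".join(CHECKS[c][0] for c in cids)
        print(f"{api} is not granted, but its data is visible via: {titles}")
```

Pointing `exposed_apis` at a real policy and the full Table 3 mapping turns the page's warning into a concrete list of checks to scope out of the principal's resource ARNs.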

For more information about how to construct policies, see Overview of AWS IAM Policies in the AWS Identity and Access Management User Guide.