AWS Trusted Advisor Best Practice Checks

AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories: cost optimization; security; fault tolerance; performance; and service limits.

Cost Optimization

See how you can save money on AWS by eliminating unused and idle resources or making commitments to reserved capacity.

  • Amazon EC2 Reserved Instances Optimization  

    A significant part of using AWS involves balancing your Reserved Instance (RI) purchase against your On-Demand instance usage. This check provides recommendations on which RIs will help reduce costs incurred from using On-Demand instances.

    We generate these recommendations by analyzing your On-Demand usage for the past 30 days and categorizing the usage into categories eligible for reservations. We then simulate every combination of reservations within each category to identify the number of each type of RI to purchase that maximizes your savings. This check covers recommendations based on Standard Reserved Instances with the partial upfront payment option.

    For more information on this recommendation, see Reserved Instance Optimization Check Questions in the Trusted Advisor FAQs.

  • Low Utilization Amazon EC2 Instances  

    Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days. Running instances generate hourly usage charges. Although some scenarios can result in low utilization by design, you can often lower your costs by managing the number and size of your instances.

    Estimated monthly savings are calculated by using the current usage rate for On-Demand Instances and the estimated number of days the instance might be underutilized. Actual savings will vary if you are using Reserved Instances or Spot Instances, or if the instance is not running for a full day. To get daily utilization data, download the report for this check.  

  • Idle Load Balancers  

    Checks your Elastic Load Balancing configuration for load balancers that are not actively used. Any load balancer that is configured accrues charges. If a load balancer has no associated back-end instances or if network traffic is severely limited, the load balancer is not being used effectively.

  • Underutilized Amazon EBS Volumes  

    Checks Amazon Elastic Block Store (Amazon EBS) volume configurations and warns when volumes appear to be underused. Charges begin when a volume is created. If a volume remains unattached or has very low write activity (excluding boot volumes) for a period of time, the volume is probably not being used.

  • Unassociated Elastic IP Addresses  

    Checks for Elastic IP addresses (EIPs) that are not associated with a running Amazon Elastic Compute Cloud (Amazon EC2) instance. EIPs are static IP addresses designed for dynamic cloud computing. Unlike traditional static IP addresses, EIPs can mask the failure of an instance or Availability Zone by remapping a public IP address to another instance in your account. A nominal charge is imposed for an EIP that is not associated with a running instance.

  • Amazon RDS Idle DB Instances  

    Checks the configuration of your Amazon Relational Database Service (Amazon RDS) for any DB instances that appear to be idle. If a DB instance has not had a connection for a prolonged period of time, you can delete the instance to reduce costs. If persistent storage is needed for data on the instance, you can use lower-cost options such as taking and retaining a DB snapshot. Manually created DB snapshots are retained until you delete them. 

  • Amazon Route 53 Latency Resource Record Sets  

    Checks for Amazon Route 53 latency record sets that are configured inefficiently. To allow Amazon Route 53 to route queries to the region with the lowest network latency, you should create latency resource record sets for a particular domain name (such as example.com) in different regions. If you create only one latency resource record set for a domain name, all queries are routed to one region, and you pay extra for latency-based routing without getting the benefits.  

  • Amazon EC2 Reserved Instance Lease Expiration  

    Checks for Amazon EC2 Reserved Instances that are scheduled to expire within the next 30 days or have expired in the preceding 30 days. Reserved Instances do not renew automatically; you can continue using an EC2 instance covered by the reservation without interruption, but you will be charged On-Demand rates. New Reserved Instances can have the same parameters as the expired ones, or you can purchase Reserved Instances with different parameters.

    The estimated monthly savings we show is the difference between the On-Demand and Reserved Instance rates for the same instance type.

  • Underutilized Amazon Redshift Clusters  

    Checks your Amazon Redshift configuration for clusters that appear to be underutilized. If an Amazon Redshift cluster has not had a connection for a prolonged period of time or is using a low amount of CPU, you can use lower-cost options such as downsizing the cluster or shutting down the cluster and taking a final snapshot. Final snapshots are retained even after you delete your cluster.

Security

Improve the security of your application by closing gaps, enabling various AWS security features, and examining your permissions.

  • Security Groups - Specific Ports Unrestricted (Free!)

    Checks security groups for rules that allow unrestricted access (0.0.0.0/0, or ::/0 for IPv6) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with the highest risk (database and remote-administration ports, for example) are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.

    If you have intentionally configured your security groups in this manner, add further controls on the instances themselves (such as a host firewall built with iptables) and keep the set of internet-reachable services to those that genuinely need it.

  • Security Groups - Unrestricted Access

    Checks security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).

  • IAM Use (Free!)

    Checks for your use of AWS Identity and Access Management (IAM). You can use IAM to create users, groups, and roles in AWS, and you can use permissions to control access to AWS resources.

  • Amazon S3 Bucket Permissions (Free!)

    Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions. Bucket permissions that grant List access to everyone can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Bucket permissions that grant Upload/Delete access to everyone create potential security vulnerabilities by allowing anyone to add, modify, or remove items in a bucket. This check examines explicit bucket permissions and associated bucket policies that might override the bucket permissions.

  • MFA on Root Account (Free!)

    Checks the root account and warns if multi-factor authentication (MFA) is not enabled. The root account has unrestricted access to every resource in the account, so protect it with MFA, which requires a unique authentication code from an MFA hardware or virtual device in addition to the password when signing in to the AWS Management Console. Use IAM users or roles rather than the root account for day-to-day work, and do not keep access keys for the root account.

  • Amazon RDS Security Group Access Risk

    Checks security group configurations for Amazon Relational Database Service (Amazon RDS) and warns when a security group rule might grant overly permissive access to your database. Recommended configuration for any security group rule is to allow access from specific Amazon Elastic Compute Cloud (Amazon EC2) security groups or from a specific IP address.

  • AWS CloudTrail Logging

    Checks for your use of AWS CloudTrail. CloudTrail provides increased visibility into activity in your AWS account by recording information about AWS API calls made on the account. You can use these logs to determine, for example, what actions a particular user has taken during a specified time period or which users have taken actions on a particular resource during a specified time period. Configure the trail to apply to all regions so that activity in regions you do not normally use is recorded as well. Because CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have write permissions for the bucket; keep the bucket itself private apart from that grant and the people who need to read the logs.

  • Amazon Route 53 MX and SPF Resource Record Sets

    Checks for an SPF resource record set for each MX resource record set. An SPF (Sender Policy Framework) record publishes a list of servers that are authorized to send email for your domain, which helps reduce spam by allowing receiving mail servers to detect and reject email address spoofing. Publish the SPF policy as a TXT record: the dedicated SPF record type is deprecated (RFC 7208) and many receivers no longer look it up.

  • ELB Listener Security

    Checks for load balancers with listeners that do not use recommended security configurations for encrypted communication. AWS recommends using a secure protocol (HTTPS or SSL), up-to-date security policies, and ciphers and protocols that are secure. When you use a secure protocol for a front-end connection (client to load balancer), the requests are encrypted between your clients and the load balancer, which is more secure. Elastic Load Balancing provides predefined security policies with ciphers and protocols that adhere to AWS security best practices. New versions of predefined policies are released as new configurations become available.

  • ELB Security Groups  

    Checks for load balancers configured with a missing security group or a security group that allows access to ports that are not configured for the load balancer. If a security group associated with a load balancer is deleted, the load balancer does not work as expected. If a security group allows access to ports that are not configured for the load balancer, the risk of loss of data or malicious attacks increases.  

  • CloudFront Custom SSL Certificates in the IAM Certificate Store  

    Checks the SSL certificates for CloudFront alternate domain names in the IAM certificate store and alerts you if the certificate is expired, will soon expire, uses outdated encryption, or is not configured correctly for the distribution. When a custom certificate for an alternate domain name expires, browsers that display your CloudFront content might show a warning message about the security of your website. Certificates signed using the SHA-1 hashing algorithm are being deprecated by web browsers such as Chrome and Firefox. If a certificate doesn't contain any domain names that match either the Origin Domain Name or the domain name in the Host header of viewer requests, CloudFront returns an HTTP status code 502 (Bad Gateway) to the user.

  • CloudFront SSL Certificate on the Origin Server  

    Checks the custom origins of your CloudFront distributions and verifies that the origin certificates are properly configured. A misconfigured certificate is one that expires within the next 7 days, has already expired, or is signed with the weak SHA-1 signature algorithm.

  • Exposed Access Keys  

    Checks popular code repositories for access keys that have been exposed to the public and for irregular Amazon Elastic Compute Cloud (Amazon EC2) usage that could be the result of a compromised access key. An access key consists of an access key ID and the corresponding secret access key. Exposed access keys pose a security risk to your account and other users, could lead to excessive charges from unauthorized activity or abuse, and violate the AWS Customer Agreement.

    If your access key is exposed, take immediate action to secure your account: deactivate or delete the key, rotate any other credentials it could have reached, and review CloudTrail for activity since the exposure. To additionally protect your account from excessive charges, AWS temporarily limits your ability to create some AWS resources. This does not make your account secure; it only partially limits the unauthorized usage for which you could be charged. Note: This check does not guarantee the identification of exposed access keys or compromised EC2 instances. You are ultimately responsible for the safety and security of your access keys and AWS resources.

  • Amazon EBS Public Snapshots (Free!)  

    Checks the permission settings for your Amazon Elastic Block Store (Amazon EBS) volume snapshots and alerts you if any snapshots are marked as public. When you make a snapshot public, you give all AWS accounts and users access to all the data on the snapshot. If you want to share a snapshot with particular users or accounts, mark the snapshot as private, and then specify the users or accounts you want to share the snapshot data with.

  • Amazon RDS Public Snapshots (Free!)  

    Checks the permission settings for your Amazon Relational Database Service (Amazon RDS) DB snapshots and alerts you if any snapshots are marked as public. When you make a snapshot public, you give all AWS accounts and users access to all the data on the snapshot. If you want to share a snapshot with particular users or accounts, mark the snapshot as private, and then specify the users or accounts you want to share the snapshot data with.

  • IAM Password Policy  

    Checks the password policy for your account and warns when a password policy is not enabled, or if password content requirements have not been enabled. Password content requirements increase the overall security of your AWS environment by enforcing the creation of strong user passwords. When you create or change a password policy, the change is enforced immediately for new users but does not require existing users to change their passwords.

  • IAM Access Key Rotation  

    Checks for active IAM access keys that have not been rotated in the last 90 days. When you rotate your access keys regularly, you reduce the chance that a compromised key could be used without your knowledge to access resources. For the purposes of this check, the last rotation date and time is when the access key was created or most recently activated. The access key number and date come from the access_key_1_last_rotated and access_key_2_last_rotated information in the most recent IAM credential report.
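The two security-group checks above (Specific Ports Unrestricted and Unrestricted Access) can be reproduced against your own account with a short script. The following is an added example, not AWS code: the input is a constructed list shaped like the SecurityGroups element that boto3's ec2.describe_security_groups() returns, and the red/yellow/green port tiers are an illustrative assumption, not Trusted Advisor's internal list.

```python
"""Flag security-group ingress rules open to the world, graded by port risk.

Added example (not AWS code). SAMPLE_GROUPS is constructed to match the shape of
boto3's ec2.describe_security_groups()["SecurityGroups"]; the risk tiers below
are an assumption for illustration, not Trusted Advisor's list.
"""
from typing import Dict, List, Tuple

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Assumed risk tiers: remote-administration/database ports are "red",
# well-known public web/mail ports are "green", anything else "yellow".
RED_PORTS = {20, 21, 22, 23, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 27017}
GREEN_PORTS = {25, 80, 443, 465, 587}

# Constructed sample data (group IDs are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # "-1" means all protocols and all ports: the Unrestricted Access case.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def is_world_open(perm: Dict) -> bool:
    """True if any source CIDR on the rule is 0.0.0.0/0 or ::/0."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def grade_port(port: int) -> str:
    if port in RED_PORTS:
        return "red"
    if port in GREEN_PORTS:
        return "green"
    return "yellow"


def audit_security_groups(groups: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (group_id, what is exposed, severity) for every world-open rule.

    All-traffic rules and port ranges open to the world are always red;
    a single world-open port is graded by its tier.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not is_world_open(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                findings.append((sg["GroupId"], "all traffic", "red"))
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None or lo != hi:
                findings.append((sg["GroupId"], f"{proto} {lo}-{hi}", "red"))
            else:
                findings.append((sg["GroupId"], f"{proto} {lo}", grade_port(lo)))
    return findings


if __name__ == "__main__":
    for gid, what, sev in audit_security_groups(SAMPLE_GROUPS):
        print(f"{sev:6} {gid} {what}")
```

To run it against a real account, replace SAMPLE_GROUPS with the result of describe_security_groups() for each region; the grading logic is unchanged. Rules whose source is another security group (UserIdGroupPairs) are never world-open and are deliberately ignored here.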
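The Amazon S3 Bucket Permissions check looks at both the bucket ACL and the bucket policy, because a policy can grant what the ACL does not. The following added example (not AWS code) shows that evaluation: it classifies a bucket as red when anyone can upload or delete, yellow when anyone can list, and green otherwise. The inputs are constructed to match the Grants element of boto3's s3.get_bucket_acl() and the Policy JSON string from s3.get_bucket_policy(); the account ID and bucket name are placeholders.

```python
"""Classify S3 buckets whose ACL or bucket policy grants public List or
Upload/Delete access.

Added example (not AWS code). PUBLIC_READ_ACL, PRIVATE_ACL and the two policies
are constructed inputs shaped like get_bucket_acl()["Grants"] and
get_bucket_policy()["Policy"].
"""
import json
from typing import Dict, List, Set

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# ACL permission -> capability (bucket READ = list, WRITE = add/delete objects).
ACL_CAPS = {"READ": {"list"}, "WRITE": {"upload_delete"},
            "FULL_CONTROL": {"list", "upload_delete"}}
# Lower-cased policy action -> capability; wildcards are expanded in policy_capabilities.
ACTION_CAPS = {"s3:listbucket": "list", "s3:putobject": "upload_delete",
               "s3:deleteobject": "upload_delete"}


def acl_capabilities(grants: List[Dict]) -> Set[str]:
    """Capabilities the ACL hands to everyone (or to every AWS account)."""
    caps: Set[str] = set()
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            caps |= ACL_CAPS.get(g.get("Permission"), set())
    return caps


def _is_public_principal(p) -> bool:
    if p == "*":
        return True
    if isinstance(p, dict):
        aws = p.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_capabilities(policy_json: str) -> Set[str]:
    """Capabilities granted by unconditioned Allow statements whose principal is anyone."""
    caps: Set[str] = set()
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # conditioned grants (e.g. aws:SourceIp) need manual review; not flagged
        actions = st.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            a = a.lower()
            if a in ("*", "s3:*"):
                caps |= {"list", "upload_delete"}
            elif a in ACTION_CAPS:
                caps.add(ACTION_CAPS[a])
            elif a.endswith("*"):  # e.g. s3:Put*
                caps |= {v for k, v in ACTION_CAPS.items() if k.startswith(a[:-1])}
    return caps


def bucket_status(grants: List[Dict], policy_json: str = "") -> str:
    """Red if anyone can upload/delete, yellow if anyone can list, else green."""
    caps = acl_capabilities(grants)
    if policy_json:
        caps |= policy_capabilities(policy_json)
    if "upload_delete" in caps:
        return "red"
    if "list" in caps:
        return "yellow"
    return "green"


# Constructed sample inputs (owner ID, account ID and bucket name are placeholders).
PUBLIC_READ_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
PRIVATE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]
WORLD_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:PutObject", "s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}],
})

if __name__ == "__main__":
    print(bucket_status(PUBLIC_READ_ACL))                  # yellow
    print(bucket_status(PRIVATE_ACL, WORLD_WRITE_POLICY))  # red
    print(bucket_status(PRIVATE_ACL, SCOPED_POLICY))       # green
```

Public GetObject is intentionally not graded: the check as described is about listing and modification, and read access to individual objects is a separate decision (often legitimate for static sites). A statement with a Condition is skipped rather than flagged, so review those by hand.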
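Both the MFA on Root Account check and the IAM Access Key Rotation check can be answered from the IAM credential report that the rotation check itself cites. The following added example (not AWS code) parses a constructed report containing a subset of the real columns, flags active keys whose access_key_N_last_rotated is more than 90 days old, and reports whether the root account row has mfa_active set. In practice the CSV bytes come from iam.get_credential_report()["Content"] after iam.generate_credential_report(); the account ID and user names are placeholders, and NOW is pinned so the output is reproducible.

```python
"""Find IAM access keys older than 90 days and check root MFA from an IAM
credential report.

Added example (not AWS code). REPORT is a constructed subset of the real
report's columns; use the bytes from iam.get_credential_report() in practice.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_KEY_AGE = timedelta(days=90)

# Constructed report. "N/A" and "not_supported" are the placeholders real reports use.
REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T09:00:00+00:00,true,true,true,2024-01-05T12:00:00+00:00,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2021-06-01T09:00:00+00:00,false,false,true,2023-02-20T08:30:00+00:00,true,2024-03-01T08:30:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-08-15T09:00:00+00:00,true,false,false,N/A,false,N/A
"""

# Pinned "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)


def parse_report(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601 with offset; the placeholders mean no value."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(rows: List[Dict[str, str]], now: datetime = NOW) -> List[Tuple[str, str, int]]:
    """(user, key slot, age in days) for active keys not rotated within MAX_KEY_AGE.

    Inactive keys are skipped: they cannot be used, and the check only counts
    active ones. Deleting them is still good hygiene.
    """
    found = []
    for row in rows:
        for slot in ("access_key_1", "access_key_2"):
            if row.get(f"{slot}_active") != "true":
                continue
            rotated = _ts(row.get(f"{slot}_last_rotated", "N/A"))
            if rotated is None:
                continue
            age = now - rotated
            if age > MAX_KEY_AGE:
                found.append((row["user"], slot, age.days))
    return found


def root_mfa_enabled(rows: List[Dict[str, str]]) -> bool:
    """MFA on Root Account: the <root_account> row must carry mfa_active == true."""
    for row in rows:
        if row["user"] == "<root_account>":
            return row.get("mfa_active") == "true"
    return False


if __name__ == "__main__":
    rows = parse_report(REPORT)
    print("root MFA enabled:", root_mfa_enabled(rows))
    for user, slot, days in stale_keys(rows):
        print(f"{user}: {slot} last rotated {days} days ago")
```

In the sample, alice's key is 87 days old and so passes; ci-deployer's first key is over a year old and is the only finding, even though the user also has a freshly rotated second key. That pattern (two active keys, one old) is exactly what an unfinished rotation looks like, so the old key should be deactivated and then deleted once nothing still uses it.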
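The Exposed Access Keys check scans public repositories, and the description notes that it offers no guarantee; scanning your own repositories before they are pushed is the complementary control. The following added example (not AWS code, and not how Trusted Advisor's scan works) looks for access key IDs by their documented format (AKIA for long-term keys, ASIA for temporary STS keys, each followed by 16 upper-case alphanumerics) and for secret-key-shaped 40-character values that sit next to a "secret key" hint, which is a heuristic of this example. The sample file is constructed; the key values in it are AWS's published placeholder examples, not real credentials.

```python
"""Scan text (e.g. files in a repository) for AWS access key material.

Added example (not AWS code). The key-ID pattern follows the documented ID
format; the secret pattern is a heuristic. SAMPLE_FILE is constructed and
uses AWS's published placeholder key values.
"""
import re
from typing import List, Tuple

# Long-term key IDs start with AKIA, temporary (STS) key IDs with ASIA; 20 chars total.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-like chars; require a nearby hint word so that
# hashes and random tokens of the same shape are not reported.
SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample file content.
SAMPLE_FILE = """\
# deploy.cfg
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
sha256 = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
export AWS_ACCESS_KEY_ID=ASIAY34FZKBOKMUTVV7A
"""


def find_key_ids(text: str) -> List[Tuple[int, str]]:
    """(line number, key ID) for every access key ID in the text."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            hits.append((n, m.group(1)))
    return hits


def find_secrets(text: str) -> List[Tuple[int, str]]:
    """(line number, masked secret) for secret-key-shaped values next to a hint word."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            s = m.group(1)
            hits.append((n, s[:4] + "..." + s[-4:]))  # never echo the full secret into logs
    return hits


if __name__ == "__main__":
    for n, k in find_key_ids(SAMPLE_FILE):
        print(f"line {n}: access key ID {k}")
    for n, s in find_secrets(SAMPLE_FILE):
        print(f"line {n}: secret access key {s}")
```

The key ID alone is enough to identify which IAM user (or role session) a leak belongs to, which is what you need in order to deactivate it; the secret is only ever reported masked. Wire this into a pre-commit hook or CI step so that a leaked key is caught before it reaches a public repository rather than after.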

Fault Tolerance

Increase the availability and redundancy of your AWS application by taking advantage of Auto Scaling, health checks, Multi-AZ deployments, and backup capabilities.

  • Amazon EBS Snapshots

    Checks the age of the snapshots for your Amazon Elastic Block Store (Amazon EBS) volumes (available or in-use). Even though Amazon EBS volumes are replicated, failures can occur. Snapshots are persisted to Amazon Simple Storage Service (Amazon S3) for durable storage and point-in-time recovery.

  • Amazon EC2 Availability Zone Balance

    Checks the distribution of Amazon Elastic Compute Cloud (Amazon EC2) instances across Availability Zones in a region. Availability Zones are distinct locations that are designed to be insulated from failures in other Availability Zones and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region. By launching instances in multiple Availability Zones in the same region, you can help protect your applications from a single point of failure.

  • Load Balancer Optimization

    Checks your load balancer configuration. To help increase the level of fault tolerance in Amazon Elastic Compute Cloud (EC2) when using Elastic Load Balancing, we recommend running an equal number of instances across multiple Availability Zones in a region. A load balancer that is configured accrues charges, so this is a cost-optimization check as well.

  • VPN Tunnel Redundancy

    Checks the number of tunnels that are active for each of your VPNs. A VPN should have two tunnels configured at all times to provide redundancy in case of outage or planned maintenance of the devices at the AWS endpoint. For some hardware, only one tunnel is active at a time (see the Amazon Virtual Private Cloud Network Administrator Guide). If a VPN has no active tunnels, charges for the VPN might still apply.

  • Auto Scaling Group Resources

    Checks the availability of resources associated with launch configurations and your Auto Scaling groups, such as the AMI, key pair, security groups, and load balancers they reference. When properly configured, Auto Scaling causes the number of Amazon Elastic Compute Cloud (Amazon EC2) instances to increase seamlessly during demand spikes and decrease automatically during demand lulls. Auto Scaling groups and launch configurations that point to unavailable resources cannot launch new instances and therefore do not operate as intended.

  • Amazon RDS Backups

    Checks for automated backups of Amazon RDS DB instances. By default, backups are enabled with a retention period of 1 day. Backups reduce the risk of unexpected data loss and allow for point-in-time recovery.

  • Amazon RDS Multi-AZ

    Checks for DB instances that are deployed in a single Availability Zone. Multi-AZ deployments enhance database availability by synchronously replicating to a standby instance in a different Availability Zone. During planned database maintenance or the failure of a DB instance or Availability Zone, Amazon RDS automatically fails over to the standby so that database operations can resume quickly without administrative intervention. Because Amazon RDS does not support Multi-AZ deployment for Microsoft SQL Server, this check does not examine SQL Server instances.

  • Auto Scaling Group Health Check

    Examines the health check configuration for Auto Scaling groups. If Elastic Load Balancing is being used for an Auto Scaling group, the recommended configuration is to enable an Elastic Load Balancing health check. If an Elastic Load Balancing health check is not used, Auto Scaling can only act upon the health of the Amazon Elastic Compute Cloud (Amazon EC2) instance and not on the application that is running on the instance.

  • Amazon S3 Bucket Logging

    Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets. When server access logging is enabled, detailed access logs are delivered hourly to a bucket that you choose. An access log record contains details about each request, such as the request type, the resources specified in the request, and the time and date the request was processed. By default, bucket logging is not enabled; you should enable logging if you want to perform security audits or learn more about users and usage patterns.

  • Amazon Route 53 Name Server Delegations  

    Checks for Amazon Route 53 hosted zones for which your domain registrar or DNS is not using the correct Route 53 name servers. When you create a hosted zone, Route 53 assigns a delegation set of four name servers. The names of these servers are ns-###.awsdns-##.com, .net, .org, and .co.uk, where ### and ## typically represent different numbers. Before Route 53 can route DNS queries for your domain, you must update your registrar's name server configuration to remove the name servers that the registrar assigned and add all four name servers in the Route 53 delegation set. For maximum availability, you must add all four Route 53 name servers.

  • Amazon Route 53 High TTL Resource Record Sets

    Checks for resource record sets that can benefit from having a lower time-to-live (TTL) value. TTL is the number of seconds that a resource record set is cached by DNS resolvers. When you specify a long TTL, DNS resolvers take longer to request updated DNS records, which can cause unnecessary delay in rerouting traffic (for example, when DNS Failover detects and responds to a failure of one of your endpoints).

  • Amazon Route 53 Failover Resource Record Sets

    Checks for Amazon Route 53 failover resource record sets that are misconfigured. When Amazon Route 53 health checks determine that the primary resource is unhealthy, Amazon Route 53 responds to queries with a secondary, backup resource record set. You must create correctly configured primary and secondary resource record sets for failover to work.

  • Amazon Route 53 Deleted Health Checks

    Checks for resource record sets that are associated with health checks that have been deleted. Amazon Route 53 does not prevent you from deleting a health check that is associated with one or more resource record sets. If you delete a health check without updating the associated resource record sets, the routing of DNS queries for your DNS failover configuration will not work as intended.

  • ELB Connection Draining

    Checks for load balancers that do not have connection draining enabled. When connection draining is not enabled and you remove (deregister) an Amazon EC2 instance from a load balancer, the load balancer stops routing traffic to that instance and closes the connection. When connection draining is enabled, the load balancer stops sending new requests to the deregistered instance but keeps the connection open to serve active requests.

  • ELB Cross-Zone Load Balancing

    Checks for load balancers that do not have cross-zone load balancing enabled. Cross-zone load balancing distributes requests evenly across all back-end instances, regardless of the Availability Zone the instances are in. Cross-zone load balancing reduces the uneven distribution of traffic when clients incorrectly cache DNS information, or when you have an unequal number of instances in each Availability Zone (for example, if you have taken down some instances for maintenance). Cross-zone load balancing makes it easier to deploy and manage applications across multiple Availability Zones.

  • Amazon S3 Bucket Versioning

    Checks for Amazon Simple Storage Service buckets that do not have versioning enabled, or have versioning suspended. When versioning is enabled, you can easily recover from both unintended user actions and application failures. Versioning allows you to preserve, retrieve, and restore any version of any object stored in a bucket. You can use lifecycle rules to manage all versions of your objects as well as their associated costs by automatically archiving objects to the Glacier storage class or removing them after a specified time period. You can also choose to require multi-factor authentication (MFA) for any object deletions or configuration changes to your buckets.

  • AWS Direct Connect Connection Redundancy

    Checks for regions that have only one AWS Direct Connect connection. Connectivity to your AWS resources should have two Direct Connect connections configured at all times to provide redundancy in case a device is unavailable.

  • AWS Direct Connect Location Redundancy  

    Checks for regions with one or more AWS Direct Connect connections that all terminate at a single AWS Direct Connect location. Connectivity to your AWS resources should use Direct Connect connections at different Direct Connect locations to provide redundancy in case a location is unavailable.

  • AWS Direct Connect Virtual Interface Redundancy

    Checks for virtual private gateways with AWS Direct Connect virtual interfaces (VIFs) that are not configured on at least two AWS Direct Connect connections. Connectivity to your virtual private gateway should have multiple virtual interfaces configured across multiple Direct Connect connections and locations to provide redundancy in case a device or location is unavailable.

  • Amazon Aurora DB Instance Accessibility

    Checks for cases where an Amazon Aurora DB cluster has both private and public instances. When your primary instance fails, a replica can be promoted to a primary instance. If that replica is private, users who have only public access would no longer be able to connect to the database after failover. It's best practice for all the DB instances in a cluster to have the same accessibility.

  • EC2Config Service for EC2 Windows Instances

    Checks the EC2Config service for Amazon EC2 Windows instances and alerts you if the EC2Config agent is out of date or configured incorrectly. Using the latest version of EC2Config enables and optimizes endpoint software management such as PV driver checks to stay up-to-date with the most secure and reliable endpoint software.

    Note: This check displays information for EC2 instances in the following Regions: N. Virginia (us-east-1), N. California (us-west-1), Oregon (us-west-2), Ireland (eu-west-1), São Paulo (sa-east-1), Tokyo (ap-northeast-1), Singapore (ap-southeast-1), and Sydney (ap-southeast-2).

  • PV Driver Version for EC2 Windows Instances

    Checks the version of the PV driver for Amazon EC2 Windows instances and alerts you if the driver is not up to date. Using the latest PV driver helps to optimize driver performance and minimize runtime issues and security risks.

    Note: This check displays information for EC2 instances in the following Regions: N. Virginia (us-east-1), N. California (us-west-1), Oregon (us-west-2), Ireland (eu-west-1), São Paulo (sa-east-1), Tokyo (ap-northeast-1), Singapore (ap-southeast-1), and Sydney (ap-southeast-2).

  • ENA Drivers

    Checks AWS ENA driver version for EC2 Windows instances, and then alerts you if the driver (a) is deprecated and no longer supported; (b) is deprecated with identified issues; or (c) has an available upgrade. Using the latest version of the AWS ENA driver for Windows optimizes ENA driver performance and minimizes runtime issues and security risks.

    Note: This check displays information for EC2 instances in the following Regions: N. Virginia (us-east-1), N. California (us-west-1), Oregon (us-west-2), Ireland (eu-west-1), São Paulo (sa-east-1), Tokyo (ap-northeast-1), Singapore (ap-southeast-1), and Sydney (ap-southeast-2).

  • NVMe Driver

    Checks AWS NVMe driver version for EC2 Windows instances, and then alerts you if the driver (a) is deprecated and no longer supported; (b) is deprecated with identified issues; or (c) has an available upgrade. Using the latest version of the AWS NVMe driver for Windows optimizes NVMe driver performance and minimizes runtime issues and security risks.

    Note: This check displays information for EC2 instances in the following Regions: N. Virginia (us-east-1), N. California (us-west-1), Oregon (us-west-2), Ireland (eu-west-1), São Paulo (sa-east-1), Tokyo (ap-northeast-1), Singapore (ap-southeast-1), and Sydney (ap-southeast-2).

Performance

Improve the performance of your service by checking your service limits, ensuring you take advantage of provisioned throughput, and monitoring for overutilized instances.

  • High Utilization Amazon EC2 Instances

    Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was more than 90% on 4 or more days. Consistent high utilization can indicate optimized, steady performance, but it can also indicate that an application does not have enough resources. To get daily CPU utilization data, download the report for this check.

  • Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration

    Checks for Provisioned IOPS (SSD) volumes that are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance that is not Amazon EBS-optimized. Provisioned IOPS volumes in the Amazon Elastic Block Store (Amazon EBS) are designed to deliver the expected performance only when they are attached to an EBS-optimized instance.

  • Large Number of Rules in an EC2 Security Group

    Checks each Amazon Elastic Compute Cloud (EC2) security group for an excessive number of rules. If a security group has a large number of rules, performance can be degraded.

    For more information, see Amazon EC2 Security Groups.

  • Large Number of EC2 Security Group Rules Applied to an Instance

    Checks for Amazon Elastic Compute Cloud (EC2) instances that have a large number of security group rules. Performance can be degraded if an instance has a large number of rules.

  • Amazon Route 53 Alias Resource Record Sets

    Checks for resource record sets that route DNS queries to AWS resources; these can be changed to alias resource record sets. An alias resource record set is a special Amazon Route 53 record type that routes DNS queries to an AWS resource (for example, an Elastic Load Balancing load balancer or an Amazon S3 bucket) or to another Route 53 resource record set. When you use alias resource record sets, Route 53 routes your DNS queries to AWS resources free of charge.

  • Overutilized Amazon EBS Magnetic Volumes

    Checks for Amazon Elastic Block Store (EBS) Magnetic volumes that are potentially overutilized and might benefit from a more efficient configuration. A Magnetic volume is designed for applications with moderate or bursty I/O requirements, and the IOPS rate is not guaranteed. It delivers approximately 100 IOPS on average, with a best-effort ability to burst to hundreds of IOPS. For consistently higher IOPS, you can use a Provisioned IOPS (SSD) volume. For bursty IOPS, you can use a General Purpose (SSD) volume.

  • Amazon CloudFront Content Delivery Optimization

    Checks for cases where data transfer from Amazon Simple Storage Service (Amazon S3) buckets could be accelerated by using Amazon CloudFront, the AWS global content delivery service. When you configure Amazon CloudFront to deliver your content, requests for your content are automatically routed to the nearest edge location where content is cached, so it can be delivered to your users with the best possible performance. A high ratio of data transfer out to the data stored in the bucket indicates that you could benefit from using Amazon CloudFront to deliver the data.

  • CloudFront Header Forwarding and Cache Hit Ratio

    Checks the HTTP request headers that CloudFront currently receives from the client and forwards to your origin server. Some headers, such as Date or User-Agent, significantly reduce the cache hit ratio (the proportion of requests that are served from a CloudFront edge cache). This increases the load on your origin and reduces performance because CloudFront must forward more requests to your origin.

  • Amazon EC2 to EBS Throughput Optimization

    Checks for Amazon EBS volumes whose performance might be affected by the maximum throughput capability of the Amazon EC2 instance they are attached to. To optimize performance, you should ensure that the maximum throughput of an EC2 instance is greater than the aggregate maximum throughput of the attached EBS volumes.

  • CloudFront Alternate Domain Names

    Checks CloudFront distributions for alternate domain names with incorrectly configured DNS settings. If a CloudFront distribution includes alternate domain names, the DNS configuration for the domains must route DNS queries to that distribution.

Service Limits

Checks for service usage that is more than 80% of the service limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes.

The following table shows the limits that Trusted Advisor checks.

  • Amazon DynamoDB (DynamoDB): Read capacity; Write capacity

  • Amazon Elastic Block Store (Amazon EBS): Active volumes; Active snapshots; General Purpose (SSD) volume storage (GiB); Provisioned IOPS; Provisioned IOPS (SSD) volume storage (GiB); Magnetic volume storage (GiB)

  • Amazon Elastic Compute Cloud (Amazon EC2): Elastic IP addresses (EIPs); Reserved Instances - purchase limit (monthly); On-Demand instances

  • Amazon Kinesis Streams: Shards

  • Amazon Relational Database Service (Amazon RDS): Clusters; Cluster parameter groups; Cluster roles; DB instances; DB parameter groups; DB security groups; DB snapshots per user; Event subscriptions; Max auths per security group; Option groups; Read replicas per master; Reserved Instances; Storage quota (GiB); Subnet groups; Subnets per subnet group

  • Amazon Route 53 (Route 53): Hosted zones per account; Max health checks per account; Reusable delegation sets per account; Traffic policies per account; Traffic policy instances per account

  • Amazon Simple Email Service (Amazon SES): Daily sending quota

  • Amazon Virtual Private Cloud (Amazon VPC): Elastic IP addresses (EIPs); Internet gateways; VPCs

  • Auto Scaling: Auto Scaling groups; Launch configurations

  • AWS CloudFormation: Stacks

  • Elastic Load Balancing (ELB): Active load balancers

  • Identity and Access Management (IAM): Groups; Instance profiles; Policies; Roles; Server certificates; Users

Note: Data for EC2 On-Demand instance limits is available only for these AWS Regions:

Asia Pacific (Tokyo) [ap-northeast-1]
Asia Pacific (Singapore) [ap-southeast-1]
Asia Pacific (Sydney) [ap-southeast-2]
EU (Ireland) [eu-west-1]
South America (São Paulo) [sa-east-1]
US East (N. Virginia) [us-east-1]
US West (N. California) [us-west-1]
US West (Oregon) [us-west-2]

Note: Trusted Advisor does not currently track the per-region total limit for EC2 On-Demand instances (only the per-instance-type limits listed above). By default, this limit is 20 On-Demand instances per account, per region.

In cases where you have reached this regional limit, you might be unable to launch new on-demand instances even though Trusted Advisor will indicate that you have not reached any of your per-instance type limits within that region. For more detail on EC2 On-Demand limits, please refer to How many instances can I run in Amazon EC2.

We are constantly working on including more services in the Service Limits check. Your feedback is really helpful to us.