AWS Trusted Advisor General FAQs
  • Q: What is AWS Trusted Advisor?

    AWS Trusted Advisor is an application that draws upon best practices learned from AWS’ aggregated operational history of serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps. 

  • Q: How do I access Trusted Advisor?

    Trusted Advisor is available in the AWS Management Console. All AWS users have access to the data for the seven core checks. Users with Business- or Enterprise-level Support can access all checks. You can access the Trusted Advisor console directly at

  • Q: What made you choose the current checks/recommendations over others?

    Every check was vetted for accuracy, consistency, and usefulness to our customers. We gather data and research to ensure we are making the right recommendations based on best practices and historical values. We have identified many possible checks for future implementation, and we will continue to add them over time.

  • Q: Does Trusted Advisor monitor my usage? Can Amazon see what I’m doing with AWS?

    Trusted Advisor respects your privacy just as all Amazon Web Services do. We will never have access to your data or the software running on your account without your consent.

  • Q: What does Trusted Advisor check?

    Trusted Advisor includes an ever-expanding list of checks in the following five categories:

    Cost Optimization – recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill.

    Security – identification of security settings that could make your AWS solution less secure.

    Fault Tolerance – recommendations that help increase the resiliency of your AWS solution by highlighting redundancy shortfalls, current service limits, and overutilized resources.

    Performance – recommendations that can help to improve the speed and responsiveness of your applications.

    Service Limits – recommendations that will tell you when service usage is more than 80% of the service limit.

    For more information on Trusted Advisor and an up-to-date listing of checks, see AWS Trusted Advisor Best Practice Checks.  

  • Q: How does the Trusted Advisor notification feature work?

    The Trusted Advisor notification feature helps you stay up-to-date with your AWS resource deployment. You will be notified by weekly email when you opt in for this service, and it is totally free.

    What is in the notification? The notification email includes the summary of saving estimates and your check status, especially highlighting changes of check status.

    How do I sign up for the notification? This is an opt-in service, so do make sure to set up the notification in your dashboard. You can choose which contacts receive notification on the Preferences pane of the Trusted Advisor console.

    Who can get this notification? You can indicate up to 3 recipients for the weekly status updates and savings estimates.

    What language will the notification be in? The notification is available in English and Japanese.

    How often will I get notified, and when? Currently, you will receive a weekly notification email, typically on Thursday or Friday, and it will reflect your resource configuration over the past week (7 days). It is in our roadmap to provide an event-triggered mailer and more flexibility.

    Can I unsubscribe from the notifications if I do not want to receive the email anymore? Yes. You can change the setting in your dashboard by clearing all the check boxes and then clicking Save Preferences. Also, help us make this feature more relevant and better for you by using the Feedback button on the dashboard.

    How much does it cost? It is totally free. Get started today!

  • Q: How does the "Recent Changes" feature work?

    Trusted Advisor tracks the recent changes to your resource status on the console dashboard. The most recent changes over the past 30 days appear at the top to bring them to your attention. The system will track seven updates per page, and you can go to different pages to view all recent changes by clicking the forward or the backward arrow displayed on the top-right corner of the "Recent Changes" area.

  • Q: How does the "Exclude Items" function work?

    If you don’t want to be notified about the status of a particular resource, you can choose to exclude (suppress) the reporting for that resource. You would normally do this after you have inspected the results of a check and decide not to make any changes to the AWS resource or setting that Trusted Advisor is flagging.

    To exclude items, check the box to the left of the resource items, and then click the Exclude button. Excluded items appear in a separate view. You can restore (include) them at any time by selecting the items in the excluded items list and then clicking the Include button.

    The "Exclude Items" function is available only at the resource level, not at the check level. We recommend that you examine each resource alert before excluding it to make sure that you can still see the overall status of your deployment without overlooking a certain area.  

  • Q: What is an "Action Link"?

    Some items in a Trusted Advisor report have hyperlinks to the AWS Management Console, where you can take action on the Trusted Advisor recommendations. Currently, all checks have the action links in the check description "Recommended Action" section; three checks have links directly to the AWS Management Console: Security Groups - Specific Ports Unrestricted, Security Ports - Unrestricted Access,  and Service Limits.  

  • Q: How do I manage the access to the Trusted Advisor console? What is the new IAM policy?

    For the Trusted Advisor console, access is controlled by IAM policies that use the trustedadvisor namespace, and access options include viewing and refreshing individual checks or categories of checks. For more information, see Controlling Access to the Trusted Advisor Console.

  • Q: How do I access AWS Trusted Advisor via API?

    You can retrieve and refresh Trusted Advisor results programmatically. For more information, see About the AWS Support API.

  • Q: How often can I refresh my Trusted Advisor result?

    You can refresh individual checks or refresh all the checks at once by clicking the Refresh All button in the top-right corner of the summary dashboard. The minimum refresh interval varies based on the check.

    Checks are periodically refreshed without user action, but the interval can vary considerably. You can always see the date and time of the last refresh to the right of the check title.

  • Q: How do Trusted Advisor activities affect my Amazon CloudTrail logs?

    Each customer action in Trusted Advisor triggers an API call that is documented in your Amazon CloudTrail logs. For example, when you refresh a Trusted Advisor check, you will see a call to the relevant resources with invokedBy and userAgent values of "". This logging incurs minimal charges (a few cents per month).

  • Q: Which Trusted Advisor checks and features are available to all AWS customers?

    All AWS customers get access to the seven core Trusted Advisor checks to help increase the security and performance of the AWS environment. Checks include:


    • S3 Bucket Permissions
    • Security Groups - Specific Ports Unrestricted
    • IAM Use
    • MFA on Root Account
    • EBS Public Snapshots
    • RDS Public Snapshots

    Service Limits

  • Q: Why aren’t my CloudWatch event rules and metric alarms for the EC2 On-Demand Instances check working? 

    If your account has been opted in to vCPU-based On-Demand Instance limits, you must adjust your metric alarms and event rules to account for the vCPU-based instance limits. To see if you are using vCPU-based On-Demand Instances, visit the Limits page on Amazon EC2 console.  

Service Limit Check Questions
  • Q:  What service limits do you check?

    The following table shows the limits that Trusted Advisor checks. For information about limits, see AWS Service Limits.



    Amazon Elastic Compute Cloud
    (Amazon EC2)

    Elastic IP addresses (EIPs)
    Reserved Instances - purchase limit (monthly)
    On-Demand instances (see notes below)

    Amazon Elastic Block Store
    (Amazon EBS)

    Active volumes
    Active snapshots
    General Purpose (SSD) volume storage (GiB)
    Provisioned IOPS
    Provisioned IOPS (SSD) volume storage (GiB)
    Magnetic volume storage (GiB)

    Amazon Kinesis Streams


    Amazon Relational Database Service
    (Amazon RDS)

    Cluster parameter groups
    Cluster roles
    DB instances
    DB parameter groups
    DB security groups
    DB snapshots per user
    Event subscriptions
    Max auths per security group
    Option groups
    Read replicas per master
    Reserved Instances
    Storage quota (GiB)
    Subnet groups
    Subnets per subnet group

    Amazon Simple Email Service
    (Amazon SES)

    Daily sending quota

    Amazon Virtual Private Cloud
    (Amazon VPC)

    Elastic IP addresses (EIPs)
    Internet gateways

    Auto Scaling

    Auto Scaling groups
    Launch configurations

    AWS CloudFormation


    Elastic Load Balancing (ELB)

    Active load balancers

    Identity and Access Management (IAM)

    Instance profiles
    Server certificates


    Note: Data for EC2 On-Demand instance limits is available only for these AWS Regions:

    Asia Pacific (Tokyo) [ap-northeast-1]
    Asia Pacific (Singapore) [ap-southeast-1]
    Asia Pacific (Sydney) [ap-southeast-2]
    EU (Ireland) [eu-west-1]
    South America (São Paulo) [sa-east-1]
    US East (N. Virginia) [us-east-1]
    US West (N. California) [us-west-1]
    US West (Oregon) [us-west-2]

    Note: Trusted Advisor does not currently track regional limits for EC2 On-Demand instances. By default, this limit is 20 On-Demand instances per account, per region.

    In cases where you have reached this regional limit, you might be unable to launch new On-Demand instances even though Trusted Advisor will indicate that you have not reached any of your per-instance type limits within that region. For more detail on EC2 On-Demand limits, please refer to How many instances can I run in Amazon EC2.

    We are constantly working on including more services in the Service Limits check. Your feedback is really helpful to us.


  • Q:  What are the default service limits?

    For a list of the default service limits and instructions for requesting increases, see AWS Service Limits.

  • Q:  How can I get the Service Limit data with command-line tools?

    You can retrieve Service Limit data using the AWS CLI. This AWS Command Line Interface command displays the regions Trusted Advisor has flagged as approaching or reaching the limit for Amazon EC2 On-Demand instance utilization, sorted by region name.


    aws support describe-trusted-advisor-check-result --language en --check-id 0Xc6LMYG8P --query 'result.sort_by(flaggedResources[?status!=`ok`],&metadata[2])[].metadata' --output table

    You can check any of the limits covered by Trusted Advisor using this method. For more details, see Check Categories, IDs, and Report Columns.


Reserved Instance Optimization Check Questions