AWS Trusted Advisor General FAQs
Q: What is AWS Trusted Advisor?
AWS Trusted Advisor is an application that draws upon best practices learned from AWS’ aggregated operational history of serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps.
Q: How do I access Trusted Advisor?
Q: What made you choose the current checks/recommendations over others?
Every check was vetted for accuracy, consistency, and usefulness to our customers. We gather data and research to ensure we are making the right recommendations based on best practices and historical values. We have identified many possible checks for future implementation, and we will continue to add them over time.
Q: Does Trusted Advisor monitor my usage? Can Amazon see what I’m doing with AWS?
Trusted Advisor respects your privacy just as all Amazon Web Services do. We will never have access to your data or the software running on your account without your consent.
Q: What does Trusted Advisor check?
- Cost Optimization – recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill.
- Security – identification of security settings that could make your AWS solution less secure.
- Fault Tolerance – recommendations that help increase the resiliency of your AWS solution by highlighting redundancy shortfalls, current service limits, and overutilized resources.
- Performance – recommendations that can help to improve the speed and responsiveness of your applications.
- Service Limits – recommendations that will tell you when service usage is more than 80% of the service limit.
For more information on Trusted Advisor and an up-to-date listing of checks, see AWS Trusted Advisor Best Practice Checks.
Q: How does the Trusted Advisor notification feature work?
The Trusted Advisor notification feature helps you stay up-to-date with your AWS resource deployment. You will be notified by weekly email when you opt in for this service, and it is totally free.
What is in the notification? The notification email includes the summary of saving estimates and your check status, especially highlighting changes of check status.
How do I sign up for the notification? This is an opt-in service, so do make sure to set up the notification in your dashboard. You can choose which contacts receive notification on the Preferences pane of the Trusted Advisor console.
Who can get this notification? You can indicate up to 3 recipients for the weekly status updates and savings estimates.
What language will the notification be in? The notification is available in English and Japanese.
How often will I get notified, and when? Currently, you will receive a weekly notification email, typically on Thursday or Friday, and it will reflect your resource configuration over the past week (7 days). It is in our roadmap to provide an event-triggered mailer and more flexibility.
Can I unsubscribe from the notifications if I do not want to receive the email anymore? Yes. You can change the setting in your dashboard by clearing all the check boxes and then clicking Save Preferences. Also, help us make this feature more relevant and better for you by using the Feedback button on the dashboard.
How much does it cost? It is totally free. Get started today!
Q: How does the "Recent Changes" feature work?
Trusted Advisor tracks the recent changes to your resource status on the console dashboard. The most recent changes over the past 30 days appear at the top to bring them to your attention. The system will track seven updates per page, and you can go to different pages to view all recent changes by clicking the forward or the backward arrow displayed on the top-right corner of the "Recent Changes" area.
Q: How does the "Exclude Items" function work?
If you don’t want to be notified about the status of a particular resource, you can choose to exclude (suppress) the reporting for that resource. You would normally do this after you have inspected the results of a check and decide not to make any changes to the AWS resource or setting that Trusted Advisor is flagging.
To exclude items, check the box to the left of the resource items, and then click the Exclude button. Excluded items appear in a separate view. You can restore (include) them at any time by selecting the items in the excluded items list and then clicking the Include button.
The "Exclude Items" function is available only at the resource level, not at the check level. We recommend that you examine each resource alert before excluding it to make sure that you can still see the overall status of your deployment without overlooking a certain area.
Q: What is an "Action Link"?
Some items in a Trusted Advisor report have hyperlinks to the AWS Management Console, where you can take action on the Trusted Advisor recommendations. Currently, all checks have the action links in the check description "Recommended Action" section; three checks have links directly to the AWS Management Console: Security Groups - Specific Ports Unrestricted, Security Ports - Unrestricted Access, and Service Limits.
Q: How do I manage the access to the Trusted Advisor console? What is the new IAM policy?
For the Trusted Advisor console, access is controlled by IAM policies that use the trustedadvisor namespace, and access options include viewing and refreshing individual checks or categories of checks. For more information, see Controlling Access to the Trusted Advisor Console.
Q: How do I access AWS Trusted Advisor via API?
Q: How often can I refresh my Trusted Advisor result?
You can refresh a check 5 minutes after it was last refreshed. You can refresh individual checks or refresh all the checks at once by clicking the Refresh All button in the top-right corner of the summary dashboard.
Checks are periodically refreshed without user action, but the interval can vary considerably. You can always see the date and time of the last refresh to the right of the check title.
Q: How do Trusted Advisor activities affect my Amazon CloudTrail logs?
Each customer action in Trusted Advisor triggers an API call that is documented in your Amazon CloudTrail logs. For example, when you refresh a Trusted Advisor check, you will see a call to the relevant resources with invokedBy and userAgent values of "support.amazon.com". This logging incurs minimal charges (a few cents per month).
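When triaging CloudTrail, it helps to separate the calls described above from calls made directly by users. The following is an added example, not AWS code: it groups records by whether both invokedBy and userAgent carry "support.amazon.com". The sample records, user names and the "review" bucket are constructed for illustration; the field names userAgent and userIdentity.invokedBy are those of the CloudTrail record format.

```python
import json

# Value the FAQ gives for both invokedBy and userAgent on these calls.
SUPPORT_PRINCIPAL = "support.amazon.com"

# Constructed CloudTrail records for illustration; not real log data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "userAgent": "support.amazon.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "invokedBy": "support.amazon.com"}},
    {"eventTime": "2016-03-01T10:00:02Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBSnapshots", "userAgent": "support.amazon.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "invokedBy": "support.amazon.com"}},
    {"eventTime": "2016-03-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userAgent": "aws-cli/1.10.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-03-01T12:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSnapshots", "userAgent": "support.amazon.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})


def classify(record):
    """Return 'support_invoked', 'review' or 'other' for one CloudTrail record."""
    user_agent = record.get("userAgent")
    invoked_by = (record.get("userIdentity") or {}).get("invokedBy")
    if user_agent == SUPPORT_PRINCIPAL and invoked_by == SUPPORT_PRINCIPAL:
        return "support_invoked"   # matches the FAQ's description on both fields
    if SUPPORT_PRINCIPAL in (user_agent, invoked_by):
        return "review"            # only one field matches: does not fit the description
    return "other"


def triage(log_text):
    """Group (time, user, source, event) tuples by classification."""
    buckets = {"support_invoked": [], "review": [], "other": []}
    for rec in json.loads(log_text).get("Records", []):
        user = (rec.get("userIdentity") or {}).get("userName")
        buckets[classify(rec)].append(
            (rec.get("eventTime"), user, rec.get("eventSource"), rec.get("eventName")))
    return buckets


if __name__ == "__main__":
    for bucket, events in triage(SAMPLE_LOG).items():
        print(bucket, len(events), events)
```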
Q: Which Trusted Advisor checks and features are available to all AWS customers?
All AWS customers get access to the seven core Trusted Advisor checks to help increase the security and performance of the AWS environment. Checks include:
- S3 Bucket Permissions
- Security Groups - Specific Ports Unrestricted
- IAM Use
- MFA on Root Account
- EBS Public Snapshots
- RDS Public Snapshots
Service Limit Check Questions
Q: What service limits do you check?
The following table shows the limits that Trusted Advisor checks. For information about limits, see AWS Service Limits.
Amazon Elastic Compute Cloud
Elastic IP addresses (EIPs)
Reserved Instances - purchase limit (monthly)
On-Demand instances (see notes below)
Amazon Elastic Block Store
General Purpose (SSD) volume storage (GiB)
Provisioned IOPS (SSD) volume storage (GiB)
Magnetic volume storage (GiB)
Amazon Kinesis Streams
Amazon Relational Database Service
Cluster parameter groups
DB parameter groups
DB security groups
DB snapshots per user
Max auths per security group
Read replicas per master
Storage quota (GiB)
Subnets per subnet group
Amazon Simple Email Service
Daily sending quota
Amazon Virtual Private Cloud
Elastic IP addresses (EIPs)
Auto Scaling groups
Elastic Load Balancing (ELB)
Active load balancers
Identity and Access Management (IAM)
Note: Data for EC2 On-Demand instance limits is available only for these AWS Regions:
- Asia Pacific (Tokyo) [ap-northeast-1]
- Asia Pacific (Singapore) [ap-southeast-1]
- Asia Pacific (Sydney) [ap-southeast-2]
- EU (Ireland) [eu-west-1]
- South America (São Paulo) [sa-east-1]
- US East (N. Virginia) [us-east-1]
- US West (N. California) [us-west-1]
- US West (Oregon) [us-west-2]
Note: Trusted Advisor does not currently track regional limits for EC2 On-Demand instances. By default, this limit is 20 on-demand instances per account, per region.
In cases where you have reached this regional limit, you might be unable to launch new on-demand instances even though Trusted Advisor will indicate that you have not reached any of your per-instance type limits within that region. For more detail on EC2 On-Demand limits, please refer to How many instances can I run in Amazon EC2.
We are constantly working on including more services in the Service Limits check. Your feedback is really helpful to us.
Q: What are the default service limits?
Q: How can I get the Service Limit data with command-line tools?
You can retrieve Service Limit data using the AWS CLI. This AWS Command Line Interface command displays the regions Trusted Advisor has flagged as approaching or reaching the limit for Amazon EC2 on-demand instance utilization, sorted by region name.
aws support describe-trusted-advisor-check-result --language en --check-id eW7HH0l7J9 --query 'result.sort_by(flaggedResources[?status!=`ok`],&metadata).metadata' --output table
You can check any of the limits covered by Trusted Advisor using this method. For more details, see Check Categories, IDs, and Report Columns.
Reserved Instance Optimization Check Questions
Q: What data set are you using to make a Reserved Instance recommendation?
We calculate the recommendation based on the usage in the last completed calendar month. For example, if it is the 25th of April, the recommendation is based on data from March 1 to March 31.
Q: Does the recommendation consider volume discounts?
No, the recommendation uses standard pricing. Actual results may vary on discounted pricing tiers. We recommend contacting your sales representative by completing the AWS Sales & Business Development form to review a more detailed optimization plan if you are receiving volume discounts.
Q: I just purchased a new Reserved Instance. Why isn’t it showing up in the recommendation?
New Reserved Instance purchases are updated on a daily basis. Refresh the check 24 hours after you make your purchase to see the new recommendation. Also note that the check does not include third-party Reserved Instances purchased from the Reserved Instance Marketplace.
Q: How do you calculate the optimized number of Reserved Instances?
Our system analyzes the hourly usage history during the previous calendar month across all consolidated accounts. The system calculates the number of running instances in each Availability Zone and for each type of instance. An hourly cost is determined by aggregating the cost of all instances that ran the previous month, whether they ran as On-Demand or as a Reserved Instance. In addition to the hourly usage charges, the system calculates a fixed charge by amortizing the one-time upfront fees for each Reserved Instance already purchased.
By adding the aggregated hourly charges and the amortized upfront fees, the system is able to determine your baseline cost for the month. The system then incorporates the hourly and amortized upfront costs for additional Partial Upfront Reserved Instances, and the amortized upfront costs of any existing Reserved Instances into the calculation. Given the baseline cost based on the previous usage, and the costs for adding additional Partial Upfront Reserved Instances, the system uses a simple gradient descent algorithm to determine the number of Partial Upfront Reserved Instances that would result in the lowest overall cost.
Q: How do you amortize the cost of existing Reserved Instances?
The upfront fee for each Reserved Instance is amortized over the period of the Reserved Instance. In simple terms, if the upfront fee was $1200, and the term length was one year, the system will divide $1200 by 12 months, resulting in a cost of $100 per month.
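The calculation described in the two answers above can be worked through on a small case. This is an added illustration, not AWS's implementation: it assumes a single instance type in one Availability Zone, no existing Reserved Instances, an hourly Reserved Instance fee billed for every hour of the month, and constructed usage and prices (only the $1200 upfront fee and one-year term come from the FAQ). The step-by-step search stands in for the "simple gradient descent" the FAQ mentions.

```python
# Constructed inputs for one instance type in one Availability Zone; money in cents.
HOURLY_USAGE = [5] * 240 + [3] * 480   # running instances in each hour of a 30-day month
ON_DEMAND_CENTS_PER_HOUR = 40          # constructed On-Demand rate
RI_CENTS_PER_HOUR = 10                 # constructed Partial Upfront hourly fee
RI_UPFRONT_CENTS = 120_000             # the FAQ's $1200 upfront fee
RI_TERM_MONTHS = 12                    # the FAQ's one-year term


def amortized_upfront(upfront_cents, term_months):
    """Upfront fee spread evenly over the term ($1200 over 12 months is $100 a month)."""
    return upfront_cents // term_months


def monthly_cost(n_reserved, usage=HOURLY_USAGE):
    """Total cents for the month with n_reserved RIs; remaining usage runs On-Demand."""
    # Assumption: each RI costs its amortized upfront fee plus the hourly fee
    # for every hour of the month, whether or not an instance used it.
    per_ri = (amortized_upfront(RI_UPFRONT_CENTS, RI_TERM_MONTHS)
              + RI_CENTS_PER_HOUR * len(usage))
    uncovered_hours = sum(max(running - n_reserved, 0) for running in usage)
    return n_reserved * per_ri + uncovered_hours * ON_DEMAND_CENTS_PER_HOUR


def recommend(usage=HOURLY_USAGE):
    """Add one RI at a time while the monthly total keeps falling."""
    n = 0
    while monthly_cost(n + 1, usage) < monthly_cost(n, usage):
        n += 1
    return n, monthly_cost(n, usage)


if __name__ == "__main__":
    for n in range(6):
        print(n, "RIs ->", monthly_cost(n) / 100, "USD")
    print("recommended:", recommend())
```

With this usage the fourth Reserved Instance would only cover 240 hours, which costs less On-Demand than the instance's fixed monthly charge, so the search stops at three.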
Q: I have many accounts, and the Availability Zones are different for each one. How do you account for that?
We normalize all Availability Zones across all Consolidated Billing accounts and reflect the values using the primary payer account mapping.
Q: Do you include other Reserved Instance types in the recommendation?
Only Partial Upfront Reserved Instances are recommended by this check. However, hourly usage charges and amortized upfront fees for other Reserved Instance types are included in the calculation.
Q: Why are there separate sections for 1 year and 3 year Reserved Instances?
Customers have a choice between buying 1 year and 3 year term Reserved Instances from AWS. This check assumes you will purchase Reserved Instances for either 1 year or 3 year terms, not both. As a result, recommendations for purchasing additional 1 year or 3 year term Reserved Instances are not additive across both term lengths, so recommendations are called out separately.
To illustrate: In a recommendation for three additional 1 year Reserved Instances or four additional 3 year Reserved Instances, we are recommending the purchase of three or four Reserved Instances respectively, not a total of seven additional Reserved Instances.
Q: Are all instance types included in the recommendation?
Recommendations are available for Amazon Linux/UNIX and Windows Reserved Instances. The calculation excludes usage and recommendations for Red Hat Enterprise Linux, SUSE Linux Enterprise, Amazon RDS, Amazon ElastiCache, and others.
Q: I use Spot instances. Do you include Spot rates in the calculation?
Due to the variability of the Spot instance market, the system uses on-demand rates when calculating the optimized number of Reserved Instances.
Q: I have third-party Reserved Instances from the Reserved Instance Marketplace. Do you include those in the results?
Q: Does the recommendation include any money I make if I sell my existing Reserved Instances to purchase the recommended Partial Upfront Reserved Instances?
The system does not include any money that could result from the sale of existing Reserved Instances when calculating the optimal number of Partial Upfront Reserved Instances.