AWS Trusted Advisor General FAQs
Q: What is AWS Trusted Advisor?
AWS Trusted Advisor is an application that draws upon best practices learned from AWS’ aggregated operational history of serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps.
Q: How do I access Trusted Advisor?
Q: What made you choose the current checks/recommendations over others?
Every check was vetted for accuracy, consistency, and usefulness to our customers. We gather data and research to ensure we are making the right recommendations based on best practices and historical values. We have identified many possible checks for future implementation, and we will continue to add them over time.
Q: Does Trusted Advisor monitor my usage? Can Amazon see what I’m doing with AWS?
Trusted Advisor respects your privacy just as all Amazon Web Services do. We will never have access to your data or the software running on your account without your consent.
Q: What does Trusted Advisor check?
Cost Optimization – recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill.
Security – identification of security settings that could make your AWS solution less secure.
Fault Tolerance – recommendations that help increase the resiliency of your AWS solution by highlighting redundancy shortfalls, current service limits, and overutilized resources.
Performance – recommendations that can help to improve the speed and responsiveness of your applications.
Service Limits – recommendations that will tell you when service usage is more than 80% of the service limit.
For more information on Trusted Advisor and an up-to-date listing of checks, see AWS Trusted Advisor Best Practice Checks.
Q: How does the Trusted Advisor notification feature work?
The Trusted Advisor notification feature helps you stay up-to-date with your AWS resource deployment. You will be notified by weekly email when you opt in for this service, and it is totally free.
What is in the notification? The notification email includes the summary of saving estimates and your check status, especially highlighting changes of check status.
How do I sign up for the notification? This is an opt-in service, so do make sure to set up the notification in your dashboard. You can choose which contacts receive notification on the Preferences pane of the Trusted Advisor console.
Who can get this notification? You can indicate up to 3 recipients for the weekly status updates and savings estimates.
What language will the notification be in? The notification is available in English and Japanese.
How often will I get notified, and when? Currently, you will receive a weekly notification email, typically on Thursday or Friday, and it will reflect your resource configuration over the past week (7 days). It is in our roadmap to provide an event-triggered mailer and more flexibility.
Can I unsubscribe from the notifications if I do not want to receive the email anymore? Yes. You can change the setting in your dashboard by clearing all the check boxes and then clicking Save Preferences. Also, help us make this feature more relevant and better for you by using the Feedback button on the dashboard.
How much does it cost? It is totally free. Get started today!
Q: How does the "Recent Changes" feature work?
Trusted Advisor tracks the recent changes to your resource status on the console dashboard. The most recent changes over the past 30 days appear at the top to bring them to your attention. The system will track seven updates per page, and you can go to different pages to view all recent changes by clicking the forward or the backward arrow displayed on the top-right corner of the "Recent Changes" area.
Q: How does the "Exclude Items" function work?
If you don’t want to be notified about the status of a particular resource, you can choose to exclude (suppress) the reporting for that resource. You would normally do this after you have inspected the results of a check and decide not to make any changes to the AWS resource or setting that Trusted Advisor is flagging.
To exclude items, check the box to the left of the resource items, and then click the Exclude button. Excluded items appear in a separate view. You can restore (include) them at any time by selecting the items in the excluded items list and then clicking the Include button.
The "Exclude Items" function is available only at the resource level, not at the check level. We recommend that you examine each resource alert before excluding it to make sure that you can still see the overall status of your deployment without overlooking a certain area.
Q: What is an "Action Link"?
Some items in a Trusted Advisor report have hyperlinks to the AWS Management Console, where you can take action on the Trusted Advisor recommendations. Currently, all checks have the action links in the check description "Recommended Action" section; three checks have links directly to the AWS Management Console: Security Groups - Specific Ports Unrestricted, Security Ports - Unrestricted Access, and Service Limits.
Q: How do I manage the access to the Trusted Advisor console? What is the new IAM policy?
For the Trusted Advisor console, access is controlled by IAM policies that use the trustedadvisor namespace, and access options include viewing and refreshing individual checks or categories of checks. For more information, see Controlling Access to the Trusted Advisor Console.
Q: How do I access AWS Trusted Advisor via API?
Q: How often can I refresh my Trusted Advisor result?
You can refresh individual checks or refresh all the checks at once by clicking the Refresh All button in the top-right corner of the summary dashboard. The minimum refresh interval varies based on the check.
Checks are periodically refreshed without user action, but the interval can vary considerably. You can always see the date and time of the last refresh to the right of the check title.
Q: How do Trusted Advisor activities affect my Amazon CloudTrail logs?
Each customer action in Trusted Advisor triggers an API call that is documented in your Amazon CloudTrail logs. For example, when you refresh a Trusted Advisor check, you will see a call to the relevant resources with invokedBy and userAgent values of "support.amazon.com". This logging incurs minimal charges (a few cents per month).
Q: Which Trusted Advisor checks and features are available to all AWS customers?
All AWS customers get access to the seven core Trusted Advisor checks to help increase the security and performance of the AWS environment. Checks include:
- S3 Bucket Permissions
- Security Groups - Specific Ports Unrestricted
- IAM Use
- MFA on Root Account
- EBS Public Snapshots
- RDS Public Snapshots
Q: Why aren’t my CloudWatch event rules and metric alarms for the EC2 On-Demand Instances check working?
Service Limit Check Questions
Q: What service limits do you check?
The following table shows the limits that Trusted Advisor checks. For information about limits, see AWS Service Limits.
Amazon Elastic Compute Cloud
Elastic IP addresses (EIPs)
Reserved Instances - purchase limit (monthly)
On-Demand instances (see notes below)
Amazon Elastic Block Store
General Purpose (SSD) volume storage (GiB)
Provisioned IOPS (SSD) volume storage (GiB)
Magnetic volume storage (GiB)
Amazon Kinesis Streams
Amazon Relational Database Service
Cluster parameter groups
DB parameter groups
DB security groups
DB snapshots per user
Max auths per security group
Read replicas per master
Storage quota (GiB)
Subnets per subnet group
Amazon Simple Email Service
Daily sending quota
Amazon Virtual Private Cloud
Elastic IP addresses (EIPs)
Auto Scaling groups
Elastic Load Balancing (ELB)
Active load balancers
Identity and Access Management (IAM)
Note: Data for EC2 On-Demand instance limits is available only for these AWS Regions:
Asia Pacific (Tokyo) [ap-northeast-1]
Asia Pacific (Singapore) [ap-southeast-1]
Asia Pacific (Sydney) [ap-southeast-2]
EU (Ireland) [eu-west-1]
South America (São Paulo) [sa-east-1]
US East (N. Virginia) [us-east-1]
US West (N. California) [us-west-1]
US West (Oregon) [us-west-2]
Note: Trusted Advisor does not currently track regional limits for EC2 On-Demand instances. By default, this limit is 20 On-Demand instances per account, per region.
In cases where you have reached this regional limit, you might be unable to launch new On-Demand instances even though Trusted Advisor will indicate that you have not reached any of your per-instance type limits within that region. For more detail on EC2 On-Demand limits, please refer to How many instances can I run in Amazon EC2.
We are constantly working on including more services in the Service Limits check. Your feedback is really helpful to us.
Q: What are the default service limits?
Q: How can I get the Service Limit data with command-line tools?
You can retrieve Service Limit data using the AWS CLI. This AWS Command Line Interface command displays the regions Trusted Advisor has flagged as approaching or reaching the limit for Amazon EC2 On-Demand instance utilization, sorted by region name.
aws support describe-trusted-advisor-check-result --language en --check-id 0Xc6LMYG8P --query 'result.sort_by(flaggedResources[?status!=`ok`],&metadata).metadata' --output table
You can check any of the limits covered by Trusted Advisor using this method. For more details, see Check Categories, IDs, and Report Columns.
Reserved Instance Optimization Check Questions
Q: What data set are you using to make a Reserved Instance recommendation?
Q: Does the recommendation consider volume discounts?
No, Reservation Recommendations are based on public pricing.
Q: I just purchased a new Reserved Instance. Why isn’t it showing up in the recommendation?
Since these recommendations are based on previous on-demand usage, newly purchased reservations do not show until the corresponding usage shows up in your billing data. Recommendations may be inaccurate if reservations have been purchased during the past 30 days.
Q: How do you calculate the optimized number of Reserved Instances?
Reservation recommendations are calculated based on your on-demand usage over the past 30 days. These recommendations are calculated by identifying the reservation purchases which would result in the lowest possible bill you could have achieved over this period. These recommendations target the lowest possible bill, and not any particular utilization or coverage threshold.
Q: Do you include other Reserved Instance types in the recommendation?
This check covers recommendations based on Standard Reserved Instances with partial upfront payment option. For other variations including convertible reserved instances or alternate payments options, please refer to Cost Explorer’s Reservation Recommendations.
Q: Why are there separate sections for 1 year and 3 year Reserved Instances?
Customers have a choice between buying 1 year and 3 year term Reserved Instances from AWS. This check assumes you will purchase Reserved Instances for either 1 year or 3 year terms, not both. As a result, recommendations for purchasing additional 1 year or 3 year term Reserved Instances are not additive across both term lengths, so recommendations are called out separately.
To illustrate: In a recommendation for three additional 1 year Reserved Instances or four additional 3 year Reserved Instances, we are recommending the purchase of three or four Reserved Instances respectively, not a total of seven additional Reserved Instances.
Q: Are all instance types included in the recommendation?
Yes, all instances types are included that have corresponding reservations available.
Q: I use spot instance. Do you include spot rates in the calculation?
No, spot usage is not eligible to be covered by reservations and is excluded from these recommendations.
Q: I have third party Reserved Instances from the Reserved Instance Marketplace. Do you include those in the results?
Recommendation for Reserved Instance purchase is made based on billing usage not covered by all available Reserved Instances, including those purchased from the Marketplace. Cost savings are calculated based on public pricing and do not take into account the availability of reserved instances available on the RI Marketplace.
Q: Does the recommendations include any money I made if I sell my existing Reserved Instance to purchase the recommended Partial Upfront Reserved Instances?
No, these recommendations are only purchase recommendations based on public pricing and on demand usage. They do not take into account any potential sales of existing RIs on the RI Marketplace or the conversion of existing underutilized Reservations.
Q: What defines the alert criteria for this check?
This check is flagged yellow when optimizing the use of partial upfront RIs can help reduce costs.
Q: What is the recommended action when the check goes yellow?
Q: Where can I learn more about Reserved Instances?
Q: What does each field in the check result mean?
- Region - The AWS Region of the recommended reservation.
- Instance Type - The type of instance that AWS recommends.
- Platform - The platform of the recommended reservation. The platform is the specific combination of operating system, license model, and software on an instance.
- Recommended Number of Reserved Instances to Purchase - The number of RIs that AWS recommends that you purchase.
- Expected Average Reserved Instance Utilization - The expected average utilization of the your RIs.
- Estimated Savings with Recommendation (Monthly) - How much AWS estimates that this specific recommendation could save you in a month.
- Upfront Cost of Reserved Instances - How much purchasing this instance costs you upfront.
- Estimated Cost of Reserved Instances (Monthly) - How much the RIs will cost on a monthly basis after purchase.
- Estimated On-Demand Cost Post Recommended Reserved Instance Purchase (Monthly) - How much AWS estimates that you will spend per month on On-Demand Instances after purchasing the recommended RIs.
- Estimated Break Even (Months) - How long AWS estimates that it takes for this instance to start saving you money, in months.
- Lookback Period (Days) - How many days of previous usage that AWS considers when making this recommendation.
- Term (Years) - The term of the reservation that you want recommendations for, in years.
Q: Why do I see a blue question mark for this recommendation on the Trusted Advisor Console?
Q: Why can I not refresh this recommendation every 5 minutes?