AWS – AWS Trusted Advisor

Trusted Advisor covers five main areas, and it is designed to give you some guidance around what are considered the best practices for your cloud deployment. The areas that are covered are as follows:

  • Cost optimization
  • Performance
  • Security
  • Fault tolerance
  • Service limits

It’s available to everyone and free to use for basic coverage. If you are paying for Business- or Enterprise-level support with AWS, you get access to additional checks that are important for production workloads. At the time of writing, there are 53 checks for cost optimization, performance, security, and fault tolerance, and 48 separate checks for service limits.

How to do it…

The good news is that you don’t need to do anything at all to turn on Trusted Advisor. It’s automatically enabled when your AWS account is created, and will continue to update for the lifetime of your account. Go ahead and navigate to the Trusted Advisor section of the AWS web console.

How it works…

The checks that are provided for free with this service are as follows:

  • Unrestricted ports: This is a check on the highest-risk ports in your security groups. They’ll be flagged if they’re open to everyone (0.0.0.0/0).
  • IAM usage: This is a fairly rudimentary check. If there isn’t at least one IAM user in your account, this check won’t pass. It’s considered good practice to not use your root login credentials for your AWS account, and instead create IAM users with least privileged access.
  • MFA on root account: You need to have MFA enabled for your root login in order for this check to pass. It’s also a good idea to enable MFA for your IAM users as well, as we discussed in Chapter 1, AWS Fundamentals.
  • Amazon S3 bucket permissions: This will alert you to any buckets that are configured for public access.
  • Service limits: This one is quite handy—if you’re approaching 80% of your service limits, this check won’t pass. For example, it’s nice to know if you’re about to hit the cap of CloudFormation stacks or EC2 instances before you attempt to create them.
  • EBS and RDS public snapshots: This checks to see if any of your snapshots are open to the general public.

Even though there is only a handful of checks here, these are some of the more useful ones, so we’d encourage you to pay attention to them. The console uses a color scheme to denote the status of each check:

  • Red: It’s recommended that you take action to remedy this check.
  • Yellow: This check requires investigation and possible remediation.
  • Green: This check is passing and needs no attention.

Visit the Preferences page in the Trusted Advisor web console if you’d like to have a weekly report emailed to you.

There’s more…

As well as opening up the entire suite of Trusted Advisor checks, a Business- or Enterprise-level support arrangement gives you access to the following:

  • Notifications: You are able to have notifications delivered to you at a higher frequency using a number of delivery methods. Since Trusted Advisor is an available source in CloudWatch Events, you’ll be able to create notifications that can be handled by SNS (email, push, SMS), or even notifications that will trigger Lambda functions.
  • API access: You’ll have access to a number of Trusted Advisor API methods, such as DescribeTrustedAdvisorCheckResult and DescribeTrustedAdvisorCheckSummaries. You can use these to integrate the results from checks into your own dashboards or monitoring systems. You’ll also be able to use the APIs to refresh Trusted Advisor checks (after you’ve taken corrective action on them, for example).
  • Exclusion: You can selectively mute checks that are failing. You’ll sometimes want to do this for things such as RDS instances in your development environments that aren’t in multi-AZ mode, or don’t have backups enabled.
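The following Python example is added here and is not code from the book or from AWS; it shows how the DescribeTrustedAdvisorCheckResult output mentioned above can be turned into a per-resource report, with exclusions honoured and the API's ok/warning/error statuses mapped onto the console's green/yellow/red. The check id, security group ids, names and timestamp in the sample payloads are constructed placeholders shaped like the real responses; the two live-call helpers use the boto3 `support` client and are only meaningful with a Business or Enterprise support plan.

```python
"""Turn Trusted Advisor API output into a flagged-resource report.

Added example, not code from the book. The sample payloads below are
constructed to match the response shapes of the Support API operations
DescribeTrustedAdvisorChecks and DescribeTrustedAdvisorCheckResult; every
id, name and timestamp in them is a placeholder.
"""
from __future__ import annotations

# API status values and the console colours they correspond to.
SEVERITY = {"ok": 0, "not_available": 0, "warning": 1, "error": 2}
COLOUR = {"ok": "green", "warning": "yellow", "error": "red", "not_available": "n/a"}

# Constructed stand-in for one entry of DescribeTrustedAdvisorChecks.
# `metadata` names the columns of each flagged resource's `metadata` list.
SAMPLE_CHECK = {
    "id": "EXAMPLE-CHECK-ID",
    "name": "Security Groups - Specific Ports Unrestricted",
    "category": "security",
    "metadata": ["Region", "Security Group Name", "Security Group ID",
                 "Protocol", "Port", "Status"],
}

# Constructed stand-in for DescribeTrustedAdvisorCheckResult on that check.
SAMPLE_RESULT = {
    "result": {
        "checkId": "EXAMPLE-CHECK-ID",
        "timestamp": "2024-01-01T00:00:00Z",
        "status": "error",
        "resourcesSummary": {"resourcesProcessed": 3, "resourcesFlagged": 3,
                             "resourcesIgnored": 0, "resourcesSuppressed": 1},
        "flaggedResources": [
            {"status": "error", "region": "us-east-1", "isSuppressed": False,
             "resourceId": "sg-0example1",
             "metadata": ["us-east-1", "web-public", "sg-0example1", "tcp", "22", "Red"]},
            {"status": "warning", "region": "eu-west-1", "isSuppressed": False,
             "resourceId": "sg-0example2",
             "metadata": ["eu-west-1", "app-tier", "sg-0example2", "tcp", "3389", "Yellow"]},
            # Excluded in the console (isSuppressed), so skipped by default.
            {"status": "error", "region": "us-east-1", "isSuppressed": True,
             "resourceId": "sg-0example3",
             "metadata": ["us-east-1", "dev-sandbox", "sg-0example3", "tcp", "22", "Red"]},
        ],
    }
}


def flagged_rows(check: dict, result: dict, min_status: str = "warning",
                 include_suppressed: bool = False) -> list[dict]:
    """Join each flagged resource's positional metadata to the check's
    column names and keep rows at or above min_status, worst first."""
    columns = check["metadata"]
    rows = []
    for item in result["result"]["flaggedResources"]:
        if item.get("isSuppressed") and not include_suppressed:
            continue  # excluded check items were muted on purpose
        if SEVERITY.get(item["status"], 0) < SEVERITY[min_status]:
            continue
        row = dict(zip(columns, item["metadata"]))
        row["_status"] = item["status"]
        row["_colour"] = COLOUR.get(item["status"], "n/a")
        row["_resourceId"] = item["resourceId"]
        rows.append(row)
    return sorted(rows, key=lambda r: -SEVERITY[r["_status"]])


def report(check: dict, result: dict) -> str:
    """One header line for the check, then one line per flagged resource."""
    lines = [f"{check['name']}: {result['result']['status']}"]
    for row in flagged_rows(check, result):
        lines.append(f"  [{row['_colour']}] {row['_resourceId']} "
                     f"{row.get('Protocol')}/{row.get('Port')} in {row.get('Region')}")
    return "\n".join(lines)


def fetch_check_result(check_id: str) -> dict:
    """Live call (not exercised offline). The Support API is served from
    us-east-1 regardless of where your resources live, and this operation
    requires a Business or Enterprise support plan."""
    import boto3  # imported lazily so the offline parts run without it
    client = boto3.client("support", region_name="us-east-1")
    return client.describe_trusted_advisor_check_result(checkId=check_id, language="en")


def refresh_check(check_id: str) -> dict:
    """Ask Trusted Advisor to re-run a check after remediation (live call)."""
    import boto3
    client = boto3.client("support", region_name="us-east-1")
    return client.refresh_trusted_advisor_check(checkId=check_id)


if __name__ == "__main__":
    print(report(SAMPLE_CHECK, SAMPLE_RESULT))
```

To use it against a real account, replace `SAMPLE_RESULT` with `fetch_check_result(check_id)` after looking the id up with `describe_trusted_advisor_checks(language="en")` on the same client; the column names in `check["metadata"]` are what make the positional `metadata` list readable, so always pair a result with the check description it came from.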

Finally, some of the more useful checks that we see for Business- and Enterprise-level support customers are as follows:

  • Reserved Instances: This is a nice cost optimization if you have a reasonably static workload since a reserved instance allows you to pay upfront for EC2 instances when you know they will run steadily for long periods of time.
  • Unassociated Elastic IPs: If IP addresses are not associated with a network interface (on an EC2 instance, for example), you will be charged for them. Also, if there are unassociated IPs floating around, that is usually a sign that they are being allocated manually, instead of with CloudFormation. Remember that the goal here is for more automation, not less.
  • Idle load balancers: Again, these cost money, and are often easily orphaned in low-automation environments.
  • S3 bucket permissions: It’s not always obvious if the permissions on an S3 bucket have been misconfigured. This check helps you to avoid unintentionally leaking data.

As we have stated in other chapters, if you are running any production workload in an AWS account, you should have, as a minimum, a Business support contract, which will unlock the full functionality of Trusted Advisor.