AWS Monitoring & Management
Trusted Advisor
Real-time recommendations for cost optimization, performance, security, and fault tolerance
AWS Trusted Advisor is an automated best-practice recommendation engine that analyzes your AWS account across five categories - cost optimization, performance, security, fault tolerance, and service limits - and flags issues with actionable guidance. It acts as a continuously running audit that surfaces quick wins and critical risks without requiring manual review.
Check Categories and What Trusted Advisor Examines
Trusted Advisor organizes its checks into five pillars. The number of checks available depends on your AWS Support plan:
| Category | Example Checks | Value |
|---|---|---|
| Cost Optimization | Idle EC2 instances, underutilized EBS volumes, unassociated Elastic IPs, low-utilization Reserved Instances | Find waste and reduce bills |
| Performance | High-utilization EC2 instances, CloudFront delivery optimization, EBS throughput limits | Identify bottlenecks before users notice |
| Security | Open security groups (0.0.0.0/0), exposed S3 buckets, IAM policies with full permissions, MFA not enabled on root | Surface critical misconfigurations |
| Fault Tolerance | EC2 instances not in multiple AZs, RDS without Multi-AZ, EBS snapshots older than 7 days, CloudFront no failover origin | Identify single points of failure |
| Service Limits | EC2 instance limits, EBS volume limits, IAM role limits approaching quota | Prevent deployment failures from hitting quotas |
| Support Plan | Checks Available |
|---|---|
| Basic / Developer | ~7 core checks (S3 bucket permissions, security groups, IAM, MFA on root, EBS snapshots, service limits basics) |
| Business | All checks (~115+) + API access + CloudWatch integration |
| Enterprise / Enterprise On-Ramp | All checks + priority refresh + TAM recommendations |
The security checks in the Basic plan cover only the most critical issues (open S3 buckets, unrestricted SSH). If you rely on Trusted Advisor for security compliance, you need Business or Enterprise support. For comprehensive security checks, complement Trusted Advisor with AWS Security Hub.
Automating Trusted Advisor with API and EventBridge
Trusted Advisor checks can be accessed programmatically via the Support API (aws support describe-trusted-advisor-checks). This enables automated compliance reporting, ticketing integration, and alerting when check status changes.
# List all available Trusted Advisor checks
aws support describe-trusted-advisor-checks \
--language en \
--region us-east-1 # Support API is only available in us-east-1
# Get results for a specific check (e.g., "Security Groups - Unrestricted Access")
aws support describe-trusted-advisor-check-result \
--check-id BueAdJ7NrP # ID for unrestricted security groups check
# Trigger a refresh for a check
aws support refresh-trusted-advisor-check \
--check-id BueAdJ7NrPTrusted Advisor integrates with EventBridge to publish events when check status changes (from OK to WARNING or ERROR). You can use this to automatically open a Jira ticket, send a Slack alert, or trigger a Lambda remediation function.
The Support API is only accessible from us-east-1, regardless of where your resources are. This is a common stumbling block when automating Trusted Advisor - all API calls must specify or default to the us-east-1 region.
For Business and Enterprise customers, Trusted Advisor checks can also be monitored via CloudWatch metrics, allowing you to set alarms when the count of flagged resources for a check exceeds a threshold.
Trusted Advisor vs Security Hub vs Well-Architected Tool
These three services are often confused because they all provide recommendations for improving your AWS environment. They have distinct scopes and are complementary:
| Service | Scope | Format | Update Frequency |
|---|---|---|---|
| Trusted Advisor | Automated checks across 5 pillars for account-level resource issues | Traffic light status per check | Periodic (daily by default; API refresh on demand) |
| Security Hub | Security-focused findings aggregated from GuardDuty, Config, Inspector, Macie, and partner tools; mapped to security standards | ASFF-format findings with severity scores | Near real-time from source services |
| Well-Architected Tool | Structured workload review against 6 pillars; question-and-answer assessment | Milestones, improvement plan, risks per pillar | Manual - you update it when you review |
In practice: Trusted Advisor catches low-hanging fruit across all five pillars automatically. Security Hub is your security operations center for real-time threat and compliance findings. The Well-Architected Tool is used for formal workload reviews, typically quarterly or before major launches.
Service Limits, Service Quotas, and Proactive Limit Management
The Service Limits category in Trusted Advisor is often underestimated. Hitting a service quota can bring down a production service - EC2 instance launch fails silently, Auto Scaling cannot add capacity, or Lambda throttles. Trusted Advisor flags when utilization exceeds 80% of a quota limit.
AWS Service Quotas is the newer dedicated service for managing limits. It provides current quota values, usage metrics integrated with CloudWatch, and one-click quota increase requests without submitting a support ticket.
# List all quotas for a service
aws service-quotas list-service-quotas \
--service-code ec2
# Request a quota increase
aws service-quotas request-service-quota-increase \
--service-code ec2 \
--quota-code L-1216C47A \
--desired-value 100
# Get CloudWatch metric name for a quota (to alarm on)
aws service-quotas get-aws-default-service-quota \
--service-code lambda \
--quota-code L-B99A9384 # Concurrent executionsFor critical limits (EC2 concurrent instance counts, Lambda concurrent executions, ECS task counts), create CloudWatch alarms using the Service Quotas usage metrics. Alert at 70% utilization so you have time to request increases before hitting the limit.
Interview Focus Points
- 1What are the five categories of Trusted Advisor checks and give a specific example of a check in each?
- 2Why does the Trusted Advisor API only work in us-east-1 and how does that affect automation?
- 3How does Trusted Advisor differ from Security Hub - when would you use each?
- 4How would you automate alerting when a Trusted Advisor check status changes to ERROR?
- 5What is the difference between AWS Trusted Advisor and AWS Service Quotas for managing limits?
- 6Which Trusted Advisor checks are available on the free Basic plan vs the paid Business plan?
- 7How would you use Trusted Advisor data to build a weekly cost optimization report for your team?