What is AWS Trusted Advisor?

AWS Trusted Advisor is a service that inspects all the resources present in your AWS account and suggests improvements to bring them in line with AWS best practices.

When you first start using AWS it is reasonably easy to keep track of what you have running, however as time goes on and your account footprint grows you may start to get sub-optimal scenarios in terms of cost management and performance that go unnoticed.

You may have orphaned resources, unused or obsolete snapshots, storage volumes that are no longer in use, resources that are not attached to instances, the list goes on and these resources are costing your business money. You may also have resources configured that aren’t optimised for security, performance or fault tolerance.

Trusted Advisor checks five categories of best practice compliance being cost optimization, performance, security, fault tolerance and service limits.

The dashboard will also display recent changes in your findings and a what’s new section showing what new checks have been introduced the the service.

The findings on the trusted advisor dashboard are color coded with green meaning all is well, yellow meaning something isn’t quite right and needs attention and red meaning you need to take immediate action to resolve a potentially catastrophic config error.

Trusted advisor has saved AWS customers using the service many millions of dollars in unnecessary cloud spend by highlighting cost savings. These typically take the form of over provisioned instance sizes or under utilized resources like EBS volumes. Eliminating unused resources, suggesting more optimal configurations and right-sizing compute and storage is the methodology that trusted advisor uses to deliver the savings.

Trusted advisor will alert you when problems are detected, however the service also integrates with Amazon CloudWatch event to trigger AWS Lambda functions to automate the resolution of the detected errors.

You can enter contact email details for notifications related to billing, operations and security within the preferences

Download Trusted Advisor Findings

AWS Trusted Advisor Findings can be downloaded in microsoft excel or csv formats using the download icon.

The download icon can be found on the top right of the trusted advisor dashboard, which will download all findings. There is also an icon adjacent to each individual finding that will allow you to download individual findings.

Refreshing Trusted Advisor Findings

On the dashboard, you can find a refresh icon:

This icon will trigger a refresh of the findings for your entire account. Alongside each individual finding you will see the last time it was refreshed and another refresh icon. This will allow you to trigger a refresh for a single trusted advisor check.

AWS Trusted Advisor Cost Optimization

The checks performed in the Cost Optimization category include:

Low Utilization of EC2 Instances — checks any EC2 instances that were running in the past 14 days that used under 10% CPU capacity or had network I/O under 5MB

Idle Load Balancers — checks for unused load balancers

Under used EBS Volumes — checks volume configurations and reports volumes that appear to be under utilized

Unassociated Elastic IP addresses — checks for EIPs not associated with any EC2 instances

Idle AWS RDS instances — checks for database instances that appear to be unused.

Route 53 latency record sets — checks for inefficiently configured record sets.

Underutilized Redshift Clusters — checks your Amazon Redshift configuration for underutilized clusters.

Amazon EC2 Reserved Instance lease expiration — looks for reserved EC2 instances that are scheduled to expire in the next 30 days.

EC2 Instance Optimization — analyses the use of reserved instances vs on-demand instances

Savings Plan — checks your Fargate, EC2 and Lambda usage over the past 30 days and provides savings plan purchase recommendations.

Amazon Elasticache reserved node optimization — reviews your Elasticache usage and suggests the purchase of reserved nodes over on-demand where it will save money.

Redshift reserved node optimisation — suggests adopting reserved nodes over redshift on-demand resources where it will save you money

RDS reserved instance optimisation — suggests adopting RDS reserved instances instead of using on-demand RDS where beneficial

ElasticSearch reserved instance optimisation — recommends the use of ElasticSearch reserved instances over on-demand instances where it will save money.

AWS Lambda Timeouts — Checks for Lambda functions with excessive timeout rates that might result in much higher costs.

AWS Lambda Errors — Checks for Lambda functions with high error rates that may result in higher costs.

AWS Trusted Advisor Performance Category

In the performance category, AWS trusted advisor checks for:

High utilization EC2 Instances — checks for EC2 instances hitting 90% CPU usage for 4 days in the past 14 days.

EBS Provisioned IOPS Volume Config — checks for volumes attached to EBS-optimizable EC2 instances that are not currently EBS-optimized.

Excessive EC2 security group rules — checks all your security groups for excessive number of rules.

Excessive instance rules — checks for EC2 instances with a large amount of security group rules.

Route 53 alias record sets — checks for resource record sets that can be changed to alias record sets.

Over utilized EBS Magnetic Volumes — checks for over used EBS magnetic volumes that could benefit from a more efficient configuration

Cloudfront Content Delivery — checks for S3 buckets that aren’t using cloudfront.

Cloudfront header forwarding and cache hit ratio — checks HTTP request headers.

EC2 to EBS throughput — checks for volumes that may be affected by the throughput capability of the EC2 instance they are attached to.

Cloudfront alternate domain names — checks for CNAMES that have incorrectly configured DNS settings.

AWS Trusted Advisor Security Category

Amazon EBS Public Snapshots — Checks the permissions of your EBS volume snapshots and warns if they are marked as public

RDS Public Snapshots — Checks your Amazon RDS Database snapshots and warns if they are public

S3 Bucket Permissions — checks your S3 buckets for open permissions or buckets that allow access by any authenticated AWS user.

IAM in use — checks for the presence of at least one IAM user to discourage the use of root access.

MFA on root account — Checks your root account and warns if multi-factor authentication is not set up.

Security Groups 0.0.0.0/0 — warns if you have security groups that allow unrestricted access for specific ports.

Security Groups unrestricted access — checks security groups that allow unrestricted access to specific resources.

IAM password policy — checks if your AWS account password policy is enabled and if the password content requirements have been enabled.

RDS Security Group access risk — checks the level of access to your databases granted by security groups.

Amazon Route 53 MX — checks the record sets for a valid SPF record.

AWS CloudTrail Logging — Checks for your use of CloudTrail.

ELB Listener Security — Checks for elastic load balancers with listeners without encrypted communication.

ELB Security Groups — Checks for missing security group or configurations that allow port access that aren’t associated with the ELB.

CloudFront SSL Certs in the IAM Certificate Store — checks for problems or impending expiry of CF alternate domain names.

CloudFront SSL Certificate on the Origin Server — checks for SSL certificates that are expired, about to expire or not using appropriate encryption.

IAM Access Key Rotation — Checks active IAM access keys not rotated in the past 90 days.

Exposed Access Keys — checks popular code repos for publicly exposed access keys or suspicious activity on EC2 instances that could be the result of compromised access keys.

Deprecated Lambda function runtimes — Checks for Lambda functions that are using deprecated or soon to be deprecated runtimes.

AWS Trusted Advisor Fault Tolerance Checks

EBS Snapshots — Checks the age of your EBS volume snapshots

EC2 Availability Zone Balance — checks the distribution of EC2 instances across availability zones in a region.

Load Balancers — checks the optimization of your load balancers.

VPN Tunnel redundancy — checks the number of tunnels configured for your VPNs.

Autoscaling Group Resources — checks the availability of resources defined in autoscaling group launch configuration.

RDS Backups — checks for automated backups of RDS instances.

RDS Multi-AZ — warns when DB instances are configured in a single availability zone.

Autoscaling group health check — inspects the health check config for autoscaling groups.

S3 Bucket Logging — Checks the logging config for S3 buckets.

Route 53 Name Server delegations — Checks for Route 53 name server configuration.

Route 53 High TTL Resource record sets — checks for record sets that could benefit from a lower TTL value.

Route 53 Failover — checks for misconfigured failover resource record sets.

Route 53 Deleted health checks — Checks for resource record sets associated with deleted health checks.

ELB Cross-zone load balancing — checks for the presence of cross-zone load balancing.

ELB Connection Draining — Checks for load balancers that do not have connection draining enabled.

S3 Bucket Versioning — Checks S3 buckets with suspended or disabled versioning.

AWS Direct Connect Redundancy — checks that regions have only one AWS direct connect connection.

AWS Direct Connect Location Redundancy — checks for the presence of AWS direct connect connections that only have one location configured.

AWS Direct Connect Virtual Interface Redundancy — Checks for Virtual Private Gateways with VIFs that are connected to a single direct connect connection.

Amazon Aurora DB instance accessibility — checks for any Aurora DB cluster that has both public and private instances.

AWS Lambda VPC enabled functions with a single AZ — checks VPC-enabled Lambda functions that only exist in one AZ.

AWS Trusted Advisor Service Limit Checks

The service limit checks for usage of resources that have exceeded 80% of the configured limits. The checks are performed against:

  • Auto Scaling Groups
  • Auto Scaling Launch Configurations
  • CloudFormation Stacks
  • DynamoDB Read Capacity
  • DynamoDB Write Capacity
  • EBS Active Snapshots
  • EBS Volume Storage
  • EC2 On-demand Instances
  • EC2 Reserved Instance Leases
  • EC2 Classic Elastic IP Addresses
  • EC2-VPC Elastic IP Address
  • ELB Application Load Balancers
  • ELB Classic Load Balancers
  • ELB Network Load Balancers
  • IAM Group
  • IAM instance Profiles
  • IAM Policies
  • IAM Roles
  • IAM Server Certificates
  • IAM Users
  • Kinesis Shards per Region
  • RDS Cluster Parameter Groups
  • RDS Cluster Roles
  • RDS Clusters
  • RDS DB Instances
  • RDS Manual DB Snapshots
  • RDS DB Parameter Groups
  • RDS DB Security Groups
  • RDS Event Subscriptions
  • RDS Max Auths per Security Groups
  • RDS Option Groups
  • RDS Read Replicas per Master
  • RDS Reserved Instances
  • RDS Subnet Groups
  • RDS Subnets per Subnet Group
  • RDS Total Storage Quota
  • Route 53 Hosted Zones
  • Route 53 Max Health Checks
  • Route 53 Reusable Delegation Sets
  • Route 53 Traffic Policies
  • Route 53 Traffic Policy Instances
  • SES Daily Sending Quota
  • VPC
  • VPC Internet Gateways

This introduction video walks through the service:

So that’s a quick rundown on AWS Trusted Advisor and what it can do for you.

If you are using Hava.io you can get this information as part of the AWS Compliance Report available within Hava.

The reporting module is accessed from the sidebar of your main Hava dashboard

Once selected the reports dashboard is opened showing the available reports for each AWS account connected to your hava.io data sources

Selecting the required compliance report will open up the detailed report showing

  • An Account Summary
  • Region usage (Map)
  • Graphs Summary
  • Findings

AWS COMPLIANCE REPORTING — REGION USAGE

The region usage section of the AWS compliance reports display a world map with the locations of the regions detected in your AWS account configuration.

The report also displays a table of all known available regions and indicates whether your network configuration is using them or not. Given the importance of load speed and latency this section of the report can highlight where gains can be made when comparing to the location of your application users.

The region report will also demonstrate that your data is stored in appropriate geographical locations in line with local data security compliance regimes like GDPR.

AWS COMPLIANCE REPORTING — GRAPH SUMMARY

Hava’s AWS compliance report includes a number of interactive graphs. The first of which is the Resources by Region graph.

This graph details and totals the resources found in each active region in your AWS console configuration.

The check boxes beneath the graph enable you to turn hide/show resource types in the graph.

Hovering over coloured sections of the bars will pop out an information box with details that relate to that section of the graph.

In the top right hand corner of each graph is a dotted icon that allows you to export just the selected graph to your choice of xls, csv, png or jpeg formats.

AWS COMPLIANCE REPORTING — TOTAL RESOURCES GRAPH

As the name suggest the next graph on the report the “Total Resources” graph details resources totalled by resource type. The same hover and export functionality is available for this graph.

IAM USERS AND ROLES

The final AWS Compliance graph in the series details the number of active and inactive IAM users and roles discovered in your AWS source account.

No account specific details are displayed, only the number of user and roles found and whether they are active or not. From an AWS best practice and security perspective, removing inactive or unused IAM credentials assists in the overall security of your cloud infrastructure.

As with all the other interactive graphs, you are able to toggle on/off visibility of both active and inactive users and roles.

AWS COMPLIANCE REPORTING — BEST PRACTICE FINDINGS

The next section of the report runs through your resources and applies AWS Trusted Advisor style analysis which is visualised as either Informational, or a Low, Medium or High concern level.

This report section starts with a pie chart visualization of the resource types and the percentage of concern levels associated with each resource group.

This chart is also interactive and exportable. Selecting a section of the chart will reveal details about the number, size and gravity of the findings. On the example above, the centre wheel represents the overall number of findings.

Selecting the “Medium” segment for instance, reveals that 4 medium level findings (22.2% of the overall findings) were discovered.

The remainder of the report goes into detail on the nature of each of the findings that make up the above graph.

If we take a look at one of the four medium level findings we can see a summary of a “IMDSv2 not enforced” finding. Clicking the “more…” option reveals the configuration/policy that caused the warning.

An example of a critical “High” level finding is reported in this example against EC2

Low level findings typically make up the bulk of discovered potential configuration improvements like the following:

For presentation, audit and archive purposes the entire compliance report can be exported to PDF by selecting the ‘Export’ function in the top right of the report.

The details in the findings revealed by the ‘more…’ option in the report will be expanded in the exported PDF document.

Resources / Services reported on

Hava’s Compliance reporting currently includes the following services:

Service / Resource Name

Access Analyzer

API Gateway

Autoscaling

Cloudformation

Cloudfront

Cloudsearch

Cloudtrail

Cloudwatch

Config

Directconnect

EC2

ECR

ECS

EFS

EKS

ElastiCache

Elastic Beanstalk

ELB

ELBv2

ES

Events

Firehose

Glacier

GuardDuty

IAM

KMS

Lambda

Lightsail

Logs

Organizations

RDS

RedShift

Route53

S3

Secrets Manager

SNS

SQS

STS

The AWS compliance reporting tool is now generally available as part of as part of the suite of Hava’s automated network topology diagramming and security visualization tools that enable cloud engineers and DevOps teams to easily visualize their AWS, Azure and GCP cloud environments.

Hava’s automated methodology not only ensures your network topology documentation is always up to date, it also detects changes and records a full version history that is fully interactive and can be inspected in detail as soon as you connect your cloud accounts to Hava.

Available in both an easy hands-free SaaS version or as a fully self-hosted enterprise solution Hava continues to be the hands-free cloud documentation choice of top dev teams across the globe.

You can check out the new reporting module starting with the AWS compliance report as well as all the automated diagrams, unique AWS security visualization and version history by contacting us or taking Hava for a free 14 day trial here: https://www.hava.io

Originally published at https://www.hava.io.

Tech Writer, Developer, Marketer and Generator of Leads.