AWS Trusted Advisor is a built-in AWS service that continuously evaluates your AWS environment against AWS best practices and provides actionable recommendations. It covers six categories — cost optimization, performance, security, resilience, operational excellence, and service limits — helping you identify misconfigurations and cloud waste.

 

In this essential guide, we’ll cover how Trusted Advisor works, best practices for making the most of it, as well as its limitations.

How Does AWS Trusted Advisor Work?

Trusted Advisor works by comparing your AWS resource configurations against a library of predefined best-practice checks. Each check evaluates a specific condition — an idle RDS instance, an unrestricted security group port, an underutilized EC2 instance — and returns one of three statuses:

  • Green (no problem detected): Your configuration aligns with the best practice.
  • Yellow (investigation recommended): A potential issue exists but may not require immediate action.
  • Red (action recommended): A clear deviation from best practices that should be addressed.

Results refresh automatically for accounts on Business Support+ plans and above. Basic and Developer Support accounts must refresh checks manually. You can also access results programmatically through the AWS Trusted Advisor API and integrate them with Amazon EventBridge for automated alerting.

For organizations managing multiple accounts, the Organizational View feature aggregates Trusted Advisor findings across your entire AWS Organization — useful for central cloud teams tracking compliance across dozens or hundreds of accounts.

AWS Trusted Advisor Check Categories

Trusted Advisor organizes its checks into six categories. As of 2026, accounts with Business Support+ or higher have access to 482 total checks. All accounts get 56 checks covering service limits and select security items.

Cost Optimization

These checks identify resources you’re paying for but not fully using. Examples include idle EC2 instances, underutilized EBS volumes, unassociated Elastic IP addresses, and RDS instances with no connections in the past seven days. Trusted Advisor also recommends Reserved Instance purchases based on your On-Demand usage history and flags opportunities for Savings Plans based on EC2, Lambda, and Fargate usage.

Security

Security checks flag exposed resources and misconfigurations. On the free tier, you get checks for publicly accessible S3 buckets, public EBS and RDS snapshots, unrestricted security group ports, and whether MFA is enabled on the root account. Paid plans add checks for IAM access key rotation, CloudTrail logging status, and more.

Performance

Performance checks look at resources that could benefit from configuration changes — like EBS volumes with high IOPS but provisioned throughput that doesn’t match, EC2 instances running older generation types, or CloudFront distributions without optimized caching.

Resilience (Fault Tolerance)

These checks evaluate redundancy and backup configurations. They flag load balancers without instances in multiple Availability Zones, Auto Scaling groups with a single AZ, EBS volumes without recent snapshots, and Route 53 health check misconfigurations.

Operational Excellence

Added as a category in 2023, operational excellence checks focus on management hygiene — things like whether you’re using AWS Config rules, whether your Lambda functions use deprecated runtimes, and whether your CloudFormation stacks have drifted from their templates.

Service Limits

Service limit checks compare your current resource usage against AWS account quotas. If you’re at 80% or more of a limit — like the maximum number of VPCs per region or the maximum number of Auto Scaling groups — Trusted Advisor flags it so you can request a quota increase before hitting a hard wall.

AWS Trusted Advisor vs. Inspector vs. Cost Explorer

These three services often get confused because they all “check” something in your AWS account. Here’s how they differ:

| Feature | AWS Trusted Advisor | AWS Inspector | AWS Cost Explorer |
| --- | --- | --- | --- |
| Primary purpose | Best-practice recommendations across 6 categories | Automated vulnerability scanning for workloads | Cost visualization and forecasting |
| What it checks | Resource configuration, usage patterns, service limits | Software vulnerabilities (CVEs), network exposure, code | Historical and projected spending |
| Scope | Account-wide (all services) | EC2 instances, Lambda functions, container images | Billing and usage data |
| Output | Recommendations with action items | Findings with severity scores | Charts, reports, RI/SP recommendations |
| Cost | Included with AWS Support plan | Per-assessment pricing | Free, included with all accounts |
| Best for | Ongoing operational hygiene | Security compliance and patching | Budget tracking and cost allocation |

In short: AWS Trusted Advisor evaluates whether your AWS infrastructure follows best practices. Inspector tells you whether your software has known vulnerabilities. Cost Explorer tells you what you’re spending and where.

Use Cases for AWS Trusted Advisor

Here are classic cases Trusted Advisor was built for:

Catching Idle Resources Before They Accumulate

Review Trusted Advisor’s cost optimization checks weekly to identify resources nobody is using. An RDS instance spun up for a proof-of-concept three months ago, an EBS volume detached from a terminated instance, an Elastic IP sitting unassociated — these individually small charges compound across dozens of accounts.

Pre-Launch Security Reviews

Before launching a new workload into production, teams use Trusted Advisor’s security checks as a lightweight validation pass. It won’t replace a full penetration test, but it catches obvious misconfigurations — publicly accessible snapshots, overly permissive security groups, missing encryption — that should never reach production.
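
An added example (not from the original article or from AWS) of running this pre-launch pass through the programmatic access mentioned earlier: it maps the API's status strings to the green/yellow/red statuses and fails the gate on red or unrefreshed security checks. The sample check ids and the `security_gate` and `fetch_security_checks` names are constructed for illustration; the live fetch assumes boto3, credentials, and a Support plan with API access.

```python
# Added example: gate a release on Trusted Advisor security checks.
# API status strings map to the console colours described in the article.
STATUS_COLOUR = {"ok": "green", "warning": "yellow", "error": "red"}

# Constructed sample data shaped like the AWS Support API responses
# (ids and names are placeholders, not real Trusted Advisor check ids).
SAMPLE_CHECKS = [
    {"id": "sample-sg", "name": "Unrestricted security group ports", "category": "security"},
    {"id": "sample-mfa", "name": "MFA on root account", "category": "security"},
    {"id": "sample-snap", "name": "Public EBS snapshots", "category": "security"},
    {"id": "sample-rds", "name": "Idle RDS instances", "category": "cost_optimizing"},
]
SAMPLE_SUMMARIES = [
    {"checkId": "sample-sg", "status": "error", "resourcesSummary": {"resourcesFlagged": 3}},
    {"checkId": "sample-mfa", "status": "ok", "resourcesSummary": {"resourcesFlagged": 0}},
    {"checkId": "sample-snap", "status": "not_available"},
    {"checkId": "sample-rds", "status": "error", "resourcesSummary": {"resourcesFlagged": 5}},
]

def fetch_security_checks():
    """Live fetch; needs boto3, credentials and a plan with API access."""
    import boto3  # imported lazily so the offline sample runs without it
    support = boto3.client("support", region_name="us-east-1")
    checks = [c for c in support.describe_trusted_advisor_checks(language="en")["checks"]
              if c["category"] == "security"]
    resp = support.describe_trusted_advisor_check_summaries(checkIds=[c["id"] for c in checks])
    return checks, resp["summaries"]

def security_gate(checks, summaries, block_on=("red",)):
    """Return (passed, findings) for security-category checks only."""
    names = {c["id"]: c["name"] for c in checks if c["category"] == "security"}
    findings = []
    for s in summaries:
        if s["checkId"] not in names:
            continue  # other categories do not block a security review
        # Statuses outside the map (e.g. "not_available": the check has not
        # been refreshed) become "unknown" and fail closed instead of passing.
        colour = STATUS_COLOUR.get(s["status"], "unknown")
        flagged = s.get("resourcesSummary", {}).get("resourcesFlagged", 0)
        if colour in block_on or colour == "unknown":
            findings.append((names[s["checkId"]], colour, flagged))
    return (not findings, findings)

if __name__ == "__main__":
    passed, findings = security_gate(SAMPLE_CHECKS, SAMPLE_SUMMARIES)
    for name, colour, flagged in findings:
        print(f"BLOCK {colour:8} {name} ({flagged} flagged)")
    raise SystemExit(0 if passed else 1)
```

Pass `block_on=("red", "yellow")` to make yellow findings block as well; to run against a real account, feed the output of `fetch_security_checks()` into `security_gate`.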

Proactive Service Limit Monitoring

Hitting an AWS service quota mid-deployment causes outages that are difficult to diagnose in the moment. Teams that monitor Trusted Advisor’s service limit checks proactively can request quota increases before hitting the ceiling — especially important during seasonal scaling events or rapid growth periods.

Multi-Account Compliance Dashboards

Using the Organizational View, central platform teams aggregate Trusted Advisor findings across all member accounts. This creates a compliance surface — on the Trusted Advisor Dashboard you can see which accounts have open high-risk security findings, which accounts waste the most on idle resources, and where operational excellence checks are failing.

Supporting AWS Well-Architected Reviews

Trusted Advisor checks align directly with the AWS Well-Architected Framework pillars. Teams preparing for a formal Well-Architected Review use Trusted Advisor output as a starting point, addressing flagged items before the review so they can focus the conversation on architectural decisions rather than basic misconfigurations.

AWS Trusted Advisor Pricing and Support Plans

Trusted Advisor itself doesn’t have separate pricing — it’s bundled with your AWS Support plan. What you get depends on which plan you’re on:

| Support Plan | Trusted Advisor Access | Minimum Cost |
| --- | --- | --- |
| Basic (free) | 56 checks: service limits, plus select security and fault tolerance checks | $0 |
| Business Support+ | All 482 checks, plus API access and auto-refresh | $29/month per account |
| Enterprise Support | All checks, plus Trusted Advisor Priority and TAM-prioritized recommendations | $5,000/month |

Note: AWS is discontinuing Developer Support, Business Support (legacy), and Enterprise On-Ramp plans on January 1, 2027. Customers on those plans will be migrated to Business Support+ or Enterprise Support. See AWS documentation for details.

For most organizations, the decision comes down to whether 56 free checks cover your needs or whether you need the full 482-check set with API access. If you’re managing more than a handful of accounts, the Business Support+ tier is typically the minimum for meaningful Trusted Advisor coverage.

Benefits of AWS Trusted Advisor

No agents or installation. Trusted Advisor is native to AWS. It reads your resource configurations directly — no software to deploy, no permissions to configure beyond your Support plan.

Continuous evaluation. On paid plans, checks refresh automatically. You don’t need to remember to run a scan — deviations surface as they happen.

Actionable output. Each recommendation includes a description of the issue, why it matters, and a direct link to the resource or documentation needed to fix it. 

Organizational visibility. For multi-account environments, aggregated views give leadership and platform teams a single pane of glass across the organization.

Integration-ready. Trusted Advisor integrates with EventBridge, AWS Config, Security Hub, and Compute Optimizer — so you can pipe recommendations into existing workflows, ticketing systems, or automation pipelines.

Limitations of AWS Trusted Advisor

Trusted Advisor is useful as a starting point, but it has clear boundaries.

Recommendations, not automation. Trusted Advisor tells you what’s wrong — it doesn’t fix anything. You still need to manually act on each recommendation or build automation around the API output.

Limited free tier. The 56 checks available on Basic accounts cover service limits and a handful of security items. Cost optimization, performance, and operational excellence checks require a paid Support plan.

Point-in-time snapshots. Checks refresh periodically (typically daily on paid plans), not in real time. A misconfiguration introduced at 9 AM might not surface until the next refresh cycle.

No cross-cloud visibility. Trusted Advisor only evaluates AWS resources. If you run workloads across multiple providers, you need separate tooling for Azure and GCP.

Generic thresholds. Trusted Advisor uses fixed thresholds (like flagging RDS instances idle for 7 days). It doesn’t learn your organization’s specific patterns or adjust recommendations based on your workload characteristics.

How nOps Goes Beyond AWS Trusted Advisor

While Trusted Advisor surfaces best-practice checks, taking action on recommendations still falls to your team. 

nOps does the optimization on your behalf, freeing your engineers to focus on building and innovating. We operate on a results-based model, which means you pay only a fraction of the additional savings we generate for you. You get:

  1. Full cost visibility across AWS, Azure & GCP
  2. Commitment Management that automatically optimizes your savings and reduces your risk
  3. Free Savings Analysis so you can find out in just 30 minutes how much you can save

If you’re looking to get best-in-class AWS savings rates without any manual effort, schedule a demo with one of our AWS experts.

nOps optimizes $4 billion in cloud spending and was recently ranked #1 in G2’s Cloud Cost Management category.

FAQ

Let’s dive into a few FAQs about AWS Trusted Advisor, the AWS Management Console, and more.

All AWS accounts get 56 checks at no cost, covering service limits and select security and fault tolerance items — including S3 bucket permissions, public EBS/RDS snapshots, unrestricted security group ports, and root account MFA status.
You can use the free-tier checks on any account. To unlock all 482 checks, Trusted Advisor APIs, and automatic refresh, you need Business Support+ ($29/month minimum) or higher.
On Business Support+ and Enterprise plans, checks refresh automatically (typically daily). On Basic and Developer plans, you must manually trigger a refresh from the console.