Comprehensive Guide to the AWS Trusted Advisor
The AWS (Amazon Web Services) Trusted Advisor helps you get an almost perfect cloud by giving recommendations based on the AWS Well-Architected Framework. If you’re familiar with the AWS Well-Architected model, you know that the cloud should be secure, reliable, fault-tolerant, and cost-optimized.
With hundreds of best practices in each pillar, it's challenging to become Well-Architected the manual way. The AWS Trusted Advisor saves time by automating the Well-Architected Framework Review (WAFR) process.
AWS Trusted Advisor vs. Inspector vs. Cost Explorer
The AWS Cost Explorer dives deep into cost-related metrics and gives recommendations based on past usage. The Trusted Advisor provides best-practice recommendations that go beyond costs. The AWS Inspector, on the other hand, checks for security vulnerabilities in your AWS infrastructure.
How Does the AWS Trusted Advisor Work?
The AWS Trusted Advisor has inbuilt design principles and best practices of an AWS Well-Architected infrastructure. Once you subscribe to a support plan, the Trusted Advisor analyzes your infrastructure against those best practices. The Trusted Advisor gives action items and helpful links to help you optimize your cloud. You can use Trusted Advisor to detect service quotas, performance, and security problems.
Benefits of AWS Trusted Advisor
The AWS Trusted Advisor can help you meet compliance faster as you will have a more secure cloud.
Optimize Cloud Costs
The AWS Trusted Advisor analyzes past usage patterns and configurations that affect your cloud spend. You can optimize costs by identifying underutilized resources, terminating idle resources, or downgrading resources. Example checkpoints include:
- Optimize EC2 Costs: The Trusted Advisor checks whether your RI (Reserved Instance) purchases are lower than corresponding On-Demand usage. The Trusted Advisor finds ways of saving you costs through Reserved Instances. The Trusted Advisor performs multiple simulations for each usage category to maximize RI purchases.
- Idle Amazon RDS DB Instances: The Trusted Advisor checks for any idle database instances on RDS (Relational Database Service) workloads and recommends the deletion of instances that were inactive for the past seven days.
- High-Risk Issues: The AWS high-risk issues may make your costs escalate. The Trusted Advisor pulls this information from the Well-Architected Review reports.
- AWS Savings Plan: The Trusted Advisor recommends using the AWS Savings plan based on AWS Lambda, Fargate, and EC2 usage for the previous month. You can save on these resources through one to three-year commitment plans.
- Unassociated Elastic IPs: AWS charges for Elastic IPs, so one way to save costs is to check for Elastic IPs disconnected from EC2.
- Underutilized EBS Volumes: The Trusted Advisor warns against underutilized EBS volumes, so you only pay for what you use.
Improve Cloud Security
AWS gets best practices on security from leading industry standards and security experts. AWS systems can examine your system for potential flaws and help you practice sound cyber hygiene. Here are common security checkpoints:
- Amazon S3 Bucket Permissions: Some S3 configurations may have permissions that are too permissive; these include open access ports and allowing login on all IP addresses.
- AWS CloudTrail Logs: The Trusted Advisor examines logs on any changes made to the account from various IAM users. CloudTrail can report abnormal activities for further investigation.
- Exposed Access Keys: People with your access key can access the cloud remotely, making your system vulnerable. The Trusted Advisor detects exposed access keys through popular code platforms. The Trusted Advisor limits certain functions temporarily to help secure the account.
- IAM Access Key Rotation: The Trusted Advisor ensures that IAM (Identity and Access Management) access keys rotate every 90 days.
- IAM Password Policies: The Trusted Advisor checks for weak passwords and disabled password policies.
- MFA: The AWS Well-Architected Framework recommends the use of MFA (multi-factor authentication) for root users. Root users have to use MFA to get a code on mobile apps, email, or SMS before accessing the infrastructure.
Check Service Quotas
Regardless of your support plan, you can check whether you exceed service quotas through the AWS Trusted Advisor. Service quotas are the maximum limits on services you can launch in a given AWS account, including free-tier limits. Some service quota checkpoints include:
- Auto-Scaling Groups: Checks if you’ve used more than 80% of the Auto Scaling group quota.
- EC2 On-Demand Instances: Checks if the CPU utilization of On-Demand instances is more than 80%.
- EC2 Reserved Instance Plans: Checks if the RI usage is more than 80% of the RI lease agreement.
- Route53 Zones: Each account has a limited number of Route53 hosted zones.
AWS Support Plans
To use AWS Trusted Advisor, you’ll need an AWS Support plan.
- The AWS Basic Support and Developer Support Plan gives access to basic security checks and checks on all service quotas.
- AWS Business and Enterprise customers have full access to all AWS Trusted Advisor checks.
The Bottom Line
Having the AWS Trusted Advisor can go a long way toward securing your cloud resources and improving operational efficiency, performance, and more. Ideally, the Trusted Advisor helps cloud users provision their resources optimally.
At nOps, we provide deeper visibility, an intuitive user interface, and faster implementation of AWS Trusted Advisor Recommendations. nOps also prioritizes each recommendation and lets you work on what makes the most impact in your compliance journey. nOps helps AWS users become better architected, faster, without compromising any best practice.