AWS Trusted Advisor – AWS Best practices to Optimize Performance and Security!

When you first start using AWS, keeping track of what you have done is quite simple; but, as your account profile expands, sub-optimal scenarios in terms of cost management and performance may emerge that go unreported.

In short, unused or obsolete snapshots, storage volumes that are no longer in use, resources that are not tied to instances, and so on are all costing your company money.

It’s also possible that you’ve set up resources that aren’t optimized for security, performance, or fault tolerance.

AWS Trusted Advisor is a service that examines all of the resources in your AWS account and recommends changes to bring them into compliance with AWS best practices.

What is AWS Trusted Advisor?

AWS Trusted Advisor is a real-time AWS tool that assists you in provisioning your resources according to AWS best practices.

It performs checks to assist you in optimizing your AWS infrastructure, improving security and performance, lowering overall costs, and monitoring service restrictions.

Always take advantage of the recommendations given by Trusted Advisor, whether you are developing new applications or making ongoing improvements. It helps keep your solutions optimally provisioned.

There are 3 categories of fundamental recommendations:

  • No problem detected – a green check
  • Investigation recommended – an orange exclamation mark
  • Action recommended – a red exclamation mark

AWS Trusted Advisor Checks and Benefits

Trusted Advisor has a huge number of checks that can be performed on a variety of services. There are five different types of checks –

Cost Optimization

By identifying idle resources or committing to reserved capacity, the recommendations made by Trusted Advisor can help you save money.

  1. EC2
    • Checks for any EC2 instances that consumed less than 10% CPU capacity or had network I/O < 5MB in the previous 14 days.
    • Finds reserved EC2 instances that are about to expire in the next 30 days.
    • Compares the use of reserved instances vs on-demand instances.
  2. EBS – Examines volume settings and alerts you to any volumes that look to be underutilized.
  3. Load Balancers – Looks for load balancers that aren’t in use.
  4. RDS –
    • Looks for database instances that don’t seem to be in use.
    • Recommends utilizing RDS reserved instances instead of on-demand RDS where possible.
  5. Elastic IP – Looks for EIPs that aren’t linked to any EC2 instances.
  6. Route 53 – Looks for record sets that have been configured in an inefficient way.
  7. Redshift –
    • Looks for unused clusters in your Amazon Redshift architecture.
    • Recommends using reserved nodes instead of on-demand Redshift resources to save money.

Performance

By verifying your service limits and monitoring instances, you can improve the overall performance of your applications and cloud infrastructure.

  1. EC2 –
    • Checks for EC2 instances that have used 90% of their CPU for 4 days in the last 14 days.
    • Checks for an excessive number of rules in all of your security groups.
  2. EBS –
    • Checks EBS magnetic volumes that are overused and could benefit from a more efficient design.
    • Checks for volumes that may be impacted by the EC2 instance’s throughput capability.
  3. Route 53 – Looks for resource record sets that can be aliased.
  4. CloudFront –
    • Examines the HTTP request headers.
    • Looks for buckets on S3 that don’t use CloudFront.
    • Checks for CNAMEs that have DNS settings which are wrongly set up.

Security

Users can harden their AWS services against intruders by setting various security mechanisms with the help of AWS Trusted Advisor.

  1. Security Groups –
    • Checks security groups that provide unlimited access to specified resources.
    • Examines the level of database access provided by security groups.
  2. IAM –
    • To discourage the usage of root access, it checks for the presence of at least one IAM user.
    • Checks your root account for multi-factor authentication and issues a warning if it isn’t enabled.
    • Checks if the password policy for your AWS account is enabled, as well as the password content criteria.
    • Active IAM access keys that haven’t been rotated in the last 90 days are checked.
  3. S3 – Examine your S3 buckets for open permissions or buckets that anyone with an AWS account may access.
  4. CloudTrail – This check verifies that you are using CloudTrail.
  5. Route 53 – Looks for a valid SPF record in the record sets.
  6. ELB –
    • Checks for elastic load balancers with listeners that do not communicate in an encrypted manner.
    • Checks for security groups that aren’t related to the ELB, as well as configurations that allow port access that isn’t associated with the ELB.
  7. CloudFront –
    • Checks for issues with CF alternative domain names, as well as when they are about to expire.
    • Checks for SSL certificates that have expired, are about to expire or are not encrypted properly.
  8. Access Keys – Checks for publicly exposed access keys in prominent code repositories, as well as suspicious activity on EC2 instances that could be the result of hacked access keys.
  9. Snapshots –
    • Checks the permissions of your EBS volume snapshots and issues a warning if they are set to public.
    • Checks for and cautions about public Amazon RDS Database snapshots.
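
The IAM checks listed above (root MFA, at least one IAM user, active keys older than 90 days) can be reproduced offline against an IAM credential report. This is an added example, not code from the original post and not Trusted Advisor's own implementation; the sample report, account ID, user names and the function name are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation window stated in the IAM check above

# Constructed sample in the IAM credential report CSV layout (columns trimmed
# to the ones used here); the users, ARNs and dates are made up.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-01-10T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,false,true,2024-05-20T09:00:00+00:00,true,2023-11-02T09:00:00+00:00
"""

def audit_credential_report(report_csv, now):
    """Return (user, problem) findings for root MFA, missing IAM users and stale active keys."""
    findings = []
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    if not any(r["user"] != "<root_account>" for r in rows):
        findings.append(("account", "no IAM users exist; root is the only identity"))
    for row in rows:
        if row["user"] == "<root_account>" and row["mfa_active"] != "true":
            findings.append((row["user"], "root account has no MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys are outside the rotation check
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated in ("N/A", ""):
                continue  # no rotation timestamp recorded for this slot
            age = now - datetime.fromisoformat(rotated)
            if age > MAX_KEY_AGE:
                findings.append((row["user"], f"access key {slot} is {age.days} days old"))
    return findings

if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date so output is stable
    for user, problem in audit_credential_report(SAMPLE_REPORT, as_of):
        print(f"{user}: {problem}")
```

Against a live account, the same function can be fed the CSV downloaded from the IAM console's credential report page instead of the constructed sample.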

Fault Tolerance

Tips for improving the resiliency of your applications by identifying health issues, missing backups, and redundancy gaps.

  1. EC2 – Examines the distribution of EC2 instances throughout a region’s availability zones.
  2. EBS – Checks the age of your EBS volume snapshots.
  3. Load Balancer – Examines your load balancers for optimization.
  4. VPN Tunnel – Checks how many tunnels your VPNs have configured.
  5. Auto Scaling Group –
    • Checks for resource availability in the autoscaling group launch setup.
    • Also examines the autoscaling groups’ health check configuration.
  6. RDS –
    • Checks RDS instances for automated backups.
    • Raises an alert when DB instances are configured in a single availability zone.
  7. S3 –
    • Checks the S3 bucket’s logging configuration.
    • Checks for versioning that has been suspended or disabled in S3 buckets.
  8. Route 53 –
    • Checks the setup of the Route 53 name server.
    • Checks for resource record sets connected with health checks that have been destroyed.
    • Looks for failover resource record sets that aren’t configured correctly.
  9. ELB –
    • Checks for cross-zone load balancing.
    • Checks for load balancers with connection draining turned off.
  10. Aurora DB – Checks for any Aurora DB cluster with both public and private instances.

Service Limit

The service limit check looks for resource usage that is more than 80% of the configured limits. The following are the services it checks:

  1. DynamoDB
  2. EBS
  3. EC2
  4. Kinesis
  5. RDS
  6. Route 53
  7. SES
  8. VPC
  9. ASG
  10. CloudFormation
  11. ELB
  12. IAM

Features of AWS Trusted Advisor

You may further customize recommendations and monitor your AWS resources with AWS Trusted Advisor’s various features –

Recent Changes

On the console dashboard, you may keep track of recent changes in check status. The most recent modifications are displayed at the top of the list to draw your attention to them.

Note – This feature is only available with a Business or Enterprise level support plan.

Exclude Items

You can modify the Trusted Advisor report by using the “exclude items” option (previously known as “suppress”). If items are not relevant, then you can exclude them from the check result.

The excluded items will appear individually, and you can restore (include) them at any time.

Action Links (Beta)

On the console dashboard, you may view recent changes in check status. In order to draw your attention to the most recent changes, they show at the top of the list.

Access Management

You can restrict access to individual checks or check categories using Amazon Identity and Access Management (IAM).


A check can be refreshed every 5 minutes. By pressing the Refresh All button in the top-right corner of the summary dashboard, you can refresh specific checks or all of them at once.

How does it work?

As shown in the image, each service category delivers appropriate checks that compare the organization’s architecture to AWS best practices.

Following the completion of the checks, the console presents an overview of the check, including the status and action recommendation.

The action recommended section includes links to the services in the AWS Management Console, where administrators can take corrective action based on the recommendations.

A full dashboard is also available on the Trusted Advisor webpage, indicating the overall condition of each category.


As a result, it enables large organizations to consolidate expense suggestions from AWS Trusted Advisor across various accounts into a single spot.

Resource tags will also help to improve the data visualization and link cost opportunities to specific resources. Finally, the historical view of cost optimizations through time is a useful feature.
