AWS Trusted Advisor Items That Actually Matter: Essential Checks for Cost, Security, and Reliability

AWS Trusted Advisor reviews your AWS environment against AWS best practices in six categories: cost optimization, security, fault tolerance, performance, operational excellence, and service limits. This guide focuses on the high-value checks for production and multi-account environments, with an emphasis on cost control, risk reduction, and operational stability.

Trusted Advisor draws on other services, including Cost Optimization Hub, Compute Optimizer, and Service Quotas. Results can be viewed per account or, with AWS Organizations, aggregated across accounts through the organizational view. Refresh behavior varies by check: many refresh automatically, while others must be refreshed manually. Coverage depends on your Support plan: every account receives a core set of checks (basic security and service limits), while Business Support or higher unlocks the full set of checks and access through the Support and Trusted Advisor APIs.

Cost Optimization Checks

These checks identify underutilized resources and savings opportunities. Opt in to Cost Optimization Hub and Compute Optimizer for the most accurate, continuously updated recommendations; after opting in, the first recommendations appear within hours to a day.

EC2 Rightsizing and Idle Resources

Highlights EC2 instances with low or no utilization across CPU, network, and I/O. These insights drive recommendations for rightsizing, modernizing instance families, or termination.

Why it matters: Reduces spend on mismatched instances.

Action:

  • Review in Cost Optimization Hub or Compute Optimizer.
  • Resize, stop, or terminate.
  • Cross-validate with Cost Explorer trends.

EBS Volume Optimization

Identifies unattached, idle, or low-utilization volumes.

Why it matters: Storage costs add up on forgotten resources.

Action:

  • Delete unattached volumes.
  • Downsize or change types.
  • Snapshot anything you are unsure about before deleting it, and let AWS Backup policies manage retention.
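The unattached-volume check above is easy to reproduce and extend on your own. The script below is an added example (not code from the original post): it runs over the `Volumes` list shape that EC2 `describe_volumes` returns and the `Snapshots` list from `describe_snapshots`, lists volumes that have been in the `available` state for at least a minimum age, and marks whether a completed snapshot already exists so you know which ones to snapshot before deleting. The volumes, snapshots, and reference date are constructed so it runs offline.

```python
"""Find unattached EBS volumes that are safe to delete.

Added example (not from the original post). It runs over the `Volumes` list
shape returned by EC2 `describe_volumes` and the `Snapshots` list from
`describe_snapshots`; the data below is constructed so the code runs offline.
"""
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample data mirroring the boto3 response shapes.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "available", "Size": 100, "VolumeType": "gp3",
     "CreateTime": datetime(2024, 1, 1, tzinfo=UTC), "Attachments": []},
    {"VolumeId": "vol-0bbb", "State": "in-use", "Size": 50, "VolumeType": "gp3",
     "CreateTime": datetime(2023, 7, 1, tzinfo=UTC),
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "State": "attached"}]},
    {"VolumeId": "vol-0ccc", "State": "available", "Size": 500, "VolumeType": "io2",
     "CreateTime": datetime(2024, 5, 20, tzinfo=UTC), "Attachments": []},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "VolumeId": "vol-0aaa", "State": "completed",
     "StartTime": datetime(2024, 5, 1, tzinfo=UTC)},
    # A pending snapshot does not count as a usable backup yet.
    {"SnapshotId": "snap-0ddd", "VolumeId": "vol-0ccc", "State": "pending",
     "StartTime": datetime(2024, 5, 31, tzinfo=UTC)},
]

# Fixed "now" so the sample results are reproducible; use datetime.now(UTC) in practice.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=UTC)


def unattached_volume_candidates(volumes, snapshots, now, min_age_days=30):
    """Return unattached volumes older than `min_age_days`, oldest first.

    A volume is only a deletion candidate when it is in the `available` state
    (no attachments). `HasSnapshot` says whether a completed snapshot exists,
    so the caller can decide whether to snapshot before deleting.
    """
    completed = {s["VolumeId"] for s in snapshots if s.get("State") == "completed"}
    candidates = []
    for vol in volumes:
        if vol.get("State") != "available" or vol.get("Attachments"):
            continue
        age_days = (now - vol["CreateTime"]).days
        if age_days < min_age_days:
            continue  # recently created; may be mid-migration, leave it alone
        candidates.append({
            "VolumeId": vol["VolumeId"],
            "SizeGiB": vol["Size"],
            "VolumeType": vol["VolumeType"],
            "AgeDays": age_days,
            "HasSnapshot": vol["VolumeId"] in completed,
        })
    return sorted(candidates, key=lambda c: -c["AgeDays"])


def delete_plan(candidates):
    """Split candidates into volumes to snapshot first and volumes to delete now."""
    snapshot_first = [c["VolumeId"] for c in candidates if not c["HasSnapshot"]]
    delete_now = [c["VolumeId"] for c in candidates if c["HasSnapshot"]]
    return {"snapshot_first": snapshot_first, "delete_now": delete_now}


def sample_run():
    """Run the audit over the constructed data with the fixed reference date."""
    found = unattached_volume_candidates(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, REFERENCE_NOW)
    return found, delete_plan(found)


if __name__ == "__main__":
    found, plan = sample_run()
    for c in found:
        print(c)
    print(plan)
```

The minimum-age guard matters in practice: volumes detached during an instance replacement or migration sit in `available` for a few days and should not be swept up by a cost script. Lower `min_age_days` only for accounts where you know that pattern does not occur.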

Idle Load Balancers

Detects idle Classic, Application, or Network Load Balancers.

Why it matters: Idle ELBs/ALBs/NLBs incur charges.

Action:

  • Delete unused ones.
  • Monitor via Cost Explorer.

Savings Plans and Reserved Instances Recommendations

Recommends Savings Plans (flexible) or Reserved Instances based on usage patterns.

Why it matters: Significant discounts for steady workloads.

Action:

  • Implement via Cost Optimization Hub.
  • Review coverage quarterly.
  • Purchase incrementally to avoid overcommitment.

Additional high-value checks, powered by Cost Optimization Hub, cover RDS, ElastiCache, Lambda, DynamoDB, and more; review the full list in the console, sorted by estimated savings per resource.

Security Checks

Root Account MFA

Alerts if MFA is not enabled on the root user. AWS recommends a hardware MFA device for root, since it is the account's highest-privilege identity.

Why it matters: Root has unrestricted access, a prime target.

Action:

  • Enable MFA (preferably hardware) via IAM console.
  • In AWS Organizations, use centralized root access to manage root from the management account and remove root passwords and access keys from member accounts.
  • Enforce MFA for IAM users separately; roles have no MFA of their own, so require it at the identity provider or with an aws:MultiFactorAuthPresent condition in policies.
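Trusted Advisor only tells you that root MFA is missing; the IAM credential report lets you verify that and the related root hygiene items (no active access keys or signing certificates) from a script, and covers the separate "enforce MFA for IAM users" action in the same pass. The script below is an added example, not code from the original post: it parses the CSV that `iam.get_credential_report()` returns in its `Content` field (after `generate_credential_report()` reports `COMPLETE`), using the same columns as the console download. The report text is constructed for the example.

```python
"""Check root-user posture and IAM-user MFA from an IAM credential report.

Added example, not from the original post. It parses the CSV returned by
`iam.get_credential_report()["Content"]` (decode the bytes first in production).
The report text below is constructed for the example.
"""
import csv
import io

ROOT_USER = "<root_account>"

# Constructed credential report: root has no MFA and a live access key;
# alice has MFA; bob has a console password but no MFA.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2024-05-01T08:12:00+00:00,not_supported,not_supported,false,true,2019-03-01T10:05:00+00:00,2024-04-30T09:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-10T12:00:00+00:00,true,2024-05-02T11:00:00+00:00,2024-01-15T12:00:00+00:00,2024-04-14T12:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-02-01T09:00:00+00:00,true,2024-04-28T16:40:00+00:00,2023-11-02T09:00:00+00:00,2024-01-31T09:00:00+00:00,false,true,2023-11-02T09:10:00+00:00,2024-05-01T07:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_report(report_csv):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def root_findings(report_csv):
    """Findings for the root user: missing MFA, or any active long-term credential."""
    root = next((r for r in parse_report(report_csv) if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root row missing from credential report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root MFA not enabled")
    # Root should have no access keys or X.509 signing certificates at all.
    for key in ("access_key_1_active", "access_key_2_active",
                "cert_1_active", "cert_2_active"):
        if root[key] == "true":
            findings.append(f"root {key[:-7]} is active")  # strip the "_active" suffix
    return findings


def users_without_mfa(report_csv):
    """IAM users who can sign in to the console but have no MFA device."""
    return sorted(
        r["user"] for r in parse_report(report_csv)
        if r["user"] != ROOT_USER
        and r["password_enabled"] == "true"
        and r["mfa_active"] != "true"
    )


if __name__ == "__main__":
    print("root:", root_findings(SAMPLE_REPORT))
    print("console users without MFA:", users_without_mfa(SAMPLE_REPORT))
```

Run this per account (or from a role you can assume into each member account) rather than only in the management account; the credential report is account-scoped, and it is the member accounts whose root credentials most often go unreviewed.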

Security Groups: Unrestricted Access

Flags inbound rules that allow traffic from 0.0.0.0/0 (or ::/0) on risky ports such as SSH (22), RDP (3389), and database ports. Rules on 80/443 are usually treated as lower risk, but only if the listener behind them is meant to be public.

Why it matters: Expands attack surface.

Action:

  • Restrict to specific IPs.
  • Remove unused groups.
  • Prefer Session Manager for shell access so SSH and RDP ports need not be open at all.
  • Review and enforce centrally with Firewall Manager (for example, a common security group policy that blocks world-open risky ports).
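To verify this check yourself, or to triage a long list of flagged groups, the rule logic is straightforward to implement against the EC2 API output. The script below is an added example, not code from the original post or from Trusted Advisor: it walks the `SecurityGroups` list returned by `describe_security_groups`, handles IPv4 and IPv6 world CIDRs, port ranges, and the "all traffic" protocol (-1) that carries no port fields, and builds the exact argument dict that `revoke_security_group_ingress` would need. The risky-port list and the sample groups are constructed for the example; Trusted Advisor's own port list is not reproduced here.

```python
"""Audit EC2 security groups for inbound rules open to the world on risky ports.

Added example, not from the original post. It works on the `SecurityGroups` list
returned by EC2 `describe_security_groups`; the groups below are constructed so
it runs offline. The risky-port list is an assumption for this example, not
Trusted Advisor's own list.
"""

WORLD = {"0.0.0.0/0", "::/0"}

RISKY_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}

# Constructed sample mirroring describe_security_groups output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy-all-open", "IpPermissions": [
        # Protocol -1 (all traffic) carries no FromPort/ToPort in the API output.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def _world_cidrs(perm):
    """World-open CIDRs (IPv4 and IPv6) referenced by one IpPermission."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def _risky_ports_covered(perm):
    """Risky ports inside this rule's port range; -1 means every port and protocol."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(RISKY_PORTS)
    if proto not in ("tcp", "udp"):
        return []  # icmp and other protocols have no ports to match
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in sorted(RISKY_PORTS) if lo <= p <= hi]


def find_unrestricted_risky_rules(security_groups):
    """One finding per (rule, world CIDR) that exposes at least one risky port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = _risky_ports_covered(perm)
            if not ports:
                continue
            for cidr in _world_cidrs(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg.get("GroupName", ""),
                    "Protocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Cidr": cidr,
                    "RiskyPorts": ports,
                    "Services": [RISKY_PORTS[p] for p in ports],
                })
    return findings


def revoke_ingress_kwargs(finding):
    """Arguments for ec2.revoke_security_group_ingress(**kwargs).

    A revoke must match the rule exactly as it exists (protocol, full port
    range, CIDR); revoking a wide range removes every port in it, not just the
    risky one, so review FromPort/ToPort on the finding before calling this.
    """
    v6 = ":" in finding["Cidr"]
    perm = {"IpProtocol": finding["Protocol"]}
    if finding["Protocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    perm["Ipv6Ranges" if v6 else "IpRanges"] = [
        {("CidrIpv6" if v6 else "CidrIp"): finding["Cidr"]}
    ]
    return {"GroupId": finding["GroupId"], "IpPermissions": [perm]}


if __name__ == "__main__":
    for f in find_unrestricted_risky_rules(SAMPLE_SECURITY_GROUPS):
        print(f["GroupId"], f["GroupName"], f["Cidr"], f["Services"])
        print("  revoke with:", revoke_ingress_kwargs(f))
```

Two things this catches that a quick console scan often misses: an IPv6 `::/0` rule on a group whose IPv4 rules look fine, and a wide port range (for example 1024-65535) that quietly includes database ports even though no single rule names them.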

Trusted Advisor also integrates with Security Hub: when Security Hub is enabled, its control findings appear as additional Trusted Advisor security checks, giving broader coverage than the native checks alone.

Fault Tolerance (Resilience) Checks

These checks spot single points of failure.

RDS Multi-AZ

Flags single-AZ RDS instances or clusters.

Why it matters: Without Multi-AZ there is no automatic failover during an AZ outage.

Action:

  • Enable Multi-AZ (note engine-specific behaviors, e.g., SQL Server).
  • For clusters, place readers in different AZs from the writer.

ElastiCache Multi-AZ

Identifies Redis replication groups that have no replica in another AZ, and therefore no Multi-AZ automatic failover.

Action:

  • Add replicas in different AZs.

Load Balancer Multi-AZ

Checks whether ALB/NLB/Classic Load Balancer subnets, and hence their targets, span multiple AZs.

Action:

  • Configure subnets and targets in at least two AZs.

Backups and Snapshots

Flags old/missing EBS snapshots or disabled RDS automated backups.

Action:

  • Automate with AWS Backup plans (7–35 day retention is typical).
  • Enable RDS automated backups (retention 1–35 days).

Service Limits Checks

Monitors usage against service quotas, raising a warning at 80% of a limit and an error when the limit is reached.

Common ones: EC2 instances, EBS volumes/provisioned IOPS, Elastic IPs, load balancers, VPCs, etc.

Action:

  • Release unused resources.
  • Request increases through the Service Quotas console or API before you hit the limit; increases are not instantaneous.
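Because the service-limits check returns one flagged row per region and limit, the useful step is to rank them by how close each is to its limit rather than reading the list top to bottom. The script below is an added example, not code from the original post: it consumes the `result` dict that the Support API's `describe_trusted_advisor_check_result` returns and classifies each row against the 80% warning and 100% error thresholds. The metadata column order it assumes (Region, Service, Limit Name, Limit Amount, Current Usage, Status) is an assumption for the example; in production read the column names from the check's `metadata` list in `describe_trusted_advisor_checks` rather than hard-coding positions. The check result below is constructed, and its `checkId` is a placeholder.

```python
"""Triage a Trusted Advisor service-limits check result by usage ratio.

Added example, not from the original post. Consumes the `result` dict from the
Support API's `describe_trusted_advisor_check_result`. The column order in
COLUMNS is an assumption for this example; read it from the check's `metadata`
list in production. SAMPLE_RESULT is constructed and its checkId is a placeholder.
"""

COLUMNS = ["Region", "Service", "Limit Name", "Limit Amount", "Current Usage", "Status"]

SAMPLE_RESULT = {
    "checkId": "example-service-limits-check",
    "status": "error",
    "flaggedResources": [
        {"region": "us-east-1", "status": "warning",
         "metadata": ["us-east-1", "EC2", "On-Demand instances", "64", "56", "Yellow"]},
        {"region": "eu-west-1", "status": "error",
         "metadata": ["eu-west-1", "VPC", "VPCs", "5", "5", "Red"]},
        {"region": "us-west-2", "status": "ok",
         "metadata": ["us-west-2", "EBS", "Provisioned IOPS storage (TiB)", "50", "10", "Green"]},
        # Some limits come back without numeric values; the code must not crash on them.
        {"region": "ap-southeast-1", "status": "ok",
         "metadata": ["ap-southeast-1", "ELB", "Active load balancers", "N/A", "N/A", "Green"]},
    ],
}


def _to_number(value):
    """Parse a metadata cell as a number, or None for N/A and blanks."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def triage_service_limits(check_result, warn_at=0.80, alarm_at=1.00):
    """Return one row per flagged resource, highest usage ratio first."""
    rows = []
    for res in check_result.get("flaggedResources", []):
        meta = dict(zip(COLUMNS, res.get("metadata", [])))
        limit = _to_number(meta.get("Limit Amount"))
        usage = _to_number(meta.get("Current Usage"))
        if not limit or usage is None:
            ratio, level = None, "unknown"  # cannot compute; check the console
        else:
            ratio = usage / limit
            level = "alarm" if ratio >= alarm_at else "warn" if ratio >= warn_at else "ok"
        rows.append({
            "region": meta.get("Region"),
            "service": meta.get("Service"),
            "limit_name": meta.get("Limit Name"),
            "limit": limit,
            "usage": usage,
            "ratio": ratio,
            "level": level,
        })
    # Highest ratio first; rows with no computable ratio go last.
    return sorted(rows, key=lambda r: (r["ratio"] is None, -(r["ratio"] or 0)))


def needs_action(rows):
    """(region, service, limit, level) tuples to release capacity on or request increases for."""
    return [(r["region"], r["service"], r["limit_name"], r["level"])
            for r in rows if r["level"] in ("warn", "alarm")]


if __name__ == "__main__":
    ranked = triage_service_limits(SAMPLE_RESULT)
    for row in ranked:
        print(row)
    print("act on:", needs_action(ranked))
```

Feeding `needs_action` output into a ticket or a Service Quotas increase request is the natural next step; the `unknown` bucket is worth a manual look, since those are the limits Trusted Advisor could not quantify for you.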

When Trusted Advisor Has Limited Value

  • Performance checks need application context; validate them against CloudWatch metrics before acting.
  • Trusted Advisor checks are point-in-time snapshots, and AWS environments change between refreshes; a green check today says nothing about tomorrow.
  • Exclude items you have reviewed and accepted so they stop surfacing as false positives, and use AWS Config rules for continuous enforcement between refreshes.

Key Takeaways and Next Steps

Prioritizing idle resources, commitment discounts (Savings Plans), root MFA, restricted access, Multi-AZ deployments, backups, and quotas aligns with the Well-Architected Framework.

Treat Trusted Advisor as a starting signal and validate its findings with Cost Optimization Hub, Cost Explorer, CloudWatch, and AWS Backup. Review findings weekly, integrate them into your governance processes, and opt in to the supporting services to get full value.

About the Author

Pouya Nourizadeh is the founder of Cloudformix, with extensive experience optimizing enterprise cloud environments across AWS, Azure, and Google Cloud. For years, he has addressed real-world challenges in cloud cost management, performance, and architecture, offering practical insights for engineering teams navigating modern cloud complexities.
