Operations Management

Optimizing Your AWS Environment - Best Practice Checks with Trusted Advisor

Learn how to use AWS Trusted Advisor for automated environment diagnostics. This article covers the check items and usage across five categories: cost optimization, security, fault tolerance, performance, and service limits.

約 5 分で読めます

Trusted Advisor Overview and Five Diagnostic Categories

AWS Trusted Advisor is a service that automatically diagnoses your AWS environment against best practices. It provides recommendations based on operational data from thousands of AWS accounts, identifying opportunities for cost reduction, security hardening, and availability improvement. Diagnostics are organized into five categories. Cost optimization detects unused and underutilized resources (EC2, RDS, EBS, Elastic IP, Redshift) and presents specific savings amounts. Security checks for S3 bucket public access settings, overly permissive security group ports, root account MFA not enabled, and IAM access key rotation. Fault tolerance checks for missing EBS snapshots, RDS Multi-AZ not configured, and Auto Scaling group AZ distribution. Performance detects high-utilization EC2 instances and CloudFront optimization opportunities. Service limits monitors quota usage for each service and warns when items reach 80% of their limit.

Check Scope Differences by Support Plan

The scope of Trusted Advisor checks varies by support plan. Basic/Developer plans provide only 6 core security checks and service limit checks. The core security checks cover S3 bucket permissions, security group unrestricted access (0.0.0.0/0), IAM usage, root account MFA, EBS public snapshots, and RDS public snapshots. Business plan ($100+/month) or Enterprise plan ($15,000+/month) unlocks access to all 300+ check items and enables programmatic access via the AWS Support API. Cost optimization checks alone often uncover savings that exceed the monthly support plan cost, making the upgrade to Business plan a high-ROI investment.

Cost Optimization Checks in Practice

Trusted Advisor's cost optimization checks present recommendations along with specific savings amounts. Here are the main check items and typical findings. Low-utilization EC2 instances detects instances with CPU usage below 10% over the past 14 days and recommends downsizing or stopping. Idle RDS instances detects instances with no connections over the past 7 days. Unassociated Elastic IP addresses detects EIPs not associated with an EC2 instance (unused EIPs cost approximately $3.6/month each). Unused EBS volumes detects volumes not attached to any instance. Savings Plans and Reserved Instance recommendations suggest optimal purchase plans based on past usage patterns. These check results can be exported as CSV and used as input data for regular cost reviews. For designing cloud operations best practices, related books on Amazon are a helpful reference.

Automation and Organizations Integration

Trusted Advisor integrates with EventBridge to detect check result changes as events. For example, when a new security warning is detected, you can send notifications via SNS or execute automated remediation actions with Lambda. ```bash # Retrieve Trusted Advisor check results (Business/Enterprise plan) aws support describe-trusted-advisor-checks \ --language en \ --region us-east-1 \ --query 'checks[?category==`cost_optimizing`].{id:id,name:name}' # Retrieve results for a specific check aws support describe-trusted-advisor-check-result \ --check-id Qch7DwouX1 \ --language en \ --region us-east-1 ``` With AWS Organizations integration, the organizational view aggregates Trusted Advisor results across all accounts. From the management account dashboard, you can see which accounts have which recommendations, enabling efficient organization-wide cost optimization and security improvement. Note that the Trusted Advisor API is only available in the us-east-1 region.

Summary - Guidelines for Using Trusted Advisor

AWS Trusted Advisor is a service that automatically diagnoses your AWS environment across cost, security, fault tolerance, performance, and service limits. Even the Basic plan provides 6 core security checks for free, while Business plan and above unlocks all 300+ check items and API access. The main use cases are specific cost savings estimates from cost optimization checks, proactive service limit warnings, and automation through EventBridge integration. We recommend regularly reviewing Trusted Advisor results as input data for monthly cost reviews and quarterly security audits.

Related Services

AWS Trusted AdvisorA service that checks your AWS environment for cost optimization, performance, security, and resilience improvementsAWS Cost ExplorerA service that visualizes and analyzes your AWS costs and usage to identify optimization opportunitiesAWS ConfigA service that records and evaluates AWS resource configuration changes and continuously monitors compliance

Related Articles

Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

AWS Trusted AdvisorA service that automatically inspects your AWS environment across five categories - cost optimization, security, performance, fault tolerance, and service limits - and provides improvement recommendations based on best practicesAutomated Best Practice Checks with AWS Trusted Advisor - Cost Reduction and Security ImprovementAutomatically check account health across five categories: cost optimization, performance, security, fault tolerance, and service limits. Learn about Priority for organization-wide best practice management and API integration.AWS Cost Management Tools - Native Integration of Cost Explorer, Budgets, and Compute OptimizerAWS natively integrates cost management tools such as Cost Explorer, Budgets, Compute Optimizer, and Trusted Advisor. We analyze the advantages of AWS's cost visibility and optimization compared to Azure Cost Management and GCP's billing management.Compute Resource Optimization - Rightsizing with AWS Compute OptimizerLearn about resource rightsizing with AWS Compute Optimizer. Covers recommendations for EC2, Lambda, EBS, and ECS on Fargate, cost savings estimates, and implementation steps.