Check Trusted Advisor for Errors and Warnings
Overview
This check verifies that AWS Trusted Advisor reports no unresolved errors or warnings for your account. Trusted Advisor is AWS's built-in tool that continuously monitors your account and flags issues across security, performance, cost optimization, fault tolerance, and service limits.
When Trusted Advisor shows errors or warnings, it means AWS has detected potential problems that need your attention.
Risk
Ignoring Trusted Advisor findings can lead to:
- Security gaps - Weak authentication, overly permissive access, or unintended public exposure of resources
- Service disruptions - Hitting resource limits or lacking sufficient redundancy for high availability
- Unauthorized changes - Overly broad permissions that could allow unintended modifications
- Unnecessary costs - Unused or underutilized resources that continue to incur charges
Remediation Steps
Prerequisites
- AWS account access with permissions to view Trusted Advisor
- Note: Full Trusted Advisor access requires an AWS Business, Enterprise On-Ramp, or Enterprise Support plan. Basic and Developer support plans only have access to core security checks.
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to Trusted Advisor (search for it in the top search bar)
- On the Trusted Advisor dashboard, look for checks showing red (error) or yellow (warning) status
- Click View all recommendations or browse by category:
  - Cost Optimization
  - Performance
  - Security
  - Fault Tolerance
  - Service Limits
- For each flagged item:
  - Click on the check name to see details
  - Review the Recommended Action section
  - Follow the guidance to fix the issue
- After making changes, click the Refresh icon on each check to verify the fix
- Repeat until all checks show green (OK) status
Prioritization tip: Address red (error) items first, then yellow (warning) items. Security-related findings should generally take priority.
AWS CLI (optional)
You can use the AWS CLI to list Trusted Advisor check results. Note that this requires the AWS Support API, which is available only with Business, Enterprise On-Ramp, or Enterprise Support plans.
List all available Trusted Advisor checks:
aws support describe-trusted-advisor-checks \
  --language en \
  --region us-east-1
Get the status summary for all checks:
aws support describe-trusted-advisor-check-summaries \
  --check-ids $(aws support describe-trusted-advisor-checks --language en --region us-east-1 --query 'checks[*].id' --output text) \
  --region us-east-1
Get detailed results for a specific check:
aws support describe-trusted-advisor-check-result \
  --check-id <check-id> \
  --language en \
  --region us-east-1
Replace <check-id> with the ID of the check you want to examine (obtained from the first command).
Refresh a specific check:
aws support refresh-trusted-advisor-check \
  --check-id <check-id> \
  --region us-east-1
Setting up automated alerts (optional)
You can configure Trusted Advisor to send notifications when new issues are detected:
- In the Trusted Advisor console, click Preferences in the left navigation
- Under Notification Preferences, enable weekly email notifications
- Enter the email addresses that should receive alerts
- Click Save preferences
For more granular alerting, you can use Amazon EventBridge to trigger actions when Trusted Advisor check statuses change:
- Navigate to Amazon EventBridge in the AWS Console
- Create a new rule with the event pattern:
  {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"]
  }
- Add a target such as an SNS topic or Lambda function to handle the notification
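A Lambda target for the rule above could filter out healthy refreshes before alerting, as in this added example (not code from the original page). The `detail` field names (`check-name`, `status`, `resource_id`, `check-item-detail`), the status values `ERROR`/`WARN`/`OK`, and the `ALERT_TOPIC_ARN` environment variable are assumptions; the sample event is constructed.

```python
import json
import os

TA_SOURCE = "aws.trustedadvisor"
TA_DETAIL_TYPE = "Trusted Advisor Check Item Refresh Notification"
SEVERITY = {"ERROR": "red", "WARN": "yellow"}  # assumed status values


def build_alert(event):
    """Return an alert dict for a flagged item, or None if nothing should be sent."""
    if event.get("source") != TA_SOURCE or event.get("detail-type") != TA_DETAIL_TYPE:
        return None  # not the event type the rule pattern matches
    detail = event.get("detail") or {}
    status = str(detail.get("status", "")).upper()
    if status == "OK":
        return None  # item is healthy: no alert
    # Any other status alerts, so an unexpected value is never dropped silently
    colour = SEVERITY.get(status, "unknown")
    check = detail.get("check-name", "<unnamed check>")
    subject = f"[Trusted Advisor {colour}] {check}"[:99]  # SNS subject: under 100 chars
    body = {
        "account": event.get("account"),
        "check": check,
        "status": status,
        "resource": detail.get("resource_id"),
        "item": detail.get("check-item-detail", {}),
    }
    return {"subject": subject, "message": json.dumps(body, indent=2, sort_keys=True)}


def lambda_handler(event, context):
    alert = build_alert(event)
    if alert is None:
        return {"sent": False}
    import boto3  # imported lazily so build_alert can be exercised without AWS access
    boto3.client("sns").publish(
        TopicArn=os.environ["ALERT_TOPIC_ARN"],  # hypothetical variable name
        Subject=alert["subject"], Message=alert["message"])
    return {"sent": True}


# Constructed sample event; all values are placeholders
SAMPLE_EVENT = {
    "source": "aws.trustedadvisor",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "account": "123456789012",
    "detail": {"check-name": "Sample security check", "status": "WARN",
               "resource_id": "arn:aws:s3:::example-bucket",
               "check-item-detail": {"Bucket Name": "example-bucket"}},
}
```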
Verification
To confirm you have addressed all Trusted Advisor findings:
- Return to the Trusted Advisor dashboard
- Refresh any checks you recently remediated
- Verify all categories show green checkmarks or acceptable status
- No items should appear with red (error) or yellow (warning) status
CLI verification
# Check for any non-ok statuses
aws support describe-trusted-advisor-check-summaries \
  --check-ids $(aws support describe-trusted-advisor-checks --language en --region us-east-1 --query 'checks[*].id' --output text) \
  --region us-east-1 \
  --query 'summaries[?status!=`ok`].[checkId,status]' \
  --output table
An empty table indicates all checks are passing.
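The table above lists only check IDs and statuses. The following added example (not part of the original page) joins the JSON from `describe-trusted-advisor-checks` and `describe-trusted-advisor-check-summaries` so each finding carries its name and category, then orders the findings per the prioritization tip. It assumes the tip means errors before warnings with security first within each status; the sample data is constructed.

```python
import json

# Constructed sample data shaped like the output of
# describe-trusted-advisor-checks and describe-trusted-advisor-check-summaries.
# The check IDs and names are placeholders, not real Trusted Advisor checks.
CHECKS = json.loads("""{"checks": [
  {"id": "chk-sec-1",  "name": "Sample security check",        "category": "security"},
  {"id": "chk-cost-1", "name": "Sample cost check",            "category": "cost_optimizing"},
  {"id": "chk-ft-1",   "name": "Sample fault tolerance check", "category": "fault_tolerance"},
  {"id": "chk-lim-1",  "name": "Sample service limit check",   "category": "service_limits"}
]}""")
SUMMARIES = json.loads("""{"summaries": [
  {"checkId": "chk-cost-1", "status": "error",   "resourcesSummary": {"resourcesFlagged": 7}},
  {"checkId": "chk-sec-1",  "status": "error",   "resourcesSummary": {"resourcesFlagged": 2}},
  {"checkId": "chk-ft-1",   "status": "warning", "resourcesSummary": {"resourcesFlagged": 3}},
  {"checkId": "chk-perf-1", "status": "ok",      "resourcesSummary": {"resourcesFlagged": 0}},
  {"checkId": "chk-lim-1",  "status": "not_available"},
  {"checkId": "chk-gone-1", "status": "warning", "resourcesSummary": {"resourcesFlagged": 1}}
]}""")

STATUS_RANK = {"error": 0, "warning": 1}  # red before yellow


def triage(checks_doc, summaries_doc):
    """Join summaries to check metadata; return (findings, not_evaluated_ids)."""
    meta = {c["id"]: c for c in checks_doc["checks"]}
    findings, not_evaluated = [], []
    for s in summaries_doc["summaries"]:
        status = s.get("status")
        if status == "ok":
            continue
        if status not in STATUS_RANK:
            # e.g. "not_available": no result exists, so it must not count as passing
            not_evaluated.append(s["checkId"])
            continue
        check = meta.get(s["checkId"], {})  # a summary may reference an unlisted check
        findings.append({
            "id": s["checkId"],
            "name": check.get("name", "<unknown check>"),
            "category": check.get("category", "<unknown>"),
            "status": status,
            "flagged": (s.get("resourcesSummary") or {}).get("resourcesFlagged", 0),
        })
    # Errors first; within a status, security first, then most flagged resources
    findings.sort(key=lambda f: (STATUS_RANK[f["status"]],
                                 f["category"] != "security", -f["flagged"]))
    return findings, not_evaluated

if __name__ == "__main__":
    print(json.dumps(triage(CHECKS, SUMMARIES), indent=2))
```

To run it against an account, replace the two constants with the JSON saved from the corresponding CLI commands using `--output json`.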
Notes
- Support plan requirement: Full Trusted Advisor functionality requires AWS Business, Enterprise On-Ramp, or Enterprise Support. Basic and Developer plans only have access to core security checks and service quota checks.
- Refresh limits: Some checks can only be refreshed once every few minutes. If refresh is unavailable, wait and try again.
- Regional considerations: Trusted Advisor is a global service, but some checks are region-specific. Review findings in the context of your deployed regions.
- Continuous monitoring: Treat Trusted Advisor as an ongoing process, not a one-time fix. New issues can emerge as your environment changes. Consider scheduling regular reviews (weekly or monthly).