AWS Trusted Advisor: What It Is and When to Use It
Definition
AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources following AWS best practices. It acts as an automated cloud expert, scanning your AWS environment and making recommendations to help you optimize costs, improve performance, increase security and fault tolerance, and stay within service quotas.
How It Works
Trusted Advisor operates by continuously evaluating your AWS resource configurations and usage against a comprehensive library of best-practice checks. It gathers metadata from services like Amazon EC2, Amazon S3, AWS IAM, and Amazon RDS without accessing your application's underlying data. The recommendation engine then analyzes this data and presents findings in the AWS Management Console, through the API, or via event-driven notifications.
Each check returns one of three statuses:
- Red (Action Recommended): A significant deviation from best practices that requires immediate attention.
- Yellow (Investigation Recommended): A potential issue or an area for improvement has been identified.
- Green (No Problems Detected): The resource configuration aligns with the best practice check.
For customers with multiple accounts, Trusted Advisor offers an Organizational View, which aggregates findings from all member accounts into a single report in the management account, providing a centralized dashboard for governance.
Key Features and Limits
- Check Categories: Trusted Advisor organizes its checks into six main categories: Cost Optimization, Performance, Security, Resilience (Fault Tolerance), Operational Excellence, and Service Limits.
- Support Plan Dependency: The number of available checks is directly tied to your AWS Support plan.
- Basic and Developer Support: Access to a core set of 56 checks, primarily focused on Service Limits and a few critical security and fault tolerance items like S3 bucket permissions, public snapshots, and MFA on the root account.
- Business Support+ and Enterprise Support: Access to the full set of over 482 checks, covering all categories. These plans also enable programmatic access via the AWS Trusted Advisor API and automated weekly refreshes of check results.
- Data Refresh: For Business and Enterprise plans, checks are refreshed automatically, typically on a weekly or daily basis. For Basic and Developer plans, you must manually refresh the checks from the console.
- Programmatic Access: Customers on Business, Enterprise On-Ramp, or Enterprise Support plans can access all check results programmatically via the AWS Support API and AWS CLI. This allows for integration with third-party ticketing systems or custom automation workflows.
- Automation with Amazon EventBridge: You can use Amazon EventBridge to detect status changes in Trusted Advisor checks and trigger automated actions, such as sending a notification to an Amazon SNS topic or invoking an AWS Lambda function for auto-remediation.
- Trusted Advisor Priority: Available to Enterprise Support customers, this feature provides context-driven, prioritized recommendations directly from your AWS account team, helping you focus on the most critical issues.
Common Use Cases
- Cost Optimization: Identifying idle resources like unassociated Elastic IP addresses, underutilized Amazon EC2 instances, and detached Amazon EBS volumes that incur costs without providing value.
- Security Posture Management: Flagging common security risks such as unrestricted access to ports in security groups, publicly accessible S3 buckets, missing MFA on the root account, and IAM access keys that haven't been rotated.
- Improving Resilience: Highlighting single points of failure in your architecture, such as Amazon RDS databases not configured for Multi-AZ deployment or EC2 instances not part of an Auto Scaling group.
- Proactive Service Limit Monitoring: Tracking your resource usage against AWS service quotas (e.g., the number of EC2 instances or VPCs per region) to prevent unexpected roadblocks when launching new resources.
- Centralized Governance: Using the Organizational View feature to allow a central cloud team to monitor compliance and best practice adherence across hundreds of accounts within an AWS Organization.
Pricing Model
Access to AWS Trusted Advisor is determined by your AWS Support plan.
- AWS Basic Support (Free Tier): All AWS accounts receive access to 56 core checks at no additional cost. These checks cover all Service Limits and a selection of important security and fault tolerance recommendations.
- AWS Developer Support: Includes the same 56 core checks as the Basic plan.
- AWS Business Support+ and Enterprise Support: These paid support plans unlock the full set of over 482 Trusted Advisor checks, along with API access and automated data refreshes. Pricing for these plans is based on a percentage of your monthly AWS usage, with a monthly minimum. Note that as of January 1, 2027, AWS is discontinuing the legacy Developer, Business, and Enterprise On-Ramp plans, migrating customers to the Business Support+ and Enterprise Support tiers.
For detailed pricing, consult the official AWS Support Plans page.
Pros and Cons
Pros:
- Automated Best Practices: Continuously and automatically scans your environment for deviations from hundreds of AWS best practices.
- Broad Coverage: Provides recommendations across multiple critical domains, including cost, security, performance, and resilience.
- Actionable Insights: Each finding includes a description of the issue, a list of affected resources, and guidance on how to remediate it.
- Integration Capabilities: Can be integrated with Amazon EventBridge and other tools for automated alerting and remediation.
Cons:
- Cost for Full Functionality: The most valuable checks, particularly for cost optimization and performance, require a paid Business Support+ or Enterprise Support plan, which can be a significant expense for smaller organizations.
- Recommendations, Not Remediation: Trusted Advisor identifies problems but does not fix them automatically. You must build your own automation or manually act on the recommendations.
- Not Real-Time: Check refreshes are periodic (e.g., weekly or daily), not instantaneous. A misconfiguration might not be detected until the next refresh cycle.
- Generic Thresholds: Recommendations are based on general best practices and fixed thresholds (e.g., flagging an EC2 instance with less than 10% CPU utilization), which may not be suitable for every workload without contextual evaluation.
Comparison with Alternatives
- AWS Security Hub: Security Hub is a dedicated security and compliance service. It aggregates findings from multiple AWS services (like Amazon GuardDuty, Amazon Inspector, and Trusted Advisor itself) and third-party tools into a single view. While Trusted Advisor provides a set of foundational security checks, Security Hub offers a much more comprehensive and specialized security posture management solution.
- AWS Compute Optimizer: This service uses machine learning to analyze historical utilization metrics and provide specific right-sizing recommendations for EC2 instances, EBS volumes, Auto Scaling groups, and AWS Lambda functions. While Trusted Advisor identifies underutilized resources based on simple thresholds, Compute Optimizer offers more nuanced, data-driven recommendations for optimizing compute costs and performance.
- AWS Cost Optimization Hub: This service consolidates cost-saving recommendations from other services like Compute Optimizer and Trusted Advisor into a single, unified dashboard. It is designed specifically to help you identify, prioritize, and track optimization opportunities across your organization.
Exam Relevance
AWS Trusted Advisor is a key topic on several AWS certification exams, particularly at the Foundational and Associate levels.
- AWS Certified Cloud Practitioner (CLF-C02): Understand its purpose as a best-practice recommendation tool and know the five main categories of checks.
- AWS Certified Solutions Architect – Associate (SAA-C03): Be prepared for scenario-based questions where Trusted Advisor is the correct tool for identifying cost savings, security vulnerabilities, or fault tolerance gaps. You should know the difference in features between the free and paid tiers.
- AWS Certified SysOps Administrator – Associate (SOA-C02): Focus on how to operationalize Trusted Advisor, such as setting up notifications with EventBridge and integrating its findings into operational workflows.
Frequently Asked Questions
Q: What is the main difference between the checks available on the free (Basic) tier and the paid (Business/Enterprise) tiers?
A: The free tier provides 56 core checks focused on service limits and critical security settings (like public S3 buckets and MFA on the root account). To unlock the full suite of over 482 checks, especially those for cost optimization (like idle EC2 instances) and performance, you must have a Business Support+ or Enterprise Support plan.
Q: How often does AWS Trusted Advisor refresh its check results?
A: The refresh frequency depends on your support plan. For accounts on Business Support+ or Enterprise Support plans, checks are refreshed automatically, typically on a weekly or daily basis for most checks. Accounts on Basic or Developer plans do not get automatic refreshes and must trigger them manually from the AWS Management Console.
Q: Can Trusted Advisor automatically fix the issues it finds?
A: No, Trusted Advisor is a recommendation engine, not an automated remediation service. It provides detailed guidance on what to fix and why, but you are responsible for implementing the changes. However, you can use its API and Amazon EventBridge integration to build your own automated remediation workflows using services like AWS Lambda.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.