In this article we will discuss the AWS Trusted Advisor service and cover the following topics:
How to use Trusted Advisor
Trusted Advisor is a cloud expert that helps users implement best practices in order to save money, increase the reliability of applications and close security gaps.
VMware Training – Resources (Intense)
There are four categories in which Trusted Advisor provides best practices:
Cost Optimization – allows you to save money by eliminating unused or idle resources.
Security – allows you to improve the security of applications by enabling various AWS security features and checking the permissions.
Fault Tolerance – allows you to increase availability and redundancy by advising the use of multi AZ, health check, auto scaling and backups.
Performance – allows improvement in application performance by checking service limits and over utilized resources.
There are more than 40 checks split among these four categories. There are four checks available for free to get a feeling of what Trusted Advisor can do for you and these are:
Service Limits – checks if your usage of various resources is above or below 80%.
Security Groups – Specific Ports Unrestricted –detects if your security groups are too permissive.
IAM Use – checks if you are using any user to access your AWS resources.
MFA on Root Account – checks if you are using MFA to access the root account.
So let’s start examining what Trusted Advisor can do for you.
The Trusted Advisor service can be accessed from the “Administration & Security” section of the AWS Management Console:
But first, let’s check what the resources monitored by Trusted Advisor look like.
Let’s start with the security groups. I have the default security group and another one that is attached to an EC2 instance. The security group allows access on SSH and RDP ports from anywhere.
These are the security groups. There is also another security group I created, but it is not attached to any EC2 instance:
And these are the inbound rules for the security group that is used:
Let’s move to the “Identity and Access Management” console and check the current status.
As you can see, I have no users or groups. I’m currently logged in using the root account:
This is also in the status section where you can see that the MFA is not activated for the root account; that is, I’m logging in using only the password:
Once you access the Trusted Advisor service, you will get a status of your resources. As mentioned, they are split in four major sections so that you know where you might need to consider recommendations. If the check is:
Green – no problem was detected.
Yellow – it is recommended that you start an investigation.
Red – it is recommended to take an action.
Because this is only about the free service, most of the checks will be grey because we don’t have access to them. You can download the report in Excel format where each check has its own tab:
The first one is “Cost Optimization” and is there to save you money:
The next one is “Performance” and allows you to monitor the usage of resources:
The third one is “Security” and its purpose is to make sure you and your applications are not exposed to security flaws:
The last section is “Fault Tolerance” and its purpose is to help increase availability and redundancy:
Now let’s check the outputs. As you can see, some of the checks are red, some are yellow and some are green. We will check each and every one of them:
The first one is “Security Groups – Specific Ports Unrestricted” which means that access is unrestricted for specific ports. You can see below the ports where unrestricted access is allowed which triggered the red check.
As you might remember, the security group was allowing traffic from anywhere for SSH (22) and RDP (3389). 3389 is a port that will trigger a red check, whereas port 22 will not trigger a red check. You also have the recommended action to restrict the IP address/range allowed access to the ports:
Just below, you can see the status of each rule of the security group:
The next check is “IAM Use” and as you might remember, there is no user/group created for this account which triggers a yellow status.
Next is “MFA for Root Account” and it is yellow. Obviously, the recommendation is to enable MFA for the root account:
The last check that we have access to is “Service Limits”. This looks for resource types that use more than 80% of the service limits. You should see something similar to this. In this case, everything is green as I’m nowhere close to the 80% threshold:
So before I run the checker again, I took the recommended actions for both red or yellow statuses by adding an IAM user, activating the MFA for the root account (see this article how you can do this: Amazon AWS – Understanding IAM – Multi-Factor Authentication) and specifying IP addresses from where the SSH and RDP ports can be accessed.
This is the status for the IAM related actions:
And this is for the security group:
Once I run the service again, everything is green:
As you can also see in the detailed recommended actions:
In case you need to have access to more checks, you can upgrade from the free service (Basic) to one of the three paid services:
And we have reached the end of this article about the Trusted Advisor service from AWS.
Now you should know what Trusted Advisor is, how to access it and how you can take advantage of its recommendations in order to reduce costs, harden security and improve the availability and redundancy of your applications that run in AWS.
By going through the links from the references section, you can find detailed information about each Trusted Advisor check.