AWS Trusted Advisor
AWS Trusted Advisor is a free advisory service that scans your account and tells you where you are wasting money, leaving security holes open, or about to hit a limit. Think of it as an automated cloud consultant that runs checks against AWS best practices and hands you a prioritized to-do list. It is one of the fastest ways for a new team to find easy wins, because it surfaces problems you did not even know to look for. The catch, which we will cover below, is that the most useful checks only unlock once you pay for a higher support tier.
What Trusted Advisor checks
Trusted Advisor groups its checks into five categories. Each check has a status light: green (no problem found), yellow (investigate), or red (action recommended).
| Category | What it looks for | Example finding |
|---|---|---|
| Cost optimization | Idle and under-used resources you are paying for | An EC2 instance i-0a1b2c3d4e5f at under 3% CPU for 14 days |
| Security | Risky configurations | A security group sg-0a1b2c3d open to 0.0.0.0/0 on port 22 (SSH) |
| Fault tolerance | Single points of failure | An EBS volume with no recent snapshot |
| Performance | Bottlenecks and outdated settings | Over-utilized EC2 instances that need a bigger type |
| Service limits | Quotas you are close to exceeding | You are at 18 of 20 Elastic IPs (permanent public IP addresses) in a Region |
An Elastic Block Store (EBS) volume is the virtual hard disk attached to a virtual server. EC2 (Elastic Compute Cloud) is AWS’s virtual server service.
When to use this (and when not to)
Use Trusted Advisor as a recurring health check: glance at it weekly, and always before a big launch or a cost review. The cost and security categories give the highest return. Do not treat it as your only safety net, though. It runs a fixed set of generic checks, so it will miss problems specific to your application (a slow database query, say). Pair it with deeper tools: Cost Explorer for spend trends, AWS Compute Optimizer for right-sizing, and Security Hub for security posture.
The support-tier gotcha
This is the single most important thing to understand. The number of checks you can see depends on your AWS Support plan.
| Support plan | Trusted Advisor access |
|---|---|
| Basic (free) | A small fixed set of checks only: core security and all service-limit checks |
| Developer | Same limited set as Basic |
| Business | All checks across all five categories, plus the API and programmatic access |
| Enterprise | Everything in Business, plus extra operational support |
Gotcha: On Basic and Developer support, the full cost-optimization checks (idle instances, low-utilization RDS databases, unattached Elastic IPs) and most security checks are locked. The “free” Trusted Advisor is therefore quite limited. The good news: the moment you move to Business support or higher, the idle-resource findings are often a quick, concrete win that can pay for the support plan itself.
Business support starts at the greater of 100 USD per month or a percentage of your monthly AWS spend, so weigh that against the savings the cost checks reveal before upgrading purely for Trusted Advisor.
Viewing recommendations in the console
- Sign in to the AWS Management Console and open the Trusted Advisor console (search “Trusted Advisor” in the top search bar).
- The Recommendations dashboard loads, showing the five categories with counts of red and yellow checks.
- Click a category, for example Cost optimization, to see each check.
- Click a check name to expand the list of affected resources, then use the Download all checks button to export a CSV (comma-separated values) for sharing.
- After you fix something, click Refresh on the check to re-run it. Note that some checks refresh automatically at most once every few hours.
Reading recommendations with the AWS CLI
Trusted Advisor’s programmatic access is part of the AWS Support API, which requires Business or Enterprise support. The API only works in the us-east-1 Region, even though the findings cover all Regions. First, list the available checks to get their IDs.
aws support describe-trusted-advisor-checks \
--language en \
--region us-east-1 \
--query "checks[?category=='cost_optimizing'].[id,name]" \
--output tableOutput:
-------------------------------------------------------------------
| DescribeTrustedAdvisorChecks |
+--------------------------+--------------------------------------+
| Qch7DwouX1 | Low Utilization Amazon EC2 Instances |
| DAvU99Dc4C | Idle Load Balancers |
| hjLMh88uM8 | Unassociated Elastic IP Addresses |
+--------------------------+--------------------------------------+Now pull the result of one check using its ID. The example below uses the “Low Utilization Amazon EC2 Instances” check.
aws support describe-trusted-advisor-check-result \
--check-id "Qch7DwouX1" \
--language en \
--region us-east-1 \
--output jsonOutput:
{
"result": {
"checkId": "Qch7DwouX1",
"status": "warning",
"resourcesSummary": {
"resourcesProcessed": 42,
"resourcesFlagged": 3
},
"categorySpecificSummary": {
"costOptimizing": {
"estimatedMonthlySavings": 128.40,
"estimatedPercentMonthlySavings": 4.7
}
},
"flaggedResources": [
{
"status": "warning",
"region": "us-east-1",
"resourceId": "i-0a1b2c3d4e5f",
"metadata": ["us-east-1", "i-0a1b2c3d4e5f", "t3.large", "2.1%"]
}
]
}
}The estimatedMonthlySavings field is the headline number: here, acting on three idle instances would save about 128 USD per month. That metadata array tells you the instance is a t3.large averaging 2.1% CPU, so it is a strong candidate to stop or downsize.
To force a fresh scan before reading the result, call refresh first:
aws support refresh-trusted-advisor-check \
--check-id "Qch7DwouX1" \
--region us-east-1Tip: Trusted Advisor publishes check status changes to Amazon EventBridge (an event bus that routes events between AWS services). You can wire a rule that, when a cost or security check turns red, sends a message to Amazon SNS (Simple Notification Service) so the right person gets emailed automatically. This turns Trusted Advisor from something you remember to check into something that pings you.
Trusted Advisor vs related tools
Trusted Advisor overlaps with other services, so it helps to know which to reach for.
| Tool | Best for | Tier needed |
|---|---|---|
| Trusted Advisor | Broad, account-wide best-practice checks across cost, security, and limits | Full set needs Business+ |
| AWS Compute Optimizer | Deep, ML-based right-sizing recommendations for EC2, EBS, and Lambda | Free |
| AWS Cost Explorer | Visualizing and forecasting spend over time | Free |
| AWS Security Hub | Continuous, detailed security and compliance posture | Paid per check |
A practical pattern: use Trusted Advisor to spot the idle EC2 instances, then jump to Compute Optimizer for the exact instance type to switch to.
Best practices
- Review the cost and security categories at least weekly, and always before a launch or budget review.
- Upgrade to Business support only after estimating the savings the cost checks will expose; the idle-resource findings often justify the cost.
- Automate alerting with EventBridge and SNS instead of relying on someone opening the console.
- Act on red service-limit checks early; hitting a quota mid-deployment causes outages that are slow to fix.
- Treat green lights as “no generic problem found,” not “perfectly optimized” — pair Trusted Advisor with Compute Optimizer and Cost Explorer.
- Re-run (refresh) a check after fixing an issue so your dashboard reflects reality and your team is not chasing stale findings.