AWS Trusted Advisor
Trusted Advisor scans your account against published best-practice checks drawn from AWS's operational experience — idle EC2 instances, unrestricted security groups, unused IAM keys, service limits about to be hit — and reports findings in five categories: cost optimization, performance, security, fault tolerance, and service limits.
It is one of the oldest AWS opinions on running an account well and remains a useful weekly review even alongside newer services like Security Hub.
The Five Categories
Cost Optimization flags idle and underutilized resources, unattached EBS volumes, and Reserved Instance / Savings Plan opportunities. Performance identifies bottlenecks like over-utilized instances and poor cache-hit ratios. Security highlights open security groups, weak IAM password policies, root access keys, and public buckets.
Fault Tolerance finds single points of failure — EBS volumes without snapshots, single-AZ Auto Scaling Groups, RDS without Multi-AZ. Service Limits tracks how close you are to quotas, since hitting one in production is an avoidable outage.
Support-Plan Tiers
The free tier (every account) covers six core security checks plus a service-limits summary. Business and Enterprise Support unlock all checks across all categories, on-demand refresh, Trusted Advisor Priority (curated findings from the AWS account team), and EventBridge integration.
For Business/Enterprise accounts, a weekly review is the standard practice; for free-tier accounts, Security Hub plus custom Config rules covers more ground.
Trusted Advisor — a broad best-practices checklist across cost, performance, security, fault tolerance, and limits.
Security Hub — deeper, continuous security posture and finding aggregation, broader than Trusted Advisor's security checks.
Cost Explorer — detailed spend analysis and trends; Trusted Advisor only flags specific idle resources.
- Ignoring the Service Limits category until a quota is hit in production, causing an avoidable outage.
- Treating Trusted Advisor's security checks as full coverage instead of pairing them with Security Hub.
- Expecting full Trusted Advisor on the free tier — most checks require Business or Enterprise Support.
- Reviewing it once and never again, so findings drift back as the account changes.
- Using it for deep cost analysis instead of Cost Explorer and Cost and Usage Reports.
- Dismissing fault-tolerance findings, which are the best protection against avoidable AZ-loss outages.
- Review Trusted Advisor weekly on Business or Enterprise Support accounts.
- Wire the Service Limits category into EventBridge to alert before you hit a quota.
- Use it for cost reviews alongside Cost Explorer — it finds specific idle resources.
- Combine with Security Hub for fuller security coverage.
- Take fault-tolerance findings seriously.
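An added example (not AWS's or this page's own code) of wiring Service Limits findings into EventBridge: the rule pattern selects Trusted Advisor check-item refresh events in WARN or ERROR state, and a hypothetical Lambda-style helper, limit_alert, turns quota items into alert text. The 0.8 threshold, the use of the "Limit Name" field to recognise limit checks, and the sample event are assumptions constructed for illustration.

```python
# EventBridge rule pattern; Trusted Advisor events are delivered in us-east-1.
EVENT_PATTERN = {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    "detail": {"status": ["WARN", "ERROR"]},
}

def matches(pattern, event):
    """Subset of EventBridge matching: nested dicts recurse, lists mean 'any of'."""
    for key, want in pattern.items():
        got = event.get(key)
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True

def limit_alert(event, threshold=0.8):
    """Return alert text for a service-limit item at or over threshold, else None."""
    if not matches(EVENT_PATTERN, event):
        return None
    detail = event["detail"]
    item = detail.get("check-item-detail", {})
    if "Limit Name" not in item:  # assumption: only limit checks carry this field
        return None
    try:
        used, cap = float(item["Current Usage"]), float(item["Limit Amount"])
    except (KeyError, TypeError, ValueError):
        used = cap = None  # usage not reported as a number: alert rather than drop
    if used is not None and cap > 0 and used / cap < threshold:
        return None
    usage = f"{used:g}/{cap:g}" if used is not None else "usage unknown"
    return (f"[{detail['status']}] {item.get('Service', '?')} "
            f"{item['Limit Name']} in {item.get('Region', '?')}: {usage} "
            f"(account {event.get('account', '?')})")

# Constructed sample event, shaped like a Trusted Advisor check-item refresh.
SAMPLE = {
    "source": "aws.trustedadvisor",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "check-name": "VPC", "status": "WARN",
        "check-item-detail": {"Status": "Yellow", "Service": "VPC", "Region": "eu-west-1",
                              "Limit Name": "VPCs", "Limit Amount": "5", "Current Usage": "4"},
    },
}
```

EVENT_PATTERN can be supplied as the event pattern of an EventBridge rule, with limit_alert called from the rule's target on each delivered event.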
Knowledge Check
What does the Service Limits category of Trusted Advisor help prevent?
- Avoidable outages from hitting an AWS service quota in production
- Data leaks from S3 buckets accidentally left open to public read access
- Slow database queries from unindexed tables
- Surprise cross-AZ data-transfer charges
What does the free tier of Trusted Advisor include?
- Six core security checks plus a service-limits summary
- The full set of checks across all five categories
- Curated Trusted Advisor Priority recommendations
- Nothing at all — every check requires Business Support
How does Trusted Advisor relate to Security Hub for security?
- Trusted Advisor's security checks are a useful baseline; Security Hub provides broader, deeper coverage
- They are identical and run exactly the same set of security checks against the same compliance standards
- Trusted Advisor fully replaces the need for Security Hub in a mature security program
- Security Hub only checks cost optimization, not security
For deep analysis of where your spend is going, which tool fits better than Trusted Advisor?
- Cost Explorer and Cost and Usage Reports
- CloudTrail management and data event logs
- AWS Config conformance packs and rules
- Systems Manager Session Manager shell access