AWS Trusted Advisor is a service that helps you understand if you are using your AWS services well. It does this by looking at 72 different best practices across 5 total categories, which include Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. All AWS users have access to 7 of those best practices, while Business Support and Enterprise Support customers have access to all items in all categories. Let’s dive in to each category to see what is there and what is missing.
A category that is near and dear to our hearts here at ParkMyCloud, the Cost Optimization category includes items related to the following services:
- EC2 – Reserved Instance purchase recommendations, underutilized VMs, Reserved Instance lease expirations
- Load Balancers – idle LBs
- EBS – Underutilized volumes
- Elastic IP – unassociated addresses
- RDS – Idle databases
- Route 53 – Inefficient latency record sets
- Redshift – Underutilized clusters
This list includes many of the services that are often the most expensive line items in an AWS account, but doesn’t take into account a large percentage of the AWS services available. Also, these recommendations only provide links to other AWS documentation that might help you solve the problem, as opposed to a service like ParkMyCloud that provides both the recommendations and ability to take the action of shutting down idle instances or resizing those instances for you.
This category caters more towards production instances, as it aims to make sure the performance of your applications is not hindered due to overutilization (as opposed to the Cost Savings category above, which is focused more on underutilization). This includes:
- EC2 – highly-utilized VMs, large number of security group rules (per instance or per security group)
- EBS – SSD volume configuration, overutilized magnetic volumes, EC2 to EBS throughput
- Route 53 – alias record sets
- Cloudfront – CDN optimization, header forwarding, cache hit ratio, alternate domain names
This category is one of the weakest in terms of services supported, so you may want to factor that in if you’re trying to make sure your production applications are performing well on alternative AWS services.
The security checks of AWS Trusted Advisor will look at the following items:
- Security Groups – Unrestricted ports, unrestricted access, RDS access risk
- IAM – Use of Roles/Users, key rotation, root account MFA, password policy
- S3 – Bucket permissions
- CloudTrail – logging use
- Route 53 – MX and SPF record sets
- ELB – Listener security, Security groups
- Cloudfront – Custom SSL certificates, certificates on the origin server
- Access keys – Exposed keys
- Snapshots – EBS public snapshots, RDS public snapshots
Security is a tough category to get right, as almost every one of these needs to be reviewed for your business needs. While this isn’t an exhaustive list of security considerations, it certainly helps your organization cover the basics and prevent some “I can’t believe we did that” moments.
One of the main benefits of the cloud that often gets overlooked is the use of distributed resources to increase fault tolerance for your services. These items in the fault tolerance category are focused on increasing the redundancy and availability of your applications. They include:
- EBS – Snapshots
- EC2 – Availability Zone balance
- Load Balancer – optimization
- VPN Tunnel – redundancy
- Auto Scaling Groups – general ASG usage, health check
- RDS – backups, multi-AZ configuration
- S3 – bucket logging, bucket versioning
- Route 53 – Name server delegations, record sets with high TTL or failover resources, deleted health checks
- ELB – connection draining, cross-zone load balancing
- Direct Connect – Connection / location / virtual interface redundancy
- Aurora DB – instance accessibility
- EC2 Windows – EC2Config agent age, PV driver versions, ENA driver versions, NVMe driver versions
Overall, this turns out to be a great list of AWS services that can really make sure your production applications have minimal downtime and minimal latency. Additionally, some services like snapshots and versioning, help with recovering from problems in a timely fashion.
One of the hidden limitations that AWS puts on each account is a limit of how many resources you can spin up at any given time. This makes sense for AWS, so they don’t have new users unintentionally (or intentionally!) perform a DOS for other users. These service limits can be increased if you ask nicely, but this is one of the few places where you can actually see if you’re coming close. The services covered are:
- Route 53
Verdict: Helpful, But Not Game-Changing
While these checks and advice from AWS Trusted Advisor certainly help AWS users see ways to improve their usage of AWS, the lack of one-click-action makes these recommendations just that – recommendations. Someone still has to go verify the recommendations and take the actions, which means that in practice, a lot of this gets left as-is. That said, while I wouldn’t suggest upgrading your support just for Trusted Advisor, it certainly can provide value if you’re already on Business Support or Enterprise Support.