Refreshed AWS Trusted Advisor Offers Several Free Checks
AWS has recently integrated the AWS Trusted Advisor into the AWS Management Console and made four checks (one service limit check and three security checks) available at no charge. Additional checks from the security, performance, fault tolerance and cost optimization categories remain part of the Business and Enterprise support tiers.
As previously covered, the AWS Trusted Advisor "monitors provisioned AWS services and makes a series of actionable recommendations" regarding best practices (mostly referred to as "checks") in the following categories:
- Cost Optimization – recommendations that can potentially save money by highlighting unused AWS resources and opportunities to reduce cost
- Fault Tolerance – recommendations that help increase the resiliency of AWS solutions by highlighting redundancy shortfalls, current service limits, and overutilized resources
- Performance – recommendations that can help to improve speed and responsiveness of AWS solutions
- Security – identification of security settings that could make using AWS solutions less secure
Checks follow a traffic light scheme from green through yellow (investigation recommended) to red (action recommended). More details are available for each check, including a "description of the recommended best practice, a set of alert criteria, guidelines for action, and a list of useful resources on the topic".
AWS is now making one performance and three security checks available for free, covering the following aspects:
- Service Limits – checks for usage that is more than 80% of the service limit
- MFA on Root Account – checks the root account and warns if multi-factor authentication (MFA) is not enabled
- IAM Use – checks whether AWS Identity and Access Management (IAM) is being used at all, i.e. whether any IAM users have been created instead of working with the root account credentials
- Security Groups - Specific Ports Unrestricted – checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports
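To make concrete what the Security Groups check flags, the following is an added example written for this review, not AWS code and not code from the original article. It applies the same kind of grading to a constructed document shaped like `aws ec2 describe-security-groups` output. The red/yellow/green split by port follows the check's published alert criteria as the editor understands them and should be treated as an assumption, as should the sample groups; the example also goes slightly beyond the check described here by treating the IPv6 wildcard `::/0` as unrestricted alongside `0.0.0.0/0`.

```python
import ipaddress

# Ports the example grades red when exposed to the world; other ports grade
# yellow, except the common web/mail ports, which grade green.
# ASSUMPTION: this mirrors the published alert criteria of the
# "Security Groups - Specific Ports Unrestricted" check as the editor
# understands them; confirm against the current check description.
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
GREEN_PORTS = {25, 80, 443, 465}
SEVERITY = {"green": 0, "yellow": 1, "red": 2}

# Constructed sample shaped like describe-security-groups output; not real data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0b7c8d9e", "GroupName": "legacy-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. a /0 prefix in either address family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Port range a rule opens, or None for protocols without ports (e.g. icmp)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # "all traffic": every port of every protocol
        return range(0, 65536)
    if proto not in ("tcp", "udp"):
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def grade_ports(ports):
    """Worst status over a port range: red beats yellow beats green."""
    if any(p in ports for p in RED_PORTS):
        return "red"
    if all(p in GREEN_PORTS for p in ports):
        return "green"
    return "yellow"


def evaluate_group(sg):
    """One finding per rule that is open to the world on a port-bearing protocol."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_sources = [c for c in sources if is_unrestricted(c)]
        ports = rule_ports(perm)
        if not open_sources or ports is None:
            continue                  # restricted source, or no ports to grade
        findings.append({
            "group": sg["GroupId"],
            "protocol": perm["IpProtocol"],
            "ports": (ports.start, ports.stop - 1),
            "sources": open_sources,
            "status": grade_ports(ports),
        })
    return findings


def group_status(sg):
    """Overall colour of a group: the worst of its findings, green if none."""
    findings = evaluate_group(sg)
    if not findings:
        return "green"
    return max((f["status"] for f in findings), key=SEVERITY.__getitem__)


def summarize(groups):
    return {sg["GroupId"]: group_status(sg) for sg in groups}


if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        print(sg["GroupId"], sg["GroupName"], group_status(sg))
        for f in evaluate_group(sg):
            print("   ", f["status"], f["protocol"], f["ports"], f["sources"])
```

Note that a world-open port 80 or 443 grades green and so never surfaces in the dashboard; the check is about ports that should not be public, not about whether a web tier should be public at all, so it does not replace a review of what each group is attached to.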
It's worth noting that six more security checks remain unavailable for free (including trivial ones such as whether an IAM password policy is enabled and meets the recently expanded requirements), so customers continue to pay for more extensive security monitoring. This contrasts with AWS' usual practice of offering even complex value-adding services such as AWS CloudFormation and AWS Elastic Beanstalk for free and charging only for the underlying commodity services (Amazon EC2, Amazon S3 etc.).
Current Trusted Advisor features include a dashboard that surfaces the "most recent changes over the past 30 days" at the top and allows excluding items at the resource level to suppress future notifications. So-called "Action Links" provide direct hyperlinks to the potentially offending resource in the AWS Management Console.
Trusted Advisor only provides notifications as weekly emails to a maximum of three recipients. While AWS emphasizes that this feature is "totally free", other AWS services usually avoid such restrictions by integrating with AWS’ own Amazon SNS service instead, which lets users choose the communication channel and the number of recipients themselves; the cost this incurs is negligible given Amazon SNS’s pay-as-you-go commodity pricing (including a notable free tier).
AWS Trusted Advisor checks "are periodically refreshed without user action, but the interval can vary considerably"; checks can also be refreshed manually, roughly every five minutes "on average". For integration into applications, checks can also be queried programmatically through the AWS Support API, though this is likewise only available with Business and Enterprise-level support plans.
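As an added illustration of the programmatic path (example code written for this review, not AWS sample code and not from the original article), the helper below reads check results through the Support API and publishes anything non-green to an Amazon SNS topic, which is the self-service notification route the previous paragraph contrasts with the three-recipient weekly email. It assumes a Business or Enterprise support plan, the boto3 SDK, and a hypothetical topic ARN supplied by the caller; the check IDs, metadata columns and result payload in the sample are constructed so that the parsing and formatting can be exercised offline.

```python
# Constructed excerpt shaped like describe_trusted_advisor_checks output.
# Check IDs and metadata column names are made up for this example.
SAMPLE_CHECKS = {"checks": [
    {"id": "chk-mfa-example", "name": "MFA on Root Account", "category": "security",
     "description": "constructed", "metadata": []},
    {"id": "chk-sg-example", "name": "Security Groups - Specific Ports Unrestricted",
     "category": "security", "description": "constructed",
     "metadata": ["Region", "Security Group Name", "Security Group ID",
                  "Protocol", "Port", "Status"]},
]}

# Constructed excerpt shaped like describe_trusted_advisor_check_result output.
# Resource statuses are "ok", "warning" or "error"; isSuppressed marks items
# excluded from the dashboard at the resource level.
SAMPLE_RESULT = {"result": {
    "checkId": "chk-sg-example", "timestamp": "2014-05-01T00:00:00Z", "status": "error",
    "resourcesSummary": {"resourcesProcessed": 3, "resourcesFlagged": 2,
                         "resourcesIgnored": 0, "resourcesSuppressed": 1},
    "flaggedResources": [
        {"status": "error", "region": "us-east-1", "resourceId": "sg-0d4e5f6a",
         "isSuppressed": False,
         "metadata": ["us-east-1", "db", "sg-0d4e5f6a", "tcp", "3306", "Red"]},
        {"status": "warning", "region": "us-east-1", "resourceId": "sg-0d4e5f6a",
         "isSuppressed": False,
         "metadata": ["us-east-1", "db", "sg-0d4e5f6a", "tcp", "22", "Yellow"]},
        {"status": "warning", "region": "eu-west-1", "resourceId": "sg-0b7c8d9e",
         "isSuppressed": True,
         "metadata": ["eu-west-1", "legacy-open", "sg-0b7c8d9e", "tcp", "8080", "Yellow"]},
    ],
}}

ACTIONABLE = {"warning", "error"}


def check_ids_by_name(checks_payload, wanted_names):
    """Map human-readable check names to the IDs the result API keys on."""
    by_name = {c["name"]: c["id"] for c in checks_payload["checks"]}
    missing = set(wanted_names) - by_name.keys()
    if missing:
        raise KeyError(f"unknown check name(s): {sorted(missing)}")
    return {name: by_name[name] for name in wanted_names}


def actionable_resources(result_payload):
    """Flagged resources that are yellow/red and not suppressed by the user."""
    return [res for res in result_payload["result"].get("flaggedResources", [])
            if res["status"] in ACTIONABLE and not res.get("isSuppressed", False)]


def format_message(check, result_payload):
    """Return (subject, body) for SNS, or None when nothing needs attention."""
    r = result_payload["result"]
    items = actionable_resources(result_payload)
    if not items:
        return None
    columns = check.get("metadata", [])
    lines = [f"{check['name']}: {r['status']} "
             f"({len(items)} resource(s) flagged, as of {r['timestamp']})"]
    for res in items:
        # Pair each metadata value with its column name from the check definition.
        detail = (", ".join(f"{k}={v}" for k, v in zip(columns, res["metadata"]))
                  if columns else ", ".join(res["metadata"]))
        where = f"{res.get('region') or 'global'} {res.get('resourceId') or ''}".strip()
        lines.append(f"- [{res['status']}] {where}: {detail}")
    subject = f"[Trusted Advisor] {check['name']}: {r['status']}"[:100]  # SNS subject limit
    return subject, "\n".join(lines)


def publish_findings(topic_arn, check_names, language="en"):
    """Fetch live results and publish non-green checks to an SNS topic.

    Requires boto3 and a Business/Enterprise support plan; the Support API is
    served from us-east-1 regardless of where the resources live.
    """
    import boto3  # imported here so the pure helpers above stay usable offline
    support = boto3.client("support", region_name="us-east-1")
    sns = boto3.client("sns")
    checks_payload = support.describe_trusted_advisor_checks(language=language)
    checks = {c["name"]: c for c in checks_payload["checks"]}
    published = []
    for name, check_id in check_ids_by_name(checks_payload, check_names).items():
        result = support.describe_trusted_advisor_check_result(checkId=check_id,
                                                               language=language)
        msg = format_message(checks[name], result)
        if msg:
            sns.publish(TopicArn=topic_arn, Subject=msg[0], Message=msg[1])
            published.append(name)
    return published


if __name__ == "__main__":
    subject, body = format_message(SAMPLE_CHECKS["checks"][1], SAMPLE_RESULT)
    print(subject)
    print(body)
```

Scheduling this from cron or a small worker gives per-check, per-run notifications to as many SNS subscribers as needed; a refresh can be requested first with `refresh_trusted_advisor_check`, subject to the five-minute cadence mentioned above.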
The integration of Trusted Advisor into the AWS Management Console brings fine-grained access control via new AWS Identity and Access Management (IAM) permissions in a dedicated "trustedadvisor" namespace. This does not yet apply to the API, which remains controlled by the existing "support" namespace until the legacy AWS Support Center is "discontinued during 2014".
More information about AWS Trusted Advisor is available as part of the respective AWS Support resources, including pricing and a FAQ as well as the user guide and API reference. Support for the Support API itself is provided via the AWS Support API forum.