
Controlling access to AWS Trusted Advisor





Trying to ensure that your AWS infrastructure remains optimized at all times can be a daunting task. By the very nature of AWS, your infrastructure is likely to be very fluid with the different resources used across your entire AWS account.  As this infrastructure grows within your organization, the management of it can get harder and harder. How can you ensure that you are deploying your resources in the best way to ensure your costs are kept low, you're not over or under-provisioning instances, that your security is tight and that you are implementing the correct level of resiliency should a failure occur? The simple answer would be to use AWS Trusted Advisor.

The main function of AWS Trusted Advisor is to recommend improvements across your AWS account to help optimize and hone your environment based on AWS best practices. These recommendations cover four distinct categories:

  • Cost Optimization - which helps to identify ways in which you could optimize your resources
  • Performance - this scans your resources to highlight any potential performance issues across multiple services
  • Security - this category analyses your environment for any potential security weaknesses or vulnerabilities
  • Fault Tolerance - which suggests best practices to maintain service operations by increasing resiliency, should a fault or incident occur across your resources

This course dives into the service to explain how it works and how you can use it to benefit your AWS account.

Learning Objectives

  • Understand the purpose and benefits of AWS Trusted Advisor
  • Learn how to navigate the AWS Trusted Advisor Console
  • Understand how to use AWS Trusted Advisor to optimize your AWS resources and account
  • Understand how to take actionable steps with AWS Trusted Advisor to improve your AWS infrastructure
  • Learn how to configure different methods of granting access to AWS Trusted Advisor using IAM policies
  • Understand how Amazon CloudWatch can monitor and react to changes within AWS Trusted Advisor

Intended Audience

This course would be of benefit to:

  • Security Professionals & Security Auditors
  • Systems Engineers and Administrators
  • CIO, CTO, IT Managers & Technical Business Leads
  • Compliance Managers
  • Anyone looking to learn more about AWS Security


I recommend that you have a basic understanding and awareness of AWS and common services. It would also be advantageous if you have an understanding of IAM policies, although this is not essential.

This Course Includes

  • 6 lectures
  • 3 demonstrations


If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Resources used within this lecture:

Controlling Access to the Trusted Advisor Console

Hello, and welcome to this lecture, where I want to focus on how to create different policies to grant varied levels of access to AWS Trusted Advisor.

You may have different teams or departments that are responsible for managing and maintaining different elements of your environment, or specific resources or resource types. As part of this operational support, you may need a number of people from different teams to have different privileges within Trusted Advisor, giving them awareness of the specific checks that are available and the status of those checks against resources.

Within your organization, you should always be thinking about security. Therefore it makes sense to restrict access to Trusted Advisor, to only the areas that are required by those who need it.

I want to show you, in a varied demonstration, how to assign permissions that provide the following levels of access, using both AWS managed and custom managed policies.

  • Starting with Full Access. This is a simple policy, that can be applied to your users who will require access to everything that Trusted Advisor and your support plan allows.
  • Next I'll move on to looking at a policy that only allows Read-Only Access.
  • Following this, I want to show you how to create a policy that restricts access against specific categories. And in the demonstration, I will show you how to allow access only to the security category.
  • If you need to restrict access even further, down to specific checks, I'll then show you how to create a policy to do just that. I will create a policy allowing access to only the IAM Use and MFA on Root Account checks.
  • Lastly, I will demonstrate how you can even restrict access at an action level, where I will create a policy that has full access, but I'll explicitly deny the action of being able to refresh the status of the checks.

Let me now show you the demonstration.

Okay, so I've logged into my AWS account, and I'm going to go down to IAM, which is under Security, Identity & Compliance. And I want to create a new policy, to assign to some users. What I need to do is go across to policies on the left. And the first policy I want to talk about is the Full Access to Trusted Advisor. Now, there are a couple of ways to do this. You can use the AWS managed policies. So the Administrator access will give you Full Access to Trusted Advisor, along with Full Access to all of the services as well. So, we can see here that within this policy, if we go down this list, you can see that Trusted Advisor is given Full access. Like I say, with this policy, Administrator access also gives you Full Access to all the other services as well. And it's a similar thing with the Read-Only as well. So, if we do a search for Read-Only Access, there's another AWS managed policy here, entitled Read-Only Access. And if we have a look at that, that will give you Read-Only Access to all the AWS services, which also includes Trusted Advisor here. And you can see that it gives you these describe permissions. But, like I say, it also gives you Read-Only Access to all the other services as well.

If you just wanted to grant Full Access to Trusted Advisor or Read-Only Access to Trusted Advisor, then I suggest you create your own policies. Now, it's very easy to do. If you click on create policy up here in the blue. Create your own policy. Just give the policy a name, so TA-Full-Access. Full Access to Trusted Advisor. And then here in the policy document, we can write our JSON Script, to give the relevant information. And what I've done, I've already written all this out so I'll just paste it in, just to make it a little bit easier and quicker for the demonstration. And, if we look at this policy, we can see the effect of allow, the action is everything within Trusted Advisor, and against all resources. Now, if we go down to the bottom right, click on validate policy. We can see that this policy is valid. So, it's a very simple policy that simply allows all actions of Trusted Advisor, against every resource. That's Full Access. Click on create policy. And there we have it, so our policy's been created.

Now let's move on to the next policy, Read-Only Access. So, again, create policy, create your own policy. TA-Read-Only. Give it a description. And again, I'll paste in the policy. And it's very similar to the previous one. But what we have here under the action is only the describe actions within Trusted Advisor. So effectively, just Read-Only, rather than everything. Click on validate policy. The policy's valid. So again, a very simple policy that allows only the describe actions within Trusted Advisor, to give Read-Only Access against all resources. Create policy. Okay, so now I've created two policies, one for Full Access and one for Read-Only.

Now, the next one I want to look at is restricting access by category, for when you only want to give someone access to the performance category, or the security category. So, let's create a policy now that is restricted to only the security category within Trusted Advisor. So, they won't be able to access cost optimization, performance or fault tolerance. So, if we go to create policy, create your own policy. Give this a name, TA-Category. Give it a description. And again, we'll paste in the document. And what we have here again is the effect of allow, all actions within Trusted Advisor. But instead of all resources, we have the ARN (Amazon Resource Name) of just the Trusted Advisor security checks. Now, if you wanted to change security to something else, we could change it to performance. But for this demonstration, I'm going to leave it as security. We can even add in another line, and add performance in as another category, if you wanted to have access to two categories, or even three. Go down to validate policy. Policy is valid. So, this policy will simply allow access to only the security checks within Trusted Advisor. Click on create policy.

Now, the next policy I want to create will allow you to restrict access down to specific checks within the category. So the previous policy I just created allowed access to everything within the security category. But now I want to drill down into that even further and only allow access to two particular checks. So, if we go to create policy, again create your own policy. TA-Checks. Give it a description. Again, paste in the document. So here we have the effect of allow, all actions within Trusted Advisor. But on the resource we have two different ARNs. And if we have a look, here's my account number, checks, security. And these codes are specific to different checks within Trusted Advisor. Now, there is a link to get all these different codes from AWS. I'll just show you quickly here. We can see the category, the title and also the check ID. So it's these codes here that I'm using. Now I'll add a link to this URL within the transcription of this lecture. So, I'll make sure you can get that link as well. So what I have here is two different checks. One that will allow access to MFA on root account, and another that will check for IAM use. So, if we go down to validate policy. We see the policy is valid, click on create policy.

Now the final policy I want to create, is a Full Access policy, but I want to deny the action of being able to refresh the data. So, let's go ahead and create a new policy. Give it a title. Paste in the policy. And what we have here is an effect of allow, with an action of everything to do with Trusted Advisor, against all resources. But then further down we have a deny effect against the following action within Trusted Advisor, which is the refresh check, against all resources. So we should have Full Access to everything within Trusted Advisor, but it would deny us refreshing the check status. So, if we validate policy. Click on create policy.
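The five policies described in this demonstration, written out together with a small offline evaluator that shows how each one resolves a request. This is an added example, not the policy documents pasted in the lecture: the account ID, the check IDs, the region and the name TA-Deny-Refresh are placeholders, and the evaluator is a simplification of IAM's identity-policy logic (explicit Deny, then Allow, then implicit deny).

```python
import json
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed account ID
CHECKS = f"arn:aws:trustedadvisor:*:{ACCOUNT}:checks"
# Placeholders: substitute the real check IDs from the AWS check reference.
MFA_ROOT, IAM_USE = "MFA_ROOT_CHECK_ID", "IAM_USE_CHECK_ID"

def policy(*statements):
    """Wrap (effect, actions, resources) tuples in an IAM policy document."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": e, "Action": a, "Resource": r} for e, a, r in statements]}

ALL = ["trustedadvisor:*"]
POLICIES = {
    "TA-Full-Access": policy(("Allow", ALL, ["*"])),
    "TA-Read-Only": policy(("Allow", ["trustedadvisor:Describe*"], ["*"])),
    "TA-Category": policy(("Allow", ALL, [f"{CHECKS}/security/*"])),
    "TA-Checks": policy(("Allow", ALL, [f"{CHECKS}/security/{MFA_ROOT}",
                                        f"{CHECKS}/security/{IAM_USE}"])),
    # Hypothetical name; the lecture does not give this policy's title.
    "TA-Deny-Refresh": policy(("Allow", ALL, ["*"]),
                              ("Deny", ["trustedadvisor:RefreshCheck"], ["*"])),
}

def check_arn(category, check_id, region="us-east-1"):
    """Constructed request ARN for one check (region value is arbitrary)."""
    return f"arn:aws:trustedadvisor:{region}:{ACCOUNT}:checks/{category}/{check_id}"

def evaluate(doc, action, resource):
    """Simplified identity-policy logic: explicit Deny > Allow > implicit deny."""
    decision = "ImplicitDeny"
    for s in doc["Statement"]:
        # IAM action names are case-insensitive; resource ARNs are case-sensitive.
        hit = (any(fnmatchcase(action.lower(), a.lower()) for a in s["Action"])
               and any(fnmatchcase(resource, r) for r in s["Resource"]))
        if hit and s["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        if hit:
            decision = "Allow"
    return decision

if __name__ == "__main__":
    print(json.dumps(POLICIES["TA-Deny-Refresh"], indent=2))  # paste-ready JSON
    requests = [("trustedadvisor:DescribeCheckItems", check_arn("security", MFA_ROOT)),
                ("trustedadvisor:RefreshCheck", check_arn("security", IAM_USE)),
                ("trustedadvisor:DescribeCheckItems", check_arn("performance", "OTHER_ID"))]
    for name, doc in POLICIES.items():
        print(name, [evaluate(doc, a, r) for a, r in requests])
```

Running it prints the deny-refresh policy as JSON and then one decision row per policy, which makes the difference between an implicit deny (nothing allowed the request) and the explicit Deny on the refresh action visible side by side.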

Now what I want to do quickly, is just show you the last policy I just created. So, I'll assign that policy to a user. I'll then login as that user, and show you how that deny action works, against the refresh check.

Okay, so I've logged back into my AWS account, where I've created a user and assigned the permissions that allows Full Access to Trusted Advisor, but denies the permission to refresh the status of the checks. Let me go into Trusted Advisor, to see if that's worked.

Okay, so I've come into the dashboard. Now, let me try and do a refresh of the status. So let me try this top individual check first, by clicking on the refresh this check button. And we see that we have a message pop up here, and it says welcome to the Trusted Advisor console. A limited number of checks are available in this free version, as we know. And it says the Trusted Advisor console uses IAM policies for better security and flexibility. And here it says some of your actions are currently restricted by these policies. Contact the account owner or administrator, if you need help. And we can see that this is still trying to refresh. And, it will never complete, simply because we denied the action. And that's why we got this message here. It's simply stating that some of our actions are currently restricted by IAM policies. So, we can see that that deny action has worked. And if I was to do the same on the other checks, I'd get the same message as well, simply stating that it's not possible. And there you go. So, that shows that the policy that we created allows the access to Trusted Advisor, but denies the action of refresh.

That now brings me to the end of this lecture. Coming up next, I want to explain how you can use Amazon CloudWatch in conjunction with AWS Trusted Advisor, to respond to the change of state to different checks.

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 90+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.