
Monitoring AWS Trusted Advisor with Amazon CloudWatch





Trying to ensure that your AWS infrastructure remains optimized at all times can be a daunting task. By the very nature of AWS, your infrastructure is likely to be very fluid with the different resources used across your entire AWS account.  As this infrastructure grows within your organization, the management of it can get harder and harder. How can you ensure that you are deploying your resources in the best way to ensure your costs are kept low, you're not over or under-provisioning instances, that your security is tight and that you are implementing the correct level of resiliency should a failure occur? The simple answer would be to use AWS Trusted Advisor.

The main function of AWS Trusted Advisor is to recommend improvements across your AWS account to help optimize and hone your environment based on AWS best practices. These recommendations cover four distinct categories:

  • Cost Optimization - which helps to identify ways in which you could optimize your resources
  • Performance - this scans your resources to highlight any potential performance issues across multiple services
  • Security - this category analyses your environment for any potential security weaknesses or vulnerabilities
  • Fault Tolerance - which suggests best practices to maintain service operations by increasing resiliency, should a fault or incident occur across your resources

This course dives into the service to explain how it works and how you can use it to benefit your AWS account.

Learning Objectives

  • Understand the purpose and benefits of AWS Trusted Advisor
  • Learn how to navigate the AWS Trusted Advisor Console
  • Understand how to use AWS Trusted Advisor to optimize your AWS resources and account
  • Understand how to take actionable steps with AWS Trusted Advisor to improve your AWS infrastructure
  • Learn how to configure different methods of granting access to AWS Trusted Advisor using IAM policies
  • Understand how Amazon CloudWatch can monitor and react to changes within AWS Trusted Advisor

Intended Audience

This course would be of benefit to:

  • Security Professionals & Security Auditors
  • Systems Engineers and Administrators
  • CIO, CTO, IT Managers & Technical Business Leads
  • Compliance Managers
  • Anyone looking to learn more about AWS Security


I recommend that you have a basic understanding and awareness of AWS and common services. It would also be advantageous if you have an understanding of IAM Policies, although this is not essential.

This Course Includes

  • 6 lectures
  • 3 demonstrations


If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Resources used within this lecture:

CloudWatch Event Samples

Hello, and welcome to this lecture, where I want to show you and explain how you can use Amazon CloudWatch to monitor and react to changes within AWS Trusted Advisor.

It's possible to use Amazon CloudWatch Events to monitor a change of status of a Trusted Advisor check. Based on this change, Amazon CloudWatch can then trigger a response to the event via one of the following mechanisms: Amazon Inspector Template, Kinesis Stream, Lambda Function, SNS Topic, SQS Queue, SSM Automation, SSM Run Command, and Step Functions State Machine. Using CloudWatch Events in this way allows you to take appropriate actions as a change of check status happens, allowing you to implement a proactive and automated response to potential issues within your infrastructure and across your resources.

For those unfamiliar with creating CloudWatch Events, they are comprised of three main elements.

  1. Event. Events within CloudWatch signify a change within your AWS environment and infrastructure. These events are not just related to Trusted Advisor. For example, an event could also be a change of status to an instance such as "terminated" or "shut down", or the launch of a new instance from an auto scaling policy. There are many events that can happen across your AWS environment, and a full list of these events can be found here.
  2. Targets. Targets are the component that processes the CloudWatch Events in a JSON format. These targets can be an Amazon Inspector Template, Kinesis Stream, Lambda Function, SNS Topic, SQS Queue, SSM Automation, SSM Run Command, and Step Functions State Machine.
  3. Rules. Rules sit between Events and Targets and are used to route Events to one or more Targets for processing.

Now that we have a high-level understanding of the different components of CloudWatch Events, I want to demonstrate how to configure these within CloudWatch. Within this demonstration I will:

  • Navigate to Amazon CloudWatch
  • Create a new rule in Events
  • Build an event pattern
  • Specify a pre-configured SNS target to process the event

Also, to make full use of this feature the Business or Enterprise support plan is required. However, I will show you how to configure it all within CloudWatch.

OK, so I've logged into my AWS account, and I want to go across to CloudWatch, and then from here on the left-hand side, I shall go down to Events. And then here we create a new rule. Now this is where we start creating the rule, and building out an event pattern to match events by service. We want to make sure we have the Event Pattern selected here rather than Schedule, so make sure you have Event Pattern selected on the radio button, and then down on the Service Name, you want to select Trusted Advisor.

Now one thing to bear in mind here is that the Trusted Advisor service name isn't available in all regions. So, for example, we're in the N. Virginia region, at the minute, but if I change to the Ireland Region, for example, and I tried to type in Trusted Advisor here, it's not found. It's not in the list. So that is region dependent. So it's just something to bear in mind, so if I head back to N. Virginia, and enter Trusted Advisor.

Now I'm down to Event Type. Now we can either create this based on All Events or just when the Check Item Refresh Status changes. So, let's select that. So we want to be aware every time the status of a check changes. Now we can select Any Status or a specific status or Statuses. So we have Error, Info, OK and Warning. For this demonstration, I'll just leave it as Any Status. And then we can have Any Check or a specific check. And like I say, to make use of this feature here, we need to have the premium support, which is either the Business or Enterprise Package. So if you do have either of those packages, then you can select the specific check, and then use this dropdown to select a specific check from the 50 plus checks that exist. So we'll just select Any Check for this demonstration. And you can also base it on Any Resources, or indeed, a specific resource that you wanted, and you'd just put in the resource ID there.

Once you have configured the Build Event Pattern, we then need to add a Target, so that every time the pattern is matched, it will invoke this target. And here there's a number of items that we can have. For this demonstration, I'm just going to pick an SNS Topic. And I created the topic earlier called Trusted Advisor. And that simply has an email address attached to it, so every time this rule is matched, it will invoke this SNS Topic and I will get an email. Once you set your Target, then go to Configure Details at the bottom right. Give it a name and a description. And then you can set this rule to be enabled or disabled. Set it to enabled. Click Create Rule. And there we go.

Here's the list of all the Rules I have, but this is the rule that we just created. So if I have the Business or Enterprise Support plan, every time a check state changed, I'd get a notification with an email, telling me that the status changed, and then I can investigate straight away. And that's it.

That now brings me to the end of this lecture. Coming up next, I shall summarize the key points throughout the previous lectures of this course.
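The event pattern that the console builds from the selections in the demonstration can also be written out and checked offline. The following is an added example, not code from the course: it builds the pattern for "Any status" or a narrowed set of statuses, then runs a simplified exact-match evaluator over constructed sample events to show which ones the rule would route to the SNS topic. The field names and status strings ("ERROR", "WARN", "OK") follow AWS's published Trusted Advisor sample events and are assumptions not shown on this page; the resource IDs are placeholders.

```python
import json

def build_pattern(statuses=None, check_names=None, resource_ids=None):
    """Rule pattern for check status changes; None means "Any" as in the console."""
    pattern = {
        "source": ["aws.trustedadvisor"],
        "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    }
    chosen = {"status": statuses, "check-name": check_names, "resource_id": resource_ids}
    detail = {field: list(values) for field, values in chosen.items() if values}
    if detail:
        pattern["detail"] = detail
    return pattern

def matches(pattern, event):
    """Exact-value subset of rule matching: each pattern key must be present in
    the event, and a list leaf matches when the event's value is in the list."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not (isinstance(have, dict) and matches(want, have)):
                return False
        elif have not in want:
            return False
    return True

def ta_event(check, status, resource_id):
    """Constructed sample event (placeholder resource IDs, not real output)."""
    return {"source": "aws.trustedadvisor",
            "detail-type": "Trusted Advisor Check Item Refresh Notification",
            "detail": {"check-name": check, "status": status, "resource_id": resource_id}}

SAMPLES = [
    ta_event("Security Groups - Specific Ports Unrestricted", "ERROR", "sg-EXAMPLE1"),
    ta_event("Low Utilization Amazon EC2 Instances", "WARN", "i-EXAMPLE2"),
    ta_event("MFA on Root Account", "OK", "root-EXAMPLE"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-EXAMPLE2", "state": "terminated"}},
]

def routed(pattern):
    """(check name, status) of each sample the rule would send to its target."""
    return [(e["detail"]["check-name"], e["detail"]["status"])
            for e in SAMPLES if matches(pattern, e)]

if __name__ == "__main__":
    print(json.dumps(build_pattern(statuses=["ERROR", "WARN"]), indent=2))
    print(routed(build_pattern(statuses=["ERROR", "WARN"])))
```

Narrowing the status list keeps the email target from firing on every refresh that returns to OK, while the "Any status" pattern from the demonstration forwards all three Trusted Advisor samples and ignores the EC2 state-change event.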

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 90+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.