Management of AWS Trusted Advisor
Trying to ensure that your AWS infrastructure remains optimized at all times can be a daunting task. By the very nature of AWS, your infrastructure is likely to be very fluid with the different resources used across your entire AWS account. As this infrastructure grows within your organization, the management of it can get harder and harder. How can you ensure that you are deploying your resources in the best way to ensure your costs are kept low, you're not over or under-provisioning instances, that your security is tight and that you are implementing the correct level of resiliency should a failure occur? The simple answer would be to use AWS Trusted Advisor.
The main function of AWS Trusted Advisor is to recommend improvements across your AWS account to help optimize and hone your environment based on AWS best practices. These recommendations cover four distinct categories:
- Cost Optimization - which helps to identify ways in which you could optimize your resources
- Performance - this scans your resources to highlight any potential performance issues across multiple services
- Security - this category analyses your environment for any potential security weaknesses or vulnerabilities
- Fault Tolerance - which suggests best practices to maintain service operations by increasing resiliency, should a fault or incident occur across your resources
This course dives into the service to explain how it works and how you can use it to benefit your AWS account.
- Understand the purpose and benefits of AWS Trusted Advisor
- Learn how to navigate the AWS Trusted Advisor Console
- Understand how to use AWS Trusted Advisor to optimize your AWS resources and account
- Understand how to take actionable steps with AWS Trusted Advisor to improve your AWS infrastructure
- Learn how to configure different methods of granting access to AWS Trusted Advisor using IAM policies
- Understand how Amazon CloudWatch can monitor and react to changes within AWS Trusted Advisor
This course would be of benefit to:
- Security Professionals & Security Auditors
- Systems Engineers and Administrators
- CIO, CTO, IT Managers & Technical Business Leads
- Compliance Managers
- Anyone looking to learn more about AWS Security
This Course Includes
- 6 lectures
- 3 demonstrations
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Hello and welcome to this lecture where I shall be looking at how to review the status of your checks and take action against any findings identified by Trusted Advisor.
Firstly, let me explain the dashboard. When you first go into Trusted Advisor you'll be presented with the four different categories. Beneath each of these categories, there are three icons, these being a tick in a box, a triangle with an exclamation mark, and a circle with an exclamation mark. If any of these icons are gray, it means there are no checks within that category meeting a specific status that the icon represents.
Now, if a check does meet any of these statuses within the category, then the following is represented: the ticked box will become green, meaning no action is necessary; the triangle will become yellow, meaning investigation is required; and the circle will become red, identifying that an item requires immediate action and attention. Next to each of these icons, when active, will be a number, and that number represents the number of checks within that category with that specific status. So, as we can see from this image, I have one check within the performance category that should be investigated, four checks within the security category where no action is required, but I do have one check within this category that requires immediate attention. So, at a very quick glance of the dashboard, I can see that I have a potential security threat that I need to look into immediately.
As mentioned previously, if you don't have an enterprise or business support plan with AWS for your account, like in this example, then you'll not be able to take full advantage of what Trusted Advisor has to offer. However, for this lecture, I will review the six core checks that are freely available to anyone with an AWS account. Let me start by providing an explanation of what each of these checks is and what they are used for, starting with the Service Limit check.
This check sits within the Performance category of Trusted Advisor and is used to assess when a service limit reaches 80% or more. Unfortunately, this doesn't perform checks for all AWS services. It does, however, support the following services and limits. It's important to bear in mind that this list is changing all the time. AWS are constantly evolving and updating their services and so over time, this list will change. For the most accurate and up to date list, please visit the link at the top of the slide. So, if I look at an example from this list, such as Amazon Virtual Private Cloud, we can see that this will monitor the quantities of elements against these thresholds: Elastic IP addresses, you are allowed five EIPs per region; internet gateways, you are allowed five internet gateways per region; and VPCs, again, you are allowed five VPCs per region. As a result, the service limit check will highlight if any of these counts reaches four, which is 80% of five. The advantage of this check is that it gives you enough time to either request an increased limit with AWS, if possible or allowed, or to simply reduce the number of EIPs, internet gateways, or VPCs that you have. This may also force you to undertake some much needed housekeeping of your environment.
Security Groups, Specific Ports Unrestricted. This check and the remaining five free core checks all fall under the Security category of Trusted Advisor. This particular check assesses the security groups that you have configured and checks to see if you have any rules that allow an unrestricted source or destination, such as 0.0.0.0/0. Having an unrestricted rule such as this is not considered a best practice and so you should aim to implement a tighter and more restrictive range, although some ports and protocols are required to have an unrestricted setting, such as HTTP port 80 for web traffic on a web server. With this in mind, the following alert criteria are defined for this check: a green tick when you have access to these ports unrestricted, a red exclamation mark when you have access to the following ports unrestricted, and a yellow exclamation mark when you have access to any other port unrestricted. If you do have security group rules that are exposed and fall within yellow or red status, then it could lead to a security breach, allowing the intrusion of malicious activity within your network and against your resources. When organizations are implementing security at the instance level using security groups, unrestricted access is often given to test or help resolve incidents to identify where a problem might exist, and as a result, the correct and original source or destination are sometimes left exposed without intention.
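To make the alert criteria concrete, here is an added example (not part of the course or of Trusted Advisor itself) that classifies inbound security group rules the way this check does, using the three ports the lecture names: 3389 is red, 22 is yellow, and 80 is green. The sample groups are constructed in the shape of the EC2 describe-security-groups output; adding 443 to the green list and treating "all traffic" as red are assumptions of this example.

```python
# Added example: classify security group rules like the Trusted Advisor
# "Security Groups - Specific Ports Unrestricted" check. Port lists are partial:
# 3389 (red), 22 (yellow) and 80 (green) come from the lecture; 443 is assumed.
UNRESTRICTED = {"0.0.0.0/0", "::/0"}   # sources that mean "anywhere"
RED_PORTS = {3389}                     # immediate action required
GREEN_PORTS = {80, 443}                # web ports expected to be open (443 assumed)
SEVERITY = {None: 0, "green": 1, "yellow": 2, "red": 3}

def rule_status(rule):
    """Return 'green', 'yellow', 'red', or None if the rule is not unrestricted."""
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
              [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    if not UNRESTRICTED.intersection(sources):
        return None                      # restricted source: nothing to flag
    if rule.get("IpProtocol") == "-1":   # "all traffic" has no port range
        return "red"                     # assumption: treat as immediate action
    ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
    if ports & RED_PORTS:
        return "red"
    if ports <= GREEN_PORTS:
        return "green"
    return "yellow"                      # any other port open to the world

def check_security_groups(groups):
    """Worst status per group id, like the findings table under the check."""
    findings = {}
    for sg in groups:
        worst = None
        for rule in sg.get("IpPermissions", []):
            status = rule_status(rule)
            if SEVERITY[status] > SEVERITY[worst]:
                worst = status
        findings[sg["GroupId"]] = worst
    return findings

# Constructed sample data shaped like ec2 describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-rdp", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-ssh", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80,
        "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-fixed", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},  # restricted
]

if __name__ == "__main__":
    print(check_security_groups(SAMPLE_GROUPS))
```

The last group mirrors the remediation shown later in the demonstration: once the RDP rule's source is narrowed to a single IP, the group no longer produces a finding.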
IAM Use. The IAM Use check simply ascertains if you are using Identity and Access Management. It recommends that you should have at least one user created to log in with, instead of operating your AWS account using your root administrator account.
MFA on Root Account. Your root account has administrative level access to your AWS account and as a result, is a very powerful account to use. As such, logging in as the root account should have strict security. Adding multi-factor authentication to your root account helps you protect your AWS account. So, this check simply looks to see if you have activated MFA on your root account.
Amazon EBS Public Snapshots. This check identifies if any of your Elastic Block Store snapshots have been marked as public. When an EBS snapshot is public, it is then accessible to all other AWS accounts and users within those accounts. With access to these snapshots, users can then access the data held within the snapshot. There may be circumstances whereby you need to allow other users or AWS accounts to access specific snapshots. In this case, you should explicitly allow access on a per account or user level rather than exposing all of the data to all accounts by marking it as public.
Amazon RDS Public Snapshots. This check performs exactly the same function as the Amazon EBS public snapshots, but for your RDS snapshots instead of EBS.
I now want to perform a demonstration where I shall provide an overview of the Trusted Advisor dashboard and how to drill down into the issues I identified earlier. Within this demonstration, I will perform the following steps:
- I'll navigate to the AWS Trusted Advisor console and provide an overview of the dashboard
- Drill down into the Trusted Advisor checks
- Identify and rectify any issues that are displayed
- Refresh Trusted Advisor to ensure the issues have been resolved
- Download the status of the checks as an Excel file for offline review
Okay, so I've logged into my AWS account. And as we can see, under Management Tools, we can see Trusted Advisor. So, if I click on that, it will then take me to the Trusted Advisor dashboard. So, this is what you'll see when you first log in. And across the top, we have the four different categories. So, we have Cost Optimization, Performance, Security, and Fault Tolerance. And then, underneath that is a list of checks that I have access to. I don't have the business support or the enterprise support plan and so I've just got the six free core checks on my own personal account. And, we can see at the top here, as I mentioned earlier, I've got investigation recommended under Performance and, on Security, I have action recommended and I have four checks that are absolutely okay with no problems detected. So, I'll look into those shortly.
I just want to take you across to the left side over here. So, we have the four different categories highlighted here as well, and if we click on any one of those, it will take us into that specific category. And here, we can see a list of all the checks that fall in that category. So, in this instance, Cost Optimization. And, if I had the enterprise or business support plan, then all these would be available for me. And similarly for Performance, we have the same thing. We have a list of all the different Performance checks. The only one I have access to is Service Limits. And Security, I have access to five here, but as you can see, there's a lot more with the additional support plan. And then, finally, Fault Tolerance and there's quite a long list in the Fault Tolerance category. So as you can see, there's quite a big difference between what you get for free in the standard and then what you get extra for the business or enterprise support plan.
If we go into Preferences, this just allows you to stay up to date with Trusted Advisor's statuses, and you can set up weekly emails here with Cost Savings Estimates, etc.
So, if we go back to the dashboard, I explained that I have a couple of alerts here that I'd like to look into. And, we can see here under recommended actions the checks that these are related to. So, we have a yellow status for Service Limits and a red status for Security Groups, Specific Ports Unrestricted. So, as this is a high priority, I want to take a look at this, so I can click on the arrow to the left there and it'll drop down and give me a lot more information. It gives me a description of what the check is about and also it gives me the alert criteria and the recommended action to take. And if we look at this table at the bottom, we can see exactly what issues I have within my security groups.
So, I have two security groups here. One of them is a yellow warning and the other is a red. So, we can see here, if we look at the port numbers that the red one is using port 3389. And if we look at the alert criteria, we can see that if 3389 is unrestricted, it will set it to red. And then, for the yellow alert, it's port 22. And yellow here says access to any other port is unrestricted. So, it doesn't fall into the green or the red category, so it's yellow. So, we need to take a look at those and try and make those a bit more restrictive. So, we can use this action link here, so there's a couple of hyperlinks that will take us straight to the security group. So, if we look at this one first, click on the action link, and that takes me straight to the security group.
If I look at the inbound rules, and we can see here that it's using port 3389 with source of anywhere, which is why it's picked it up. So, if we go into Edit, and for the sake of this demonstration, I'll just say change that source just to my IP. Click on Save. Now, if we go back to Trusted Advisor, and take a look at the second security group, we can see here that this is also of any source as well. So, if we edit that, I'll delete that rule. Say my IP, so restricting that. Okay. Now, if we go back to Trusted Advisor, and then now, I can refresh this check using this button here or I can refresh all of the checks by using this one here. But I just want to refresh the security groups to see if that has resolved our issue. And there you go. Our Security Groups Specific Ports Unrestricted is now green, so that's no longer an issue, which is great.
So, now, if we look at Service Limits to see what the problem is here. Again, the alert criteria is usage is more than 80% of the service limit. So, we can have a look to see what's affected and here we can see it's our VPCs. We can see in region US-East-1, we have a limit amount of five and we're currently using four. So, I have two choices here. I can either request an increased limit and if I click on the action link there, it will take me to create a case to increase a service limit. However, I'm not going to do that for this demonstration. What I will do is delete one of my VPCs, so I'll reduce it from 4 to 3 and that should clear this check.
So, if I go across to my VPC, I'm in the right region, click on my VPCs, select a VPC to delete, click on CloudAcademy, and I shall delete that VPC. So, now, if we go back to Trusted Advisor, and I refresh this check, that should also come up green. Excellent, and there we have it.
So, we now have all of our checks green, which means there's no action necessary. And we could see at the top here as well, we no longer have the red alert on under Security and we no longer have the yellow alert under Performance. So, you can see that it's very easy to identify any issues that you have within your dashboard and it's very quick and easy to drill down into each of the checks and understand which resource or resources are affected. And using those action links helps you to remediate the problem very quickly.
And there's one more thing I wanted to show you, and it's the fact that you can download this information within the dashboard into an Excel file. And you can either download it on a per check basis, see here's a download button for each check, or you can download all the checks that you have using this button at the top here. So, let me do that and show you what that looks like.
Okay, so once you have that opened, you can see that there's a different tab for every check that we have. And if we look at Service Limits, for example, we can see the region, the service, the limit name, the limit amount, and the current usage. So, we had an issue with our VPCs where in US-East-1, we had a current usage of 4, which gave me a warning, and then I reduced it to 3 and then that changed the status back to green. So, these spreadsheets just give you the same information from within the console, but downloaded so you can review offline and pass it around to different teams, etc., to take a look at what's happening within your account.
And that's essentially it for the Trusted Advisor dashboard. There's not much more to it than that. Like I say, just have your different categories and your checks and you can drill down into your checks and remediate any problems you have and that's it.
That now brings me to the end of this lecture. Coming up in the next lecture, I'll be discussing how to control access at different levels to Trusted Advisor.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.