AWS Trusted Advisor Best Practices
This course looks at how you can use AWS Trusted Advisor to help you follow and implement some best practices and recommendations across your AWS environment within your organization. We'll cover the Trusted Advisor console, and how to use the service to enhance your AWS resources, account, and infrastructure.
If you have any feedback relating to this course, feel free to contact us at firstname.lastname@example.org.
In this course, you will learn:
- The purpose and benefits of Trusted Advisor
- How to navigate the Trusted Advisor Console
- How to use Trusted Advisor to optimize your AWS resources and account
- How to take actionable steps with Trusted Advisor to improve your AWS infrastructure
- Security Professionals & Security Auditors
- Systems Engineers and Administrators
- Compliance Managers
To get the most out of this course, you should have a basic understanding of some of the core services, such as IAM.
Hello, and welcome to this lecture, where we shall be looking at how to review the status of your checks and take action against any findings identified by Trusted Advisor.
Firstly, let me explain the dashboard. When you first go into Trusted Advisor, you'll be presented with the five different categories. Beneath each of these categories, there are three icons, these being a tick, a triangle with an exclamation mark, and a circle with an exclamation mark. If any of these icons are grey, it means there are no checks within that category that have met an alert criteria to activate the icon. In this screenshot, the reason that so many of the icons are grey will be that my personal AWS account is not covered by a business or enterprise support plan, and so those checks are locked, as explained in the previous lecture.
If a check does meet the criteria within the category, then one of the following will be presented. The tick box may become green, meaning no action is necessary for the check that has been reviewed; the triangle may become yellow, meaning investigation required; and the circle may become red, identifying an item that requires immediate action and attention. Next to each of these icons when active will be a number, and that number represents the number of checks within that category with a specific status. So as we can see from this image, I have one check within the service limits category that should be investigated as a priority, and five checks within the security category where no action is required, but I do have one check within this category that requires investigation. So from a very quick glance of the dashboard, I can see that I have a potential security threat that I need to look into, in addition to being very close to a service limitation that I need to check immediately, as it could potentially cause a production issue.
As mentioned previously, if you don't have an enterprise or business support plan with AWS for your account, like in my example, then you will not be able to take full advantage of what Trusted Advisor has to offer. However, for this lecture I will review the six core checks that are freely available to anyone with an AWS account. Plus, I shall take a look at some of the service limit checks that are available.
For every check that Trusted Advisor provides, it will provide four pieces of information. A description of the check and why it is used. The alert criteria, and this shows the conditions under which a check has given a green, no action necessary status, a yellow, investigation required status, or a red, immediate action required status. Recommended action. This gives a high-level suggestion on the steps and actions that you could take to remediate any findings, based upon a yellow or red alert criteria. And additional resources. This highlights additional reading material for you to learn more about the topics being discussed, and this usually refers to AWS documentation or white papers.
Let me now take a look at the free checks under the security category in more detail.
Security groups, specific ports unrestricted. So this particular check assesses the security groups that you have configured, and checks to see if you have any rules that allow an unrestricted source or destination, such as 0.0.0.0/0. Having unrestricted rules such as this is not considered a best practice, as it is considered a security risk. And so you should aim to implement a tighter and more restrictive IP address range. However, some ports and protocols might be required to have an unrestricted setting, such as HTTP for web traffic on a web server.
If you do have any security group rules that are exposed and fall within a yellow or red alert criteria, then it could lead to a security breach, allowing the intrusion of malicious activity within your network and against your resources. When organizations are implementing security at the instance level using security groups, unrestricted access is often given to test or to help resolve incidents, to help identify where a problem might exist, and as a result, the correct and original source and destinations are sometimes left exposed without intention. Trusted Advisor can help you identify these security groups, to make the necessary changes.
By selecting this check, I can drill down into the different security groups that have triggered the yellow or red status. As you can see from the screenshot, I have 13 security groups that should be investigated. You may also notice that the security groups listed have hyperlinks associated, and this will allow me to quickly select the security group, which will take me directly to the configuration page to change or modify the security group and make any alterations. If upon investigation I consider this security group is configured correctly for the use intended, then I can choose to exclude the security group from any further reviews relating to this check. I just simply need to mark the security groups, and then select exclude and refresh. And this will remove the selected security group from any further reviews carried out by this particular check. To then view the excluded items, I can just change the view from the included items to excluded items. I can then move these security groups back to the included group at any time.
IAM use. The IAM use check simply ascertains if you're using the Identity and Access Management service.
It recommends that you should have at least one user created to log in with, instead of operating and managing your AWS account using your root administrator account, which has the highest level of security privileges available.
MFA on root account. Your root account has administrative level access to your AWS account. As a result, it is a very powerful account to use. And as such, logging in as the root account should have additional levels of authentication, in addition to a password, to verify the account. Adding multi-factor authentication, MFA, to your root account helps you protect your AWS account, so this check simply looks to see if you have activated MFA on your root account. MFA uses a random six-digit number that is only available for a very short period of time before the number changes again, which is generated by an MFA device. There is no additional charge for this level of authentication, however, you will need your own MFA device, which can be a physical token or a virtual device. AWS provides a summary of all supported devices found here. Personally, I use Google Authenticator on my phone, because it is simple and easy to set up and configure. Before a user can authenticate with MFA, it must be configured and associated to the user from within IAM.
Amazon EBS Public Snapshots. This check identifies if any of your Elastic Block Store snapshots have been marked as public. When an EBS snapshot is public, it is then accessible to all other AWS accounts and users within those accounts. With access to these snapshots, users can then access the data held within the snapshot. There may be circumstances where you need to allow other users or AWS accounts access to specific snapshots. If this is the case, then you should mark the snapshot as private, and explicitly allow access on a per AWS account/user level, rather than exposing all of the data to all accounts by marking it as public.
For information on the Elastic Block Store service, please see our existing course here.
Amazon RDS Public Snapshots. This check performs exactly the same function as the Amazon EBS Public Snapshots check, but for your RDS snapshots instead of EBS. For more information on Amazon RDS, please see our existing course here.
Service limit category checks. The checks within this category are used to assess when a service limit reaches 80% or more. Unfortunately, this doesn't perform checks on all AWS services. As a recap from our previous lecture, it does support the following services and limits. It's important to bear in mind that this list is changing all the time. AWS are constantly evolving and updating their services, and so over time, this list will change. For the most accurate and up-to-date list, please visit the link shown.
If I look at a service from this list, such as Amazon Virtual Private Cloud, we can see that it will monitor the service limits of three different features relating to VPCs. These being elastic IP addresses, internet gateways and VPCs. So for each of these services or service features, you are allowed five per region. As a result, the service limit check will highlight if any of these thresholds get to four, which is 80%. The advantage of having this check is that it gives you enough time to either request an increased limit with AWS, if possible or allowed, or choose to simply reduce the number of EIPs, internet gateways or VPCs that you have. This may also force you to undertake some much needed housekeeping of your environment.
I now want to perform a demonstration where I shall provide an overview of the Trusted Advisor dashboard, and how to drill down into the issues or identified area.
Within this demonstration, I will perform the following steps: navigate to AWS Trusted Advisor, provide an overview of the dashboard, drill down into the Trusted Advisor checks, identify and rectify the issues that are displayed, and refresh Trusted Advisor to ensure the issues have been resolved. And then I'll download the status of the checks as an Excel file for offline review.
Okay, so I'm in my AWS Management Console, and if I scroll down to the management and governance section here, I'll be able to see Trusted Advisor just here. So if I select Trusted Advisor, that will take me to the Trusted Advisor dashboard, which we can see here. Now we have our five categories: our cost optimization, performance, security, fault tolerance, and service limits. Now as I explained previously, I don't have the enterprise or business support plans, so I'll just have access to the free checks that are available. So there are six in security, and then all of the service limit checks. Now down here, the recommended actions, this will show all of the checks that I have access to. So it will be the six on the security and the 49 service limit checks here, and it will list them here. Now it'll list them in a priority. So at the top here it has listed the one for action recommended, and then we have our investigation recommended here, and then we have lots of checks that are all absolutely fine. So there's two items that I really need to check. Now here we can see, we have the orange triangle, with one investigation recommended, and over here, and more importantly, we have one where the action is recommended. So we have an issue with a service limit and also a security issue as well. So let's take a look at each of these to see if we can rectify them, or the actions that we should take to try and rectify them.
So firstly, the VPC. So let's break this out a little bit to take a look. So we can see here that this check checks for usage that is more than 80% of the VPC limit.
Now on our alert criteria, we can see that if it's yellow, then 80% of it has been reached, and it turns red if a hundred percent of the limit is reached. So that tells me straight away that I'm unable to add any more VPCs in a specific region, because I'm at a red alert and I've reached the maximum limit. So if I scroll down, I'll be able to see exactly what region this is in, and we can see at the top here. So we have a red alert for the VPC service in EU West one. The limit amount was five and my current usage is five. So I can do two things. I can request a limit increase, and we can see here under recommended action that if I click on request a limit increase, then it will take me straight to the support center page, where I can then request a service limit increase for the VPC. Or alternatively, I can go to my VPC configuration in the EU West one Region and delete one of my VPCs. So if I swap over to VPC, and I'm in the region of EU West one, which as we know is where we have the issue, I can see here that I have my five VPCs. So if I wanted to reduce these, I can simply select any of the VPCs that I want, and then go to actions and delete VPC, and that will take me down to four, which would be 80%, and I would come off the red alert, but I would go into the yellow because I would be at 80%. So like I say, you can either delete VPCs to reduce the current usage down to a four, three, two, whatever you need to, or request a limit increase if you do need all of these VPCs and would likely be needing more in that region. So that's how we'd resolve the VPC check.
Next up, we have our security groups, specific ports unrestricted, at an investigation required level. So let's take a look at this. So this, as we know, checks for any rules that allow unrestricted access to specific ports.
And if we look at the alert criteria, we're at a yellow, so we have a security group that provides access to any other port that is unrestricted, that doesn't fall into either the red or green categories. So let's take a look at some of the VPCs that it's detected. So I can see here that 10 of the 44 security groups that I have are meeting the investigation required category. So let's go ahead and take a look at one of these security groups. Let me just pick this one for example, so I can select on the security group name, and it will take me straight to the configuration of that security group. Now, if we look at the details, if we look at the inbound rules, we can see there that this is allowing SSH on port 22 from anywhere inbound, and the outbound rules are very open as well. So what we could do, we could edit these inbound rules, and change this from anywhere to just allow my IP address, and then save rules. Then if we go to the outbound, and say edit outbound rules, and again set the destination to only my IP address. If we save that.
Now, if we go back to our Trusted Advisor, so as the launch, was it a security group name? So let me just highlight that check. Now what I want to do is just refresh this check, to see if that is still an issue or to see if it has been resolved. So I can select the security group in question, and go up to the check, and then say, refresh this check. So let's do that now. Now we want to see if this is still an issue or if it's been resolved. So as we can see, it's doing a current refresh at the moment. Okay, so that's refreshed, and we can see that that security group is no longer in the list, so we resolved the issue. So basically, I just went into the security group and removed the unrestricted access that it was granting from both the source and destination.
Now I could do the same for each of the rest of these security groups. I can go into them, alter the settings if need be, or leave them as they were, if that is how they were intended to be. And if they were supposed to have the open access and it's not an issue, then I can simply select the checks and then select exclude and refresh again. Now, I can't do this straight away because you have to wait five minutes before each refresh, but in another four minutes' time, I will be able to simply exclude these from this check and they would move into the excluded items list.
Okay, now the last thing I want to show you is how to download the status of all the checks to an Excel file that you can then view offline. So at the top right-hand of the screen here, if you click on this download arrow, this will then download an Excel spreadsheet, and if we open that up, we can see here there's a tab for every check, and it will print out the details for each of those checks, to allow you to view all of these issues offline outside of the management console. So here we have the security groups, specific ports unrestricted check that we looked at just a moment ago, and we can see that we have all of the security groups that still have problems, the security group IDs, and also the protocol, status, et cetera. So that's just another way of viewing your results of Trusted Advisor offline, out of the management console.
So that's a very quick overview of the Trusted Advisor dashboard, the different categories and the checks, and how to look into some of those issues if you do have any alerts or investigation that's required, and how to resolve them.
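The security groups, specific ports unrestricted check described in the lecture can be reproduced offline against exported security group data. The following is an added example, not part of the course and not Trusted Advisor's own code: the function names are hypothetical, the sample groups are constructed, and the green and red port lists are an assumption taken from AWS's published alert criteria for this check (the lecture itself only says that any other unrestricted port is yellow).

```python
# Added example, not Trusted Advisor's own logic.
# Port lists: assumption, copied from AWS's published alert criteria for this check.
GREEN_PORTS = {25, 80, 443, 465}
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
# The lecture names only 0.0.0.0/0; ::/0 is added here as the IPv6 equivalent.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
SEVERITY = {"green": 0, "yellow": 1, "red": 2}


def is_unrestricted(perm):
    """True if any source range on the rule covers every address."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in OPEN_CIDRS for c in cidrs)


def rule_status(perm):
    """Status of one inbound rule; None when the source is restricted."""
    if not is_unrestricted(perm):
        return None
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols and ports, red ports included
        return "red"
    if proto not in ("tcp", "udp"):         # e.g. icmp: no port numbers to compare
        return "yellow"
    ports = range(perm["FromPort"], perm["ToPort"] + 1)
    if any(p in ports for p in RED_PORTS):  # a range is as bad as its worst port
        return "red"
    if all(p in GREEN_PORTS for p in ports):
        return "green"
    return "yellow"


def audit(groups):
    """Map GroupId -> worst status across its inbound rules (green if none open)."""
    result = {}
    for g in groups:
        statuses = [s for s in map(rule_status, g.get("IpPermissions", [])) if s]
        result[g["GroupId"]] = max(statuses, key=SEVERITY.get, default="green")
    return result


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
def _rule(proto, lo, hi, cidr):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}

SAMPLE_GROUPS = [
    {"GroupId": "sg-ssh-anywhere", "IpPermissions": [_rule("tcp", 22, 22, "0.0.0.0/0")]},
    {"GroupId": "sg-web", "IpPermissions": [_rule("tcp", 443, 443, "0.0.0.0/0")]},
    {"GroupId": "sg-wide-range", "IpPermissions": [_rule("tcp", 3000, 4000, "0.0.0.0/0")]},
    {"GroupId": "sg-ssh-office", "IpPermissions": [_rule("tcp", 22, 22, "203.0.113.10/32")]},
]

if __name__ == "__main__":
    for gid, status in audit(SAMPLE_GROUPS).items():
        print(gid, status)
```

The SSH-from-anywhere group lands in yellow, matching the demonstration, while the wide port range is red because it spans ports from the red list.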
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 140,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.