AWS Trusted Advisor Cheat sheet


This cheat sheet is designed to provide you with a concise and practical overview of AWS Trusted Advisor and is also part of my AWS Certified DevOps Engineer exam guide that contains all the details on how to prepare for this exam.

AWS Trusted Advisor groups its checks into six categories:

  • Cost optimization
  • Performance
  • Security
  • Fault tolerance
  • Service limits
  • Operational Excellence

For each category I have a cheat sheet listing all the checks, each with a short description of what the check does.

Cost Optimization check reference

Check Name | Description
AWS Account Not Part of AWS Organizations | Identifies accounts not part of AWS Organizations for better management and consolidated billing.
Amazon Comprehend Underutilized Endpoints | Detects underutilized Amazon Comprehend endpoints to optimize costs.
Amazon EBS Over-Provisioned Volumes | Identifies EBS volumes that are over-provisioned to reduce costs.
Amazon EC2 Instances Consolidation for Microsoft SQL Server | Recommends consolidating EC2 instances running Microsoft SQL Server to optimize usage.
Amazon EC2 Instances Over-Provisioned for Microsoft SQL Server | Identifies over-provisioned EC2 instances running Microsoft SQL Server to reduce costs.
Amazon EC2 Instances Stopped | Detects stopped EC2 instances to avoid unnecessary charges.
Amazon EC2 Reserved Instance Lease Expiration | Alerts on upcoming Reserved Instance lease expirations to plan renewals.
Amazon EC2 Reserved Instance Optimization | Recommends purchasing Reserved Instances to save on long-term costs.
Amazon ECR Repository Without Lifecycle Policy Configured | Identifies ECR repositories without lifecycle policies to manage image retention.
Amazon ElastiCache Reserved Node Optimization | Suggests purchasing Reserved Nodes for ElastiCache to save costs.
Amazon OpenSearch Service Reserved Instance Optimization | Recommends Reserved Instances for OpenSearch Service to reduce costs.
Amazon RDS Idle DB Instances | Identifies idle RDS instances to optimize costs.
Amazon Redshift Reserved Node Optimization | Suggests purchasing Reserved Nodes for Redshift to save costs.
Amazon Relational Database Service (RDS) Reserved Instance Optimization | Recommends Reserved Instances for RDS to reduce costs.
Amazon Route 53 Latency Resource Record Sets | Recommends using latency-based routing to improve application performance and availability.
Amazon S3 Bucket Lifecycle Policy Configured | Suggests configuring lifecycle policies for S3 buckets to manage storage costs.
Amazon S3 Incomplete Multipart Upload Abort Configuration | Identifies S3 buckets without abort policies for incomplete multipart uploads to save costs.
Amazon S3 Version-Enabled Buckets Without Lifecycle Policies Configured | Detects version-enabled S3 buckets without lifecycle policies to manage storage costs.
AWS Lambda Functions with Excessive Timeouts | Identifies Lambda functions with excessive timeouts to optimize performance and costs.
AWS Lambda Functions with High Error Rates | Detects Lambda functions with high error rates to improve reliability.
AWS Lambda Over-Provisioned Functions for Memory Size | Identifies Lambda functions over-provisioned for memory to reduce costs.
AWS Well-Architected High Risk Issues for Cost Optimization | Highlights high-risk issues from AWS Well-Architected reviews related to cost optimization.
Idle Load Balancers | Detects load balancers with low traffic to reduce unnecessary costs.
Low Utilization Amazon EC2 Instances | Identifies EC2 instances with low utilization to help reduce costs.
Savings Plan | Recommends Savings Plans to save on long-term costs.
Unassociated Elastic IP Addresses | Identifies Elastic IP addresses that are not associated with any running instance.
Underutilized Amazon EBS Volumes | Detects underutilized EBS volumes to optimize storage costs.
Underutilized Amazon Redshift Clusters | Identifies underutilized Redshift clusters to optimize costs.
AWS Trusted Advisor Cost Optimization checks cheat sheet

Performance checks reference

Check Name | Description
Amazon Aurora DB Cluster Under-Provisioned for Read Workload | Identifies Aurora DB clusters that are under-provisioned for read workloads to optimize performance.
Amazon DynamoDB Auto Scaling Not Enabled | Detects DynamoDB tables without auto-scaling enabled to ensure performance under varying loads.
Amazon EBS Optimization Not Enabled | Identifies EC2 instances that do not have EBS optimization enabled to improve I/O performance.
Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration | Checks if provisioned IOPS volumes are attached to instances that can fully utilize them.
Amazon EBS Under-Provisioned Volumes | Identifies EBS volumes that are under-provisioned for their workload to ensure performance.
Amazon EC2 Auto Scaling Group is Not Associated with a Launch Template | Ensures Auto Scaling groups are using launch templates for better configuration management.
Amazon EC2 to EBS Throughput Optimization | Recommends optimizing EC2 to EBS throughput for better performance.
EC2 Virtualization Type is Paravirtual | Identifies instances using paravirtual (PV) instead of hardware virtual machine (HVM) for better performance.
Amazon ECS Memory Hard Limit | Ensures ECS tasks have memory hard limits set to prevent overcommitment.
Amazon EFS Throughput Mode Optimization | Recommends optimizing EFS throughput mode for better performance.
Amazon RDS Autovacuum Parameter is Turned Off | Detects RDS instances with autovacuum turned off to ensure database performance.
Amazon RDS DB Clusters Support Only Up to 64 TiB Volume | Alerts on RDS DB clusters that support only up to 64 TiB volume to plan for scaling.
Amazon RDS DB Instances in the Clusters with Heterogeneous Instance Classes | Identifies RDS clusters with heterogeneous instance classes to ensure uniform performance.
Amazon RDS DB Instances in the Clusters with Heterogeneous Instance Sizes | Detects RDS clusters with heterogeneous instance sizes to ensure uniform performance.
Amazon RDS DB Memory Parameters are Diverging from Default | Identifies RDS instances with memory parameters diverging from default to optimize performance.
Amazon RDS Enable_Indexonlyscan Parameter is Turned Off | Ensures the enable_indexonlyscan parameter is turned on for better query performance.
Amazon RDS Enable_Indexscan Parameter is Turned Off | Ensures the enable_indexscan parameter is turned on for better query performance.
Amazon RDS General_Logging Parameter is Turned On | Detects RDS instances with general logging turned on to reduce unnecessary logging overhead.
Amazon RDS InnoDB_Change_Buffering Parameter Using Less Than Optimum Value | Identifies suboptimal InnoDB change buffering settings to improve performance.
Amazon RDS Innodb_Open_Files Parameter is Low | Ensures the innodb_open_files parameter is set to a higher value for better performance.
Amazon RDS Innodb_Stats_Persistent Parameter is Turned Off | Ensures the innodb_stats_persistent parameter is turned on for better performance.
Amazon RDS Instance Under-Provisioned for System Capacity | Identifies RDS instances that are under-provisioned for their workload to ensure performance.
Amazon RDS Magnetic Volume is in Use | Detects RDS instances using magnetic volumes to recommend switching to SSD for better performance.
Amazon RDS Parameter Groups Not Using Huge Pages | Ensures RDS parameter groups are configured to use huge pages for better performance.
Amazon RDS Query Cache Parameter is Turned On | Detects RDS instances with query cache turned on to reduce unnecessary caching overhead.
Amazon RDS Resources Instance Class Update is Required | Alerts on RDS instances that require an instance class update for better performance.
Amazon RDS Resources Major Versions Update is Required | Identifies RDS instances that require a major version update to ensure performance and security.
Amazon RDS Resources Using End of Support Engine Edition Under License-Included | Detects RDS instances using end-of-support engine editions to plan for updates.
Amazon Route 53 Alias Resource Record Sets | Recommends using alias resource record sets for better performance and cost efficiency.
AWS Lambda Under-Provisioned Functions for Memory Size | Identifies Lambda functions that are under-provisioned for memory to ensure performance.
AWS Lambda Functions Without Concurrency Limit Configured | Ensures Lambda functions have concurrency limits configured to prevent throttling.
AWS Well-Architected High Risk Issues for Performance | Highlights high-risk issues from AWS Well-Architected reviews related to performance.
CloudFront Alternate Domain Names | Recommends configuring alternate domain names for CloudFront distributions to improve performance.
CloudFront Content Delivery Optimization | Suggests optimizations for CloudFront distributions to improve content delivery performance.
CloudFront Header Forwarding and Cache Hit Ratio | Recommends optimizing header forwarding settings to improve CloudFront cache hit ratio.
High Utilization Amazon EC2 Instances | Identifies EC2 instances with high utilization to ensure performance and plan for scaling.
AWS Trusted Advisor Performance checks cheat sheet

Security checks reference

Check Name | Description
Amazon CloudWatch Log Group Retention Period | Ensures CloudWatch log groups have a retention period set to avoid indefinite data storage.
Amazon EC2 Instances with Microsoft SQL Server End of Support | Identifies EC2 instances running Microsoft SQL Server that are no longer supported.
Amazon EC2 Instances with Microsoft Windows Server End of Support | Detects EC2 instances running Microsoft Windows Server that are no longer supported.
Amazon EC2 Instances with Ubuntu LTS End of Standard Support | Identifies EC2 instances running Ubuntu LTS versions that are no longer supported.
Amazon EFS Clients Not Using Data-in-Transit Encryption | Detects EFS clients not using encryption for data in transit to enhance security.
Amazon EBS Public Snapshots | Identifies EBS snapshots that are publicly accessible to prevent unauthorized access.
Amazon RDS Aurora Storage Encryption is Turned Off | Ensures Aurora storage encryption is enabled to protect data at rest.
Amazon RDS Engine Minor Version Upgrade is Required | Recommends upgrading RDS engine minor versions to ensure security and performance.
Amazon RDS Public Snapshots | Detects RDS snapshots that are publicly accessible to prevent unauthorized access.
Amazon RDS Security Group Access Risk | Identifies RDS security groups with overly permissive access to enhance security.
Amazon RDS Storage Encryption is Turned Off | Ensures RDS storage encryption is enabled to protect data at rest.
Amazon Route 53 Mismatching CNAME Records Pointing Directly to S3 Buckets | Detects mismatching CNAME records pointing to S3 buckets to prevent security risks.
Amazon Route 53 MX Resource Record Sets and Sender Policy Framework | Ensures MX records have proper SPF records to prevent email spoofing.
Amazon S3 Bucket Permissions | Checks for publicly accessible S3 buckets to prevent unauthorized access.
Amazon S3 Server Access Logs Enabled | Ensures server access logging is enabled for S3 buckets to track access requests.
Amazon VPC Peering Connections with DNS Resolution Disabled | Identifies VPC peering connections with DNS resolution disabled to enhance connectivity.
AWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery Points | Ensures backup vaults have policies to prevent deletion of recovery points.
AWS CloudTrail Logging | Ensures CloudTrail is enabled for auditing AWS account activity.
AWS Lambda Functions Using Deprecated Runtimes | Identifies Lambda functions using deprecated runtimes to ensure security and support.
AWS Well-Architected High Risk Issues for Security | Highlights high-risk issues from AWS Well-Architected reviews related to security.
CloudFront Custom SSL Certificates in the IAM Certificate Store | Recommends using ACM for managing SSL certificates instead of IAM.
CloudFront SSL Certificate on the Origin Server | Ensures SSL certificates are configured on the origin server for secure communication.
ELB Listener Security | Checks ELB listeners for secure configurations to prevent vulnerabilities.
ELB Security Groups | Ensures ELB security groups are properly configured to restrict access.
Exposed Access Keys | Identifies exposed access keys to prevent unauthorized access.
IAM Access Key Rotation | Recommends rotating IAM access keys regularly to reduce security risks.
IAM Password Policy | Ensures IAM password policies enforce strong password requirements.
MFA on Root Account | Ensures Multi-Factor Authentication is enabled on the root account for enhanced security.
Security Groups – Specific Ports Unrestricted | Identifies security groups with unrestricted access on specific ports to enhance security.
Security Groups – Unrestricted Access | Detects security groups with unrestricted access to prevent unauthorized access.
AWS Trusted Advisor Security checks cheat sheet

Fault tolerance checks reference

Check Name | Description
ALB Multi-AZ | Ensures Application Load Balancers are deployed across multiple Availability Zones.
Amazon Aurora MySQL Cluster Backtracking Not Enabled | Identifies Aurora MySQL clusters without backtracking enabled to enhance data recovery.
Amazon Aurora DB Instance Accessibility | Ensures Aurora DB instances are accessible and properly configured for fault tolerance.
Amazon CloudFront Origin Failover | Recommends configuring origin failover for CloudFront distributions to improve availability.
Amazon Comprehend Endpoint Access Risk | Identifies Comprehend endpoints with access risks to enhance security and availability.
Amazon DocumentDB Single AZ Clusters | Detects DocumentDB clusters deployed in a single AZ to recommend multi-AZ deployment.
Amazon DynamoDB Point-in-time Recovery | Ensures DynamoDB tables have point-in-time recovery enabled for data protection.
Amazon DynamoDB Table Not Included in Backup Plan | Identifies DynamoDB tables not included in a backup plan to ensure data protection.
Amazon EBS Not Included in AWS Backup Plan | Ensures EBS volumes are included in a backup plan for data protection.
Amazon EBS Snapshots | Recommends taking regular EBS snapshots to protect against data loss.
Amazon EC2 Auto Scaling Does Not Have ELB Health Check Enabled | Ensures Auto Scaling groups have ELB health checks enabled for better instance management.
Amazon EC2 Auto Scaling Group Has Capacity Rebalancing Enabled | Ensures Auto Scaling groups have capacity rebalancing enabled for better fault tolerance.
Amazon EC2 Auto Scaling Is Not Deployed in Multiple AZs or Does Not Meet the Minimum Number of AZs | Ensures Auto Scaling groups are deployed across multiple AZs for high availability.
Amazon EC2 Availability Zone Balance | Ensures EC2 instances are balanced across multiple AZs for fault tolerance.
Amazon EC2 Detailed Monitoring Not Enabled | Recommends enabling detailed monitoring for EC2 instances to improve visibility and management.
Amazon ECS AWSLogs Driver in Blocking Mode | Identifies ECS services using the AWSLogs driver in blocking mode to recommend non-blocking mode.
Amazon ECS Service Using a Single AZ | Detects ECS services deployed in a single AZ to recommend multi-AZ deployment.
Amazon ECS Multi-AZ Placement Strategy | Ensures ECS services use a multi-AZ placement strategy for high availability.
Amazon EFS No Mount Target Redundancy | Identifies EFS file systems without redundant mount targets to enhance availability.
Amazon EFS Not in AWS Backup Plan | Ensures EFS file systems are included in a backup plan for data protection.
Amazon ElastiCache Multi-AZ Clusters | Ensures ElastiCache clusters are deployed across multiple AZs for high availability.
Amazon ElastiCache Redis Clusters Automatic Backup | Ensures automatic backups are enabled for ElastiCache Redis clusters for data protection.
Amazon MemoryDB Multi-AZ Clusters | Ensures MemoryDB clusters are deployed across multiple AZs for high availability.
Amazon MSK Brokers Hosting Too Many Partitions | Identifies MSK brokers hosting too many partitions to recommend rebalancing.
Amazon OpenSearch Service Domains with Less Than Three Data Nodes | Ensures OpenSearch Service domains have at least three data nodes for fault tolerance.
Amazon RDS Backups | Ensures RDS instances have automated backups enabled for data protection.
Amazon RDS DB Clusters Have One DB Instance | Identifies RDS DB clusters with only one instance to recommend adding more instances.
Amazon RDS DB Clusters with All Instances in the Same Availability Zone | Detects RDS DB clusters with all instances in the same AZ to recommend multi-AZ deployment.
Amazon RDS DB Clusters with All Reader Instances in the Same Availability Zone | Ensures RDS DB clusters have reader instances spread across multiple AZs for high availability.
Amazon RDS DB Instance Enhanced Monitoring Not Enabled | Recommends enabling enhanced monitoring for RDS instances to improve visibility and management.
Amazon RDS DB Instances Have Storage Autoscaling Turned Off | Ensures RDS instances have storage autoscaling enabled for better capacity management.
Amazon RDS DB Instances Not Using Multi-AZ Deployment | Identifies RDS instances not using multi-AZ deployment to recommend high availability configuration.
Amazon RDS DiskQueueDepth | Monitors RDS instances for high disk queue depth to ensure performance and availability.
Amazon RDS FreeStorageSpace | Ensures RDS instances have sufficient free storage space to avoid disruptions.
Amazon RDS Log_Output Parameter is Set to Table | Detects RDS instances with log_output set to table to recommend switching to file for better performance.
Amazon RDS Innodb_Default_Row_Format Parameter Setting is Unsafe | Identifies unsafe settings for the innodb_default_row_format parameter to recommend safer configurations.
Amazon RDS Innodb_Flush_Log_At_Trx_Commit Parameter is Not 1 | Ensures the innodb_flush_log_at_trx_commit parameter is set to 1 for data durability.
Amazon RDS Max_User_Connections Parameter is Low | Identifies RDS instances with low max_user_connections to recommend increasing the limit.
Amazon RDS Multi-AZ | Ensures RDS instances are using multi-AZ deployment for high availability.
Amazon RDS Not in AWS Backup Plan | Ensures RDS instances are included in a backup plan for data protection.
Amazon RDS Read Replicas are Open in Writable Mode | Detects RDS read replicas that are open in writable mode to recommend read-only configuration.
Amazon RDS Resource Automated Backups is Turned Off | Ensures automated backups are enabled for RDS instances for data protection.
Amazon RDS Sync_Binlog Parameter is Turned Off | Ensures the sync_binlog parameter is turned on for data durability in RDS instances.
RDS DB Cluster Has No Multi-AZ Replication Enabled | Identifies RDS DB clusters without multi-AZ replication to recommend high availability configuration.
RDS Multi-AZ Standby Instance Not Enabled | Ensures RDS instances have a standby instance in another AZ for high availability.
Amazon RDS ReplicaLag | Monitors RDS read replicas for high replication lag to ensure performance and availability.
Amazon RDS Synchronous_Commit Parameter is Turned Off | Ensures the synchronous_commit parameter is turned on for data durability in RDS instances.
Amazon Redshift Cluster Automated Snapshots | Ensures automated snapshots are enabled for Redshift clusters for data protection.
Amazon Route 53 Deleted Health Checks | Identifies deleted health checks in Route 53 to recommend reconfiguration.
Amazon Route 53 Failover Resource Record Sets | Ensures failover resource record sets are configured in Route 53 for high availability.
Amazon Route 53 High TTL Resource Record Sets | Identifies high TTL resource record sets in Route 53 to recommend lower TTL for faster failover.
Amazon Route 53 Name Server Delegations | Ensures proper name server delegations in Route 53 for DNS reliability.
Amazon Route 53 Resolver Endpoint Availability Zone Redundancy | Ensures Route 53 resolver endpoints are deployed across multiple AZs for high availability.
Amazon S3 Bucket Logging | Ensures logging is enabled for S3 buckets to track access and changes.
Amazon S3 Bucket Replication Not Enabled | Identifies S3 buckets without replication enabled to recommend cross-region replication for data protection.
Amazon S3 Bucket Versioning | Ensures versioning is enabled for S3 buckets to protect against accidental deletions.
Application, Network, and Gateway Load Balancers Not Spanning Multiple Availability Zones | Ensures load balancers are deployed across multiple AZs for high availability.
Auto Scaling Available IPs in Subnets | Ensures Auto Scaling groups have sufficient available IPs in subnets for scaling.
Auto Scaling Group Health Check | Ensures Auto Scaling groups have proper health checks configured for instance replacement.
Auto Scaling Group Resources | Ensures Auto Scaling groups have sufficient resources for scaling and high availability.
AWS CloudHSM Clusters Running HSM Instances in a Single AZ | Identifies CloudHSM clusters running instances in a single AZ to recommend multi-AZ deployment.
AWS Direct Connect Location Resiliency | Ensures Direct Connect connections are resilient by being deployed in multiple locations.
AWS Lambda Functions Without a Dead-Letter Queue Configured | Ensures Lambda functions have a dead-letter queue configured for error handling.
AWS Lambda On Failure Event Destinations | Ensures Lambda functions have failure event destinations configured for error handling.
AWS Lambda VPC-Enabled Functions Without Multi-AZ Redundancy | Ensures VPC-enabled Lambda functions are deployed across multiple AZs for high availability.
AWS Resilience Hub Application Component Check | Ensures application components meet resilience requirements in AWS Resilience Hub.
AWS Resilience Hub Policy Breached | Identifies breaches in resilience policies in AWS Resilience Hub to recommend remediation.
AWS Resilience Hub Resilience Scores | Monitors resilience scores in AWS Resilience Hub to ensure applications meet resilience requirements.
AWS Resilience Hub Assessment Age | Ensures resilience assessments in AWS Resilience Hub are up-to-date.
AWS Site-to-Site VPN Has at Least One Tunnel in DOWN Status | Identifies VPN connections with at least one tunnel down to recommend troubleshooting.
AWS Well-Architected High Risk Issues for Reliability | Highlights high-risk issues from AWS Well-Architected reviews related to reliability.
Classic Load Balancer Has No Multiple AZs Configured | Ensures Classic Load Balancers are deployed across multiple AZs for high availability.
ELB Connection Draining | Ensures connection draining is enabled for ELBs to allow in-flight requests to complete.
Load Balancer Optimization | Recommends optimizations for load balancers to improve performance and availability.
NAT Gateway AZ Independence | Ensures NAT gateways are deployed independently across multiple AZs for high availability.
Network Load Balancers Cross Load Balancing | Ensures Network Load Balancers are configured for cross-zone load balancing for high availability.
NLB – Internet-Facing Resource in Private Subnet | Identifies internet-facing Network Load Balancers deployed in private subnets to recommend reconfiguration.
NLB Multi-AZ | Ensures Network Load Balancers are deployed across multiple AZs for high availability.
Number of AWS Regions in an Incident Manager Replication Set | Ensures Incident Manager replication sets span multiple AWS regions for high availability.
Single AZ Application Check | Identifies applications deployed in a single AZ to recommend multi-AZ deployment.
VPC Interface Endpoint Network Interfaces in Multiple AZs | Ensures VPC interface endpoints have network interfaces in multiple AZs for high availability.
VPN Tunnel Redundancy | Ensures VPN connections have redundant tunnels for high availability.
ActiveMQ Availability Zone Redundancy | Ensures ActiveMQ brokers are deployed across multiple AZs for high availability.
RabbitMQ Availability Zone Redundancy | Ensures RabbitMQ brokers are deployed across multiple AZs for high availability.
AWS Trusted Advisor Fault tolerance checks cheat sheet

Service limits checks reference

Check Name | Description
Auto Scaling Groups | Monitors the number of Auto Scaling groups against the service limit.
Auto Scaling Launch Configurations | Monitors the number of Auto Scaling launch configurations against the service limit.
CloudFormation Stacks | Monitors the number of CloudFormation stacks against the service limit.
DynamoDB Read Capacity | Monitors the provisioned read capacity units for DynamoDB tables against the service limit.
DynamoDB Write Capacity | Monitors the provisioned write capacity units for DynamoDB tables against the service limit.
EBS Active Snapshots | Monitors the number of active EBS snapshots against the service limit.
EBS Cold HDD (sc1) Volume Storage | Monitors the total storage for EBS Cold HDD (sc1) volumes against the service limit.
EBS General Purpose SSD (gp2) Volume Storage | Monitors the total storage for EBS General Purpose SSD (gp2) volumes against the service limit.
EBS General Purpose SSD (gp3) Volume Storage | Monitors the total storage for EBS General Purpose SSD (gp3) volumes against the service limit.
EBS Magnetic (standard) Volume Storage | Monitors the total storage for EBS Magnetic (standard) volumes against the service limit.
EBS Provisioned IOPS (SSD) Volume Aggregate IOPS | Monitors the aggregate IOPS for EBS Provisioned IOPS (SSD) volumes against the service limit.
EBS Provisioned IOPS SSD (io1) Volume Storage | Monitors the total storage for EBS Provisioned IOPS SSD (io1) volumes against the service limit.
EBS Provisioned IOPS SSD (io2) Volume Storage | Monitors the total storage for EBS Provisioned IOPS SSD (io2) volumes against the service limit.
EBS Throughput Optimized HDD (st1) Volume Storage | Monitors the total storage for EBS Throughput Optimized HDD (st1) volumes against the service limit.
EC2 On-Demand Instances | Monitors the number of EC2 On-Demand instances against the service limit.
EC2 Reserved Instance Leases | Monitors the number of EC2 Reserved Instance leases against the service limit.
EC2-Classic Elastic IP Addresses | Monitors the number of EC2-Classic Elastic IP addresses against the service limit.
EC2-VPC Elastic IP Address | Monitors the number of EC2-VPC Elastic IP addresses against the service limit.
ELB Application Load Balancers | Monitors the number of Application Load Balancers against the service limit.
ELB Classic Load Balancers | Monitors the number of Classic Load Balancers against the service limit.
ELB Network Load Balancers | Monitors the number of Network Load Balancers against the service limit.
IAM Group | Monitors the number of IAM groups against the service limit.
IAM Instance Profiles | Monitors the number of IAM instance profiles against the service limit.
IAM Policies | Monitors the number of IAM policies against the service limit.
IAM Roles | Monitors the number of IAM roles against the service limit.
IAM Server Certificates | Monitors the number of IAM server certificates against the service limit.
IAM Users | Monitors the number of IAM users against the service limit.
Kinesis Shards per Region | Monitors the number of Kinesis shards per region against the service limit.
Lambda Code Storage Usage | Monitors the total storage used by Lambda function code against the service limit.
RDS Cluster Parameter Groups | Monitors the number of RDS cluster parameter groups against the service limit.
RDS Cluster Roles | Monitors the number of RDS cluster roles against the service limit.
RDS Clusters | Monitors the number of RDS clusters against the service limit.
RDS DB Instances | Monitors the number of RDS DB instances against the service limit.
RDS DB Manual Snapshots | Monitors the number of manual snapshots for RDS DB instances against the service limit.
RDS DB Parameter Groups | Monitors the number of RDS DB parameter groups against the service limit.
RDS DB Security Groups | Monitors the number of RDS DB security groups against the service limit.
RDS Event Subscriptions | Monitors the number of RDS event subscriptions against the service limit.
RDS Max Auths per Security Group | Monitors the maximum number of authorizations per RDS security group against the service limit.
RDS Option Groups | Monitors the number of RDS option groups against the service limit.
RDS Read Replicas per Master | Monitors the number of read replicas per master RDS instance against the service limit.
RDS Reserved Instances | Monitors the number of RDS reserved instances against the service limit.
RDS Subnet Groups | Monitors the number of RDS subnet groups against the service limit.
RDS Subnets per Subnet Group | Monitors the number of subnets per RDS subnet group against the service limit.
RDS Total Storage Quota | Monitors the total storage quota for RDS instances against the service limit.
Route 53 Hosted Zones | Monitors the number of Route 53 hosted zones against the service limit.
Route 53 Max Health Checks | Monitors the number of Route 53 health checks against the service limit.
Route 53 Reusable Delegation Sets | Monitors the number of reusable delegation sets in Route 53 against the service limit.
Route 53 Traffic Policies | Monitors the number of Route 53 traffic policies against the service limit.
Route 53 Traffic Policy Instances | Monitors the number of Route 53 traffic policy instances against the service limit.
SES Daily Sending Quota | Monitors the daily sending quota for SES against the service limit.
VPC | Monitors the number of VPCs against the service limit.
VPC Internet Gateways | Monitors the number of VPC internet gateways against the service limit.
AWS Trusted Advisor Service limits checks cheat sheet

Operational Excellence checks reference

Check Name | Description
Amazon API Gateway Not Logging Execution Logs | Ensures API Gateway execution logging is enabled for monitoring and troubleshooting.
Amazon API Gateway REST APIs Without X-Ray Tracing Enabled | Identifies REST APIs without X-Ray tracing enabled to enhance observability.
Amazon CloudFront Access Log Configured | Ensures CloudFront distributions have access logging enabled for monitoring and analysis.
Amazon CloudWatch Alarm Action is Disabled | Detects CloudWatch alarms with actions disabled to ensure proper alerting.
Amazon EC2 Instance Not Managed by AWS Systems Manager | Identifies EC2 instances not managed by AWS Systems Manager for better operational control.
Amazon ECR Repository With Tag Immutability Disabled | Ensures ECR repositories have tag immutability enabled to prevent overwriting images.
Amazon ECS Clusters with Container Insights Disabled | Identifies ECS clusters without Container Insights enabled for enhanced monitoring.
Amazon ECS Task Logging Not Enabled | Ensures ECS tasks have logging enabled for better observability.
Amazon OpenSearch Service Logging CloudWatch Not Configured | Ensures OpenSearch Service domains have logging configured to CloudWatch for monitoring.
Amazon RDS DB Instances in the Clusters with Heterogeneous Parameter Groups | Identifies RDS DB clusters with heterogeneous parameter groups to ensure consistency.
Amazon RDS Enhanced Monitoring is Turned Off | Ensures enhanced monitoring is enabled for RDS instances for better performance insights.
Amazon RDS Performance Insights is Turned Off | Ensures Performance Insights is enabled for RDS instances to monitor database performance.
Amazon RDS Track_Counts Parameter is Turned Off | Ensures the track_counts parameter is enabled for RDS instances to improve performance monitoring.
Amazon Redshift Cluster Audit Logging | Ensures audit logging is enabled for Redshift clusters for security and compliance.
Amazon S3 Does Not Have Event Notifications Enabled | Identifies S3 buckets without event notifications enabled to enhance automation.
Amazon SNS Topics Not Logging Message Delivery Status | Ensures SNS topics have message delivery status logging enabled for monitoring.
Amazon VPC Without Flow Logs | Ensures VPCs have flow logs enabled for network traffic monitoring.
Application Load Balancers and Classic Load Balancers Without Access Logs Enabled | Ensures load balancers have access logging enabled for monitoring and analysis.
AWS CloudFormation Stack Notification | Ensures CloudFormation stacks have notifications enabled for stack events.
AWS CloudTrail Data Events Logging for Objects in an S3 Bucket | Ensures CloudTrail is logging data events for S3 objects for better security and compliance.
AWS CodeBuild Project Logging | Ensures CodeBuild projects have logging enabled for build monitoring and troubleshooting.
AWS CodeDeploy Auto Rollback and Monitor Enabled | Ensures CodeDeploy has auto rollback and monitoring enabled for deployment reliability.
AWS CodeDeploy Lambda is Using All-at-Once Deployment Configuration | Identifies Lambda deployments using all-at-once configuration to recommend safer strategies.
AWS Elastic Beanstalk Enhanced Health Reporting is Not Configured | Ensures Elastic Beanstalk environments have enhanced health reporting enabled for better monitoring.
AWS Elastic Beanstalk with Managed Platform Updates Disabled | Identifies Elastic Beanstalk environments with managed platform updates disabled to recommend enabling them.
AWS Fargate Platform Version is Not Latest | Ensures Fargate tasks are using the latest platform version for better performance and security.
AWS Systems Manager State Manager Association in Non-compliant Status | Identifies non-compliant State Manager associations to ensure configuration compliance.
CloudTrail Trails Are Not Configured with Amazon CloudWatch Logs | Ensures CloudTrail trails are configured to send logs to CloudWatch for better monitoring.
Elastic Load Balancing Deletion Protection Not Enabled for Load Balancers | Ensures deletion protection is enabled for load balancers to prevent accidental deletions.
RDS DB Cluster Deletion Protection Check | Ensures deletion protection is enabled for RDS DB clusters to prevent accidental deletions.
RDS DB Instance Automatic Minor Version Upgrade Check | Ensures automatic minor version upgrades are enabled for RDS instances for better security and performance.
AWS Trusted Advisor Operational Excellence Checks Cheat Sheet


Danny Steenman

A Senior AWS Cloud Engineer with over 9 years of experience migrating workloads from on-premises to AWS Cloud.

I have helped companies of all sizes shape their cloud adoption strategies, optimizing operational efficiency, reducing costs, and improving organizational agility.

Connect with me today to discuss your cloud aspirations, and let’s work together to transform your business by leveraging the power of AWS Cloud.
