This cheat sheet gives a concise and practical overview of AWS Trusted Advisor. It is also part of my AWS Certified DevOps Engineer exam guide, which contains all the details on how to prepare for this exam.

AWS Trusted Advisor groups its checks into six categories:

- Cost optimization
- Performance
- Security
- Fault tolerance
- Service limits
- Operational excellence

For each category, the cheat sheet below lists all the checks with a short description of what each check does.
## Cost Optimization checks reference

Check Name | Description |
---|---|
AWS Account Not Part of AWS Organizations | Identifies accounts not part of AWS Organizations for better management and consolidated billing. |
Amazon Comprehend Underutilized Endpoints | Detects underutilized Amazon Comprehend endpoints to optimize costs. |
Amazon EBS Over-Provisioned Volumes | Identifies EBS volumes that are over-provisioned to reduce costs. |
Amazon EC2 Instances Consolidation for Microsoft SQL Server | Recommends consolidating EC2 instances running Microsoft SQL Server to optimize usage. |
Amazon EC2 Instances Over-Provisioned for Microsoft SQL Server | Identifies over-provisioned EC2 instances running Microsoft SQL Server to reduce costs. |
Amazon EC2 Instances Stopped | Detects stopped EC2 instances to avoid unnecessary charges. |
Amazon EC2 Reserved Instance Lease Expiration | Alerts on upcoming Reserved Instance lease expirations to plan renewals. |
Amazon EC2 Reserved Instance Optimization | Recommends purchasing Reserved Instances to save on long-term costs. |
Amazon ECR Repository Without Lifecycle Policy Configured | Identifies ECR repositories without lifecycle policies to manage image retention. |
Amazon ElastiCache Reserved Node Optimization | Suggests purchasing Reserved Nodes for ElastiCache to save costs. |
Amazon OpenSearch Service Reserved Instance Optimization | Recommends Reserved Instances for OpenSearch Service to reduce costs. |
Amazon RDS Idle DB Instances | Identifies idle RDS instances to optimize costs. |
Amazon Redshift Reserved Node Optimization | Suggests purchasing Reserved Nodes for Redshift to save costs. |
Amazon Relational Database Service (RDS) Reserved Instance Optimization | Recommends Reserved Instances for RDS to reduce costs. |
Amazon Route 53 Latency Resource Record Sets | Recommends using latency-based routing to improve application performance and availability. |
Amazon S3 Bucket Lifecycle Policy Configured | Suggests configuring lifecycle policies for S3 buckets to manage storage costs. |
Amazon S3 Incomplete Multipart Upload Abort Configuration | Identifies S3 buckets without abort policies for incomplete multipart uploads to save costs. |
Amazon S3 Version-Enabled Buckets Without Lifecycle Policies Configured | Detects version-enabled S3 buckets without lifecycle policies to manage storage costs. |
AWS Lambda Functions with Excessive Timeouts | Identifies Lambda functions with excessive timeouts to optimize performance and costs. |
AWS Lambda Functions with High Error Rates | Detects Lambda functions with high error rates to improve reliability. |
AWS Lambda Over-Provisioned Functions for Memory Size | Identifies Lambda functions over-provisioned for memory to reduce costs. |
AWS Well-Architected High Risk Issues for Cost Optimization | Highlights high-risk issues from AWS Well-Architected reviews related to cost optimization. |
Idle Load Balancers | Detects load balancers with low traffic to reduce unnecessary costs. |
Low Utilization Amazon EC2 Instances | Identifies EC2 instances with low utilization to help reduce costs. |
Savings Plan | Recommends Savings Plans to save on long-term costs. |
Unassociated Elastic IP Addresses | Identifies Elastic IP addresses that are not associated with any running instance. |
Underutilized Amazon EBS Volumes | Detects underutilized EBS volumes to optimize storage costs. |
Underutilized Amazon Redshift Clusters | Identifies underutilized Redshift clusters to optimize costs. |
## Performance checks reference

Check Name | Description |
---|---|
Amazon Aurora DB Cluster Under-Provisioned for Read Workload | Identifies Aurora DB clusters that are under-provisioned for read workloads to optimize performance. |
Amazon DynamoDB Auto Scaling Not Enabled | Detects DynamoDB tables without auto-scaling enabled to ensure performance under varying loads. |
Amazon EBS Optimization Not Enabled | Identifies EC2 instances that do not have EBS optimization enabled to improve I/O performance. |
Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration | Checks if provisioned IOPS volumes are attached to instances that can fully utilize them. |
Amazon EBS Under-Provisioned Volumes | Identifies EBS volumes that are under-provisioned for their workload to ensure performance. |
Amazon EC2 Auto Scaling Group is Not Associated with a Launch Template | Ensures Auto Scaling groups are using launch templates for better configuration management. |
Amazon EC2 to EBS Throughput Optimization | Recommends optimizing EC2 to EBS throughput for better performance. |
EC2 Virtualization Type is Paravirtual | Identifies instances using paravirtual (PV) instead of hardware virtual machine (HVM) for better performance. |
Amazon ECS Memory Hard Limit | Ensures ECS tasks have memory hard limits set to prevent overcommitment. |
Amazon EFS Throughput Mode Optimization | Recommends optimizing EFS throughput mode for better performance. |
Amazon RDS Autovacuum Parameter is Turned Off | Detects RDS instances with autovacuum turned off to ensure database performance. |
Amazon RDS DB Clusters Support Only Up to 64 TiB Volume | Alerts on RDS DB clusters that support only up to 64 TiB volume to plan for scaling. |
Amazon RDS DB Instances in the Clusters with Heterogeneous Instance Classes | Identifies RDS clusters with heterogeneous instance classes to ensure uniform performance. |
Amazon RDS DB Instances in the Clusters with Heterogeneous Instance Sizes | Detects RDS clusters with heterogeneous instance sizes to ensure uniform performance. |
Amazon RDS DB Memory Parameters are Diverging from Default | Identifies RDS instances with memory parameters diverging from default to optimize performance. |
Amazon RDS Enable_Indexonlyscan Parameter is Turned Off | Ensures the enable_indexonlyscan parameter is turned on for better query performance. |
Amazon RDS Enable_Indexscan Parameter is Turned Off | Ensures the enable_indexscan parameter is turned on for better query performance. |
Amazon RDS General_Logging Parameter is Turned On | Detects RDS instances with general logging turned on to reduce unnecessary logging overhead. |
Amazon RDS InnoDB_Change_Buffering Parameter Using Less Than Optimum Value | Identifies suboptimal InnoDB change buffering settings to improve performance. |
Amazon RDS Innodb_Open_Files Parameter is Low | Ensures the innodb_open_files parameter is set to a higher value for better performance. |
Amazon RDS Innodb_Stats_Persistent Parameter is Turned Off | Ensures the innodb_stats_persistent parameter is turned on for better performance. |
Amazon RDS Instance Under-Provisioned for System Capacity | Identifies RDS instances that are under-provisioned for their workload to ensure performance. |
Amazon RDS Magnetic Volume is in Use | Detects RDS instances using magnetic volumes to recommend switching to SSD for better performance. |
Amazon RDS Parameter Groups Not Using Huge Pages | Ensures RDS parameter groups are configured to use huge pages for better performance. |
Amazon RDS Query Cache Parameter is Turned On | Detects RDS instances with query cache turned on to reduce unnecessary caching overhead. |
Amazon RDS Resources Instance Class Update is Required | Alerts on RDS instances that require an instance class update for better performance. |
Amazon RDS Resources Major Versions Update is Required | Identifies RDS instances that require a major version update to ensure performance and security. |
Amazon RDS Resources Using End of Support Engine Edition Under License-Included | Detects RDS instances using end-of-support engine editions to plan for updates. |
Amazon Route 53 Alias Resource Record Sets | Recommends using alias resource record sets for better performance and cost efficiency. |
AWS Lambda Under-Provisioned Functions for Memory Size | Identifies Lambda functions that are under-provisioned for memory to ensure performance. |
AWS Lambda Functions Without Concurrency Limit Configured | Ensures Lambda functions have concurrency limits configured to prevent throttling. |
AWS Well-Architected High Risk Issues for Performance | Highlights high-risk issues from AWS Well-Architected reviews related to performance. |
CloudFront Alternate Domain Names | Recommends configuring alternate domain names for CloudFront distributions to improve performance. |
CloudFront Content Delivery Optimization | Suggests optimizations for CloudFront distributions to improve content delivery performance. |
CloudFront Header Forwarding and Cache Hit Ratio | Recommends optimizing header forwarding settings to improve CloudFront cache hit ratio. |
High Utilization Amazon EC2 Instances | Identifies EC2 instances with high utilization to ensure performance and plan for scaling. |
## Security checks reference

Check Name | Description |
---|---|
Amazon CloudWatch Log Group Retention Period | Ensures CloudWatch log groups have a retention period set to avoid indefinite data storage. |
Amazon EC2 Instances with Microsoft SQL Server End of Support | Identifies EC2 instances running Microsoft SQL Server that are no longer supported. |
Amazon EC2 Instances with Microsoft Windows Server End of Support | Detects EC2 instances running Microsoft Windows Server that are no longer supported. |
Amazon EC2 Instances with Ubuntu LTS End of Standard Support | Identifies EC2 instances running Ubuntu LTS versions that are no longer supported. |
Amazon EFS Clients Not Using Data-in-Transit Encryption | Detects EFS clients not using encryption for data in transit to enhance security. |
Amazon EBS Public Snapshots | Identifies EBS snapshots that are publicly accessible to prevent unauthorized access. |
Amazon RDS Aurora Storage Encryption is Turned Off | Ensures Aurora storage encryption is enabled to protect data at rest. |
Amazon RDS Engine Minor Version Upgrade is Required | Recommends upgrading RDS engine minor versions to ensure security and performance. |
Amazon RDS Public Snapshots | Detects RDS snapshots that are publicly accessible to prevent unauthorized access. |
Amazon RDS Security Group Access Risk | Identifies RDS security groups with overly permissive access to enhance security. |
Amazon RDS Storage Encryption is Turned Off | Ensures RDS storage encryption is enabled to protect data at rest. |
Amazon Route 53 Mismatching CNAME Records Pointing Directly to S3 Buckets | Detects mismatching CNAME records pointing to S3 buckets to prevent security risks. |
Amazon Route 53 MX Resource Record Sets and Sender Policy Framework | Ensures MX records have proper SPF records to prevent email spoofing. |
Amazon S3 Bucket Permissions | Checks for publicly accessible S3 buckets to prevent unauthorized access. |
Amazon S3 Server Access Logs Enabled | Ensures server access logging is enabled for S3 buckets to track access requests. |
Amazon VPC Peering Connections with DNS Resolution Disabled | Identifies VPC peering connections with DNS resolution disabled to enhance connectivity. |
AWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery Points | Ensures backup vaults have policies to prevent deletion of recovery points. |
AWS CloudTrail Logging | Ensures CloudTrail is enabled for auditing AWS account activity. |
AWS Lambda Functions Using Deprecated Runtimes | Identifies Lambda functions using deprecated runtimes to ensure security and support. |
AWS Well-Architected High Risk Issues for Security | Highlights high-risk issues from AWS Well-Architected reviews related to security. |
CloudFront Custom SSL Certificates in the IAM Certificate Store | Recommends using ACM for managing SSL certificates instead of IAM. |
CloudFront SSL Certificate on the Origin Server | Ensures SSL certificates are configured on the origin server for secure communication. |
ELB Listener Security | Checks ELB listeners for secure configurations to prevent vulnerabilities. |
ELB Security Groups | Ensures ELB security groups are properly configured to restrict access. |
Exposed Access Keys | Identifies exposed access keys to prevent unauthorized access. |
IAM Access Key Rotation | Recommends rotating IAM access keys regularly to reduce security risks. |
IAM Password Policy | Ensures IAM password policies enforce strong password requirements. |
MFA on Root Account | Ensures Multi-Factor Authentication is enabled on the root account for enhanced security. |
Security Groups – Specific Ports Unrestricted | Identifies security groups with unrestricted access on specific ports to enhance security. |
Security Groups – Unrestricted Access | Detects security groups with unrestricted access to prevent unauthorized access. |
## Fault tolerance checks reference

Check Name | Description |
---|---|
ALB Multi-AZ | Ensures Application Load Balancers are deployed across multiple Availability Zones. |
Amazon Aurora MySQL Cluster Backtracking Not Enabled | Identifies Aurora MySQL clusters without backtracking enabled to enhance data recovery. |
Amazon Aurora DB Instance Accessibility | Ensures Aurora DB instances are accessible and properly configured for fault tolerance. |
Amazon CloudFront Origin Failover | Recommends configuring origin failover for CloudFront distributions to improve availability. |
Amazon Comprehend Endpoint Access Risk | Identifies Comprehend endpoints with access risks to enhance security and availability. |
Amazon DocumentDB Single AZ Clusters | Detects DocumentDB clusters deployed in a single AZ to recommend multi-AZ deployment. |
Amazon DynamoDB Point-in-time Recovery | Ensures DynamoDB tables have point-in-time recovery enabled for data protection. |
Amazon DynamoDB Table Not Included in Backup Plan | Identifies DynamoDB tables not included in a backup plan to ensure data protection. |
Amazon EBS Not Included in AWS Backup Plan | Ensures EBS volumes are included in a backup plan for data protection. |
Amazon EBS Snapshots | Recommends taking regular EBS snapshots to protect against data loss. |
Amazon EC2 Auto Scaling Does Not Have ELB Health Check Enabled | Ensures Auto Scaling groups have ELB health checks enabled for better instance management. |
Amazon EC2 Auto Scaling Group Has Capacity Rebalancing Enabled | Ensures Auto Scaling groups have capacity rebalancing enabled for better fault tolerance. |
Amazon EC2 Auto Scaling Is Not Deployed in Multiple AZs or Does Not Meet the Minimum Number of AZs | Ensures Auto Scaling groups are deployed across multiple AZs for high availability. |
Amazon EC2 Availability Zone Balance | Ensures EC2 instances are balanced across multiple AZs for fault tolerance. |
Amazon EC2 Detailed Monitoring Not Enabled | Recommends enabling detailed monitoring for EC2 instances to improve visibility and management. |
Amazon ECS AWSLogs Driver in Blocking Mode | Identifies ECS services using the AWSLogs driver in blocking mode to recommend non-blocking mode. |
Amazon ECS Service Using a Single AZ | Detects ECS services deployed in a single AZ to recommend multi-AZ deployment. |
Amazon ECS Multi-AZ Placement Strategy | Ensures ECS services use a multi-AZ placement strategy for high availability. |
Amazon EFS No Mount Target Redundancy | Identifies EFS file systems without redundant mount targets to enhance availability. |
Amazon EFS Not in AWS Backup Plan | Ensures EFS file systems are included in a backup plan for data protection. |
Amazon ElastiCache Multi-AZ Clusters | Ensures ElastiCache clusters are deployed across multiple AZs for high availability. |
Amazon ElastiCache Redis Clusters Automatic Backup | Ensures automatic backups are enabled for ElastiCache Redis clusters for data protection. |
Amazon MemoryDB Multi-AZ Clusters | Ensures MemoryDB clusters are deployed across multiple AZs for high availability. |
Amazon MSK Brokers Hosting Too Many Partitions | Identifies MSK brokers hosting too many partitions to recommend rebalancing. |
Amazon OpenSearch Service Domains with Less Than Three Data Nodes | Ensures OpenSearch Service domains have at least three data nodes for fault tolerance. |
Amazon RDS Backups | Ensures RDS instances have automated backups enabled for data protection. |
Amazon RDS DB Clusters Have One DB Instance | Identifies RDS DB clusters with only one instance to recommend adding more instances. |
Amazon RDS DB Clusters with All Instances in the Same Availability Zone | Detects RDS DB clusters with all instances in the same AZ to recommend multi-AZ deployment. |
Amazon RDS DB Clusters with All Reader Instances in the Same Availability Zone | Ensures RDS DB clusters have reader instances spread across multiple AZs for high availability. |
Amazon RDS DB Instance Enhanced Monitoring Not Enabled | Recommends enabling enhanced monitoring for RDS instances to improve visibility and management. |
Amazon RDS DB Instances Have Storage Autoscaling Turned Off | Ensures RDS instances have storage autoscaling enabled for better capacity management. |
Amazon RDS DB Instances Not Using Multi-AZ Deployment | Identifies RDS instances not using multi-AZ deployment to recommend high availability configuration. |
Amazon RDS DiskQueueDepth | Monitors RDS instances for high disk queue depth to ensure performance and availability. |
Amazon RDS FreeStorageSpace | Ensures RDS instances have sufficient free storage space to avoid disruptions. |
Amazon RDS Log_Output Parameter is Set to Table | Detects RDS instances with log_output set to table to recommend switching to file for better performance. |
Amazon RDS Innodb_Default_Row_Format Parameter Setting is Unsafe | Identifies unsafe settings for the innodb_default_row_format parameter to recommend safer configurations. |
Amazon RDS Innodb_Flush_Log_At_Trx_Commit Parameter is Not 1 | Ensures the innodb_flush_log_at_trx_commit parameter is set to 1 for data durability. |
Amazon RDS Max_User_Connections Parameter is Low | Identifies RDS instances with low max_user_connections to recommend increasing the limit. |
Amazon RDS Multi-AZ | Ensures RDS instances are using multi-AZ deployment for high availability. |
Amazon RDS Not in AWS Backup Plan | Ensures RDS instances are included in a backup plan for data protection. |
Amazon RDS Read Replicas are Open in Writable Mode | Detects RDS read replicas that are open in writable mode to recommend read-only configuration. |
Amazon RDS Resource Automated Backups is Turned Off | Ensures automated backups are enabled for RDS instances for data protection. |
Amazon RDS Sync_Binlog Parameter is Turned Off | Ensures the sync_binlog parameter is turned on for data durability in RDS instances. |
RDS DB Cluster Has No Multi-AZ Replication Enabled | Identifies RDS DB clusters without multi-AZ replication to recommend high availability configuration. |
RDS Multi-AZ Standby Instance Not Enabled | Ensures RDS instances have a standby instance in another AZ for high availability. |
Amazon RDS ReplicaLag | Monitors RDS read replicas for high replication lag to ensure performance and availability. |
Amazon RDS Synchronous_Commit Parameter is Turned Off | Ensures the synchronous_commit parameter is turned on for data durability in RDS instances. |
Amazon Redshift Cluster Automated Snapshots | Ensures automated snapshots are enabled for Redshift clusters for data protection. |
Amazon Route 53 Deleted Health Checks | Identifies deleted health checks in Route 53 to recommend reconfiguration. |
Amazon Route 53 Failover Resource Record Sets | Ensures failover resource record sets are configured in Route 53 for high availability. |
Amazon Route 53 High TTL Resource Record Sets | Identifies high TTL resource record sets in Route 53 to recommend lower TTL for faster failover. |
Amazon Route 53 Name Server Delegations | Ensures proper name server delegations in Route 53 for DNS reliability. |
Amazon Route 53 Resolver Endpoint Availability Zone Redundancy | Ensures Route 53 resolver endpoints are deployed across multiple AZs for high availability. |
Amazon S3 Bucket Logging | Ensures logging is enabled for S3 buckets to track access and changes. |
Amazon S3 Bucket Replication Not Enabled | Identifies S3 buckets without replication enabled to recommend cross-region replication for data protection. |
Amazon S3 Bucket Versioning | Ensures versioning is enabled for S3 buckets to protect against accidental deletions. |
Application, Network, and Gateway Load Balancers Not Spanning Multiple Availability Zones | Ensures load balancers are deployed across multiple AZs for high availability. |
Auto Scaling Available IPs in Subnets | Ensures Auto Scaling groups have sufficient available IPs in subnets for scaling. |
Auto Scaling Group Health Check | Ensures Auto Scaling groups have proper health checks configured for instance replacement. |
Auto Scaling Group Resources | Ensures Auto Scaling groups have sufficient resources for scaling and high availability. |
AWS CloudHSM Clusters Running HSM Instances in a Single AZ | Identifies CloudHSM clusters running instances in a single AZ to recommend multi-AZ deployment. |
AWS Direct Connect Location Resiliency | Ensures Direct Connect connections are resilient by being deployed in multiple locations. |
AWS Lambda Functions Without a Dead-Letter Queue Configured | Ensures Lambda functions have a dead-letter queue configured for error handling. |
AWS Lambda On Failure Event Destinations | Ensures Lambda functions have failure event destinations configured for error handling. |
AWS Lambda VPC-Enabled Functions Without Multi-AZ Redundancy | Ensures VPC-enabled Lambda functions are deployed across multiple AZs for high availability. |
AWS Resilience Hub Application Component Check | Ensures application components meet resilience requirements in AWS Resilience Hub. |
AWS Resilience Hub Policy Breached | Identifies breaches in resilience policies in AWS Resilience Hub to recommend remediation. |
AWS Resilience Hub Resilience Scores | Monitors resilience scores in AWS Resilience Hub to ensure applications meet resilience requirements. |
AWS Resilience Hub Assessment Age | Ensures resilience assessments in AWS Resilience Hub are up-to-date. |
AWS Site-to-Site VPN Has at Least One Tunnel in DOWN Status | Identifies VPN connections with at least one tunnel down to recommend troubleshooting. |
AWS Well-Architected High Risk Issues for Reliability | Highlights high-risk issues from AWS Well-Architected reviews related to reliability. |
Classic Load Balancer Has No Multiple AZs Configured | Ensures Classic Load Balancers are deployed across multiple AZs for high availability. |
ELB Connection Draining | Ensures connection draining is enabled for ELBs to allow in-flight requests to complete. |
Load Balancer Optimization | Recommends optimizations for load balancers to improve performance and availability. |
NAT Gateway AZ Independence | Ensures NAT gateways are deployed independently across multiple AZs for high availability. |
Network Load Balancers Cross Load Balancing | Ensures Network Load Balancers are configured for cross-zone load balancing for high availability. |
NLB – Internet-Facing Resource in Private Subnet | Identifies internet-facing Network Load Balancers deployed in private subnets to recommend reconfiguration. |
NLB Multi-AZ | Ensures Network Load Balancers are deployed across multiple AZs for high availability. |
Number of AWS Regions in an Incident Manager Replication Set | Ensures Incident Manager replication sets span multiple AWS regions for high availability. |
Single AZ Application Check | Identifies applications deployed in a single AZ to recommend multi-AZ deployment. |
VPC Interface Endpoint Network Interfaces in Multiple AZs | Ensures VPC interface endpoints have network interfaces in multiple AZs for high availability. |
VPN Tunnel Redundancy | Ensures VPN connections have redundant tunnels for high availability. |
ActiveMQ Availability Zone Redundancy | Ensures ActiveMQ brokers are deployed across multiple AZs for high availability. |
RabbitMQ Availability Zone Redundancy | Ensures RabbitMQ brokers are deployed across multiple AZs for high availability. |
## Service limits checks reference

Check Name | Description |
---|---|
Auto Scaling Groups | Monitors the number of Auto Scaling groups against the service limit. |
Auto Scaling Launch Configurations | Monitors the number of Auto Scaling launch configurations against the service limit. |
CloudFormation Stacks | Monitors the number of CloudFormation stacks against the service limit. |
DynamoDB Read Capacity | Monitors the provisioned read capacity units for DynamoDB tables against the service limit. |
DynamoDB Write Capacity | Monitors the provisioned write capacity units for DynamoDB tables against the service limit. |
EBS Active Snapshots | Monitors the number of active EBS snapshots against the service limit. |
EBS Cold HDD (sc1) Volume Storage | Monitors the total storage for EBS Cold HDD (sc1) volumes against the service limit. |
EBS General Purpose SSD (gp2) Volume Storage | Monitors the total storage for EBS General Purpose SSD (gp2) volumes against the service limit. |
EBS General Purpose SSD (gp3) Volume Storage | Monitors the total storage for EBS General Purpose SSD (gp3) volumes against the service limit. |
EBS Magnetic (standard) Volume Storage | Monitors the total storage for EBS Magnetic (standard) volumes against the service limit. |
EBS Provisioned IOPS (SSD) Volume Aggregate IOPS | Monitors the aggregate IOPS for EBS Provisioned IOPS (SSD) volumes against the service limit. |
EBS Provisioned IOPS SSD (io1) Volume Storage | Monitors the total storage for EBS Provisioned IOPS SSD (io1) volumes against the service limit. |
EBS Provisioned IOPS SSD (io2) Volume Storage | Monitors the total storage for EBS Provisioned IOPS SSD (io2) volumes against the service limit. |
EBS Throughput Optimized HDD (st1) Volume Storage | Monitors the total storage for EBS Throughput Optimized HDD (st1) volumes against the service limit. |
EC2 On-Demand Instances | Monitors the number of EC2 On-Demand instances against the service limit. |
EC2 Reserved Instance Leases | Monitors the number of EC2 Reserved Instance leases against the service limit. |
EC2-Classic Elastic IP Addresses | Monitors the number of EC2-Classic Elastic IP addresses against the service limit. |
EC2-VPC Elastic IP Address | Monitors the number of EC2-VPC Elastic IP addresses against the service limit. |
ELB Application Load Balancers | Monitors the number of Application Load Balancers against the service limit. |
ELB Classic Load Balancers | Monitors the number of Classic Load Balancers against the service limit. |
ELB Network Load Balancers | Monitors the number of Network Load Balancers against the service limit. |
IAM Group | Monitors the number of IAM groups against the service limit. |
IAM Instance Profiles | Monitors the number of IAM instance profiles against the service limit. |
IAM Policies | Monitors the number of IAM policies against the service limit. |
IAM Roles | Monitors the number of IAM roles against the service limit. |
IAM Server Certificates | Monitors the number of IAM server certificates against the service limit. |
IAM Users | Monitors the number of IAM users against the service limit. |
Kinesis Shards per Region | Monitors the number of Kinesis shards per region against the service limit. |
Lambda Code Storage Usage | Monitors the total storage used by Lambda function code against the service limit. |
RDS Cluster Parameter Groups | Monitors the number of RDS cluster parameter groups against the service limit. |
RDS Cluster Roles | Monitors the number of RDS cluster roles against the service limit. |
RDS Clusters | Monitors the number of RDS clusters against the service limit. |
RDS DB Instances | Monitors the number of RDS DB instances against the service limit. |
RDS DB Manual Snapshots | Monitors the number of manual snapshots for RDS DB instances against the service limit. |
RDS DB Parameter Groups | Monitors the number of RDS DB parameter groups against the service limit. |
RDS DB Security Groups | Monitors the number of RDS DB security groups against the service limit. |
RDS Event Subscriptions | Monitors the number of RDS event subscriptions against the service limit. |
RDS Max Auths per Security Group | Monitors the maximum number of authorizations per RDS security group against the service limit. |
RDS Option Groups | Monitors the number of RDS option groups against the service limit. |
RDS Read Replicas per Master | Monitors the number of read replicas per master RDS instance against the service limit. |
RDS Reserved Instances | Monitors the number of RDS reserved instances against the service limit. |
RDS Subnet Groups | Monitors the number of RDS subnet groups against the service limit. |
RDS Subnets per Subnet Group | Monitors the number of subnets per RDS subnet group against the service limit. |
RDS Total Storage Quota | Monitors the total storage quota for RDS instances against the service limit. |
Route 53 Hosted Zones | Monitors the number of Route 53 hosted zones against the service limit. |
Route 53 Max Health Checks | Monitors the number of Route 53 health checks against the service limit. |
Route 53 Reusable Delegation Sets | Monitors the number of reusable delegation sets in Route 53 against the service limit. |
Route 53 Traffic Policies | Monitors the number of Route 53 traffic policies against the service limit. |
Route 53 Traffic Policy Instances | Monitors the number of Route 53 traffic policy instances against the service limit. |
SES Daily Sending Quota | Monitors the daily sending quota for SES against the service limit. |
VPC | Monitors the number of VPCs against the service limit. |
VPC Internet Gateways | Monitors the number of VPC internet gateways against the service limit. |
## Operational Excellence checks reference

Check Name | Description |
---|---|
Amazon API Gateway Not Logging Execution Logs | Ensures API Gateway execution logging is enabled for monitoring and troubleshooting. |
Amazon API Gateway REST APIs Without X-Ray Tracing Enabled | Identifies REST APIs without X-Ray tracing enabled to enhance observability. |
Amazon CloudFront Access Log Configured | Ensures CloudFront distributions have access logging enabled for monitoring and analysis. |
Amazon CloudWatch Alarm Action is Disabled | Detects CloudWatch alarms with actions disabled to ensure proper alerting. |
Amazon EC2 Instance Not Managed by AWS Systems Manager | Identifies EC2 instances not managed by AWS Systems Manager for better operational control. |
Amazon ECR Repository With Tag Immutability Disabled | Ensures ECR repositories have tag immutability enabled to prevent overwriting images. |
Amazon ECS Clusters with Container Insights Disabled | Identifies ECS clusters without Container Insights enabled for enhanced monitoring. |
Amazon ECS Task Logging Not Enabled | Ensures ECS tasks have logging enabled for better observability. |
Amazon OpenSearch Service Logging CloudWatch Not Configured | Ensures OpenSearch Service domains have logging configured to CloudWatch for monitoring. |
Amazon RDS DB Instances in the Clusters with Heterogeneous Parameter Groups | Identifies RDS DB clusters with heterogeneous parameter groups to ensure consistency. |
Amazon RDS Enhanced Monitoring is Turned Off | Ensures enhanced monitoring is enabled for RDS instances for better performance insights. |
Amazon RDS Performance Insights is Turned Off | Ensures Performance Insights is enabled for RDS instances to monitor database performance. |
Amazon RDS Track_Counts Parameter is Turned Off | Ensures the track_counts parameter is enabled for RDS instances to improve performance monitoring. |
Amazon Redshift Cluster Audit Logging | Ensures audit logging is enabled for Redshift clusters for security and compliance. |
Amazon S3 Does Not Have Event Notifications Enabled | Identifies S3 buckets without event notifications enabled to enhance automation. |
Amazon SNS Topics Not Logging Message Delivery Status | Ensures SNS topics have message delivery status logging enabled for monitoring. |
Amazon VPC Without Flow Logs | Ensures VPCs have flow logs enabled for network traffic monitoring. |
Application Load Balancers and Classic Load Balancers Without Access Logs Enabled | Ensures load balancers have access logging enabled for monitoring and analysis. |
AWS CloudFormation Stack Notification | Ensures CloudFormation stacks have notifications enabled for stack events. |
AWS CloudTrail Data Events Logging for Objects in an S3 Bucket | Ensures CloudTrail is logging data events for S3 objects for better security and compliance. |
AWS CodeBuild Project Logging | Ensures CodeBuild projects have logging enabled for build monitoring and troubleshooting. |
AWS CodeDeploy Auto Rollback and Monitor Enabled | Ensures CodeDeploy has auto rollback and monitoring enabled for deployment reliability. |
AWS CodeDeploy Lambda is Using All-at-Once Deployment Configuration | Identifies Lambda deployments using all-at-once configuration to recommend safer strategies. |
AWS Elastic Beanstalk Enhanced Health Reporting is Not Configured | Ensures Elastic Beanstalk environments have enhanced health reporting enabled for better monitoring. |
AWS Elastic Beanstalk with Managed Platform Updates Disabled | Identifies Elastic Beanstalk environments with managed platform updates disabled to recommend enabling them. |
AWS Fargate Platform Version is Not Latest | Ensures Fargate tasks are using the latest platform version for better performance and security. |
AWS Systems Manager State Manager Association in Non-compliant Status | Identifies non-compliant State Manager associations to ensure configuration compliance. |
CloudTrail Trails Are Not Configured with Amazon CloudWatch Logs | Ensures CloudTrail trails are configured to send logs to CloudWatch for better monitoring. |
Elastic Load Balancing Deletion Protection Not Enabled for Load Balancers | Ensures deletion protection is enabled for load balancers to prevent accidental deletions. |
RDS DB Cluster Deletion Protection Check | Ensures deletion protection is enabled for RDS DB clusters to prevent accidental deletions. |
RDS DB Instance Automatic Minor Version Upgrade Check | Ensures automatic minor version upgrades are enabled for RDS instances for better security and performance. |