Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.5. Trusted Advisor Security Checks and Remediation

💡 First Principle: Security misconfigurations don't announce themselves — they accumulate silently until someone exploits them. Trusted Advisor is AWS's automated best-practice auditor: it continuously checks your account against hundreds of recommendations and surfaces the ones that require attention before they become incidents.

Trusted Advisor Check Categories:
  • Cost Optimization: Underutilized EC2 instances, idle load balancers
  • Performance: High-utilization instances, CloudFront config
  • Security: Open security groups, MFA on root, exposed IAM access keys
  • Fault Tolerance: RDS Multi-AZ, Auto Scaling, EBS snapshots
  • Service Limits: Approaching EC2, VPC, or IAM limits
  • Operational Excellence: CloudTrail enabled, service limits

Security Checks Available on All Support Plans (Free):
  • S3 bucket permissions (public read/write)
  • Security groups with unrestricted access (0.0.0.0/0) on high-risk ports (port 22, port 3389)
  • MFA not enabled on root account
  • IAM access keys exposed (checks public code repositories)
  • CloudTrail logging disabled
Additional Security Checks (Business/Enterprise Support):
  • EBS public snapshots
  • RDS public snapshots
  • IAM password policy
  • Exposed AWS credentials in public repositories

Trusted Advisor Notifications: Configure email notifications for check status changes. Integrate with EventBridge to trigger automated remediation when a check status changes to "Warning" or "Error."

Trusted Advisor API: Programmatically refresh checks and retrieve results. Use with Lambda and EventBridge for automated remediation workflows:

Trusted Advisor check → "Error" status → EventBridge rule → Lambda → remediate
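The pipeline on the line above, worked through as an added example (it is not part of the MindMesh course material, and AWS publishes no such handler): an EventBridge rule pattern that fires only when the "Security Groups - Specific Ports Unrestricted" check reaches WARN or ERROR, and the Lambda handler that translates the finding into a single revoke of the 0.0.0.0/0 ingress rule on the flagged port. The event shape (source aws.trustedadvisor, detail-type "Trusted Advisor Check Item Refresh Notification", detail.status of OK/WARN/ERROR) and the check-item-detail keys follow the AWS EventBridge integration as recalled here and are assumptions to verify against a live event before deploying; the sample event, account ID and security group ID are constructed placeholders. The boto3 client is injectable so the decision logic runs offline without credentials.

```python
"""Trusted Advisor -> EventBridge -> Lambda remediation, modelled in plain Python.

Added example, not course or AWS code. Event field names and check-item-detail
keys are assumptions based on the documented integration; verify before use.
"""
import json

CHECK_NAME = "Security Groups - Specific Ports Unrestricted"  # assumed check name
ANYWHERE = "0.0.0.0/0"

# EventBridge rule pattern: only this check, only when it is not OK.
EVENT_PATTERN = {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    "detail": {
        "check-name": [CHECK_NAME],
        "status": ["WARN", "ERROR"],
    },
}


def matches_pattern(pattern, event):
    """Minimal EventBridge exact-match semantics: every pattern key must be present;
    a list means 'the value is one of these', a nested dict means 'recurse'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def build_revoke_request(item):
    """Turn a check-item-detail into the exact ingress rule to revoke.
    Only the 0.0.0.0/0 entry on the flagged port is removed; other sources stay."""
    port = int(item["Port"])
    return {
        "GroupId": item["Security Group ID"],
        "IpPermissions": [{
            "IpProtocol": item.get("Protocol", "tcp").lower(),
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": ANYWHERE}],
        }],
    }


def handler(event, context=None, ec2_client=None):
    """Lambda entry point. ec2_client is injectable for offline testing; in Lambda it
    defaults to a boto3 EC2 client for the region named in the finding."""
    if not matches_pattern(EVENT_PATTERN, event):
        return {"action": "ignored", "reason": "event does not match rule pattern"}
    item = event["detail"]["check-item-detail"]
    request = build_revoke_request(item)
    if ec2_client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        ec2_client = boto2_client = boto3.client("ec2", region_name=item["Region"])
    ec2_client.revoke_security_group_ingress(**request)
    return {"action": "revoked", "group_id": request["GroupId"],
            "port": request["IpPermissions"][0]["FromPort"]}


# Constructed sample event (placeholder account and security group IDs).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "source": "aws.trustedadvisor",
    "account": "111111111111",
    "time": "2026-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "check-name": CHECK_NAME,
        "check-item-detail": {
            "Region": "us-east-1",
            "Security Group Name": "web-tier-sg",
            "Security Group ID": "sg-0123456789abcdef0",
            "Protocol": "tcp",
            "Port": "22",
            "Status": "Red",
        },
        "status": "ERROR",
        "resource_id": "sg-0123456789abcdef0",
        "uuid": "00000000-0000-0000-0000-000000000001",
    },
}


class RecordingEc2:
    """Stand-in for the boto3 EC2 client: records the revoke call instead of making it."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


if __name__ == "__main__":
    fake = RecordingEc2()
    print(json.dumps(handler(SAMPLE_EVENT, ec2_client=fake)))
    print(json.dumps(fake.calls[0], indent=2))
```

Two design points worth noting. The rule pattern, not the handler, is what keeps a noisy check from invoking Lambda on every refresh; the handler re-checks the pattern only as defence in depth. And the remediation is deliberately narrow: it revokes one CIDR on one port rather than wiping the group, so the Lambda execution role needs nothing beyond ec2:RevokeSecurityGroupIngress on the groups it is meant to manage.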

⚠️ Exam Trap: Trusted Advisor does not automatically fix anything — it identifies issues and reports them. Remediation is always a separate action (manual or automated via Lambda/SSM). Also, the full set of Trusted Advisor checks requires Business or Enterprise support — not Developer or Basic. Questions about "automatically detecting exposed IAM keys" point to Trusted Advisor (with Business support) or IAM Access Analyzer.

Reflection Question: A security operations team wants to receive an automated alert and trigger remediation whenever Trusted Advisor detects a security group with port 22 open to the internet. What event-driven architecture do you build using Trusted Advisor, EventBridge, and Lambda?

Written by Alvin Varughese, Founder, 15 professional certifications