Hello and welcome to this lecture where I am going to be looking at AWS Trusted Advisor, explaining what it is and the different components that make up this service. Show
Trusted Advisor plays an integral part in helping you to optimize your infrastructure across a number of key areas, allowing you to make decisions upon recommendations made by the service which follow and best practices that have been honed over the years by AWS. The service itself can be found within the AWS Management Console under the Management & Governance category, alongside services such as Amazon CloudWatch, Control Tower and Systems Manager. The main function of Trusted Advisor is to recommend improvements across your AWS account to help optimize and streamline your environment based on these AWS best practices. These recommendations cover 5 distinct categories:
Within each of these 5 categories, Trusted Advisor has a list of control points and checks to see how your account, resources and architecture is implemented to determine if you’re aligned with best practice. So it essentially acts as an automatic auditor across your account, which can save you money, increase the efficiency of your resources, maintain a tighter and more secure environment, help to ensure your resources remain operational should a failure occur and that you remain in line with your service limitations, allowing you to request an increase where possible. Between the 5 different categories and at the time of writing this course, there are over 115 different checks. Please note, that the number of these checks are constantly changing, so for the most up to date figures, please review the following link: https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/ Although there are a lot of these checks that Trusted Advisor can perform, not all of them are freely available to anyone with an AWS account. The list of checks that you have access to is very dependent on the support agreement with hold with AWS. The full power and potential of AWS Trusted Advisor is only available if you have a Business or Enterprise Support Plan with AWS. Without either of these plans then you will only have access to 6 core checks in the security category and all the Service Limits The 6 checks within security are as follows:
At the time of writing this course, here are the available service limit checks. Now if you compare this to the full list of checks here: https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/ ….that are included with Business and Enterprise support plans, you will see that the full checklist can provide a huge wealth of valuable information to help you optimise your infrastructure. In addition to these extra checks that these support plans offer, you will also get the additional benefit of being able to administer certain functions of Trusted Advisor, such as:
There are also a number of features that everyone has access to, including those outside of the Enterprise and Business support plans, these being:
For a full list of IAM permissions using the trustedadvisor namespace please see the following AWS reference: https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html
Before I finish this lecture I just want to give a high level overview of how Trusted Advisor works in a few simple steps:
AWS Trusted Advisor uses a service-linked IAM role to access you resources, named AWSTrustedAdvisorServiceRolePolicy. This is a predefined role created by AWS and allows the services to call other services on your behalf. The policy summary of this role is as shown here and helps to define which AWS services that Trusted Advisor communicates with. Please be aware that this list will change over time, so for an updated list please refer to the role within IAM to determine which services AWSTrustedAdvisorServiceRolePolicy has access to. What are the 7 core checks in trusted advisor?These seven checks are:. S3 Bucket Permissions.. Security Groups – Specific Ports Unrestricted.. IAM Use.. MFA on Root Account.. EBS Public Snapshots.. RDS Public Snapshots.. Service Limits.. Which of the following security events would AWS Trusted Advisor look for within your AWS infrastructure?Which of the following security events would AWS Trusted Advisor look for within your AWS infrastructure? You want to monitor service limits related to Elastic IP addresses that are being used, active snapshots, and EBS volumes.
Which AWS Trusted Advisor check category include the AWS CloudTrail logging check?Trusted Advisor is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Trusted Advisor. CloudTrail captures actions for Trusted Advisor as events. The calls captured include calls from the Trusted Advisor console.
Which of the following AWS Trusted Advisor checks are available for free?These two Trusted Advisor checks are available to all customers at no cost: Service Limits (Performance category; details at What service limits do you check?) and Security Groups - Specific Ports Unrestricted (Security category).
|