Revisit Amazon Web Services re:Invent 2024’s biggest moments and watch keynotes and innovation talks on demand

 ✕

Controlling Access to the Trusted Advisor Console

The Amazon Trusted Advisor console introduces new ways to control access to Trusted Advisor checks by adding new Amazon Identity and Access Management (IAM) features. To view Trusted Advisor results or take actions such as refreshing check data or excluding items from results, an IAM user must have permission for actions and resources specified with the "trustedadvisor" namespace. For complete information about creating policies and applying them to users and groups, see the Amazon Identity and Access Management documentation.

The following table shows common permission scenarios for the Trusted Advisor console.

Table 1: Common Permission Scenarios
Access
Specification
IAM Console Template
Full "Action": "trustedadvisor:*",
"Resource": "*"
Administrator Access
Power User Access
Read-only "Action": "trustedadvisor:Describe*",
"Resource": "*"
Read Only Access
Specific check category "Resource": "arn:aws-cn:trustedadvisor:*:acct:checks/category/*" None; see Categories of Checks
Specific check "Resource": "arn:aws-cn:trustedadvisor:*:acct:checks/category/checkID" None; see Specific Checks
Specific action "Action": "trustedadvisor:actionName" None; see Specific Actions

Information That Trusted Advisor Displays

Trusted Advisor displays information about some of the resources that are associated with an Amazon Web Services account.

Important: Although the user cannot make changes to these resources unless they are authorized to do so by policies that explicitly allow it, the user can view information that they might otherwise not be authorized to view. For example, a user viewing a check related to Amazon EC2 Instances might see information or usage data for instances, even if another policy specifically denies access to viewing this information.

The following two tables show the information that Trusted Advisor displays:

Table 2 shows the title, category, ID, and report columns of the current Trusted Advisor checks. You use the category and check ID to refer to specific checks in an IAM policy.

Table 3 shows examples of service-specific actions (APIs) and data that correspond to the information that is shown by the checks.

Although the list of report columns in the following tables can alert you to information that is exposed by a check, you should examine a Trusted Advisor report for your account to make sure you fully understand what information is exposed by each check.

Table 2: Check Categories, IDs, and Report Columns
Check Title Category Check ID Report Columns
Amazon EBS Provisioned IOPS Volume Attachment Configuration Performance PPkZrjsH2q Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status
Amazon EBS Snapshots Fault Tolerance H7IgTzjTYb Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason
Amazon EC2 Availability Zone Balance Fault Tolerance wuy7G1zxql Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
Amazon S3 Bucket Logging Fault Tolerance BueAdJ7NrP Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason
Amazon S3 Bucket Permissions Security Pfx0RwqBli Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status
High Utilization Amazon EC2 Instances Performance ZRxQlPsb6c Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization
Large Number of EC2 Security Group Rules Applied to an Instance Performance j3DFqYTe29 Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules
Large Number of Rules in an EC2 Security Group Fault Tolerance Tolerance tfg86AVHAZ Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules
Load Balancer Optimization Fault Tolerance iqdCTZKCUp Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
Overutilized Standard Amazon EBS Volumes Performance k3J2hns32g Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status
Security Groups - Specific Ports Unrestricted Security HCP4007jGY Region | Security Group Name | Security Group ID | Protocol | Status | Ports
Security Groups - Unrestricted Access Security 1iG5NDGVre Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range
Unassociated Elastic IP Addresses Cost Optimization Z4AUBRNSmz Region | IP Address

The following table shows the report columns for each check again, adding examples of the service-specific actions that display data that corresponds to the data displayed in the Trusted Advisor report columns. Note that Trusted Advisor does not necessarily use the actions listed; the actions are only examples of one way to display the information.

For example, if you deny a user access to the Amazon EC2 DescribeInstances operation but also allow the user access to the Trusted Advisor Low Utilization EC2 Instances check, the user can view some of the information that is returned by DescribeInstances, even though access to DescribeInstances has been explicitly denied.

Table 3: Example Actions and Data
Check Title Report Columns Actions Data
Amazon EBS Provisioned IOPS Volume Attachment Configuration Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status ec2:DescribeVolumes AvailabilityZone
VolumeId
tag:Name
VolumeType
AttachmentSet.Item.VolumeId
AttachmentSet.Item.InstanceId
AttachmentSet.Item.Device
ec2:DescribeInstanceAttribute InstanceId
EbsOptimized
Amazon EBS Snapshots Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason ec2:DescribeVolumes VolumeId
VolumeType
tag:Name
cloudwatch:GetMetricStatistics VolumeReadOps
VolumeWriteOps
Amazon EC2 Availability Zone Balance Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason ec2:DescribeInstances AvailabilityZone
Amazon S3 Bucket Logging Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason s3:GetService BucketName
Owner
s3:GetBucketLogging TargetName
s3:GetBucketAcl Grantee
Permission
Amazon S3 Bucket Permissions Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status s3:GetService BucketName
Owner
s3:GetBucketAcl Grantee
Permission
High Utilization Amazon EC2 Instances Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization ec2:DescribeInstances AvailabilityZone
InstanceId
tag:Name
cloudwatch:GetMetricStatistics CPUUtilization
NetworkIn
NetworkOut
Large Number of EC2 Security Group Rules Applied to an Instance Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules ec2:DescribeInstances
ec2:DescribeGroups
InstanceId
tag:Name
VpcId
GroupId
GroupName
ec2:DescribeGroups IpPermissions
IpPermissionsEgress
Large Number of Rules in an EC2 Security Group Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules ec2:DescribeGroups GroupName
GroupId
GroupDescription
VpcId
IpPermissions
IpPermissionsEgress
ec2:DescribeInstances GroupId
InstanceId
Load Balancer Optimization Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason elasticloadbalancing: DescribeLoadBalancers LoadBalancerName
AvailabilityZones
Overutilized Standard Amazon EBS Volumes Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status ec2:DescribeVolumes VolumeId
VolumeType
tag:Name
cloudwatch:GetMetricStatistics VolumeReadOps
VolumeWriteOps
Security Groups - Specific Ports Unrestricted Region | Security Group Name | Security Group ID | Protocol | Status | Ports ec2:DescribeSecurityGroups GroupName
GroupId
IpPermissions
IpProtocol
FromPort
ToPort
Security Groups - Unrestricted Access Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range ec2:DescribeSecurityGroups GroupName
GroupId
IpPermissions
IpProtocol
FromPort
ToPort
IpRanges
Service Limits Region | Service | Limit Name | Limit Amount | Current Usage | Status [Shows limits and current usage for several services. See "What service limits do you check" in the Trusted Advisor FAQs for details.] [Varies]
Unassociated Elastic IP Addresses Region | IP Address ec2:DescribeAddresses PublicIp
InstanceId
ec2:DescribeInstances InstanceState

IAM Policy Examples

The following are examples of IAM policies that you might use to control access to the Trusted Advisor console. For more information about how to construct policies, see Overview of Amazon IAM Policies in the Amazon Identity and Access Management User Guide.

Deny All

The following example policy denies access to all Trusted Advisor check results:

{
    "Version": "2012-10-17",
    "Statement": [
        {

            "Effect": "Deny",
            "Action": "trustedadvisor:*",
            "Resource": "*"
        }
    ]
}


Allow All

The following example policy allows the user to view (and take all actions on) all Trusted Advisor checks:

{
    "Version": "2012-10-17",
    "Statement": [
        {

            "Effect": "Allow",
            "Action": "trustedadvisor:*",
            "Resource": "*"
        }
    ]
}


Categories of Checks

To specify a Trusted Advisor check category in a policy, use an Amazon resource name (ARN) in this form:

arn:aws-cn:trustedadvisor:*:accountnumber:checks/categoryCode/*

To see the check categories, see Table 2. The following table shows the category code to specify for each category.

Table 4: Categories and Category Codes
Category Category Code
Cost Optimization cost_optimizing
Performance performance
Security security
Fault Tolerance fault_tolerance

The following example policy allows the user to view (and perform other actions on) the checks in the Fault Tolerance and Performance categories by specifying the category codes:

{   

    "Version": "2012-10-17",   

    "Statement": [     

        {       

            "Effect": "Allow",       

            "Action": "trustedadvisor:*",       

            "Resource": ["arn:aws-cn:trustedadvisor:*:123456789012:checks/fault_tolerance/*", "arn:aws-cn:trustedadvisor:*:123456789012:checks/performance/*"]     

            } 

      ]

}
Specific Checks

To allow or deny permission to a specific Trusted Advisor check in a policy, use an Amazon resource name (ARN) in this form:

arn:aws-cn:trustedadvisor:*:accountnumber:checks/categoryCode/checkId

Categories and IDs are shown in Table 2; category codes are shown in Table 4.

The following example policy allows the user to view (and perform other actions on) two specific checks related to Amazon S3, by specifying the categories and IDs of those checks:

{   

    "Version": "2012-10-17", 

    "Statement": [     

        {       

            "Effect": "Allow", 
            "Action": "trustedadvisor:*",       
            "Resource": [           
               "arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP",           
               "arn:aws:trustedadvisor:*:123456789012:checks/security/Pfx0RwqBli" 

             ]

        }   

    ] 

}
Specific Actions

You can control the amount of information that a user can see, and you can also control the ability to refresh checks, to exclude and include items from check results, and to view and modify notification preferences.

To allow or deny the use of a specific Trusted Advisor action in a policy, precede the action with the "trustedadvisor:" namespace prefix.

The following table shows the actions you can specify and the result of denying permission for that action.

Table 5: Trusted Advisor Actions
Action Effect when denied
DescribeCheckResult Cannot view any Trusted Advisor information.
Viewing and changing notification preferences is controlled separately.
DescribeCheckItems Cannot view details (items in results table).
RefreshCheck Cannot refresh checks. Also cannot change the exclusion or inclusion status of items, because change of item status requires a refresh of the check.
ExcludeCheckItems Cannot change the status of items from included to excluded.
Might be able to change items from excluded to included, depending on the permission for IncludeCheckItems.
IncludeCheckItems Cannot change the status of items from excluded to included.
Might be able to change items from included to excluded, depending on the permission for ExcludeCheckItems.
DescribeNotificationPreferences Cannot view information on the notification preferences page.
UpdateNotificationPreferences Cannot change options on the notification preferences page.

The following example policy allows the user to view all Trusted Advisor checks, but it does not allow the user to refresh any checks:

{   

    "Version": "2012-10-17", 

    "Statement": [     

        {       

            "Effect": "Allow", 
            "Action": "trustedadvisor:*",       
            "Resource": [           
                "arn:aws-cn:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP",           
                "arn:aws-cn:trustedadvisor:*:123456789012:checks/security/Pfx0RwqBli" 

             ]

        }   

    ] 

}

For more information about how to construct policies, see Overview of Amazon IAM Policies in the Amazon Identity and Access Management User Guide.