The Amazon Trusted Advisor console introduces new ways to control access to Trusted Advisor checks by adding new Amazon Identity and Access Management (IAM) features. To view Trusted Advisor results or take actions such as refreshing check data or excluding items from results, an IAM user must have permission for actions and resources specified with the "trustedadvisor" namespace. For complete information about creating policies and applying them to users and groups, see the Amazon Identity and Access Management documentation.
The following table shows common permission scenarios for the Trusted Advisor console.
Table 1: Common Permission Scenarios
Access | Specification | IAM Console Template |
---|---|---|
Full | "Action": "trustedadvisor:*", "Resource": "*" | Administrator Access, Power User Access |
Read-only | "Action": "trustedadvisor:Describe*", "Resource": "*" | Read Only Access |
Specific check category | "Resource": "arn:aws-cn:trustedadvisor:*:acct:checks/category/*" | None; see Categories of Checks |
Specific check | "Resource": "arn:aws-cn:trustedadvisor:*:acct:checks/category/checkID" | None; see Specific Checks |
Specific action | "Action": "trustedadvisor:actionName" | None; see Specific Actions |
Information That Trusted Advisor Displays
Trusted Advisor displays information about some of the resources that are associated with an Amazon Web Services account.
Important: Although the user cannot make changes to these resources unless they are authorized to do so by policies that explicitly allow it, the user can view information that they might otherwise not be authorized to view. For example, a user viewing a check related to Amazon EC2 Instances might see information or usage data for instances, even if another policy specifically denies access to viewing this information.
The following two tables show the information that Trusted Advisor displays:
Table 2 shows the title, category, ID, and report columns of the current Trusted Advisor checks. You use the category and check ID to refer to specific checks in an IAM policy.
Table 3 shows examples of service-specific actions (APIs) and data that correspond to the information that is shown by the checks.
Although the list of report columns in the following tables can alert you to information that is exposed by a check, you should examine a Trusted Advisor report for your account to make sure you fully understand what information is exposed by each check.
Table 2: Check Categories, IDs, and Report Columns
Check Title | Category | Check ID | Report Columns |
---|---|---|---|
Amazon EBS Provisioned IOPS Volume Attachment Configuration | Performance | PPkZrjsH2q | Region/AZ, Volume ID, Volume Name, Volume Attachment, Instance ID, Instance Type, EBS Optimized, Status |
Amazon EBS Snapshots | Fault Tolerance | H7IgTzjTYb | Region, Volume ID, Volume Name, Snapshot ID, Snapshot Name, Snapshot Age, Volume Attachment, Status, Reason |
Amazon EC2 Availability Zone Balance | Fault Tolerance | wuy7G1zxql | Region, Instances in Zone a, Instances in Zone b, Instances in Zone c, Instances in Zone d, Instances in Zone e, Status, Reason |
Amazon S3 Bucket Logging | Fault Tolerance | BueAdJ7NrP | Region, Bucket Name, Target Name, Target Exists, Same Owner, Write Enabled, Status, Reason |
Amazon S3 Bucket Permissions | Security | Pfx0RwqBli | Region Name, Region API Parameter, Bucket Name, Global List Access, Global Upload/Delete Access, Status |
High Utilization Amazon EC2 Instances | Performance | ZRxQlPsb6c | Region/AZ, Instance ID, Instance Name, Instance Type, Day 1 ... Day 14, 14-Day Average CPU Utilization, Number of Days over 90% CPU Utilization |
Large Number of EC2 Security Group Rules Applied to an Instance | Performance | j3DFqYTe29 | Region, Instance ID, Instance Name, VPC ID, Total Inbound Rules, Total Outbound Rules |
Large Number of Rules in an EC2 Security Group | Fault Tolerance | tfg86AVHAZ | Region, Security Group Name, Group ID, Description, Instance Count, VPC ID, Total Inbound Rules, Total Outbound Rules |
Load Balancer Optimization | Fault Tolerance | iqdCTZKCUp | Region, Load Balancer Name, # of Zones, Instances in Zone a, Instances in Zone b, Instances in Zone c, Instances in Zone d, Instances in Zone e, Status, Reason |
Overutilized Standard Amazon EBS Volumes | Performance | k3J2hns32g | Region, Volume ID, Volume Name, Day 1 ... Day 14, Number of Days Over, Max Daily Median, Status |
Security Groups - Specific Ports Unrestricted | Security | HCP4007jGY | Region, Security Group Name, Security Group ID, Protocol, Status, Ports |
Security Groups - Unrestricted Access | Security | 1iG5NDGVre | Region, Security Group Name, Security Group ID, Protocol, Port, Status, IP Range |
Unassociated Elastic IP Addresses | Cost Optimization | Z4AUBRNSmz | Region, IP Address |
The following table shows the report columns for each check again, adding examples of the service-specific actions that display data that corresponds to the data displayed in the Trusted Advisor report columns. Note that Trusted Advisor does not necessarily use the actions listed; the actions are only examples of one way to display the information.
For example, if you deny a user access to the Amazon EC2 DescribeInstances operation but also allow the user access to the Trusted Advisor Low Utilization EC2 Instances check, the user can view some of the information that is returned by DescribeInstances, even though access to DescribeInstances has been explicitly denied.
Table 3: Example Actions and Data
Check Title | Report Columns | Actions | Data |
---|---|---|---|
Amazon EBS Provisioned IOPS Volume Attachment Configuration | Region/AZ, Volume ID, Volume Name, Volume Attachment, Instance ID, Instance Type, EBS Optimized, Status | ec2:DescribeVolumes | AvailabilityZone, VolumeId, tag:Name, VolumeType, AttachmentSet.Item.VolumeId, AttachmentSet.Item.InstanceId, AttachmentSet.Item.Device |
 | | ec2:DescribeInstanceAttribute | InstanceId, EbsOptimized |
Amazon EBS Snapshots | Region, Volume ID, Volume Name, Snapshot ID, Snapshot Name, Snapshot Age, Volume Attachment, Status, Reason | ec2:DescribeVolumes | VolumeId, VolumeType, tag:Name |
 | | cloudwatch:GetMetricStatistics | VolumeReadOps, VolumeWriteOps |
Amazon EC2 Availability Zone Balance | Region, Instances in Zone a, Instances in Zone b, Instances in Zone c, Instances in Zone d, Instances in Zone e, Status, Reason | ec2:DescribeInstances | AvailabilityZone |
Amazon S3 Bucket Logging | Region, Bucket Name, Target Name, Target Exists, Same Owner, Write Enabled, Status, Reason | s3:GetService | BucketName, Owner |
 | | s3:GetBucketLogging | TargetName |
 | | s3:GetBucketAcl | Grantee, Permission |
Amazon S3 Bucket Permissions | Region Name, Region API Parameter, Bucket Name, Global List Access, Global Upload/Delete Access, Status | s3:GetService | BucketName, Owner |
 | | s3:GetBucketAcl | Grantee, Permission |
High Utilization Amazon EC2 Instances | Region/AZ, Instance ID, Instance Name, Instance Type, Day 1 ... Day 14, 14-Day Average CPU Utilization, Number of Days over 90% CPU Utilization | ec2:DescribeInstances | AvailabilityZone, InstanceId, tag:Name |
 | | cloudwatch:GetMetricStatistics | CPUUtilization, NetworkIn, NetworkOut |
Large Number of EC2 Security Group Rules Applied to an Instance | Region, Instance ID, Instance Name, VPC ID, Total Inbound Rules, Total Outbound Rules | ec2:DescribeInstances | InstanceId, tag:Name, VpcId, GroupId, GroupName |
 | | ec2:DescribeGroups | IpPermissions, IpPermissionsEgress |
Large Number of Rules in an EC2 Security Group | Region, Security Group Name, Group ID, Description, Instance Count, VPC ID, Total Inbound Rules, Total Outbound Rules | ec2:DescribeGroups | GroupName, GroupId, GroupDescription, VpcId, IpPermissions, IpPermissionsEgress |
 | | ec2:DescribeInstances | GroupId, InstanceId |
Load Balancer Optimization | Region, Load Balancer Name, # of Zones, Instances in Zone a, Instances in Zone b, Instances in Zone c, Instances in Zone d, Instances in Zone e, Status, Reason | elasticloadbalancing:DescribeLoadBalancers | LoadBalancerName, AvailabilityZones |
Overutilized Standard Amazon EBS Volumes | Region, Volume ID, Volume Name, Day 1 ... Day 14, Number of Days Over, Max Daily Median, Status | ec2:DescribeVolumes | VolumeId, VolumeType, tag:Name |
 | | cloudwatch:GetMetricStatistics | VolumeReadOps, VolumeWriteOps |
Security Groups - Specific Ports Unrestricted | Region, Security Group Name, Security Group ID, Protocol, Status, Ports | ec2:DescribeSecurityGroups | GroupName, GroupId, IpPermissions, IpProtocol, FromPort, ToPort |
Security Groups - Unrestricted Access | Region, Security Group Name, Security Group ID, Protocol, Port, Status, IP Range | ec2:DescribeSecurityGroups | GroupName, GroupId, IpPermissions, IpProtocol, FromPort, ToPort, IpRanges |
Service Limits | Region, Service, Limit Name, Limit Amount, Current Usage, Status | [Shows limits and current usage for several services. See "What service limits do you check" in the Trusted Advisor FAQs for details.] | [Varies] |
Unassociated Elastic IP Addresses | Region, IP Address | ec2:DescribeAddresses | PublicIp, InstanceId |
 | | ec2:DescribeInstances | InstanceState |
IAM Policy Examples
The following are examples of IAM policies that you might use to control access to the Trusted Advisor console. For more information about how to construct policies, see Overview of Amazon IAM Policies in the Amazon Identity and Access Management User Guide.
Deny All
The following example policy denies access to all Trusted Advisor check results:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}
```
Allow All
The following example policy allows the user to view (and take all actions on) all Trusted Advisor checks:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}
```
Categories of Checks
To specify a Trusted Advisor check category in a policy, use an Amazon resource name (ARN) in this form:
arn:aws-cn:trustedadvisor:*:accountnumber:checks/categoryCode/*
To see the check categories, see Table 2. The following table shows the category code to specify for each category.
Table 4: Categories and Category Codes
Category | Category Code |
---|---|
Cost Optimization | cost_optimizing |
Performance | performance |
Security | security |
Fault Tolerance | fault_tolerance |
The following example policy allows the user to view (and perform other actions on) the checks in the Fault Tolerance and Performance categories by specifying the category codes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": [
        "arn:aws-cn:trustedadvisor:*:123456789012:checks/fault_tolerance/*",
        "arn:aws-cn:trustedadvisor:*:123456789012:checks/performance/*"
      ]
    }
  ]
}
```
Specific Checks
To allow or deny permission to a specific Trusted Advisor check in a policy, use an Amazon resource name (ARN) in this form:
arn:aws-cn:trustedadvisor:*:accountnumber:checks/categoryCode/checkId
Categories and IDs are shown in Table 2; category codes are shown in Table 4.
The following example policy allows the user to view (and perform other actions on) two specific checks related to Amazon S3, by specifying the categories and IDs of those checks:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": [
        "arn:aws-cn:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP",
        "arn:aws-cn:trustedadvisor:*:123456789012:checks/security/Pfx0RwqBli"
      ]
    }
  ]
}
```
Specific Actions
You can control the amount of information that a user can see, and you can also control the ability to refresh checks, to exclude and include items from check results, and to view and modify notification preferences.
To allow or deny the use of a specific Trusted Advisor action in a policy, precede the action with the "trustedadvisor:" namespace prefix.
The following table shows the actions you can specify and the result of denying permission for that action.
Table 5: Trusted Advisor Actions
Action | Effect when denied |
---|---|
DescribeCheckResult | Cannot view any Trusted Advisor information. Viewing and changing notification preferences is controlled separately. |
DescribeCheckItems | Cannot view details (items in results table). |
RefreshCheck | Cannot refresh checks. Also cannot change the exclusion or inclusion status of items, because change of item status requires a refresh of the check. |
ExcludeCheckItems | Cannot change the status of items from included to excluded. Might be able to change items from excluded to included, depending on the permission for IncludeCheckItems. |
IncludeCheckItems | Cannot change the status of items from excluded to included. Might be able to change items from included to excluded, depending on the permission for ExcludeCheckItems. |
DescribeNotificationPreferences | Cannot view information on the notification preferences page. |
UpdateNotificationPreferences | Cannot change options on the notification preferences page. |
The following example policy allows the user to view all Trusted Advisor checks, but it does not allow the user to refresh any checks:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:RefreshCheck",
      "Resource": "*"
    }
  ]
}
```
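The following is an added example, not Amazon's code or part of this guide. It models the parts of IAM evaluation this page relies on (Action and Resource wildcards, an explicit Deny overriding any Allow, and implicit deny for everything else) against the check ARN forms from the Categories of Checks, Specific Checks and Specific Actions sections, and it turns the caveat in the "Important" note into an audit: for every check a policy lets a user view, it lists the service actions from Table 3 whose data the check displays but which the same policy does not allow directly. The CHECKS map is a constructed subset of Tables 2 and 3, both policies are constructed, the region `cn-north-1` in the request ARN is an assumption, and conditions, NotAction, resource policies and SCPs are deliberately left out of the evaluator.

```python
# Added example (not AWS code): a simplified model of how IAM evaluates the
# Trusted Advisor policies on this page, plus an audit for the exposure caveat
# in the "Important" note. Only Action/Resource wildcards, explicit Deny
# beating Allow, and implicit deny are modelled; conditions, NotAction,
# resource policies and SCPs are out of scope.
import re

PARTITION = "aws-cn"
ACCOUNT = "123456789012"   # example account number used by the page's policies
REGION = "cn-north-1"      # assumption: region placed in the request ARN

# Constructed subset of Tables 2 and 3: check ID -> (category code, example
# service actions whose data the check displays).
CHECKS = {
    "BueAdJ7NrP": ("fault_tolerance", ["s3:GetService", "s3:GetBucketLogging", "s3:GetBucketAcl"]),
    "Pfx0RwqBli": ("security", ["s3:GetService", "s3:GetBucketAcl"]),
    "HCP4007jGY": ("security", ["ec2:DescribeSecurityGroups"]),
    "ZRxQlPsb6c": ("performance", ["ec2:DescribeInstances", "cloudwatch:GetMetricStatistics"]),
    "Z4AUBRNSmz": ("cost_optimizing", ["ec2:DescribeAddresses", "ec2:DescribeInstances"]),
}


def check_arn(check_id):
    """ARN of one check in the form the page gives: .../checks/categoryCode/checkId."""
    category, _ = CHECKS[check_id]
    return f"arn:{PARTITION}:trustedadvisor:{REGION}:{ACCOUNT}:checks/{category}/{check_id}"


def _matches(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' spans any run of characters, '?' one character."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one action on one resource under one identity policy."""
    decision = "Deny"  # implicit deny until a statement allows the request
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        if not any(_matches(a, action, case_insensitive=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def exposed_via_trusted_advisor(policy):
    """For every check the policy lets the user view, list the service actions the
    same policy does not allow directly but whose data the check still displays."""
    findings = {}
    for check_id, (_, actions) in CHECKS.items():
        if evaluate(policy, "trustedadvisor:DescribeCheckResult", check_arn(check_id)) != "Allow":
            continue
        leaked = [a for a in actions if evaluate(policy, a, "*") == "Deny"]
        if leaked:
            findings[check_id] = leaked
    return findings


# Constructed policy: full Trusted Advisor access minus RefreshCheck, broad read
# access to EC2/S3/CloudWatch, but ec2:DescribeInstances explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "trustedadvisor:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "trustedadvisor:RefreshCheck", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "cloudwatch:GetMetricStatistics"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

# Constructed policy scoped to the Security category with the ARN form from Table 4.
SECURITY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "trustedadvisor:Describe*",
         "Resource": f"arn:{PARTITION}:trustedadvisor:*:{ACCOUNT}:checks/security/*"},
    ],
}

if __name__ == "__main__":
    for policy_name, policy in (("SAMPLE_POLICY", SAMPLE_POLICY), ("SECURITY_ONLY_POLICY", SECURITY_ONLY_POLICY)):
        for check_id, leaked in exposed_via_trusted_advisor(policy).items():
            print(f"{policy_name}: check {check_id} is viewable but shows data from non-allowed action(s): {leaked}")
```

Running the module reports that under SAMPLE_POLICY the two checks that display instance data remain viewable even though ec2:DescribeInstances is explicitly denied, and that the category-scoped SECURITY_ONLY_POLICY still surfaces S3 ACL and security group data the user cannot request directly; these are the exposures the "Important" note describes and the ones to review when combining Trusted Advisor permissions with deny statements on service APIs.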
For more information about how to construct policies, see Overview of Amazon IAM Policies in the Amazon Identity and Access Management User Guide.