Service Screener

COST_OPTIMIZING 0 Error 0 Warning 0 Ok

Services	Findings	# Error	# Warning	# OK	Last Updated	Estimated Monthly Savings	Estimated Percent Savings
UNKNOWN	OK Amazon EC2 Instances Stopped (Source: aws_config)	0	0	0	2024-11-07 06:40:38 UTC	$0.00	0.0%
Checks if there are Amazon EC2 instances that have been stopped for more than 30 days or other specified number. You can specify the allowed number of days value in the "AllowedDays" of AWS Config parameters. For more information, see Why am I being charged for Amazon EC2 when all my instances were terminated? Source AWS Config Managed Rule: ec2-stopped-instance Alert Criteria Yellow: There are Amazon EC2 instances stopped for more than more than allowed number of days. Recommended Action Review the EC2 instances that have been stopped for more than allowed number of days. To avoid incuring unnecessary cost, terminate any instances that are no longer needed. For more information, see Terminate your instance. Additional Resources Amazon EC2 On-Demand Pricing
ec2	OK Savings Plan (Source: ta_check)	0	0	0	2024-11-01 04:31:45 UTC	$0.00	0.0%
Checks your usage of EC2, Fargate, and Lambda over the last 30 days and provides Savings Plan purchase recommendations, which allows you to commit to a consistent usage amount measured in $/hour for a one or three year term in exchange for discounted rates. These are sourced from AWS Cost Explorer which can be used to get more detailed recommendation information, or to purchase a savings plan. These recommendations should be considered an alternative to your RI recommendations and choosing to act fully on both sets of recommendations would likely lead to over commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account. Alert Criteria Yellow: Optimizing the purchase of Savings Plans can help reduce costs. Recommended Action See the Cost Explorer page for more detailed and customized recommendations and to purchase Savings Plans. Additional Resources Savings Plan User Guide Savings Plan FAQ
ec2	OK Amazon EC2 Reserved Instance Lease Expiration (Source: ta_check)	0	0	0	2024-10-31 04:05:46 UTC	$0.00	0.0%
Checks for Amazon EC2 Reserved Instances that are scheduled to expire within the next 30 days or have expired in the preceding 30 days. Reserved Instances do not renew automatically; you can continue using an EC2 instance covered by the reservation without interruption, but you will be charged On-Demand rates. New Reserved Instances can have the same parameters as the expired ones, or you can purchase Reserved Instances with different parameters. The estimated monthly savings we show is the difference between the On-Demand and Reserved Instance rates for the same instance type. Alert Criteria Yellow: The Reserved Instance lease expires in less than 30 days. Yellow: The Reserved Instance lease expired in the preceding 30 days. Recommended Action Consider purchasing a new Reserved Instance to replace the one that is nearing the end of its term. For more information, see How to Purchase Reserved Instances and Buying Reserved Instances. Additional Resources Reserved Instances Instance Types
ecs	OK Savings Plan (Source: ta_check)	0	0	0	2024-11-01 04:31:45 UTC	$0.00	0.0%
Checks your usage of EC2, Fargate, and Lambda over the last 30 days and provides Savings Plan purchase recommendations, which allows you to commit to a consistent usage amount measured in $/hour for a one or three year term in exchange for discounted rates. These are sourced from AWS Cost Explorer which can be used to get more detailed recommendation information, or to purchase a savings plan. These recommendations should be considered an alternative to your RI recommendations and choosing to act fully on both sets of recommendations would likely lead to over commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account. Alert Criteria Yellow: Optimizing the purchase of Savings Plans can help reduce costs. Recommended Action See the Cost Explorer page for more detailed and customized recommendations and to purchase Savings Plans. Additional Resources Savings Plan User Guide Savings Plan FAQ
lambda	OK Savings Plan (Source: ta_check)	0	0	0	2024-11-01 04:31:45 UTC	$0.00	0.0%
Checks your usage of EC2, Fargate, and Lambda over the last 30 days and provides Savings Plan purchase recommendations, which allows you to commit to a consistent usage amount measured in $/hour for a one or three year term in exchange for discounted rates. These are sourced from AWS Cost Explorer which can be used to get more detailed recommendation information, or to purchase a savings plan. These recommendations should be considered an alternative to your RI recommendations and choosing to act fully on both sets of recommendations would likely lead to over commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account. Alert Criteria Yellow: Optimizing the purchase of Savings Plans can help reduce costs. Recommended Action See the Cost Explorer page for more detailed and customized recommendations and to purchase Savings Plans. Additional Resources Savings Plan User Guide Savings Plan FAQ
rds	OK Amazon RDS Idle DB Instances (Source: ta_check)	0	0	0	2024-11-03 19:26:42 UTC	$0.00	0.0%
Checks the configuration of your Amazon Relational Database Service (Amazon RDS) for any DB instances that appear to be idle. If a DB instance has not had a connection for a prolonged period of time, you can delete the instance to reduce costs. If persistent storage is needed for data on the instance, you can use lower-cost options such as taking and retaining a DB snapshot. Manually created DB snapshots are retained until you delete them. Alert Criteria Yellow: An active DB instance has not had a connection in the last 7 days. Recommended Action Consider taking a snapshot of the idle DB instance and then either stopping it or deleting it. Stopping the DB instance removes some of the costs for it, but does not remove storage costs. A stopped instance keeps all automated backups based upon the configured retention period. Stopping a DB instance usually incurs additional costs when compared to deleting the instance and then retaining only the final snapshot. See Stopping an Amazon RDS DB Instance Temporarily and Deleting a DB Instance with a Final Snapshot. Additional Resources Back Up and Restore
rds	OK Amazon Relational Database Service (RDS) Reserved Instance Optimization (Source: ta_check)	0	0	0	2024-11-01 01:52:32 UTC	$0.00	0.0%
Checks your usage of RDS and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using RDS On-Demand. AWS generates these recommendations by analyzing your On-Demand usage for the past 30 days. We then simulate every combination of reservations in the generated category of usage in order to identify the best number of each type of Reserved Instance to purchase to maximize your savings. This check covers recommendations based on partial upfront payment option with 1-year or 3-year commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account. Alert Criteria Yellow: Optimizing the purchase of RDS Reserved Instances can help reduce costs. Recommended Action See the Cost Explorer page for more detailed recommendations, customization options (e.g. look-back period, payment option, etc.) and to purchase RDS Reserved Instances. Additional Resources Information on RDS Reserved Instances and how they can save you money can be found here. For more information on this recommendation, see Reserved Instance Optimization Check Questions in the Trusted Advisor FAQs. For more detailed description of fields, see Cost Explorer documentation
elasticloadbalancing	OK Idle Load Balancers (Source: ta_check)	0	0	0	2024-11-03 00:41:14 UTC	$0.00	0.0%
Checks your Elastic Load Balancing configuration for load balancers that are not actively used. Any load balancer that is configured accrues charges. If a load balancer has no associated back-end instances or if network traffic is severely limited, the load balancer is not being used effectively. Alert Criteria Yellow: A load balancer has no active back-end instances. Yellow: A load balancer has no healthy back-end instances. Yellow: A load balancer has had less than 100 requests per day for the last 7 days. Recommended Action If your load balancer has no active back-end instances, consider registering instances or deleting your load balancer. See Registering Your Amazon EC2 Instances with Your Load Balancer or Delete Your Load Balancer. If your load balancer has no healthy back-end instances, see Troubleshooting Elastic Load Balancing: Health Check Configuration. If your load balancer has had a low request count, consider deleting your load balancer. See Delete Your Load Balancer. Additional Resources Managing Load Balancers Troubleshoot Elastic Load Balancing
elasticloadbalancingv2	OK Idle Load Balancers (Source: ta_check)	0	0	0	2024-11-03 00:41:14 UTC	$0.00	0.0%
Checks your Elastic Load Balancing configuration for load balancers that are not actively used. Any load balancer that is configured accrues charges. If a load balancer has no associated back-end instances or if network traffic is severely limited, the load balancer is not being used effectively. Alert Criteria Yellow: A load balancer has no active back-end instances. Yellow: A load balancer has no healthy back-end instances. Yellow: A load balancer has had less than 100 requests per day for the last 7 days. Recommended Action If your load balancer has no active back-end instances, consider registering instances or deleting your load balancer. See Registering Your Amazon EC2 Instances with Your Load Balancer or Delete Your Load Balancer. If your load balancer has no healthy back-end instances, see Troubleshooting Elastic Load Balancing: Health Check Configuration. If your load balancer has had a low request count, consider deleting your load balancer. See Delete Your Load Balancer. Additional Resources Managing Load Balancers Troubleshoot Elastic Load Balancing
opensearch	OK Amazon OpenSearch Service Reserved Instance Optimization (Source: ta_check)	0	0	0	2024-11-02 18:06:04 UTC	$0.00	0.0%
Checks your usage of Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) and provides recommendations on purchase of Reserved Instances to help reduce costs incurred from using Amazon OpenSearch Service On-Demand. AWS generates these recommendations by analyzing your On-Demand usage for the past 30 days. We then simulate every combination of reservations in the generated category of usage in order to identify the best number of each type of Reserved Instance to purchase to maximize your savings. This check covers recommendations based on partial upfront payment option with 1-year or 3-year commitment. This check is not available to accounts linked in Consolidated Billing. Recommendations are only available for the Paying Account. Alert Criteria Yellow: Optimizing the purchase of Amazon OpenSearch Service Reserved Instances can help reduce costs. Recommended Action See the Cost Explorer page for more detailed recommendations, customization options (e.g. look-back period, payment option, etc.) and to purchase Amazon OpenSearch Service Reserved Instances. Additional Resources Information on Amazon OpenSearch Service Reserved Instances and how they can save you money can be found here. For more information on this recommendation, see Reserved Instance Optimization Check Questions in the Trusted Advisor FAQs. For more detailed description of fields, see Cost Explorer documentation
redshift	OK Underutilized Amazon Redshift Clusters (Source: ta_check)	0	0	0	2024-10-31 17:31:51 UTC	$0.00	0.0%
Checks your Amazon Redshift configuration for clusters that appear to be underutilized. If an Amazon Redshift cluster has not had a connection for a prolonged period of time or is using a low amount of CPU, you can use lower-cost options such as downsizing the cluster or shutting down the cluster and taking a final snapshot. Final snapshots are retained even after you delete your cluster. Alert Criteria Yellow: A running cluster has not had a connection in the last 7 days. Yellow: A running cluster had less than 5% cluster-wide average CPU utilization for 99% of the last 7 days. Recommended Action Consider shutting down the cluster and taking a final snapshot, or downsizing the cluster. See Shutting Down and Deleting Clusters and Resizing a Cluster. Additional Resources Amazon CloudWatch Developer Guide
route53	OK Amazon Route 53 Latency Resource Record Sets (Source: ta_check)	0	0	0	2024-11-01 03:12:52 UTC	$0.00	0.0%
Checks for Amazon Route 53 latency record sets that are configured inefficiently. To allow Amazon Route 53 to route queries to the region with the lowest network latency, you should create latency resource record sets for a particular domain name (such as example.com) in different regions. If you create only one latency resource record set for a domain name, all queries are routed to one region, and you pay extra for latency-based routing without getting the benefits. Hosted zones created by AWS services won’t appear in your check results. Alert Criteria Yellow: Only one latency resource record set is configured for a particular domain name. Recommended Action If you have resources in multiple regions, be sure to define a latency resource record set for each region; see Latency-Based Routing. If you have resources in only one region, consider creating resources in more than one region and define latency resource record sets for each; see Latency-Based Routing. If you don't want to use multiple regions, you should use a simple resource record set; see Working with Resource Record Sets. Additional Resources Amazon Route 53 Developer Guide Amazon Route 53 Pricing

SECURITY 78 Error 0 Warning 91 Ok

Services	Findings	# Error	# Warning	# OK	Last Updated
ec2	ERROR The VPC default security group should not allow inbound and outbound traffic (Source: security_hub)	3	0	0	2024-11-07 06:40:42 UTC
Checks that the default security group of a VPC does not allow inbound or outbound traffic. Source AWS Security Hub Security Hub control ID: EC2.2 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	ERROR Security Groups - Unrestricted Access (Source: ta_check)	8	0	0	2024-11-02 14:15:29 UTC
Checks security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). Note: This check only evaluates security groups that you create and their inbound rules for IPv4 addresses. Security groups created by AWS Directory Services are flagged as red or yellow, but they don’t pose a security risk and can be safely ignored or excluded. For more information, see the Trusted Advisor FAQ. Alert Criteria Red: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443. Yellow: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443 and security group is attached to a resource. Red: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443 and security group is not attached to a resource. Recommended Action Restrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive. Review and delete unused security groups. AWS Firewall Manager can be used to centrally configure and manage security groups at scale across AWS accounts, see the Firewall manager user guide to learn more. Consider using Systems Manager Sessions Manager for SSH (Port 22) and RDP (Port 3389) access to EC2 instances. With sessions manager, you can access your EC2 instances without enabling port 22 and 3389 in the security group. Additional Resources Amazon EC2 Security Groups Classless Inter-Domain Routing (Wikipedia)
ec2	ERROR Security groups should only allow unrestricted incoming traffic for authorized ports (Source: security_hub)	5	0	0	2024-11-07 06:40:42 UTC
Checks if the security groups allow unrestricted incoming traffic. The check fails if ports allow unrestricted traffic on ports other than 80 and 443, which are default values for parameter authorizedTcpPorts. Source AWS Security Hub Security Hub control ID: EC2.18 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	ERROR Security groups should not allow unrestricted access to ports with high risk (Source: security_hub)	5	0	5	2024-11-07 06:40:42 UTC
Checks if unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22 ] that have the highest risk. This check passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports. Source AWS Security Hub Security Hub control ID: EC2.19 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	ERROR Security Groups - Specific Ports Unrestricted (Source: ta_check)	6	0	0	2024-11-01 07:06:59 UTC
Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP. If you have intentionally configured your security groups in this manner, we recommend using additional security measures to secure your infrastructure (such as IP tables). Note: This check only evaluates security groups that you create and their inbound rules for IPv4 addresses. Security groups created by AWS Directory Services are flagged as red or yellow, but they don’t pose a security risk and can be safely ignored or excluded. For more information, see the Trusted Advisor FAQ. Alert Criteria Green: Security Group provides unrestricted access on ports 80, 25, 443, or 465. Red: Security Group is attached to a resource and provides unrestricted access to port 20, 21, 22, 1433, 1434, 3306, 3389, 4333, 5432, or 5500. Yellow: Security Group provides unrestricted access to any other port. Yellow: Security Group is not attached to any resource and provides unrestricted access. Recommended Action Restrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive. Review and delete unused security groups. AWS Firewall Manager can be used to centrally configure and manage security groups at scale across AWS accounts, see the Firewall manager user guide to learn more. Consider using Systems Manager Sessions Manager for SSH (Port 22) and RDP (Port 3389) access to EC2 instances. With sessions manager, you can access your EC2 instances without enabling port 22 and 3389 in the security group. Additional Resources Amazon EC2 Security Groups List of TCP and UDP port numbers (Wikipedia) Classless Inter-Domain Routing (Wikipedia)
ec2	OK EBS snapshots should not be public, determined by the ability to be restorable by anyone (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if Amazon Elastic Block Store snapshots are not publicly restorable. Source AWS Security Hub Security Hub control ID: EC2.1 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	OK Stopped EC2 instances should be removed after a specified time period (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. Source AWS Security Hub Security Hub control ID: EC2.4 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	OK Unused Network Access Control Lists should be removed (Source: security_hub)	0	0	3	2024-11-07 06:40:42 UTC
Checks to see if there are any NACLs (Network Access Control List) that are unused. The check will check the item configuration of the resource AWS::EC2::NetworkAcl and determine the relationships of the NACL. Source AWS Security Hub Security Hub control ID: EC2.16 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	OK Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if a network access check list (NACL) allows unrestricted access to the default ports for SSH/RDP ingress traffic. The rule fails if a NACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for ports 22 or 3389 Source AWS Security Hub Security Hub Control Id: EC2.21 Alert Criteria Yellow: Medium or Low Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	OK EC2 Transit Gateways should not automatically accept VPC attachment requests (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if EC2 Transit Gateways are automatically accepting shared VPC attachments requests. This check will fail for a Transit Gateway that automatically accept shared VPC attachment requests. Source AWS Security Hub Security Hub Control Id: EC2.23 Alert Criteria Red: Critical or High Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ec2	OK Attached EBS volumes should be encrypted at-rest (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if the EBS volumes that are in an attached state are encrypted. Source AWS Security Hub Security Hub control ID: EC2.3 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
s3	ERROR S3 Block Public Access setting should be enabled at the bucket-level (Source: security_hub)	1	0	11	2024-11-07 06:40:42 UTC
Checks if Amazon S3 buckets have bucket level public access blocks applied. This check fails if any of the bucket level settings are set to "false" public: ignorePublicAcls, blockPublicPolicy, blockPublicAcls, restrictPublicBuckets. Source AWS Security Hub Security Hub control ID: S3.8 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
s3	OK S3 Block Public Access setting should be enabled (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if the following public access block settings are configured from account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True. Source AWS Security Hub Security Hub control ID: S3.1 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
accessanalyzer	ERROR IAM Access Analyzer - external access (Source: ta_check)	17	0	1	2024-11-06 07:40:42 UTC
Checks if the IAM Access Analyzer external access at the account or organization level is present.. IAM Access Analyzer external access analyzers help identify resources in your organization and accounts that are shared with an external entity and creates a centralized dashboard with findings. After the new analyzer is enabled in the IAM console, security teams can prioritize which accounts to review based on excessive permissions. An external access analyzer creates public and cross-account access findings for resources, and is provided at no additional charge. Alert Criteria Red: The analyzer external access is not enabled at account level. Green: The analyzer external access is enabled at account level. Recommended Action The creation of an external access analyzer per account helps security teams to prioritize which accounts to review based on excessive permissions. For more information, see Getting started with AWS Identity and Access Management Access Analyzer findings. Additionally, we recommend the use of the unused access analyzer a paid feature that simplifies inspecting unused access to guide you toward least privilege. For more information, see Identifying unused access granted to IAM users and roles. Additional Resources Using AWS Identity and Access Management Access Analyzer. IAM Access Analyzer updates: Find unused access, check policies before deployment
wellarchitected	ERROR AWS Well-Architected high risk issues for security (Source: well_architected)	1	0	1	2024-11-07 06:40:42 UTC
Checks for high risk issues (HRIs) for your workloads in the security pillar. This check is based on your AWS-Well Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected. Alert Criteria Red: At least one active high risk issue was identified in the security pillar for AWS Well-Architected. Green: No active high risk issues were detected in the security pillar for AWS Well-Architected. Recommended Action AWS Well-Architected detected high risk issues during your workload evaluation. These issues present opportunities to reduce risk and save money. Sign in to the AWS Well-Architected tool to review your answers and take action to resolve your active issues.
iam	ERROR MFA on Root Account (Source: ta_check)	1	0	0	2024-11-03 17:33:10 UTC
Checks the root account and warns if multi-factor authentication (MFA) is not enabled. For increased security, we recommend that you protect your account by using MFA, which requires a user to enter a unique authentication code from their MFA hardware or virtual device when interacting with the AWS console and associated websites. Note For your AWS Organization management account, AWS requires multi-factor authentication (MFA) for the root user when accessing the AWS Console. For your AWS Organizations member accounts, AWS recommends the use of MFA. In addition to applying MFA, if you use Organizations to manage multiple accounts, you can apply an SCP to restrict access to member account root user. For more information, please see Best practices for member accounts in AWS Organizations User Guide. Alert Criteria Red: MFA is not enabled on the root account. Recommended Action Log in to your root account and activate an MFA device. See Checking MFA Status and Setting Up an MFA Device. You can enable MFA on your account at any time by visiting the "Security Credentials" page, which is available in the top right account menu drop-down in the AWS Management Console. We support multiple industry standard forms of MFA, such as FIDO2 and virtual authenticators, to give you flexibility to choose a MFA device that meets your needs. We also recommend that you register more than one MFA device for resiliency, in the event one of your MFA devices is lost or stops working. Additional Resources Please refer to General steps for enabling MFA devices and Enable a virtual MFA device for your AWS account root user (console) in our AWS IAM User Guide for additional information.
iam	OK Root User Access Key (Source: ta_check)	0	0	1	2024-11-06 07:40:42 UTC
Checks if the root user access key is present. We strongly recommend that you do not create access key pairs for your root user. Because only a few tasks require the root user and you typically perform those tasks infrequently, we recommend signing in to the AWS Management Console to perform the root user tasks. Before creating access keys, review the alternatives to long-term access keys. Alert Criteria Red: The root user access key is present. Green: The root user access key is not present. Recommended Action Delete the access key(s) for the root user. See Deleting access keys for the root user. This task must be performed by the root user. You can't perform these steps as an IAM user or role. Additional Resources https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reset-root-password.html
iam	OK IAM Access Key Rotation (Source: ta_check)	0	0	0	2024-11-03 12:06:39 UTC
Checks for active IAM access keys that have not been rotated in the last 90 days. When you rotate your access keys regularly, you reduce the chance that a compromised key could be used without your knowledge to access resources. For the purposes of this check, the last rotation date and time is when the access key was created or most recently activated. The access key number and date come from the access_key_1_last_rotated and access_key_2_last_rotated information in the most recent IAM credential report. Because the regeneration frequency of a credential report is restricted, refreshing this check might not reflect recent changes (for details, see Getting Credential Reports for Your AWS Account). In order to create and rotate access keys, a user must have the appropriate permissions. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys. Alert Criteria Green: The access key is active and has been rotated in the last 90 days. Yellow: The access key is active and has been rotated in the last 2 years, but more than 90 days ago. Red: The access key is active and has not been rotated in the last 2 years. Recommended Action Rotate access keys on a regular basis. See Rotating Access Keys and Managing Access Keys for IAM Users. Additional Resources IAM Best Practices How to rotate access keys for IAM users (AWS blog)
iam	OK Hardware MFA should be enabled for the root user (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if your AWS account is enabled to use hardware multi-factor authentication (MFA) device to sign in with root credentials. Source AWS Security Hub Security Hub control ID: IAM.6 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
iam	OK IAM root user access key should not exist (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if the root user access key is available. Source AWS Security Hub Security Hub control ID: IAM.4 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
cloudtrail	ERROR AWS CloudTrail Logging (Source: ta_check)	19	0	38	2024-11-03 16:55:59 UTC
Checks for your use of AWS CloudTrail. CloudTrail provides increased visibility into activity in your AWS account by recording information about AWS API calls made on the account. You can use these logs to determine, for example, what actions a particular user has taken during a specified time period or which users have taken actions on a particular resource during a specified time period. Because CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have write permissions for the bucket. If a trail applies to all regions (the default when creating a new trail), the trail appears multiple times in the Trusted Advisor report. Alert Criteria Yellow: CloudTrail reports log delivery errors for a trail. Red: A trail has not been created for a region, or logging is turned off for a trail. Recommended Action To create a trail and start logging from the console, go to the AWS CloudTrail console. To start logging, see Stopping and Starting Logging for a Trail. If you receive log delivery errors, check to make sure that the bucket exists and that the necessary policy is attached to the bucket; see Amazon S3 Bucket Policy. Additional Resources AWS CloudTrail User Guide Supported Regions Supported Services
ecs	ERROR Amazon ECS Containers should only have read-only access to its root filesystems (Source: security_hub)	1	0	0	2024-11-07 06:40:42 UTC
Checks if ECS Containers are limited to read-only access to its mounted root filesystems. Source AWS Security Hub Security Hub Control Id: ECS.5 Alert Criteria Red: Critical or High Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ecs	ERROR ECS services should not have public IP addresses assigned to them automatically (Source: security_hub)	1	0	0	2024-11-07 06:40:42 UTC
Checks if ECS services are configured to automatically assign public IP addresses. This check fails if AssignPublicIP is ENABLED. Source AWS Security Hub Security Hub control ID: ECS.2 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ecs	OK ECS task definitions should have a logging configuration (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if the latest active Amazon ECS task definition has a logging configuration specified. The check fails if the task definition doesn't have the logConfiguration property defined or if the value for logDriver is null in at least one container definition. Source AWS Security Hub Security Hub Control Id: ECS.9 Alert Criteria Red: Critical or High Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ecs	OK Amazon ECS Task Definitions should not share the host's process namespace (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if Amazon ECS Task Definitions are configured to share a host's process namespace with its containers. Source AWS Security Hub Security Hub Control Id: ECS.3 Alert Criteria Red: Critical or High Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
lambda	ERROR AWS Lambda Functions Using Deprecated Runtimes (Source: ta_check)	10	0	0	2024-11-07 06:40:42 UTC
Checks for Lambda functions whose $LATEST version is configured to use a runtime that is approaching deprecation, or is deprecated. Deprecated runtimes are not eligible for security updates or technical support Alert Criteria Red: The function's $LATEST version is configured to use a runtime that is already deprecated. Yellow: The function's $LATEST version is running on a runtime that will be deprecated within 180 days. Recommended Action If you have functions that are running on a runtime that is approaching deprecation, you should prepare for migration to a supported runtime. For more information, see Runtime support policy. We recommend that you delete earlier function versions that you’re no longer using. Additional Resources Lambda runtimes
lambda	OK Lambda functions should use supported runtimes (Source: security_hub)	0	0	11	2024-11-07 06:40:42 UTC
Checks that the lambda function settings for runtimes, match the expected values set for the supported runtimes for each language. The supported runtimes this check assesses for are: nodejs18.x, nodejs16.x, nodejs14.x, nodejs12.x, python3.10, python3.9, python3.8, python3.7, java11, java8, java8.al2, go1.x, dotnet6, ruby2.7. Source AWS Security Hub Security Hub control ID: Lambda.2 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
sns	OK SNS topics should be encrypted at-rest using AWS KMS (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if an Amazon SNS topic is encrypted at rest using AWS KMS. Source AWS Security Hub Security Hub control ID: SNS.1 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
emr	OK Amazon EMR block public access setting should be enabled (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if your account is configured with Amazon EMR block public access. The check fails if the block public access setting is not enabled or if any port other than 22 is allowed. Source AWS Security Hub Security Hub Control Id: EMR.2 Alert Criteria Red: Critical or High Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
guardduty	OK GuardDuty should be enabled (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if Amazon GuardDuty is enabled in your AWS account and region. Source AWS Security Hub Security Hub control ID: GuardDuty.1 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ssm	OK SSM documents should not be public (Source: security_hub)	0	0	9	2024-11-07 06:40:42 UTC
Checks if AWS Systems Manager documents that the account owns are public. This check fails if SSM documents that have "Self" as the owner are public. Source AWS Security Hub Security Hub control ID: SSM.4 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
ssm	OK EC2 instances should be managed by AWS Systems Manager (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if the Amazon EC2 instances in your account are managed by AWS Systems Manager. Source AWS Security Hub Security Hub control ID: SSM.1 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
elasticloadbalancing	OK ELB Listener Security (Source: ta_check)	0	0	0	2024-10-31 19:20:50 UTC
Checks for load balancers with listeners that do not use recommended security configurations for encrypted communication. AWS recommends using a secure protocol (HTTPS or SSL), up-to-date security policies, as well as ciphers and protocols that are secure. When you use a secure protocol for a front-end connection (client to load balancer), the requests are encrypted between your clients and the load balancer, which create a more secure environment. Elastic Load Balancing provides predefined security policies with ciphers and protocols that adhere to AWS security best practices. New versions of predefined policies are released as new configurations become available. Alert Criteria Red: A load balancer has no listeners configured with a secure protocol (HTTPS). Yellow: A load balancer HTTPS listener is configured with a Security Policy that contains a weak cipher. Yellow: A load balancer HTTPS listener is not configured with the recommended Security Policy. Green: A load balancer has at least one HTTPS listener AND all HTTPS listeners are configured with the recommended policy. Recommended Action If the traffic to your load balancer must be secure, use either the HTTPS or the SSL protocol for the front-end connection. Upgrade your load balancer to the latest version of the predefined SSL security policy. Use only the recommended ciphers and protocols. For more information, see Listener Configurations for Elastic Load Balancing. Additional Resources Listener Configurations Quick Reference Update SSL Negotiation Configuration of Your Load Balancer SSL Negotiation Configurations for Elastic Load Balancing SSL Security Policy Table elb-listener-security-summary=${error_count} von ${total_count} Load Balancern verfügen über Listener, die nicht die empfohlenen Sicherheitskonfigurationen verwenden.
cloudfront	OK CloudFront SSL Certificate on the Origin Server (Source: ta_check)	0	0	0	2024-11-05 08:42:32 UTC
Checks your origin server for SSL certificates that are expired, about to expire, missing, or that use outdated encryption. If a certificate is expired, CloudFront responds to requests for your content with HTTP status code 502, Bad Gateway. Certificates that were encrypted by using the SHA-1 hashing algorithm are being deprecated by web browsers such as Chrome and Firefox. Depending on the number of SSL certificates that you have associated with your CloudFront distributions, this check might add a few cents per month to your bill with your web hosting provider, for example, AWS if you're using EC2 or ELB as the origin for your CloudFront distribution. This check does not validate your origin certificate chain or certificate authorities; you can check these in your CloudFront configuration. Alert Criteria Red: An SSL certificate on your origin has expired or is missing. Yellow: An SSL certificate on your origin expires in the next thirty days. Yellow: An SSL certificate on your origin was encrypted by using the SHA-1 hashing algorithm. Yellow: An SSL certificate on your origin can't be located. The connection might have failed due to timeout, or other HTTPS connection problems. Recommended Action Renew the certificate on your origin if it has expired or is about to expire. Add a certificate if one does not exist. Replace a certificate that was encrypted by using the SHA-1 hashing algorithm with a certificate that is encrypted by using the SHA-256 hashing algorithm. Additional Resources Using Alternate Domain Names and HTTPS
cloudfront	OK CloudFront Custom SSL Certificates in the IAM Certificate Store (Source: ta_check)	0	0	0	2024-10-30 08:37:48 UTC
Checks the SSL certificates for CloudFront alternate domain names in the IAM certificate store and alerts you if the certificate is expired, will soon expire, uses outdated encryption, or is not configured correctly for the distribution. When a custom certificate for an alternate domain name expires, browsers that display your CloudFront content might show a warning message about the security of your website. Certificates that are encrypted by using the SHA-1 hashing algorithm are being deprecated by most web browsers such as Chrome and Firefox. If a certificate doesn't contain any domain names that match either Origin Domain Name or the domain name in the Host header of viewer requests, CloudFront returns an HTTP status code 502 (bad gateway) to the user. For more information, see Using Alternate Domain Names and HTTPS. Alert Criteria Red: A custom SSL certificate is expired. Yellow: A custom SSL certificate expires in the next seven days. Yellow: A custom SSL certificate was encrypted by using the SHA-1 hashing algorithm. Yellow: One or more of the alternate domain names in the distribution don't appear either in the Common Name field or the Subject Alternative Names field of the custom SSL certificate. Green: A custom SSL certificate is valid. Recommended Action We recommend using AWS Certificate Manager (ACM) to provision, manage, and deploy your server certificates. With ACM, you can request a new certificate or deploy an existing ACM or external certificate to AWS resources. Certificates provided by ACM are free and can be automatically renewed. For more information about using ACM, see the AWS Certificate Manager User Guide. To check Regions ACM supports, see AWS Certificate Manager endpoints and quotas in the AWS General Reference. Renew expired certificates or certificates that are about to expire. For more information on renewing a certificate see Managing server certificates in IAM. Replace a certificate that was encrypted by using the SHA-1 hashing algorithm with a certificate that is encrypted by using the SHA-256 hashing algorithm. Replace the certificate with a certificate that contains the applicable values in the Common Name or Subject Alternative Domain Names fields. Additional Resources Using an HTTPS Connection to Access Your Objects Importing Certificates AWS Certificate Manager User Guide
kms	OK AWS KMS keys should not be deleted unintentionally (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks whether AWS Key Management Service (KMS) keys are scheduled for deletion. The check fails if a KMS key is scheduled for deletion. Source AWS Security Hub Security Hub control ID: KMS.3 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
route53	OK Amazon Route 53 MX Resource Record Sets and Sender Policy Framework (Source: ta_check)	0	0	0	2024-11-02 07:29:54 UTC
For each MX record, checks for an associated TXT record that contains a valid SPF value. The TXT record value must start with “v=spf1". SPF record types are deprecated by the Internet Engineering Task Force (IETF). With Route 53, I'ts a best practice to use a TXT record instead of an SPF record. Trusted Advisor reports this check as green when an MX record has at least one associated TXT record with a valid SPF value. Alert Criteria Green: An MX resource record set has a TXT resource record that contains a valid SPF value. Yellow: An MX resource record set has a TXT or SPF resource record that contains a valid SPF value. Red: An MX resource record set doesn't have a TXT or SPF resource record that contains a valid SPF value. Recommended Action For each MX resource record set, create a TXT resource record set that contains a valid SPF value. For more information, see Sender Policy Framework: SPF Record Syntax and Creating Resource Record Sets By Using the Amazon Route 53 Console. Additional Information Sender Policy Framework (Wikipedia) MX record (Wikipedia)re:Post Guidance RFC 7208 (Wikipedia)
rds	OK RDS DB clusters should be configured to copy tags to snapshots (Source: security_hub)	0	0	1	2024-11-07 06:40:42 UTC
Checks if RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created. Source AWS Security Hub Security Hub control ID: RDS.16 Alert Criteria Yellow: Medium or Low. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
rds	OK RDS snapshot should be private (Source: security_hub)	0	0	2	2024-11-07 06:40:42 UTC
Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. Source AWS Security Hub Security Hub control ID: RDS.1 Alert Criteria Red: Critical or High. Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.
cloudformation	OK CloudFormation stacks should be integrated with Simple Notification Service (SNS) (Source: security_hub)	0	0	0	2024-11-07 06:40:42 UTC
Checks if your CloudFormation stacks are sending event notifications to SNS topic. This check fails if CloudFormation stacks are not sending event notifications to an SNS topic. Source AWS Security Hub Security Hub Control Id: CloudFormation.1 Alert Criteria Yellow: Medium or Low Security Hub control failed. Recommended Action Follow the Security Hub documentation to fix the issue.

PERFORMANCE 0 Error 0 Warning 2 Ok

Services	Findings	# Error	# Warning	# OK	Last Updated
efs	OK Amazon EFS Throughput Mode Optimization (Source: ta_check)	0	0	0	2024-11-06 07:40:57 UTC
Checks whether the customer's Amazon EFS file system is currently configured to use Bursting Throughput mode. File systems in EFS's Bursting Throughput mode [1] deliver a consistent baseline level of throughput (50 KiB/s per GiB of data in EFS Standard storage), and use a credit model to deliver higher levels of "burst throughput" performance when "burst credits" are available. When you exhaust your burst credits, your file system performance is throttled to this lower, baseline level, which can result in slowness, timeouts, or other forms of performance impact for your end users or applications. Alert Criteria Yellow: File system is using Bursting throughput mode. Recommended Action To allow your users and applications to achieve their desired throughput, we recommend that you update your file system configuration to Elastic Throughput mode [2]. When in Elastic Throughput mode, your file system can achieve up to 10 GiB/s of read throughput or 3 GiB/s of write throughput - depending on the AWS Region [3], and you only pay for the throughput you use. Please note that you can update your file system configuration to switch between Elastic and Bursting throughput modes on demand, and that File Systems in Elastic Throughput mode accrue additional charges for data transfer [4]. Additional Resources For more information, see [1] Amazon EFS Performance Throughput Modes, [2] Amazon EFS Performance Elastic Throughput Mode, [3] Amazon EFS Quotas and Limits, and [4] Amazon EFS Pricing.
wellarchitected	OK AWS Well-Architected high risk issues for performance efficiency (Source: well_architected)	0	0	2	2024-11-07 06:40:57 UTC
Checks for high risk issues (HRIs) for your workloads in the performance pillar. This check is based on your AWS-Well Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected. Alert Criteria Red: At least one active high risk issue was identified in the performance pillar for AWS Well-Architected. Green: No active high risk issues were detected in the performance pillar for AWS Well-Architected. Recommended Action AWS Well-Architected detected high risk issues during your workload evaluation. These issues present opportunities to reduce risk and save money. Sign in to the AWS Well-Architected tool to review your answers and take action to resolve your active issues.
ec2	OK Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration (Source: ta_check)	0	0	0	2024-11-02 16:06:23 UTC
Checks for Provisioned IOPS (SSD) volumes that are attached to an Amazon EBS-optimizable Amazon Elastic Compute Cloud (Amazon EC2) instance that is not EBS-optimized. Provisioned IOPS (SSD) volumes in the Amazon Elastic Block Store (Amazon EBS) are designed to deliver the expected performance only when they are attached to an EBS-optimized instance. Alert Criteria Yellow: An Amazon EC2 instance that can be EBS-optimized has an attached Provisioned IOPS (SSD) volume but the instance is not EBS-optimized. Recommended Action Create a new instance that is EBS-optimized, detach the volume, and reattach the volume to your new instance. For more information, see Amazon EBS-Optimized Instances and Attaching an Amazon EBS Volume to an Instance. Additional Resources Amazon EBS Volume Types Amazon EBS Volume Performance
ec2	OK Amazon EC2 to EBS Throughput Optimization (Source: ta_check)	0	0	0	2024-11-01 12:14:19 UTC
Checks for Amazon EBS volumes whose performance might be affected by the maximum throughput capability of the Amazon EC2 instance they are attached to. To optimize performance, you should ensure that the maximum throughput of an EC2 instance is greater than the aggregate maximum throughput of the attached EBS volumes. This check computes the total EBS volume throughput for each five-minute period in the preceding day (UTC) for each EBS-optimized instance and alerts you if usage in more than half of those periods was greater than 95% of the maximum throughput of the EC2 instance. Alert Criteria Yellow: In the preceding day (UTC), the aggregate throughput (megabytes/sec) of the EBS volumes attached to the EC2 instance exceeded 95% of the published throughput between the instance and the EBS volumes more than 50% of time. Recommended Action Compare the maximum throughput of your EBS volumes (see Amazon EBS Volume Types) with the maximum throughput of the EC2 instance they are attached to (see Instance Types That Support EBS Optimization). Consider attaching your volumes to an instance that supports higher throughput to EBS for optimal performance. Additional Resources Amazon EBS Volume Types Amazon EBS-Optimized Instances Monitoring the Status of Your Volumes Attaching an Amazon EBS Volume to an Instance Detaching an Amazon EBS Volume from an Instance Deleting an Amazon EBS Volume
s3	OK CloudFront Content Delivery Optimization (Source: ta_check)	0	0	0	2024-11-05 19:26:58 UTC
Checks for cases where data transfer from Amazon Simple Storage Service (Amazon S3) buckets could be accelerated by using Amazon CloudFront, the AWS global content delivery service. When you configure CloudFront to deliver your content, requests for your content are automatically routed to the nearest edge location where content is cached, so it can be delivered to your users with the best possible performance. A high ratio of data transferred out to the data stored in the bucket indicates that you could benefit from using Amazon CloudFront to deliver the data. To estimate the retrieval activity of users, only data transferred by using a GET request is counted for this check. In addition, the transfer activity from the last 24 hours is not included. Alert Criteria Yellow: The amount of data transferred out of the bucket to your users by GET requests in the 30 days preceding the check is at least 25 times greater than the average amount of data stored in the bucket. Red: The amount of data transferred out of the bucket to your users by GET requests in the 30 days preceding the check is at least 10 TB and at least 25 times greater than the average amount of data stored in the bucket. Recommended Action Consider using CloudFront for better performance; see Amazon CloudFront Product Details. If the data transferred is 10 TB per month or more, see Amazon CloudFront Pricing to explore possible cost savings. Additional Resources Amazon CloudFront Developer Guide AWS Case Study: PBS
route53	OK Amazon Route 53 Alias Resource Record Sets (Source: ta_check)	0	0	0	2024-11-03 20:56:41 UTC
Checks for resource record sets that can be changed to alias resource record sets to improve performance and save money. An alias resource record set routes DNS queries to an AWS resource (for example, an Elastic Load Balancing load balancer or an Amazon S3 bucket) or to another Route 53 resource record set. When you use alias resource record sets, Route 53 routes your DNS queries to AWS resources free of charge. Hosted zones created by AWS services won’t appear in your check results. Alert Criteria Yellow: A resource record set is a CNAME to an Amazon S3 website. Yellow: A resource record set is a CNAME to an Amazon CloudFront distribution. Yellow: A resource record set is a CNAME to an Elastic Load Balancing load balancer. Recommended Action Replace the listed CNAME resource record sets with alias resource record sets; see Choosing Between Alias and Non-Alias Resource Record Sets. You also need to change the record type from CNAME to A or AAAA, depending on the AWS resource; see Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets. Additional Resources Routing Queries to AWS Resources

FAULT_TOLERANCE 4 Error 0 Warning 8 Ok

Services	Findings	# Error	# Warning	# OK	Last Updated
ec2	ERROR Amazon EC2 Availability Zone Balance (Source: ta_check)	1	0	0	2024-11-05 16:46:03 UTC
Checks the distribution of Amazon Elastic Compute Cloud (Amazon EC2) instances across Availability Zones in a region. Availability Zones are distinct locations that are designed to be insulated from failures in other Availability Zones and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region. By launching instances in multiple Availability Zones in the same region, you can help protect your applications from a single point of failure. Alert Criteria Yellow: The region has instances in multiple zones, but the distribution is uneven (the difference between the highest and lowest instance counts in utilized Availability Zones is greater than 20%). Red: The region has instances only in a single Availability Zone. Recommended Action Balance your Amazon EC2 instances evenly across multiple Availability Zones. You can do this by launching instances manually or by using Auto Scaling to do it automatically. For more information, see Launch Your Instance and Load Balance Your Auto Scaling Group. Additional Resources Auto Scaling Getting Started Guide Auto Scaling Developer Guide
ec2	ERROR Amazon EBS Snapshots (Source: ta_check)	3	0	0	2024-10-29 12:08:08 UTC
Checks the age of the snapshots for your Amazon Elastic Block Store (Amazon EBS) volumes (available or in-use). Failures can result even if Amazon EBS volumes are replicated. Snapshots are persisted to Amazon Simple Storage Service (Amazon S3) for durable storage and point-in-time recovery. Alert Criteria Yellow: The most recent volume snapshot is between 7 and 30 days old. Red: The most recent volume snapshot is more than 30 days old. Red: The volume does not have a snapshot. Recommended Action Create weekly or monthly snapshots of your volumes. For more information, see Creating an Amazon EBS Snapshot. To automate the creation of EBS snapshots, you can consider using AWS Backup or Amazon Data Lifecycle Manager. Additional Resources Amazon Elastic Block Store (Amazon EBS) Amazon EBS Snapshots AWS Backup Amazon Data Lifecycle Manager
ec2	OK VPN Tunnel Redundancy (Source: ta_check)	0	0	0	2024-11-05 04:36:57 UTC
Checks the number of tunnels that are active for each of your Site-to-Site VPNs. A VPN should have two tunnels configured at all times. This provides redundancy in case of outage or planned maintenance of the devices at the AWS endpoint. For some hardware, only one tunnel is active at a time. If a VPN has no active tunnels, charges for the VPN might still apply. For more information (see the AWS Site-to-Site VPN User Guide.). Alert Criteria Yellow: A VPN has one active tunnel (this is normal for some hardware). Yellow: A VPN has no active tunnels. Recommended Action Be sure that two tunnels are configured for your VPN connection, and that both are active if your hardware supports it. If you no longer need a VPN connection, you can delete it to avoid charges. For more information, see Your Customer Gateway device or Delete a Site-to-Site VPN connection. Additional Resources AWS Site-to-Site VPN User Guide Create a target gateway
ec2	OK Amazon EC2 Detailed Monitoring Not Enabled (Source: aws_config)	0	0	0	2024-11-07 06:40:59 UTC
Checks if detailed monitoring is enabled for your Amazon EC2 instances. Amazon EC2 detailed monitoring provides more frequent metrics, published at one-minute intervals, instead of the five-minute intervals used in Amazon EC2 basic monitoring. Enabling detailed monitoring for Amazon EC2 helps you better manage your Amazon EC2 resources, so that you can find trends and take action faster. For more information, see Basic monitoring and detailed monitoring. Source AWS Config Managed Rule: ec2-instance-detailed-monitoring-enabled Alert Criteria Yellow: Detailed monitoring is not enabled for Amazon EC2 instances. Recommended Action Turn on detailed monitoring for your EC2 instances to increase the frequency at which EC2 metric data is published to Amazon CloudWatch (from 5-minute to 1-minute intervals). To enable detailed monitoring for EC2 instances,see Enable or turn off detailed monitoring for your instances.
wellarchitected	OK AWS Well-Architected high risk issues for reliability (Source: well_architected)	0	0	2	2024-11-07 06:40:59 UTC
Checks for high risk issues (HRIs) for your workloads in the Reliability pillar. This check is based on your AWS-Well Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected. Alert Criteria Red: At least one active high risk issue was identified in the reliability pillar for AWS Well-Architected. Green: No active high risk issues were detected in the reliability pillar for AWS Well-Architected. Recommended Action AWS Well-Architected detected high risk issues during your workload evaluation. These issues present opportunities to reduce risk and save money. Sign in to the AWS Well-Architected tool to review your answers and take action to resolve your active issues.
route53	OK Amazon Route 53 Deleted Health Checks (Source: ta_check)	0	0	0	2024-10-31 19:29:18 UTC
Checks for resource record sets that are associated with health checks that have been deleted. Amazon Route 53 does not prevent you from deleting a health check that is associated with one or more resource record sets. If you delete a health check without updating the associated resource record sets, the routing of DNS queries for your DNS failover configuration will not work as intended. Hosted zones created by AWS services won’t appear in your check results. Alert Criteria Yellow: A resource record set is associated with a health check that has been deleted. Recommended Action Create a new health check and associate it with the resource record set; see Creating, Updating, and Deleting Health Checks and Adding Health Checks to Resource Record Sets. Additional Information Amazon Route 53 Health Checks and DNS Failover How Health Checks Work in Simple Amazon Route 53 Configurations
autoscaling	OK Auto Scaling Group Resources (Source: ta_check)	0	0	0	2024-11-02 03:12:32 UTC
Checks the availability of resources associated with launch configurations and your Auto Scaling groups. Auto Scaling groups that point to unavailable resources cannot launch new Amazon Elastic Compute Cloud (Amazon EC2) instances. When properly configured, Auto Scaling causes the number of Amazon EC2 instances to increase seamlessly during demand spikes and decrease automatically during demand lulls. Auto Scaling groups and launch configurations that point to unavailable resources do not operate as intended. Alert Criteria Red: An Auto Scaling group is associated with a deleted load balancer. Red: A launch configuration is associated with a deleted Amazon Machine Image (AMI). Recommended Action If the load balancer has been deleted, either create a new load balancer or target group then associate it to the Auto Scaling group, or create a new Auto Scaling group without the load balancer. For information about creating a new Auto Scaling group with a new load balancer, see Set Up an Auto-Scaled and Load-Balanced Application. For information about creating a new Auto Scaling group without a load balancer, see "Create Auto Scaling Group" in Getting Started With Auto Scaling Using the Console. If the AMI has been deleted, create a new launch template or launch template version using a valid AMI and associate it with an Auto Scaling group. See "Create Launch Configuration" in Getting Started With Auto Scaling Using the Console. Additional Resources Troubleshooting Auto Scaling: Amazon EC2 AMIs Troubleshooting Auto Scaling: Load Balancer Configuration Auto Scaling Developer Guide
autoscaling	OK Auto Scaling Group Health Check (Source: ta_check)	0	0	2	2024-10-30 11:38:13 UTC
Examines the health check configuration for Auto Scaling groups. If Elastic Load Balancing is being used for an Auto Scaling group, the recommended configuration is to enable an Elastic Load Balancing health check. If an Elastic Load Balancing health check is not used, Auto Scaling can only act upon the health of the Amazon Elastic Compute Cloud (Amazon EC2) instance and not on the application that is running on the instance. Alert Criteria Yellow: An Auto Scaling group has an associated load balancer, but the Elastic Load Balancing health check is not enabled. Yellow: An Auto Scaling group does not have an associated load balancer, but the Elastic Load Balancing health check is enabled. Recommended Action If the Auto Scaling group has an associated load balancer, but the Elastic Load Balancing health check is not enabled, see Add an Elastic Load Balancing Health Check to your Auto Scaling Group. If the Elastic Load Balancing health check is enabled, but no load balancer is associated with the Auto Scaling group, see Set Up an Auto-Scaled and Load-Balanced Application. Additional Resources Auto Scaling Developer Guide
elasticloadbalancingv2	OK ALB Multi-AZ (Source: ta_check)	0	0	0	2024-11-06 07:40:59 UTC
Checks whether your Application Load Balancers (ALB) are configured to use more than one Availability Zone (AZ). An AZ is a distinct location that is insulated from failures in other zones. By configuring your load balancer in multiple AZs in the same Region, you can help improve your workload availability. Alert Criteria Yellow: ALB is in a single AZ Green: Green: ALB has two or more AZs Recommended Action Ensure that your load balancer is configured with at least two Availability Zones. For more information, see Availability Zones for your Application Load Balancer Additional Resources For more information, please refer to the AWS Public documentation on: Availability Zones and load balancer nodes Regions and Availability Zones
UNKNOWN	OK Amazon RDS FreeStorageSpace (Source: ta_check)	0	0	0	2024-10-30 01:46:58 UTC
Checks to see if the FreeStorageSpace CloudWatch metric for an RDS database instance has decreased below an operationally reasonable threshold. Alert Criteria Red: FreeStorageSpace has less than 10% of total capacity Yellow: FreeStorageSpace is between 10% and 20% of total capacity Green: FreeStorageSpace is more than 20% of total capacity Recommended Action Scale up the storage space for the RDS database instance that is running low on memory using the Amazon RDS Management Console, Amazon RDS API or AWS Command Line Interface.
UNKNOWN	OK Amazon MSK brokers hosting too many partitions (Source: ta_check)	0	0	0	2024-11-07 07:25:59 UTC
Checks that the brokers of a Managed Streaming for Kafka (MSK) Cluster do not have more than the recommended number of partitions assigned. Alert Criteria Red: Your MSK broker has reached or exceeded 100% of the recommended maximum partition limit Yellow: Your MSK has reached 80% of the recommended maximum partition limit Recommended Action Please follow MSK recommended best practices to scale your MSK Cluster or delete any unused partitions. Additional Resources Right-sizing your Cluster
UNKNOWN	OK Auto Scaling Available IPs in Subnets (Source: ta_check)	0	0	2	2024-10-29 06:31:08 UTC
Checks that sufficient available IPs remain among targeted Subnets. Having sufficient IPs available for use would help when Auto Scaling Group reaches its maximum size and needs to launch additional instances. Alert Criteria Red: The maximum number of instances and IP addresses that could be created by an ASG exceed the number of IP addresses remaining in the configured subnets. Green: There are sufficient IP addresses available for the remaining scale possible in the ASG. Recommended Action Increase the number of available IP addresses.
UNKNOWN	OK Amazon RDS ReplicaLag (Source: ta_check)	0	0	0	2024-10-29 12:43:46 UTC
Checks to see if the ReplicaLag CloudWatch metric for an RDS database instance has increased above an operationally reasonable threshold over the past day.ReplicaLag metric measures the number of seconds a read replica is behind the primary instance. Replication lag occurs when the asynchronous updates made to the read replica cannot keep up with the updates happening on the primary database instance. In the event of a failure to the primary instance, data could be missing from the read replica if the ReplicaLag is above an operationally reasonable threshold. Alert Criteria Red: ReplicaLag metric exceeded 60 seconds at least once during the week. Yellow: ReplicaLag metric exceeded 10 seconds at least once during the week. Green: ReplicaLag is less than 10 seconds. Recommended Action There are several possible causes for ReplicaLag to increase beyond operationally safe levels. For example, it can be caused by recently replaced/launched replica instances from older backups and these replicas requiring substantial time to catch-up to the primary database instance and live transactions. This ReplicaLag may dwindle over time as catch-up occurs. Another example could be that the transaction velocity able to be achieved on the primary database instance is higher than the replication process or replica infrastructure is able to match. This ReplicaLag may grow over time as replication fails to keep pace with the primary database performance. Finally, the workload may be bursty throughout different periods of the day/month/etc. that result in occasional ReplicaLag to fall behind. Your team should investigate which possible root cause has contributed to high ReplicaLag for the database, and possibly change the database instance type or other characteristics of the workload to ensure data continuity on the replica matches your requirements. Additional Resources Working with read replicas for Amazon RDS for PostgreSQL Working with MySQL replication in Amazon RDS Working with MySQL read replicas
ecs	OK Amazon ECS Multi-AZ placement strategy (Source: ta_check)	0	0	1	2024-11-06 07:40:59 UTC
Checks that your Amazon ECS service uses the spread placement strategy based on availability zone. This strategy distributes tasks across Availability Zones (AZs) in the same AWS Region and can help protect your applications from a single point of failure. For tasks that run as part of an Amazon ECS service, spread is the default task placement strategy. This check also verifies that spread is the first or only strategy in your list of enabled placement strategies. Alert Criteria Yellow: Spread by availability zone is disabled or isn't the first strategy in your list of enabled placement strategies for your Amazon ECS service. Green: Spread by availability zone is the first strategy in your list of enabled placement strategies or the only placement strategy enabled for your Amazon ECS service. Recommended Action Enable the spread task placement strategy to distribute tasks across multiple AZs. Verify that spread by availability zone is the first strategy for all enabled task placement strategies or the only strategy used. If you choose to manage AZ placement, you can use a mirrored service in another AZ to mitigate these risks. Additional Resources Amazon ECS task placement strategies
ecs	OK Amazon ECS service using a single AZ (Source: ta_check)	0	0	1	2024-11-06 07:40:59 UTC
Checks that your service configuration uses a single Availability Zone (AZ). An AZ is a distinct location that is insulated from failures in other zones. This supports inexpensive, low-latency network connectivity between AZs in the same AWS Region. By launching instances in multiple AZs in the same Region, you can help protect your applications from a single point of failure. Alert Criteria Yellow: An Amazon ECS service is running all tasks in a single AZ. Green: An Amazon ECS service is running tasks in at least two different AZs. Recommended Action Create at least one more task for the service in a different AZ. Additional Resources Amazon ECS capacity and availability
rds	OK Amazon RDS Backups (Source: ta_check)	0	0	0	2024-11-06 15:22:58 UTC
Checks for automated backups of Amazon RDS DB instances. By default, backups are enabled with a retention period of 1 day. Backups reduce the risk of unexpected data loss and allow for point-in-time recovery. Alert Criteria Red: A DB instance has the backup retention period set to 0 days. Recommended Action Set the retention period for the automated DB instance backup to 1 to 35 days as appropriate to the requirements of your application. See Working With Automated Backups. Additional Resources Getting Started with Amazon RDS

SERVICE_LIMITS 0 Error 0 Warning 154 Ok

Services	Findings	# Error	# Warning	# OK	Last Updated
ses	OK SES Daily Sending Quota (Source: ta_check)	0	0	18	2024-10-31 18:30:54 UTC
Checks for usage that is more than 80% of the SES Daily Sending Quota Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources SES Limits
iam	OK IAM Users (Source: ta_check)	0	0	1	2024-11-02 00:43:46 UTC
Checks for usage that is more than 80% of the IAM Users Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources IAM Limits
iam	OK IAM Server Certificates (Source: ta_check)	0	0	1	2024-10-30 01:28:54 UTC
Checks for usage that is more than 80% of the IAM Server Certificates Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources IAM Limits
iam	OK IAM Roles (Source: ta_check)	0	0	1	2024-11-06 14:57:28 UTC
Checks for usage that is more than 80% of the IAM Roles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources IAM Limits
rds	OK RDS Cluster Roles (Source: ta_check)	0	0	0	2024-11-04 15:27:24 UTC
Checks for usage that is more than 80% of the RDS Cluster Roles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources RDS Limits
rds	OK RDS Clusters (Source: ta_check)	0	0	1	2024-10-29 14:40:59 UTC
Checks for usage that is more than 80% of the RDS Clusters Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources RDS Limits
rds	OK RDS Event Subscriptions (Source: ta_check)	0	0	0	2024-11-07 05:27:18 UTC
Checks for usage that is more than 80% of the RDS Event Subscriptions Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources RDS Limits
rds	OK RDS DB Parameter Groups (Source: ta_check)	0	0	0	2024-10-30 23:31:51 UTC
Checks for usage that is more than 80% of the RDS DB Parameter Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources RDS Limits
rds	OK RDS Total Storage Quota (Source: ta_check)	0	0	0	2024-10-31 18:27:58 UTC
Checks for usage that is more than 80% of the RDS Total Storage Quota Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources RDS Limits
rds	OK RDS Cluster Parameter Groups (Source: ta_check)	0	0	0	2024-10-29 22:56:59 UTC
Checks for usage that is more than 80% of the RDS Cluster Parameter Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources RDS Limits
ec2	OK EBS Cold HDD (sc1) Volume Storage (Source: ta_check)	0	0	16	2024-10-29 05:06:29 UTC
Checks for usage that is more than 80% of the EBS Cold HDD (sc1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources EBS Limits
ec2	OK EC2-Classic Elastic IP Addresses (Source: ta_check)	0	0	16	2024-11-04 10:00:12 UTC
Checks for usage that is more than 80% of the EC2-Classic Elastic IP Addresses Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources EC2 Limits
ec2	OK EBS Provisioned IOPS SSD (io2) Volume Storage (Source: ta_check)	0	0	16	2024-11-06 03:51:40 UTC
Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io2) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources EBS Limits
ec2	OK EBS Throughput Optimized HDD (st1) Volume Storage (Source: ta_check)	0	0	16	2024-11-02 06:20:43 UTC
Checks for usage that is more than 80% of the EBS Throughput Optimized HDD (st1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources EBS Limits
ec2	OK EC2 On-Demand Instances (Source: ta_check)	0	0	0	2024-11-02 04:28:15 UTC
Checks for usage that is more than 80% of the EC2 On-Demand Instances Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources EC2 Limits
ec2	OK EBS General Purpose SSD (gp3) Volume Storage (Source: ta_check)	0	0	16	2024-11-04 01:03:27 UTC
Checks for usage that is more than 80% of the EBS General Purpose SSD (gp3) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources EBS Limits
ec2	OK EC2 Reserved Instance Leases (Source: ta_check)	0	0	16	2024-10-31 09:45:27 UTC
Checks for usage that is more than 80% of the EC2 Reserved Instance Leases Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources EC2 Limits
vpc	OK EC2-VPC Elastic IP Address (Source: ta_check)	0	0	16	2024-11-06 21:45:39 UTC
Checks for usage that is more than 80% of the EC2-VPC Elastic IP Address Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources VPC Elastic IP Limits
vpc	OK VPC Internet Gateways (Source: ta_check)	0	0	16	2024-10-24 15:33:33 UTC
Checks for usage that is more than 80% of the VPC Internet Gateways Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources VPC Gateway Limits
route53	OK Route 53 Reusable Delegation Sets (Source: ta_check)	0	0	1	2024-11-02 17:24:36 UTC
Checks for usage that is more than 80% of the Route 53 Reusable Delegation Sets Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources Route 53 Limits
route53	OK Route 53 Traffic Policy Instances (Source: ta_check)	0	0	1	2024-10-29 05:03:28 UTC
Checks for usage that is more than 80% of the Route 53 Traffic Policy Instances Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources Route 53 Limits
route53	OK Route 53 Max Health Checks (Source: ta_check)	0	0	1	2024-11-01 17:53:50 UTC
Checks for usage that is more than 80% of the Route 53 Health Checks Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources Route 53 Limits
route53	OK Route 53 Traffic Policies (Source: ta_check)	0	0	1	2024-11-05 03:32:40 UTC
Checks for usage that is more than 80% of the Route 53 Traffic Policies Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources Route 53 Limits
elasticloadbalancing	OK ELB Classic Load Balancers (Source: ta_check)	0	0	0	2024-11-02 01:25:36 UTC
Checks for usage that is more than 80% of the ELB Classic Load Balancers. Application Load Balancers and Network Load Balancers have a separate limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources AWS Service Limits - Elastic Load Balancing default service limits
elasticloadbalancingv2	OK ELB Network Load Balancers (Source: ta_check)	0	0	0	2024-10-30 09:42:41 UTC
Checks for usage that is more than 80% of the ELB Network Load Balancers Limit. Classic Load Balancers and Application Load Balancers have separate limits. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit. Alert Criteria Yellow: 80% of limit reached. Red: 100% of limit reached. Blue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions. Recommended Action If you expect to exceed a service limit, request an increase directly from the Service Quotas console. If Service Quotas doesn’t support your service yet, you can create a support case in Support Center. Additional Resources AWS Service Limits - Elastic Load Balancing default service limits

OPERATIONAL_EXCELLENCE 0 Error 0 Warning 0 Ok

Services	Findings	# Error	# Warning	# OK	Last Updated
ec2	OK Amazon EC2 Instance Not Managed by AWS Systems Manager (Source: aws_config)	0	0	0	2024-11-07 06:41:14 UTC
Checks if the Amazon EC2 instances in your account are managed by AWS Systems Manager. Systems Manager helps you understand and control the current state of your EC2 instance and OS configurations. With Systems Manager, you can collect software configuration and inventory information about your fleet of instances, including the software installed on them. This allows you to track detailed system configuration, OS patch levels, application configurations, and other details about your deployment. For more information, see Setting up Systems Manager for EC2 instances. Source AWS Config Managed Rule: ec2-instance-managed-by-systems-manager Alert Criteria Yellow: The Amazon EC2 instances are not managed by AWS Systems Manager. Recommended Action Configure your EC2 instance to be managed by AWS Systems Manager. For more information, see Why is my EC2 instance not displaying as a managed node or showing a "Connection lost" status in Systems Manager? Additional Resources Setting up Systems Manager for EC2 instances
ssm	OK AWS Systems Manager State Manager Association in Non-compliant Status (Source: aws_config)	0	0	0	2024-11-07 06:41:14 UTC
Checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. State Manager, a capability of AWS Systems Manager, is a secure and scalable configuration management service that automates the process of keeping your managed nodes and other AWS resources in a state that you define. A State Manager association is a configuration that you assign to your AWS resources. The configuration defines the state that you want to maintain on your resources, so it helps you to achieve the target, such as avoidance of configuration drifts across your EC2 instances. For more information, see AWS Systems Manager State Manager. Source AWS Config Managed Rule: ec2-managedinstance-association-compliance-status-check Alert Criteria Yellow: The status of the AWS Systems Manager association compliance is NON_COMPLIANT Recommended Action Validate the status of the State Manager associations, and then take any needed actions to return the status back to COMPLIANT. For more information, see About State Manager. Additional Resources AWS Systems Manager State Manager

CPTA

COST_OPTIMIZING 0 Error 0 Warning 0 Ok

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Additional Resources

SECURITY 78 Error 0 Warning 91 Ok

Source

Alert Criteria

Recommended Action

Alert Criteria

Recommended Action

Additional Resources

Source

Alert Criteria

Recommended Action

Source

Alert Criteria

Recommended Action

Alert Criteria

Recommended Action

Additional Resources

Source

Alert Criteria

Recommended Action

Source

Alert Criteria

Recommended Action

Source

Alert Criteria

Recommended Action

Source

Alert Criteria

Recommended Action

Source

Alert Criteria

Recommended Action

Source

Alert Criteria

Recommended Action

Source

Alert Criteria

Recommended Action

Alert Criteria

Recommended Action

Additional Resources

Alert Criteria

Recommended Action

Alert Criteria

Recommended Action

Additional Resources