Amazon Web Services Support

Controlling Access to the Trusted Advisor Console

Overview

The Amazon Trusted Advisor console introduces new ways to control access to Trusted Advisor checks by adding new Amazon Identity and Access Management (IAM) features. To view Trusted Advisor results or take actions such as refreshing check data or excluding items from results, an IAM user must have permission for actions and resources specified with the "trustedadvisor" namespace. For complete information about creating policies and applying them to users and groups, see the Amazon Identity and Access Management documentation.

The following table shows common permission scenarios for the Trusted Advisor console.

Table 1: Common Permission Scenarios

Full access
  Specification: "Action": "trustedadvisor:*", "Resource": "*"
  IAM console template: Administrator Access, Power User Access

Read-only access
  Specification: "Action": "trustedadvisor:Describe*", "Resource": "*"
  IAM console template: Read Only Access

Specific check category
  Specification: "Resource": "arn:aws-cn:trustedadvisor:*:acct:checks/category/*"
  IAM console template: None; see Categories of Checks

Specific check
  Specification: "Resource": "arn:aws-cn:trustedadvisor:*:acct:checks/category/checkID"
  IAM console template: None; see Specific Checks

Specific action
  Specification: "Action": "trustedadvisor:actionName"
  IAM console template: None; see Specific Actions

Information That Trusted Advisor Displays

Trusted Advisor displays information about some of the resources that are associated with an Amazon Web Services account.

Important: Although the user cannot make changes to these resources unless policies explicitly allow it, the user can view information that they might not otherwise be authorized to view. Access to a check result is decided only by the permissions in the "trustedadvisor" namespace; the underlying service's permissions are not consulted when the result is displayed. For example, a user viewing a check related to Amazon EC2 instances might see information or usage data for those instances even if another policy explicitly denies ec2:DescribeInstances.

The following two tables show the information that Trusted Advisor displays:

Table 2 shows the title, category, ID, and report columns of the current Trusted Advisor checks. You refer to a specific check in an IAM policy by its category code (Table 4) and its check ID.

Table 3 shows examples of service-specific actions (APIs) and data that correspond to the information that is shown by the checks.

Although the list of report columns in the following tables can alert you to information that is exposed by a check, you should examine a Trusted Advisor report for your account to make sure you fully understand what information is exposed by each check.

Table 2: Check Categories, IDs, and Report Columns

Amazon EBS Provisioned IOPS Volume Attachment Configuration
  Category: Performance
  Check ID: PPkZrjsH2q
  Report columns: Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status

Amazon EBS Snapshots
  Category: Fault Tolerance
  Check ID: H7IgTzjTYb
  Report columns: Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason

Amazon EC2 Availability Zone Balance
  Category: Fault Tolerance
  Check ID: wuy7G1zxql
  Report columns: Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason

Amazon S3 Bucket Logging
  Category: Fault Tolerance
  Check ID: BueAdJ7NrP
  Report columns: Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason

Amazon S3 Bucket Permissions
  Category: Security
  Check ID: Pfx0RwqBli
  Report columns: Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status

High Utilization Amazon EC2 Instances
  Category: Performance
  Check ID: ZRxQlPsb6c
  Report columns: Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization

Large Number of EC2 Security Group Rules Applied to an Instance
  Category: Performance
  Check ID: j3DFqYTe29
  Report columns: Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules

Large Number of Rules in an EC2 Security Group
  Category: Fault Tolerance
  Check ID: tfg86AVHAZ
  Report columns: Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules

Load Balancer Optimization
  Category: Fault Tolerance
  Check ID: iqdCTZKCUp
  Report columns: Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason

Overutilized Standard Amazon EBS Volumes
  Category: Performance
  Check ID: k3J2hns32g
  Report columns: Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status

Security Groups - Specific Ports Unrestricted
  Category: Security
  Check ID: HCP4007jGY
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Status | Ports

Security Groups - Unrestricted Access
  Category: Security
  Check ID: 1iG5NDGVre
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range

Unassociated Elastic IP Addresses
  Category: Cost Optimization
  Check ID: Z4AUBRNSmz
  Report columns: Region | IP Address

Report Columns

The following table repeats the report columns for each check and adds examples of service-specific actions (APIs) that return the same data. Trusted Advisor does not necessarily call the actions listed; they are only examples of one way to obtain the information shown in the report columns.

For example, if you deny a user access to the Amazon EC2 DescribeInstances operation but also allow the user access to the Trusted Advisor Low Utilization EC2 Instances check, the user can view some of the information that is returned by DescribeInstances, even though access to DescribeInstances has been explicitly denied.

Table 3: Example Actions and Data

Amazon EBS Provisioned IOPS Volume Attachment Configuration
  Report columns: Region/AZ | Volume ID | Volume Name | Volume Attachment | Instance ID | Instance Type | EBS Optimized | Status
  ec2:DescribeVolumes: AvailabilityZone, VolumeId, tag:Name, VolumeType, AttachmentSet.Item.VolumeId, AttachmentSet.Item.InstanceId, AttachmentSet.Item.Device
  ec2:DescribeInstanceAttribute: InstanceId, EbsOptimized

Amazon EBS Snapshots
  Report columns: Region | Volume ID | Volume Name | Snapshot ID | Snapshot Name | Snapshot Age | Volume Attachment | Status | Reason
  ec2:DescribeVolumes: VolumeId, VolumeType, tag:Name
  cloudwatch:GetMetricStatistics: VolumeReadOps, VolumeWriteOps

Amazon EC2 Availability Zone Balance
  Report columns: Region | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
  ec2:DescribeInstances: AvailabilityZone

Amazon S3 Bucket Logging
  Report columns: Region | Bucket Name | Target Name | Target Exists | Same Owner | Write Enabled | Status | Reason
  s3:GetService: BucketName, Owner
  s3:GetBucketLogging: TargetName
  s3:GetBucketAcl: Grantee, Permission

Amazon S3 Bucket Permissions
  Report columns: Region Name | Region API Parameter | Bucket Name | Global List Access | Global Upload/Delete Access | Status
  s3:GetService: BucketName, Owner
  s3:GetBucketAcl: Grantee, Permission

High Utilization Amazon EC2 Instances
  Report columns: Region/AZ | Instance ID | Instance Name | Instance Type | Day 1 ... Day 14 | 14-Day Average CPU Utilization | Number of Days over 90% CPU Utilization
  ec2:DescribeInstances: AvailabilityZone, InstanceId, tag:Name
  cloudwatch:GetMetricStatistics: CPUUtilization, NetworkIn, NetworkOut

Large Number of EC2 Security Group Rules Applied to an Instance
  Report columns: Region | Instance ID | Instance Name | VPC ID | Total Inbound Rules | Total Outbound Rules
  ec2:DescribeInstances, ec2:DescribeSecurityGroups: InstanceId, tag:Name, VpcId, GroupId, GroupName
  ec2:DescribeSecurityGroups: IpPermissions, IpPermissionsEgress

Large Number of Rules in an EC2 Security Group
  Report columns: Region | Security Group Name | Group ID | Description | Instance Count | VPC ID | Total Inbound Rules | Total Outbound Rules
  ec2:DescribeSecurityGroups: GroupName, GroupId, GroupDescription, VpcId, IpPermissions, IpPermissionsEgress
  ec2:DescribeInstances: GroupId, InstanceId

Load Balancer Optimization
  Report columns: Region | Load Balancer Name | # of Zones | Instances in Zone a | Instances in Zone b | Instances in Zone c | Instances in Zone d | Instances in Zone e | Status | Reason
  elasticloadbalancing:DescribeLoadBalancers: LoadBalancerName, AvailabilityZones

Overutilized Standard Amazon EBS Volumes
  Report columns: Region | Volume ID | Volume Name | Day 1 ... Day 14 | Number of Days Over | Max Daily Median | Status
  ec2:DescribeVolumes: VolumeId, VolumeType, tag:Name
  cloudwatch:GetMetricStatistics: VolumeReadOps, VolumeWriteOps

Security Groups - Specific Ports Unrestricted
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Status | Ports
  ec2:DescribeSecurityGroups: GroupName, GroupId, IpPermissions, IpProtocol, FromPort, ToPort

Security Groups - Unrestricted Access
  Report columns: Region | Security Group Name | Security Group ID | Protocol | Port | Status | IP Range
  ec2:DescribeSecurityGroups: GroupName, GroupId, IpPermissions, IpProtocol, FromPort, ToPort, IpRanges

Service Limits
  Report columns: Region | Service | Limit Name | Limit Amount | Current Usage | Status
  Actions and data vary: the check shows limits and current usage for several services. See "What service limits do you check" in the Trusted Advisor FAQs for details.

Unassociated Elastic IP Addresses
  Report columns: Region | IP Address
  ec2:DescribeAddresses: PublicIp, InstanceId
  ec2:DescribeInstances: InstanceState

IAM Policy Examples

The following are examples of IAM policies that you might use to control access to the Trusted Advisor console. For more information about how to construct policies, see Overview of Amazon IAM Policies in the Amazon Identity and Access Management User Guide.

Deny All

The following example policy denies access to all Trusted Advisor check results:

json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "trustedadvisor:*",
            "Resource": "*"
        }
    ]
}

Allow All

The following example policy allows the user to view (and take all actions on) all Trusted Advisor checks:

json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "trustedadvisor:*",
            "Resource": "*"
        }
    ]
}

Categories of Checks

To specify a Trusted Advisor check category in a policy, use an Amazon resource name (ARN) in this form:

arn:aws-cn:trustedadvisor:*:accountnumber:checks/categoryCode/*

Check Categories

To see the check categories, see Table 2. The following table shows the category code to specify for each category.

Table 4: Categories and Category Codes

Category: Category code
Cost Optimization: cost_optimizing
Performance: performance
Security: security
Fault Tolerance: fault_tolerance

The following example policy allows the user to view (and perform other actions on) the checks in the Fault Tolerance and Performance categories by specifying the category codes:

json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "trustedadvisor:*",
            "Resource": [
                "arn:aws-cn:trustedadvisor:*:123456789012:checks/fault_tolerance/*",
                "arn:aws-cn:trustedadvisor:*:123456789012:checks/performance/*"
            ]
        }
    ]
}

Specific Checks

To allow or deny permission to a specific Trusted Advisor check in a policy, use an Amazon resource name (ARN) in this form:

arn:aws-cn:trustedadvisor:*:accountnumber:checks/categoryCode/checkId

Categories and IDs are shown in Table 2; category codes are shown in Table 4.

Example Policy

The following example policy allows the user to view (and perform other actions on) two specific checks related to Amazon S3, by specifying the categories and IDs of those checks:

json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "trustedadvisor:*",
            "Resource": [
                "arn:aws-cn:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP",
                "arn:aws-cn:trustedadvisor:*:123456789012:checks/security/Pfx0RwqBli"
            ]
        }
    ]
}

Specific Actions

You can control the amount of information that a user can see, and you can also control the ability to refresh checks, to exclude and include items from check results, and to view and modify notification preferences.

To allow or deny the use of a specific Trusted Advisor action in a policy, precede the action with the "trustedadvisor:" namespace prefix.

The following table shows the actions you can specify and the result of denying permission for that action.

Table 5: Trusted Advisor Actions

DescribeCheckResult
  Effect when denied: Cannot view any Trusted Advisor information. Viewing and changing notification preferences is controlled separately.

DescribeCheckItems
  Effect when denied: Cannot view details (the items in the results table).

RefreshCheck
  Effect when denied: Cannot refresh checks. Also cannot change the exclusion or inclusion status of items, because changing an item's status requires a refresh of the check.

ExcludeCheckItems
  Effect when denied: Cannot change the status of items from included to excluded. Might still be able to change items from excluded to included, depending on the permission for IncludeCheckItems.

IncludeCheckItems
  Effect when denied: Cannot change the status of items from excluded to included. Might still be able to change items from included to excluded, depending on the permission for ExcludeCheckItems.

DescribeNotificationPreferences
  Effect when denied: Cannot view information on the notification preferences page.

UpdateNotificationPreferences
  Effect when denied: Cannot change options on the notification preferences page.

The following example policy allows the user to view all Trusted Advisor checks but does not allow the user to refresh any checks. The explicit Deny on RefreshCheck overrides the Allow on trustedadvisor:*; because changing the inclusion status of an item requires a refresh, the user also cannot exclude or include items (see Table 5):

json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "trustedadvisor:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "trustedadvisor:RefreshCheck",
            "Resource": "*"
        }
    ]
}
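The following script is an added worked example for this page; it is not AWS code and not part of the Trusted Advisor documentation. It ties together the check ARN form from Categories of Checks and Specific Checks, the action names from Table 5, and the data exposure described in the Important note above Table 2. It implements a simplified IAM decision (an explicit Deny overrides any Allow; a request no statement allows is implicitly denied), evaluates example policies against check ARNs, and then reports, for every check a user can view, which of the example service actions from Table 3 the same policy explicitly denies, which is exactly the data that still reaches the user through the report. Assumptions made for the example: the aws-cn partition and the placeholder account 123456789012 used in the policies above; only Action/Resource wildcard matching is modelled (no Condition, NotAction or resource-based policies); CHECKS is a hand-picked subset of Tables 2 to 4; and the two sample policies are constructed here, not taken from a real account.

```python
"""Mini IAM evaluator for trustedadvisor policies plus a Table 3 exposure audit.
Added example, not AWS code; models only the decision rule and ARN form the page describes."""
from fnmatch import fnmatchcase

# Subset of Tables 2, 3 and 4: check ID -> (category code, title,
# example service actions whose data the check's report columns reveal).
CHECKS = {
    "H7IgTzjTYb": ("fault_tolerance", "Amazon EBS Snapshots",
                   ["ec2:DescribeVolumes", "cloudwatch:GetMetricStatistics"]),
    "wuy7G1zxql": ("fault_tolerance", "Amazon EC2 Availability Zone Balance",
                   ["ec2:DescribeInstances"]),
    "Pfx0RwqBli": ("security", "Amazon S3 Bucket Permissions",
                   ["s3:GetService", "s3:GetBucketAcl"]),
    "ZRxQlPsb6c": ("performance", "High Utilization Amazon EC2 Instances",
                   ["ec2:DescribeInstances", "cloudwatch:GetMetricStatistics"]),
    "Z4AUBRNSmz": ("cost_optimizing", "Unassociated Elastic IP Addresses",
                   ["ec2:DescribeAddresses", "ec2:DescribeInstances"]),
}


def check_arn(account, check_id, partition="aws-cn"):
    """Check ARN in the form given under 'Specific Checks'.
    Partition defaults to aws-cn to match this page (assumption); use 'aws' elsewhere."""
    category = CHECKS[check_id][0]
    return f"arn:{partition}:trustedadvisor:*:{account}:checks/{category}/{check_id}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Simplified identity-policy decision for one request.
    Returns 'explicit_deny', 'allow' or 'implicit_deny'. Only Action/Resource
    wildcards are modelled; Condition, NotAction/NotResource and resource-based
    policies are out of scope (assumption made for this example)."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # nothing later in the policy can override this
        decision = "allow"
    return decision


def is_allowed(policy, action, resource):
    return evaluate(policy, action, resource) == "allow"


def visible_checks(policy, account):
    """Check IDs whose results the user can view: needs DescribeCheckResult (Table 5) on the check ARN."""
    return [cid for cid in CHECKS
            if is_allowed(policy, "trustedadvisor:DescribeCheckResult", check_arn(account, cid))]


def denied_but_exposed(policy, account):
    """The exposure from the 'Important' note: for each visible check, the Table 3
    example actions the same policy explicitly denies. Their data is still shown."""
    findings = {}
    for cid in visible_checks(policy, account):
        _, title, actions = CHECKS[cid]
        leaked = [a for a in actions if evaluate(policy, a, "*") == "explicit_deny"]
        if leaked:
            findings[title] = leaked
    return findings


# Constructed sample policies (not from a real account).
# View everything, never refresh, and an explicit Deny on the EC2 Describe APIs.
VIEW_NO_REFRESH = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "trustedadvisor:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "trustedadvisor:RefreshCheck", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
# The category-scoped policy from 'Categories of Checks'.
FT_AND_PERF = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "trustedadvisor:*",
        "Resource": ["arn:aws-cn:trustedadvisor:*:123456789012:checks/fault_tolerance/*",
                     "arn:aws-cn:trustedadvisor:*:123456789012:checks/performance/*"],
    }],
}

if __name__ == "__main__":
    acct = "123456789012"
    snap = check_arn(acct, "H7IgTzjTYb")
    print("view EBS Snapshots:", is_allowed(VIEW_NO_REFRESH, "trustedadvisor:DescribeCheckResult", snap))
    print("refresh EBS Snapshots:", is_allowed(VIEW_NO_REFRESH, "trustedadvisor:RefreshCheck", snap))
    print("visible under category policy:", visible_checks(FT_AND_PERF, acct))
    for title, actions in denied_but_exposed(VIEW_NO_REFRESH, acct).items():
        print(f"{title}: {actions} denied, but their data appears in the report")
```

Run it as a script to print the decisions, or import it and call evaluate with a policy document loaded from JSON. Two results are worth noting. Under VIEW_NO_REFRESH the Allow on trustedadvisor:* grants RefreshCheck and the explicit Deny takes it away again, which is the shape a "view everything but never refresh" policy has to take. The same policy denies ec2:Describe*, yet four of the five checks remain visible and each of them surfaces DescribeInstances, DescribeVolumes or DescribeAddresses data, so a Deny on the service API alone does not keep that information from the user; only the trustedadvisor permissions do.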

More

For more information about how to construct policies, see Overview of Amazon IAM Policies in the Amazon Identity and Access Management User Guide.