
Real-time best practice recommendations across cost, performance, security, fault tolerance, and service limits — all in one pane of glass.
AWS Trusted Advisor is an online tool that inspects your AWS environment and provides real-time guidance based on AWS best practices across five pillars: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. It continuously analyzes your account configuration and compares it against proven AWS best practices, surfacing actionable recommendations. Trusted Advisor is NOT a compliance engine, NOT a migration tracker, and NOT a cost analytics tool — it is an operational guidance and recommendation service.
Proactively identify misconfigurations, underutilized resources, security gaps, and approaching service limits before they become incidents or unexpected costs — enabling continuous operational excellence across your AWS environment.
Cost Optimization Checks
Identifies idle/underutilized resources: EC2, RDS, ELB, EBS, Redshift, ElastiCache, Route 53. Requires Business Support or higher.
Security Checks
Includes MFA on root, IAM use, S3 bucket permissions, security group rules, EBS/RDS public snapshots. 6 checks available on Basic/Developer; full suite on Business+.
Fault Tolerance Checks
Checks for Multi-AZ RDS, Auto Scaling groups, S3 versioning, EC2 AMI age, Route 53 DNS TTLs. Business Support or higher required.
Performance Checks
Identifies high-utilization EC2 instances, CloudFront header forwarding, overutilized EBS volumes. Business Support or higher required.
Service Limits / Quotas Checks
Monitors usage against service quotas and alerts at 80% threshold. Available on ALL support tiers including Basic. Integrates with Service Quotas for automatic limit increase requests.
Trusted Advisor API (AWS Support API)
Allows programmatic retrieval of check results, refresh triggers, and integration with automation pipelines. Requires Business Support or higher.
Organizational View
Aggregates Trusted Advisor findings across all AWS Organizations member accounts. Must be enabled from management account. Requires Business Support or higher on the management account.
EventBridge Integration
Trusted Advisor publishes events to EventBridge when check status changes (OK → WARNING → ERROR). Enables event-driven automation.
CloudWatch Integration
Trusted Advisor publishes Service Limits metrics to CloudWatch, enabling alarms when approaching quotas.
Exclude Items from Checks
Resources can be excluded from specific checks (e.g., a known intentionally public S3 bucket) to reduce noise.
Automated Remediation
Trusted Advisor RECOMMENDS but does NOT automatically remediate. Automation must be built externally using EventBridge + Lambda.
Multi-Account Aggregation (without Organizations)
Without Organizational View, Trusted Advisor is account-scoped only. You cannot natively aggregate across accounts without Organizations integration.
Event-Driven Automated Remediation Pipeline
High frequency: Trusted Advisor emits events to EventBridge when a check status changes (e.g., a security group becomes overly permissive). An EventBridge rule triggers a Lambda function to automatically remediate the issue (e.g., revoke the offending rule) or notify the team via SNS. This is the canonical pattern for real-time response to Trusted Advisor findings. Requires Business Support or higher for API/EventBridge integration.
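One way to structure the Lambda side of this pattern, as an added example that is not from the original page: the function decides per event whether to ignore, notify, or remediate, and only an explicit allowlist of checks may be changed automatically. The event field names, the check name, and the `triage` helper are assumptions; compare them with an event captured from your own EventBridge rule before relying on them.

```python
import json

# Constructed sample event (not captured from a real account); field names are assumed.
SAMPLE_EVENT = {
    "source": "aws.trustedadvisor",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "account": "111122223333",
    "detail": {
        "check-name": "Security Groups - Specific Ports Unrestricted",
        "status": "ERROR",
        "resource_id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0example",
    },
}

# Only checks listed here may be changed automatically; everything else goes to a human.
AUTO_REMEDIATE = {"Security Groups - Specific Ports Unrestricted"}


def triage(event, dry_run=True, excluded=frozenset()):
    """Return the action the pipeline should take for one Trusted Advisor event."""
    if event.get("source") != "aws.trustedadvisor":
        return {"action": "ignore", "reason": "unexpected source"}
    detail = event.get("detail") or {}
    status = detail.get("status")
    check = detail.get("check-name")
    resource = detail.get("resource_id")
    if status not in ("WARNING", "ERROR"):
        return {"action": "ignore", "reason": "status %s" % status}
    if not check or not resource:
        return {"action": "notify", "reason": "malformed detail"}
    if resource in excluded:
        # Resources the team accepted as intentional, mirroring check exclusions.
        return {"action": "ignore", "reason": "excluded resource"}
    decision = {"check": check, "resource": resource, "account": event.get("account")}
    if status == "ERROR" and check in AUTO_REMEDIATE and not dry_run:
        decision["action"] = "remediate"
    else:
        # dry_run keeps a first rollout notify-only, even for allowlisted checks.
        decision["action"] = "notify"
    return decision


def lambda_handler(event, context):
    decision = triage(event, dry_run=True)
    print(json.dumps(decision))  # structured log line for CloudWatch Logs
    # A deployed function would publish to SNS or call the EC2 API here,
    # depending on decision["action"].
    return decision
```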
Service Limit Alarm Pattern
High frequency: Trusted Advisor publishes Service Limits check data as CloudWatch metrics. You create CloudWatch Alarms on these metrics (e.g., EC2 instance count approaching limit) and route alerts to SNS for immediate notification. This is critical during large migrations where service limits can be hit unexpectedly. Available even on Basic Support for Service Limits checks.
Organizational View for Enterprise Governance
High frequency: Enable Trusted Advisor Organizational View from the management account to get a consolidated dashboard of findings across all member accounts. Allows central security and cost teams to identify organization-wide patterns (e.g., all accounts with open security groups) without logging into each account individually. Essential for SAP-C02 multi-account governance scenarios.
Complementary Governance: Recommendations vs. Compliance
High frequency: Trusted Advisor provides RECOMMENDATIONS based on best practices (e.g., 'this RDS instance is not Multi-AZ — consider enabling it'). AWS Config provides COMPLIANCE MONITORING based on rules you define (e.g., 'all RDS instances MUST be Multi-AZ — flag violations'). These are complementary, not redundant. Use both: Config for mandatory compliance enforcement, Trusted Advisor for proactive best practice guidance.
Layered Right-Sizing Strategy
High frequency: Trusted Advisor identifies idle/underutilized EC2 instances at a high level (e.g., CPU < 10% for 14 days). AWS Compute Optimizer provides deeper ML-powered recommendations including specific instance type changes, considering CPU, memory, network, and storage patterns. Use Trusted Advisor for broad sweeps and Compute Optimizer for precise right-sizing decisions.
Cost Intelligence: Recommendations vs. Analysis
High frequency: Trusted Advisor tells you WHAT to change to save money (e.g., 'you have 5 idle EC2 instances costing $X/month'). Cost Explorer shows you WHERE your money is going historically and forecasts future spend. They answer different questions: Trusted Advisor = actionable optimization opportunities; Cost Explorer = spend analysis and forecasting. Use both in a complete FinOps practice.
Proactive Quota Management
High frequency: Trusted Advisor's Service Limits checks identify when you are approaching 80% of a service quota. From the Trusted Advisor console, you can directly link to AWS Service Quotas to submit quota increase requests before hitting limits. This is especially critical during migrations or rapid scaling events. Available on all support tiers.
The #1 differentiator: Basic and Developer Support get ONLY 6 security checks + Service Limits. You MUST have Business Support or higher to access Cost Optimization, Performance, and Fault Tolerance checks. If an exam question asks how to enable full Trusted Advisor functionality, the answer is upgrading to Business Support.
Trusted Advisor does NOT auto-remediate anything. It only surfaces recommendations. To automate responses to Trusted Advisor findings, the correct architecture is: Trusted Advisor → EventBridge → Lambda (for remediation) or SNS (for notification). Any answer that says Trusted Advisor 'automatically fixes' an issue is wrong.
Know the distinction triangle: Trusted Advisor (best practice RECOMMENDATIONS) vs. AWS Config (configuration COMPLIANCE monitoring and history) vs. AWS Compute Optimizer (ML-powered right-sizing RECOMMENDATIONS) vs. AWS Cost Explorer (cost ANALYSIS and forecasting). Exam questions deliberately mix these up. Each solves a different problem.
For SAP-C02 and DOP-C02 migration scenarios: Trusted Advisor's Service Limits checks are critical during migrations because you may rapidly consume service quotas (EC2 instances, VPCs, EIPs, etc.). The exam tests whether you know to monitor service limits proactively using Trusted Advisor + CloudWatch alarms during large-scale migrations.
Support plan controls Trusted Advisor access: Basic/Developer = 6 security checks + Service Limits only. Business Support = ALL 5 pillars + API access. Any question asking how to unlock full Trusted Advisor = upgrade to Business Support.
Trusted Advisor NEVER auto-remediates. The correct automation pattern is always: Trusted Advisor finding → EventBridge event → Lambda function → remediation. Requires Business Support for API/EventBridge integration.
Know the four-way distinction: Trusted Advisor (best practice recommendations) vs. AWS Config (compliance monitoring + config history) vs. Compute Optimizer (ML right-sizing) vs. Cost Explorer (spend analysis + forecasting). Exam questions deliberately conflate these.
Trusted Advisor Organizational View requires: (1) AWS Organizations enabled, (2) Trusted Advisor Organizational View explicitly enabled from the management account, (3) Business Support or higher on the management account. It does NOT require Business Support on every member account — this is a common trap.
Service Limits checks in Trusted Advisor alert at the 80% utilization threshold of a quota. This is available on ALL support tiers including Basic/Free. If a question asks what's available on Basic Support, Service Limits + 6 security checks is the correct answer.
Trusted Advisor check results are NOT real-time — they refresh on a schedule (weekly automatic, with manual refresh available but subject to a per-check cooldown of approximately 5 minutes). For truly real-time monitoring, combine with CloudWatch metrics and EventBridge. Don't select Trusted Advisor as a real-time monitoring solution in exam answers.
On the CLF-C02 (Cloud Practitioner) exam, Trusted Advisor is tested on its five pillars: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. Memorize these five — questions may ask you to identify which pillar a given recommendation falls under (e.g., 'MFA on root account' = Security; 'idle EC2 instances' = Cost Optimization; 'single-AZ RDS' = Fault Tolerance).
When a question describes a scenario where a company wants to 'identify unused Reserved Instances' or 'find unattached EBS volumes' or 'detect security groups with unrestricted access' across their AWS account — the answer is Trusted Advisor, not Cost Explorer, not Config, not Security Hub alone.
Trusted Advisor integrates with AWS Security Hub — Trusted Advisor security findings can be ingested into Security Hub for a unified security posture view. This is tested in SCS-C02 scenarios where candidates must identify how to centralize security findings from multiple sources.
Common Mistake
AWS Config and AWS Trusted Advisor do the same thing — both check your resources for compliance and best practices, so you only need one of them.
Correct
They are fundamentally different: Trusted Advisor provides PROACTIVE RECOMMENDATIONS based on AWS best practices (e.g., 'consider enabling Multi-AZ on this RDS instance to improve fault tolerance'). AWS Config provides CONTINUOUS COMPLIANCE MONITORING by recording resource configuration changes over time and evaluating them against rules you define (e.g., 'all RDS instances MUST be Multi-AZ — this one is NON-COMPLIANT'). Config tracks history and drift; Trusted Advisor suggests improvements. Config enforces; Trusted Advisor advises.
This is the most common trap in exam questions. The key differentiator: Config = compliance enforcement + configuration history; Trusted Advisor = best practice recommendations. A question saying 'ensure all S3 buckets are never public AND get alerted immediately when one becomes public' points to Config (with a Config Rule). A question saying 'identify S3 buckets that are currently public and get recommendations' points to Trusted Advisor.
Common Mistake
AWS Trusted Advisor is primarily a cost management tool — its main purpose is to reduce your AWS bill.
Correct
Cost Optimization is ONE of five equal pillars in Trusted Advisor. The other four — Security, Fault Tolerance, Performance, and Service Limits — are equally important and frequently tested. In fact, the Security and Service Limits checks are available even on the free Basic Support tier, underscoring that Trusted Advisor's value extends well beyond cost savings. Many exam questions test Trusted Advisor in security and fault tolerance contexts, not just cost.
Candidates who only associate Trusted Advisor with cost will miss questions about using it for security gap detection, fault tolerance assessment, or service limit monitoring during migrations. Remember all 5 pillars: Cost, Security, Performance, Fault Tolerance, Service Limits (mnemonic: 'Can Smart People Fix Systems?').
Common Mistake
AWS Trusted Advisor automatically fixes the issues it finds — it's a self-healing service.
Correct
Trusted Advisor is PURELY a recommendation and advisory service. It identifies issues and surfaces them in a dashboard with estimated impact, but it NEVER automatically changes or remediates anything in your account. To act on Trusted Advisor findings automatically, you must build an automation pipeline: Trusted Advisor findings → EventBridge event → Lambda function → remediation action. The human or automated pipeline must take action separately.
This misconception appears in questions that ask 'how do you automatically remediate Trusted Advisor findings?' The correct answer always involves EventBridge + Lambda, never 'Trusted Advisor will handle it.' Any answer choice suggesting Trusted Advisor self-remediates is a distractor.
Common Mistake
AWS Migration Hub and AWS Trusted Advisor both help track and manage large-scale migrations, so they can be used interchangeably.
Correct
AWS Migration Hub tracks the STATUS and PROGRESS of migrations (which servers have been discovered, assessed, migrated, and are now running in AWS). Trusted Advisor provides OPERATIONAL BEST PRACTICE GUIDANCE for resources already running in AWS. During a migration, Trusted Advisor is valuable for monitoring SERVICE LIMITS (ensuring you don't hit EC2, VPC, or EIP quotas as you migrate workloads) — but it does not track migration progress, server inventory, or migration waves.
SAP-C02 and DOP-C02 questions on large-scale migrations often include both Migration Hub and Trusted Advisor as answer options. The key: if the question is about tracking migration progress → Migration Hub. If it's about ensuring you don't hit service limits during migration or about best practices for migrated workloads → Trusted Advisor.
Common Mistake
AWS Compute Optimizer and Trusted Advisor both recommend right-sizing, so they provide the same recommendations and you only need one.
Correct
Trusted Advisor's cost optimization checks identify IDLE or significantly UNDERUTILIZED resources at a broad level (e.g., EC2 instances with CPU < 10% over 14 days). AWS Compute Optimizer uses MACHINE LEARNING to analyze 14 days of utilization metrics across CPU, memory, network, and disk to recommend specific optimal instance types, including cases where you should scale UP (over-provisioned workloads running hot). Compute Optimizer is deeper and more precise; Trusted Advisor is broader and simpler. Compute Optimizer also covers Lambda, ECS on Fargate, EBS volumes, and Auto Scaling groups — beyond what Trusted Advisor covers.
Questions will describe a scenario requiring 'precise ML-based right-sizing recommendations considering memory and network utilization' — that's Compute Optimizer, not Trusted Advisor. If the question says 'identify idle resources broadly' or 'get a quick cost optimization overview' — that's Trusted Advisor.
Common Mistake
Trusted Advisor is available with full functionality on all AWS support plans, including the free Basic tier.
Correct
The free Basic and paid Developer Support plans provide access to ONLY 6 security checks (S3 bucket permissions, security groups with unrestricted access, IAM use, MFA on root account, EBS public snapshots, RDS public snapshots) plus Service Limits checks. ALL other checks — including ALL Cost Optimization, ALL Performance, ALL Fault Tolerance, and most Security checks — require Business Support ($100+/month) or higher. This is one of the most tested facts about Trusted Advisor.
Exam scenarios will describe a company on Basic or Developer Support complaining that Trusted Advisor isn't showing cost optimization recommendations. The correct answer is to upgrade to Business Support. Never select 'enable the checks in the Trusted Advisor console' as a standalone solution — the support tier controls access.
TRUSTED ADVISOR'S 5 PILLARS → 'Can Smart People Fix Systems?' = Cost, Security, Performance, Fault Tolerance, Service Limits
SUPPORT TIER MEMORY TRICK → 'Basic/Developer = BARE MINIMUM (6 security + limits only); Business = FULL ACCESS; Enterprise = FULL ACCESS + TAM'
TRUSTED ADVISOR vs CONFIG → 'Advisor ADVISES (recommendations, no enforcement); Config CONTROLS (compliance rules, mandatory, tracks history)'
REMEDIATION PIPELINE → 'TA finds it → EventBridge hears it → Lambda fixes it' (Trusted Advisor never fixes anything itself)
TRUSTED ADVISOR vs COMPUTE OPTIMIZER → 'TA = Broad Idle Spotter; CO = Deep ML Sizer' — if the question mentions memory or ML, pick Compute Optimizer
ORGANIZATIONAL VIEW GOTCHA → 'O-View needs O-Enable' — Organizational View must be explicitly turned on from the management account even with Business Support
CertAI Tutor · SAP-C02, SAA-C03, DOP-C02, SCS-C02, CLF-C02 · 2026-02-22