diff --git a/MANIFEST.in b/MANIFEST.in index 9e3dc7cd..9dc2a159 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -5,5 +5,6 @@ include moto/ec2/resources/instance_type_offerings/*/*.json include moto/ec2/resources/amis.json include moto/cognitoidp/resources/*.json include moto/dynamodb2/parsing/reserved_keywords.txt +include moto/support/resources/*.json recursive-include moto/templates * recursive-include tests * diff --git a/moto/__init__.py b/moto/__init__.py index 0c3e6d6a..97542da6 100644 --- a/moto/__init__.py +++ b/moto/__init__.py @@ -120,6 +120,7 @@ mock_kinesisvideoarchivedmedia = lazy_load( ".kinesisvideoarchivedmedia", "mock_kinesisvideoarchivedmedia" ) mock_medialive = lazy_load(".medialive", "mock_medialive") +mock_support = lazy_load(".support", "mock_support") # import logging # logging.getLogger('boto').setLevel(logging.CRITICAL) diff --git a/moto/backends.py b/moto/backends.py index ac938413..7e6de162 100644 --- a/moto/backends.py +++ b/moto/backends.py @@ -77,6 +77,7 @@ BACKENDS = { "kinesisvideoarchivedmedia_backends", ), "forecast": ("forecast", "forecast_backends"), + "support": ("support", "support_backends"), } diff --git a/moto/ec2/models.py b/moto/ec2/models.py index f492565b..32c29f18 100644 --- a/moto/ec2/models.py +++ b/moto/ec2/models.py @@ -34,6 +34,7 @@ from moto.core.utils import ( ) from moto.core import ACCOUNT_ID from moto.kms import kms_backends +from moto.utilities.utils import load_resource from os import listdir from .exceptions import ( @@ -169,12 +170,7 @@ from .utils import ( ) -def _load_resource(filename): - with open(filename, "r") as f: - return json.load(f) - - -INSTANCE_TYPES = _load_resource( +INSTANCE_TYPES = load_resource( resource_filename(__name__, "resources/instance_types.json") ) 
@@ -190,10 +186,10 @@ for location_type in listdir(resource_filename(__name__, offerings_path)): ) INSTANCE_TYPE_OFFERINGS[location_type][ region.replace(".json", "") - ] = _load_resource(full_path) + ] = load_resource(full_path) -AMIS = _load_resource( +AMIS = load_resource( os.environ.get("MOTO_AMIS_PATH") or resource_filename(__name__, "resources/amis.json"), ) diff --git a/moto/support/__init__.py b/moto/support/__init__.py new file mode 100644 index 00000000..da0db740 --- /dev/null +++ b/moto/support/__init__.py @@ -0,0 +1,6 @@ +from __future__ import unicode_literals +from .models import support_backends +from ..core.models import base_decorator + +support_backend = support_backends["us-east-1"] +mock_support = base_decorator(support_backends) diff --git a/moto/support/exceptions.py b/moto/support/exceptions.py new file mode 100644 index 00000000..baffc488 --- /dev/null +++ b/moto/support/exceptions.py @@ -0,0 +1 @@ +from __future__ import unicode_literals diff --git a/moto/support/models.py b/moto/support/models.py new file mode 100644 index 00000000..7e799ea6 --- /dev/null +++ b/moto/support/models.py 
@@ -0,0 +1,37 @@
+from __future__ import unicode_literals
+from boto3 import Session
+from pkg_resources import resource_filename
+from moto.core import BaseBackend
+from moto.utilities.utils import load_resource
+
+
+checks_json = "resources/describe_trusted_advisor_checks.json"
+ADVISOR_CHECKS = load_resource(resource_filename(__name__, checks_json))
+
+
+class SupportBackend(BaseBackend):
+ def __init__(self, region_name=None):
+ super(SupportBackend, self).__init__()
+ self.region_name = region_name
+
+ def reset(self):
+ region_name = self.region_name
+ self.__dict__ = {}
+ self.__init__(region_name)
+
+ def describe_trusted_advisor_checks(self, language):
+ # The checks are a static response
+ checks = ADVISOR_CHECKS["checks"]
+ return checks
+
+
+support_backends = {}
+
+# Only currently supported in us-east-1
+support_backends["us-east-1"] = SupportBackend("us-east-1")
+for region in Session().get_available_regions("support"):
+ support_backends[region] = SupportBackend(region)
+for region in Session().get_available_regions("support", partition_name="aws-us-gov"):
+ support_backends[region] = SupportBackend(region)
+for region in Session().get_available_regions("support", partition_name="aws-cn"):
+ support_backends[region] = SupportBackend(region)
diff --git a/moto/support/resources/describe_trusted_advisor_checks.json b/moto/support/resources/describe_trusted_advisor_checks.json
new file mode 100644
index 00000000..26958c0a
--- /dev/null
+++ b/moto/support/resources/describe_trusted_advisor_checks.json
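Review bot: `describe_trusted_advisor_checks` in moto/support/models.py returns `ADVISOR_CHECKS["checks"]` by reference, so every region's `SupportBackend` hands out the same module-level list. `reset()` only rebuilds `self.__dict__`, so it cannot undo a change made to that list by whatever consumes the return value; returning a copy, for example `return copy.deepcopy(ADVISOR_CHECKS["checks"])` with `import copy` at the top, would keep test runs isolated. The `language` argument is accepted and never read, which deserves a comment such as `# language is ignored: the bundled fixture is English-only`, if that is the intent. The comment `# Only currently supported in us-east-1` also contradicts the three loops below it, which register a backend for every region boto3 reports in the `aws`, `aws-us-gov` and `aws-cn` partitions; reword it to say the explicit `us-east-1` entry is a guaranteed default.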
@@ -0,0 +1,1491 @@ +{ + "checks": [ + { + "id": "Qch7DwouX1", + "name": "Low Utilization Amazon EC2 Instances", + "description": "Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days. Running instances generate hourly usage charges. Although some scenarios can result in low utilization by design, you can often lower your costs by managing the number and size of your instances.\n

\nEstimated monthly savings are calculated by using the current usage rate for On-Demand Instances and the estimated number of days the instance might be underutilized. Actual savings will vary if you are using Reserved Instances or Spot Instances, or if the instance is not running for a full day. To get daily utilization data, download the report for this check. \n
\n
\nAlert Criteria
\nYellow: An instance had 10% or less daily average CPU utilization and 5 MB or less network I/O on at least 4 of the previous 14 days.
\n
\nRecommended Action
\nConsider stopping or terminating instances that have low utilization, or scale the number of instances by using Auto Scaling. For more information, see Stop and Start Your Instance, Terminate Your Instance, and What is Auto Scaling?
\n
\nAdditional Resources
\nMonitoring Amazon EC2
\nInstance Metadata and User Data
\nAmazon CloudWatch Developer Guide
\nAuto Scaling Developer Guide", + "category": "cost_optimizing", + "metadata": [ + "Region/AZ", + "Instance ID", + "Instance Name", + "Instance Type", + "Estimated Monthly Savings", + "Day 1", + "Day 2", + "Day 3", + "Day 4", + "Day 5", + "Day 6", + "Day 7", + "Day 8", + "Day 9", + "Day 10", + "Day 11", + "Day 12", + "Day 13", + "Day 14", + "14-Day Average CPU Utilization", + "14-Day Average Network I/O", + "Number of Days Low Utilization" + ] + }, + { + "id": "hjLMh88uM8", + "name": "Idle Load Balancers", + "description": "Checks your Elastic Load Balancing configuration for load balancers that are not actively used. Any load balancer that is configured accrues charges. If a load balancer has no associated back-end instances or if network traffic is severely limited, the load balancer is not being used effectively.
\n
\nAlert Criteria
\nYellow: A load balancer has no active back-end instances.
\nYellow: A load balancer has no healthy back-end instances.
\nYellow: A load balancer has had less than 100 requests per day for the last 7 days.
\n
\nRecommended Action
\nIf your load balancer has no active back-end instances, consider registering instances or deleting your load balancer. See Registering Your Amazon EC2 Instances with Your Load Balancer or Delete Your Load Balancer.
\nIf your load balancer has no healthy back-end instances, see Troubleshooting Elastic Load Balancing: Health Check Configuration.
\nIf your load balancer has had a low request count, consider deleting your load balancer. See Delete Your Load Balancer.
\n
\nAdditional Resources
\nManaging Load Balancers
\nTroubleshoot Elastic Load Balancing", + "category": "cost_optimizing", + "metadata": [ + "Region", + "Load Balancer Name", + "Reason", + "Estimated Monthly Savings" + ] + }, + { + "id": "DAvU99Dc4C", + "name": "Underutilized Amazon EBS Volumes", + "description": "Checks Amazon Elastic Block Store (Amazon EBS) volume configurations and warns when volumes appear to be underused. Charges begin when a volume is created. If a volume remains unattached or has very low write activity (excluding boot volumes) for a period of time, the volume is probably not being used.
\n
\nAlert Criteria
\nYellow: A volume is unattached or had less than 1 IOPS per day for the past 7 days.
\n
\nRecommended Action
\nConsider creating a snapshot and deleting the volume to reduce costs. For more information, see Creating an Amazon EBS Snapshot and Deleting an Amazon EBS Volume.
\n
\nAdditional Resources
\nAmazon Elastic Block Store (Amazon EBS)
\nMonitoring the Status of Your Volumes", + "category": "cost_optimizing", + "metadata": [ + "Region", + "Volume ID", + "Volume Name", + "Volume Type", + "Volume Size", + "Monthly Storage Cost", + "Snapshot ID", + "Snapshot Name", + "Snapshot Age" + ] + }, + { + "id": "Z4AUBRNSmz", + "name": "Unassociated Elastic IP Addresses", + "description": "Checks for Elastic IP addresses (EIPs) that are not associated with a running Amazon Elastic Compute Cloud (Amazon EC2) instance. EIPs are static IP addresses designed for dynamic cloud computing. Unlike traditional static IP addresses, EIPs can mask the failure of an instance or Availability Zone by remapping a public IP address to another instance in your account. A nominal charge is imposed for an EIP that is not associated with a running instance.
\n
\nAlert Criteria
\nYellow: An allocated Elastic IP address (EIP) is not associated with a running Amazon EC2 instance.
\n
\nRecommended Action
\nAssociate the EIP with a running active instance, or release the unassociated EIP. For more information, see Associating an Elastic IP Address with a Different Running Instance and Releasing an Elastic IP Address.
\n
\nAdditional Resources
\nElastic IP Addresses", + "category": "cost_optimizing", + "metadata": [ + "Region", + "IP Address" + ] + }, + { + "id": "HCP4007jGY", + "name": "Security Groups - Specific Ports Unrestricted", + "description": "Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.\n
\nIf you have intentionally configured your security groups in this manner, we recommend using additional security measures to secure your infrastructure (such as IP tables).\n
\n
Note: Security groups created by AWS Directory Services are flagged as red or yellow, but do not pose a security risk and can be safely ignored or suppressed. Refer to Trusted Advisor FAQ for more details.\n
\n
\nAlert Criteria\n
\nGreen: Access to port 80, 25, 443, or 465 is unrestricted.
\nRed: Access to port 20, 21, 1433, 1434, 3306, 3389, 4333, 5432, or 5500 is unrestricted.
\nYellow: Access to any other port is unrestricted.\n
\n
\nRecommended Action\n
\nRestrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive.
\n
\nAdditional Resources
\nAmazon EC2 Security Groups
\nList of TCP and UDP port numbers (Wikipedia)
\nClassless Inter-Domain Routing (Wikipedia)", + "category": "security", + "metadata": [ + "Region", + "Security Group Name", + "Security Group ID", + "Protocol", + "Status", + "Ports" + ] + }, + { + "id": "1iG5NDGVre", + "name": "Security Groups - Unrestricted Access", + "description": "Checks security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).\n
\n
Note: Security groups created by AWS Directory Services are flagged as red, but do not pose a security risk and can be safely ignored or suppressed. Refer to Trusted Advisor FAQ for more details.\n
\n
\nAlert Criteria\n
\nRed: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443.\n
\n
\nRecommended Action\n
\nRestrict access to only those IP addresses that require it. To restrict access to a specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive rules after creating rules that are more restrictive.\n
\n
\nAdditional Resources\n
Amazon EC2 Security Groups
\nClassless Inter-Domain Routing (Wikipedia)", + "category": "security", + "metadata": [ + "Region", + "Security Group Name", + "Security Group ID", + "Protocol", + "Port", + "Status", + "IP Range" + ] + }, + { + "id": "zXCkfM1nI3", + "name": "IAM Use", + "description": "Checks for your use of AWS Identity and Access Management (IAM). You can use IAM to create users, groups, and roles in AWS, and you can use permissions to control access to AWS resources. \n
\n
\nAlert Criteria
\nYellow: No IAM users have been created for this account.\n
\n
\nRecommended Action
\nCreate one or more IAM users and groups in your account. You can then create additional users whose permissions are limited to perform specific tasks in your AWS environment. For more information, see Getting Started. \n

\nAdditional Resources
\nWhat Is IAM?", + "category": "security", + "metadata": [] + }, + { + "id": "Pfx0RwqBli", + "name": "Amazon S3 Bucket Permissions", + "description": "Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user. Bucket permissions that grant List access can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Bucket permissions that grant Upload/Delete access create potential security vulnerabilities by allowing users that to add, modify, or remove items in a bucket.
\n
\nAlert Criteria
\nYellow: The bucket ACL allows List access for \"Everyone\" or \"Any Authenticated AWS User\".
\nYellow: A bucket policy allows any kind of open access.
\nYellow: Bucket policy has statements that grant public access. The “Block public and cross-account access to buckets that have public policies” setting is turned on and has restricted access to only authorized users of that account until public statements are removed.
\nYellow: Trusted Advisor does not have permission to check the policy, or the policy could not be evaluated for other reasons.
\nRed: The bucket ACL allows Upload/Delete access for \"Everyone\" or \"Any Authenticated AWS User\".
\n
\nRecommended Action
\nIf a bucket allows open access, determine if open access is truly needed. If not, update the bucket permissions to restrict access to the owner or specific users. Use Amazon S3 Block Public Access to control the settings that allow public access to your data. See Setting Bucket and Object Access Permissions.
\n
\nAdditional Resources
\nManaging Access Permissions to Your Amazon S3 Resources", + "category": "security", + "metadata": [ + "Region Name", + "Region API Parameter", + "Bucket Name", + "ACL Allows List", + "ACL Allows Upload/Delete", + "Status", + "Policy Allows Access", + "Ignored Bucket Name" + ] + }, + { + "id": "7DAFEmoDos", + "name": "MFA on Root Account", + "description": "Checks the root account and warns if multi-factor authentication (MFA) is not enabled. For increased security, we recommend that you protect your account by using MFA, which requires a user to enter a unique authentication code from their MFA hardware or virtual device when interacting with the AWS console and associated websites.\n
\n
\nAlert Criteria
\nRed: MFA is not enabled on the root account.\n
\n
\nRecommended Action
\nLog in to your root account and activate an MFA device. See Checking MFA Status and Setting Up an MFA Device.\n
\n
\nAdditional Resources
\nUsing Multi-Factor Authentication (MFA) Devices with AWS", + "category": "security", + "metadata": [] + }, + { + "id": "Yw2K9puPzl", + "name": "IAM Password Policy", + "description": "Checks the password policy for your account and warns when a password policy is not enabled, or if password content requirements have not been enabled. Password content requirements increase the overall security of your AWS environment by enforcing the creation of strong user passwords. When you create or change a password policy, the change is enforced immediately for new users but does not require existing users to change their passwords. \n
\n
\nAlert Criteria
\nYellow: A password policy is enabled, but at least one content requirement is not enabled. \n
\nRed: No password policy is enabled. \n
\n
\nRecommended Action
\nIf some content requirements are not enabled, consider enabling them. If no password policy is enabled, create and configure one. See Setting an Account Password Policy for IAM Users. \n
\n
\nAdditional Resources
\nManaging Passwords", + "category": "security", + "metadata": [ + "Password Policy", + "Uppercase", + "Lowercase", + "Number", + "Non-alphanumeric", + "Status", + "Reason" + ] + }, + { + "id": "nNauJisYIT", + "name": "Amazon RDS Security Group Access Risk", + "description": "Checks security group configurations for Amazon Relational Database Service (Amazon RDS) and warns when a security group rule might grant overly permissive access to your database. Recommended configuration for any security group rule is to allow access from specific Amazon Elastic Compute Cloud (Amazon EC2) security groups or from a specific IP address. Data for Amazon Relational Database Service (Amazon RDS) instances created in the Asia Pacific (Seoul) region (sa-east-1) is not available. We are working to fix this issue as soon as possible.\n
\n
\nAlert Criteria
\nYellow: A DB security group rule references an Amazon EC2 security group that grants global access on one of these ports: 20, 21, 22, 1433, 1434, 3306, 3389, 4333, 5432, 5500.\n
\nYellow: A DB security group rule grants access to more than a single IP address (the CIDR rule suffix is not /0 or /32).\n
\nRed: A DB security group rule grants global access (the CIDR rule suffix is /0).\n
\n
\nRecommended Action
\nReview your security group rules and restrict access to authorized IP addresses or IP ranges. To edit a security group, use the AuthorizeDBSecurityGroupIngress API or the AWS Management Console. For more information, see Working with DB Security Groups.\n
\n
\nAdditional Resources
\nAmazon RDS Security Groups
\nClassless Inter-Domain Routing
\nList of TCP and UDP port numbers", + "category": "security", + "metadata": [ + "Region", + "RDS Security Group Name", + "Ingress Rule", + "Status", + "Reason" + ] + }, + { + "id": "H7IgTzjTYb", + "name": "Amazon EBS Snapshots", + "description": "Checks the age of the snapshots for your Amazon Elastic Block Store (Amazon EBS) volumes (available or in-use). Even though Amazon EBS volumes are replicated, failures can occur. Snapshots are persisted to Amazon Simple Storage Service (Amazon S3) for durable storage and point-in-time recovery.
\n
\nAlert Criteria
\nYellow: The most recent volume snapshot is between 7 and 30 days old.
\nRed: The most recent volume snapshot is more than 30 days old.
\nRed: The volume does not have a snapshot.
\n
\nRecommended Action
\nCreate weekly or monthly snapshots of your volumes. For more information, see Creating an Amazon EBS Snapshot.
\n
\nAdditional Resources
\nAmazon Elastic Block Store (Amazon EBS)", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Volume ID", + "Volume Name", + "Snapshot ID", + "Snapshot Name", + "Snapshot Age", + "Volume Attachment", + "Status", + "Reason" + ] + }, + { + "id": "wuy7G1zxql", + "name": "Amazon EC2 Availability Zone Balance", + "description": "Checks the distribution of Amazon Elastic Compute Cloud (Amazon EC2) instances across Availability Zones in a region. Availability Zones are distinct locations that are designed to be insulated from failures in other Availability Zones and to provide inexpensive, low-latency network connectivity to other Availability Zones in the same region. By launching instances in multiple Availability Zones in the same region, you can help protect your applications from a single point of failure.
\n
\nAlert Criteria
\nYellow: The region has instances in multiple zones, but the distribution is uneven (the difference between the highest and lowest instance counts in utilized Availability Zones is greater than 20%).
\nRed: The region has instances only in a single Availability Zone.
\n
\nRecommended Action
\nBalance your Amazon EC2 instances evenly across multiple Availability Zones. You can do this by launching instances manually or by using Auto Scaling to do it automatically. For more information, see Launch Your Instance and Load Balance Your Auto Scaling Group.
\n
\nAdditional Resources
\nAuto Scaling Getting Started Guide
\nAuto Scaling Developer Guide", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Instances in Zone a", + "Instances in Zone b", + "Instances in Zone c", + "Instances in Zone d", + "Instances in Zone e", + "Instances in Zone f", + "Status", + "Reason" + ] + }, + { + "id": "iqdCTZKCUp", + "name": "Load Balancer Optimization", + "description": "Checks your load balancer configuration. To help increase the level of fault tolerance in Amazon Elastic Compute Cloud (EC2) when using Elastic Load Balancing, we recommend running an equal number of instances across multiple Availability Zones in a region. A load balancer that is configured accrues charges, so this is a cost-optimization check as well.
\n
\nAlert Criteria
\nYellow: A load balancer is enabled for a single Availability Zone.
\nYellow: A load balancer is enabled for an Availability Zone that has no active instances.
\nYellow: The Amazon EC2 instances that are registered with a load balancer are unevenly distributed across Availability Zones. (The difference between the highest and lowest instance counts in utilized Availability Zones is more than 1, and the difference is more than 20% of the highest count.)
\n
\nRecommended Action
\nEnsure that your load balancer points to active and healthy instances in at least two Availability Zones. For more information, see Add Availability Zone.
\nIf your load balancer is configured for an Availability Zone with no healthy instances, or if there is an imbalance of instances across the Availability Zones, determine if all the Availability Zones are necessary. Omit any unnecessary Availability Zones and ensure there is a balanced distribution of instances across the remaining Availability Zones. For more information, see Remove Availability Zone.
\n
\nAdditional Resources
\nAvailability Zones and Regions
\nManaging Load Balancers
\nBest Practices in Evaluating Elastic Load Balancing", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Load Balancer Name", + "# of Zones", + "Instances in Zone a", + "Instances in Zone b", + "Instances in Zone c", + "Instances in Zone d", + "Instances in Zone e", + "Instances in Zone f", + "Status", + "Reason" + ] + }, + { + "id": "S45wrEXrLz", + "name": "VPN Tunnel Redundancy", + "description": "Checks the number of tunnels that are active for each of your VPNs. A VPN should have two tunnels configured at all times to provide redundancy in case of outage or planned maintenance of the devices at the AWS endpoint. For some hardware, only one tunnel is active at a time (see the Amazon Virtual Private Cloud Network Administrator Guide). If a VPN has no active tunnels, charges for the VPN might still apply.
\n
\nAlert Criteria
\nYellow: A VPN has one active tunnel (this is normal for some hardware).
\nYellow: A VPN has no active tunnels.
\n
\nRecommended Action
\nBe sure that two tunnels are configured for your VPN connection, and that both are active if your hardware supports it. If you no longer need a VPN connection, you can delete it to avoid charges. For more information, see Your Customer Gateway or Deleting a VPN connection.
\n
\nAdditional Resources
\nAmazon Virtual Private Cloud Network Administrator Guide
\nAdding a Hardware Virtual Private Gateway to Your VPC", + "category": "fault_tolerance", + "metadata": [ + "Region", + "VPN ID", + "VPC", + "Virtual Private Gateway", + "Customer Gateway", + "Active Tunnels", + "Status", + "Reason" + ] + }, + { + "id": "ZRxQlPsb6c", + "name": "High Utilization Amazon EC2 Instances", + "description": "Checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was more than 90% on 4 or more days. Consistent high utilization can indicate optimized, steady performance, but it can also indicate that an application does not have enough resources. To get daily CPU utilization data, download the report for this check.
\n
\nAlert Criteria
\nYellow: An instance had more than 90% daily average CPU utilization on at least 4 of the previous 14 days.\n

\nRecommended Action
\nConsider adding more instances. For information about scaling the number of instances based on demand, see What is Auto Scaling?\n

\nAdditional Resources
\nMonitoring Amazon EC2
\nInstance Metadata and User Data
\nAmazon CloudWatch Developer Guide
\nAuto Scaling Developer Guide", + "category": "performance", + "metadata": [ + "Region/AZ", + "Instance ID", + "Instance Name", + "Instance Type", + "Day 1", + "Day 2", + "Day 3", + "Day 4", + "Day 5", + "Day 6", + "Day 7", + "Day 8", + "Day 9", + "Day 10", + "Day 11", + "Day 12", + "Day 13", + "Day 14", + "14-Day Average CPU Utilization", + "Number of Days over 90% CPU Utilization" + ] + }, + { + "id": "8CNsSllI5v", + "name": "Auto Scaling Group Resources", + "description": "Checks the availability of resources associated with launch configurations and your Auto Scaling groups. Auto Scaling groups that point to unavailable resources cannot launch new Amazon Elastic Compute Cloud (Amazon EC2) instances. When properly configured, Auto Scaling causes the number of Amazon EC2 instances to increase seamlessly during demand spikes and decrease automatically during demand lulls. Auto Scaling groups and launch configurations that point to unavailable resources do not operate as intended.
\n
\nAlert Criteria
\nRed: An Auto Scaling group is associated with a deleted load balancer.
\nRed: A launch configuration is associated with a deleted Amazon Machine Image (AMI).
\n
\nRecommended Action
\nIf the load balancer has been deleted, either create a new load balancer and then create a new Auto Scaling group with the new load balancer, or create a new Auto Scaling group without the load balancer. For information about creating a new Auto Scaling group with a new load balancer, see Set Up an Auto-Scaled and Load-Balanced Application. For information about creating a new Auto Scaling group without a load balancer, see \"Create Auto Scaling Group\" in Getting Started With Auto Scaling Using the Console.
\nIf the AMI has been deleted, create a new launch configuration using a valid AMI and associate it with an Auto Scaling group. See \"Create Launch Configuration\" in Getting Started With Auto Scaling Using the Console.
\n
\nAdditional Resources
\nTroubleshooting Auto Scaling: Amazon EC2 AMIs
\nTroubleshooting Auto Scaling: Load Balancer Configuration
\nAuto Scaling Developer Guide", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Auto Scaling Group Name", + "Launch Configuration Name", + "Launch Type", + "Launch Name", + "Resource Type", + "Resource Name", + "Status", + "Reason" + ] + }, + { + "id": "opQPADkZvH", + "name": "Amazon RDS Backups", + "description": "Checks for automated backups of Amazon RDS DB instances. By default, backups are enabled with a retention period of 1 day. Backups reduce the risk of unexpected data loss and allow for point-in-time recovery. Data for Amazon Relational Database Service (Amazon RDS) instances created in the Asia Pacific (Seoul) region (sa-east-1) is not available. We are working to fix this issue as soon as possible.
\n
\nAlert Criteria
\nRed: A DB instance has the backup retention period set to 0 days.
\n
\nRecommended Action
\nSet the retention period for the automated DB instance backup to 1 to 35 days as appropriate to the requirements of your application. See Working With Automated Backups.
\n
\nAdditional Resources
\nGetting Started with Amazon RDS", + "category": "fault_tolerance", + "metadata": [ + "Region/AZ", + "DB Instance", + "VPC ID", + "Backup Retention Period", + "Status" + ] + }, + { + "id": "f2iK5R6Dep", + "name": "Amazon RDS Multi-AZ", + "description": "Checks for DB instances that are deployed in a single Availability Zone. Multi-AZ deployments enhance database availability by synchronously replicating to a standby instance in a different Availability Zone. During planned database maintenance or the failure of a DB instance or Availability Zone, Amazon RDS automatically fails over to the standby so that database operations can resume quickly without administrative intervention. Because Multi-AZ deployments for the SQL Server engine use a different mechanism for synchronization, this check does not examine SQL Server instances.
Data for Amazon Relational Database Service (Amazon RDS) instances created in the Asia Pacific (Seoul) region (sa-east-1) is not available. We are working to fix this issue as soon as possible.
\n
\nAlert Criteria
\nYellow: A DB instance is deployed in a single Availability Zone.
\n
\nRecommended Action
\nIf your application requires high availability, modify your DB instance to enable Multi-AZ deployment. See High Availability (Multi-AZ).
\n
\nAdditional Resources
\nRegions and Availability Zones", + "category": "fault_tolerance", + "metadata": [ + "Region/AZ", + "DB Instance", + "VPC ID", + "Multi-AZ", + "Status" + ] + }, + { + "id": "CLOG40CDO8", + "name": "Auto Scaling Group Health Check", + "description": "Examines the health check configuration for Auto Scaling groups. If Elastic Load Balancing is being used for an Auto Scaling group, the recommended configuration is to enable an Elastic Load Balancing health check. If an Elastic Load Balancing health check is not used, Auto Scaling can only act upon the health of the Amazon Elastic Compute Cloud (Amazon EC2) instance and not on the application that is running on the instance.
\n
\nAlert Criteria
\nYellow: An Auto Scaling group has an associated load balancer, but the Elastic Load Balancing health check is not enabled.
\nYellow: An Auto Scaling group does not have an associated load balancer, but the Elastic Load Balancing health check is enabled.
\n
\nRecommended Action
\nIf the Auto Scaling group has an associated load balancer, but the Elastic Load Balancing health check is not enabled, see Add an Elastic Load Balancing Health Check to your Auto Scaling Group.
\nIf the Elastic Load Balancing health check is enabled, but no load balancer is associated with the Auto Scaling group, see Set Up an Auto-Scaled and Load-Balanced Application.
\n
\nAdditional Resources
\nAuto Scaling Developer Guide", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Auto Scaling Group Name", + "Load Balancer Associated", + "Health Check", + "Status" + ] + }, + { + "id": "BueAdJ7NrP", + "name": "Amazon S3 Bucket Logging", + "description": "Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets. When server access logging is enabled, detailed access logs are delivered hourly to a bucket that you choose. An access log record contains details about each request, such as the request type, the resources specified in the request, and the time and date the request was processed. By default, bucket logging is not enabled; you should enable logging if you want to perform security audits or learn more about users and usage patterns.

\nWhen logging is initially enabled, the configuration is automatically validated; however, future modifications can result in logging failures. This check examines explicit Amazon S3 bucket permissions, but it does not examine associated bucket policies that might override the bucket permissions.
\n
\nAlert Criteria
\nYellow: The bucket does not have server access logging enabled.
\nYellow: The target bucket permissions do not include the root account, so Trusted Advisor cannot check it.
\nRed: The target bucket does not exist.
\nRed: The target bucket and the source bucket have different owners.
\nRed: The log deliverer does not have write permissions for the target bucket.
\n
\nRecommended Action
\nEnable bucket logging for most buckets. See Enabling Logging Using the Console and Enabling Logging Programmatically.
\nIf the target bucket permissions do not include the root account and you want Trusted Advisor to check the logging status, add the root account as a grantee. See Editing Bucket Permissions.
\nIf the target bucket does not exist, select an existing bucket as a target or create a new one and select it. See Managing Bucket Logging.
\nIf the target and source have different owners, change the target bucket to one that has the same owner as the source bucket. See Managing Bucket Logging.
\nIf the log deliverer does not have write permissions for the target (Write not enabled), grant Upload/Delete permissions to the Log Delivery group. See Editing Bucket Permissions.\n
\n
\nAdditional Resources
\nWorking with Buckets
\nServer Access Logging
\nServer Access Log Format
\nDeleting Log Files", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Bucket Name", + "Target Name", + "Target Exists", + "Same Owner", + "Write Enabled", + "Status", + "Reason" + ] + }, + { + "id": "PPkZrjsH2q", + "name": "Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration", + "description": "Checks for Provisioned IOPS (SSD) volumes that are attached to an Amazon EBS-optimizable Amazon Elastic Compute Cloud (Amazon EC2) instance that is not EBS-optimized. Provisioned IOPS (SSD) volumes in the Amazon Elastic Block Store (Amazon EBS) are designed to deliver the expected performance only when they are attached to an EBS-optimized instance.
\n
\nAlert Criteria
\nYellow: An Amazon EC2 instance that can be EBS-optimized has an attached Provisioned IOPS (SSD) volume but the instance is not EBS-optimized.
\n
\nRecommended Action
\nCreate a new instance that is EBS-optimized, detach the volume, and reattach the volume to your new instance. For more information, see Amazon EBS-Optimized Instances and Attaching an Amazon EBS Volume to an Instance.
\n
\nAdditional Resources
\nAmazon EBS Volume Types
\nAmazon EBS Volume Performance", + "category": "performance", + "metadata": [ + "Region/AZ", + "Volume ID", + "Volume Name", + "Volume Attachment", + "Instance ID", + "Instance Type", + "EBS Optimized", + "Status" + ] + }, + { + "id": "tfg86AVHAZ", + "name": "Large Number of Rules in an EC2 Security Group", + "description": "Checks each Amazon Elastic Compute Cloud (EC2) security group for an excessive number of rules. If a security group has a large number of rules, performance can be degraded.\n
\nFor more information, see Amazon EC2 Security Groups.\n
\n
\nAlert Criteria\n
\nYellow: An Amazon EC2-VPC security group has more than 50 rules.\n
\nYellow: An Amazon EC2-Classic security group has more than 100 rules.\n
\n
\nRecommended Action\n
\nReduce the number of rules in a security group by deleting unnecessary or overlapping rules. For more information, see Deleting Rules from a Security Group.\n
\n
\nAdditional Resources\n
\nAmazon EC2 Security Groups", + "category": "performance", + "metadata": [ + "Region", + "Security Group Name", + "Group ID", + "Description", + "Instance Count", + "VPC ID", + "Total Inbound Rules", + "Total Outbound Rules" + ] + }, + { + "id": "j3DFqYTe29", + "name": "Large Number of EC2 Security Group Rules Applied to an Instance", + "description": "Checks for Amazon Elastic Compute Cloud (EC2) instances that have a large number of security group rules. Performance can be degraded if an instance has a large number of rules.
\n
\nAlert Criteria
\nYellow: An Amazon EC2-VPC instance has more than 50 security group rules.
\nYellow: An Amazon EC2-Classic instance has more than 100 security group rules.
\n
\nRecommended Action
\nReduce the number of rules associated with an instance by deleting unnecessary or overlapping rules. For more information, see Deleting Rules from a Security Group.
\n
\nAdditional Resources
\nAmazon EC2 Security Groups", + "category": "performance", + "metadata": [ + "Region", + "Instance ID", + "Instance Name", + "VPC ID", + "Total Inbound Rules", + "Total Outbound Rules" + ] + }, + { + "id": "Ti39halfu8", + "name": "Amazon RDS Idle DB Instances", + "description": "Checks the configuration of your Amazon Relational Database Service (Amazon RDS) for any DB instances that appear to be idle. If a DB instance has not had a connection for a prolonged period of time, you can delete the instance to reduce costs. If persistent storage is needed for data on the instance, you can use lower-cost options such as taking and retaining a DB snapshot. Manually created DB snapshots are retained until you delete them. Data for Amazon RDS instances created in the Asia Pacific (Seoul) region (sa-east-1) is not available. We are working to fix this issue as soon as possible.
\n
\nAlert Criteria
\nYellow: An active DB instance has not had a connection in the last 7 days.
\n
\nRecommended Action
\nConsider taking a snapshot of the idle DB instance and then either stopping it or deleting it. Stopping the DB instance removes some of the costs for it, but does not remove storage costs. A stopped instance keeps all automated backups based upon the configured retention period. Stopping a DB instance usually incurs additional costs when compared to deleting the instance and then retaining only the final snapshot. See and Deleting a DB Instance with a Final Snapshot.
\n
\nAdditional Resources
\nBack Up and Restore", + "category": "cost_optimizing", + "metadata": [ + "Region", + "DB Instance Name", + "Multi-AZ", + "Instance Type", + "Storage Provisioned (GB)", + "Days Since Last Connection", + "Estimated Monthly Savings (On Demand)" + ] + }, + { + "id": "B913Ef6fb4", + "name": "Amazon Route 53 Alias Resource Record Sets", + "description": "Checks for resource record sets that can be changed to alias resource record sets to improve performance and save money. An alias resource record set routes DNS queries to an AWS resource (for example, an Elastic Load Balancing load balancer or an Amazon S3 bucket) or to another Route 53 resource record set. When you use alias resource record sets, Route 53 routes your DNS queries to AWS resources free of charge.
\n
\nAlert Criteria
\nYellow: A resource record set is a CNAME to an Amazon S3 website.
\nYellow: A resource record set is a CNAME to an Amazon CloudFront distribution.
\nYellow: A resource record set is a CNAME to an Elastic Load Balancing load balancer.
\n
\nRecommended Action
\nReplace the listed CNAME resource record sets with alias resource record sets; see Choosing Between Alias and Non-Alias Resource Record Sets. You also need to change the record type from CNAME to A or AAAA, depending on the AWS resource; see Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets.
\n
\nAdditional Resources
\nRouting Queries to AWS Resources", + "category": "performance", + "metadata": [ + "Hosted Zone Name", + "Hosted Zone ID", + "Resource Record Set Name", + "Resource Record Set Type", + "Resource Record Set Identifier", + "Alias Target", + "Status" + ] + }, + { + "id": "cF171Db240", + "name": "Amazon Route 53 Name Server Delegations", + "description": "Checks for Amazon Route 53 hosted zones for which your domain registrar or DNS is not using the correct Route 53 name servers. When you create a hosted zone, Route 53 assigns a delegation set of four name servers. The names of these servers are ns-###.awsdns-##.com, .net, .org, and .co.uk, where ### and ## typically represent different numbers. Before Route 53 can route DNS queries for your domain, you must update your registrar's name server configuration to remove the name servers that the registrar assigned and add all four name servers in the Route 53 delegation set. For maximum availability, you must add all four Route 53 name servers.
\n
\nAlert Criteria
\nYellow: A hosted zone for which the registrar for your domain does not use all four of the Route 53 name servers in the delegation set.
\n
\nRecommended Action
\nAdd or update name server records with your registrar or with the current DNS service for your domain to include all four of the name servers in your Route 53 delegation set. To find these values, see Getting the Name Servers for a Hosted Zone. For information about adding or updating name server records, see Creating and Migrating Domains and Subdomains to Amazon Route 53.
\n
\nAdditional Resources
\nWorking with Hosted Zones
", + "category": "fault_tolerance", + "metadata": [ + "Hosted Zone Name", + "Hosted Zone ID", + "Number of Name Server Delegations Used" + ] + }, + { + "id": "C056F80cR3", + "name": "Amazon Route 53 High TTL Resource Record Sets", + "description": "Checks for resource record sets that can benefit from having a lower time-to-live (TTL) value. TTL is the number of seconds that a resource record set is cached by DNS resolvers. When you specify a long TTL, DNS resolvers take longer to request updated DNS records, which can cause unnecessary delay in rerouting traffic (for example, when DNS Failover detects and responds to a failure of one of your endpoints).
\n
\nAlert Criteria
\nYellow: A resource record set whose routing policy is Failover has a TTL greater than 60 seconds.
\nYellow: A resource record set with an associated health check has a TTL greater than 60 seconds.
\n
\nRecommended Action
\nEnter a TTL value of 60 seconds for the listed resource record sets. For more information, see Working with Resource Record Sets.
\n
\nAdditional Resources
\nAmazon Route 53 Health Checks and DNS Failover", + "category": "fault_tolerance", + "metadata": [ + "Hosted Zone Name", + "Hosted Zone ID", + "Resource Record Set Name", + "Resource Record Set Type", + "Resource Record Set ID", + "TTL", + "Status" + ] + }, + { + "id": "k3J2hns32g", + "name": "Overutilized Amazon EBS Magnetic Volumes", + "description": "Checks for Amazon Elastic Block Store (EBS) Magnetic volumes that are potentially overutilized and might benefit from a more efficient configuration. A Magnetic volume is designed for applications with moderate or bursty I/O requirements, and the IOPS rate is not guaranteed. It delivers approximately 100 IOPS on average, with a best-effort ability to burst to hundreds of IOPS. For consistently higher IOPS, you can use a Provisioned IOPS (SSD) volume. For bursty IOPS, you can use a General Purpose (SSD) volume. For more information, see Amazon EBS Volume Types.
\n
\nFor a list of instance types that support EBS-optimized behavior, see Amazon EBS-Optimized Instances.\n

\nTo get daily utilization metrics, download the report for this check. The detailed report shows a column for each of the last 14 days. If there is no active EBS volume, the cell is empty. If there is insufficient data to make a reliable measurement, the cell contains \"N/A\". If there is sufficient data, the cell contains the daily median and the percentage of the variance in relation to the median (for example, \"256 / 20%\").

\nAlert Criteria
\nYellow: An Amazon EBS Magnetic volume is attached to an instance that can be EBS-optimized or is part of a cluster compute network with a daily median of more than 95 IOPS, and varies by less than 10% of the median value for at least 7 of the past 14 days.
\n
\nRecommended Action
\nFor consistently higher IOPS, you can use a Provisioned IOPS (SSD) volume. For bursty IOPS, you can use a General Purpose (SSD) volume. For more information, see Amazon EBS Volume Types.
\n
\nAdditional Resources
\nAmazon Elastic Block Store (Amazon EBS)", + "category": "performance", + "metadata": [ + "Region", + "Volume ID", + "Volume Name", + "Day 1", + "Day 2", + "Day 3", + "Day 4", + "Day 5", + "Day 6", + "Day 7", + "Day 8", + "Day 9", + "Day 10", + "Day 11", + "Day 12", + "Day 13", + "Day 14", + "Number of Days Over", + "Max Daily Median", + "Status" + ] + }, + { + "id": "796d6f3D83", + "name": "CloudFront Content Delivery Optimization", + "description": "Checks for cases where data transfer from Amazon Simple Storage Service (Amazon S3) buckets could be accelerated by using Amazon CloudFront, the AWS global content delivery service. When you configure CloudFront to deliver your content, requests for your content are automatically routed to the nearest edge location where content is cached, so it can be delivered to your users with the best possible performance. A high ratio of data transferred out to the data stored in the bucket indicates that you could benefit from using Amazon CloudFront to deliver the data. \n
\nTo estimate the retrieval activity of users, only data transferred by using a GET request is counted for this check. In addition, the transfer activity from the last 24 hours is not included. \n
\n
\nAlert Criteria
\nYellow: The amount of data transferred out of the bucket to your users by GET requests in the 30 days preceding the check is at least 25 times greater than the average amount of data stored in the bucket.
\nRed: The amount of data transferred out of the bucket to your users by GET requests in the 30 days preceding the check is at least 10 TB and at least 25 times greater than the average amount of data stored in the bucket.\n
\n
\nRecommended Action
\nConsider using CloudFront for better performance; see Amazon CloudFront Product Details. \n
\nIf the data transferred is 10 TB per month or more, see Amazon CloudFront Pricing to explore possible cost savings.\n
\n
\nAdditional Resources
\nAmazon CloudFront Developer Guide
\nAWS Case Study: PBS", + "category": "performance", + "metadata": [ + "Region", + "Bucket Name", + "S3 Storage (GB)", + "Data Transfer Out (GB)", + "Ratio of Transfer to Storage", + "Status" + ] + }, + { + "id": "51fC20e7I2", + "name": "Amazon Route 53 Latency Resource Record Sets", + "description": "Checks for Amazon Route 53 latency record sets that are configured inefficiently. To allow Amazon Route 53 to route queries to the region with the lowest network latency, you should create latency resource record sets for a particular domain name (such as example.com) in different regions. If you create only one latency resource record set for a domain name, all queries are routed to one region, and you pay extra for latency-based routing without getting the benefits.\n
\n
\nAlert Criteria\n
\nYellow: Only one latency resource record set is configured for a particular domain name.\n
\n
\nRecommended Action\n
\nIf you have resources in multiple regions, be sure to define a latency resource record set for each region; see Latency-Based Routing.
\nIf you have resources in only one region, consider creating resources in more than one region and define latency resource record sets for each; see Latency-Based Routing.
\nIf you don't want to use multiple regions, you should use a simple resource record set; see Working with Resource Record Sets.\n
\n
\nAdditional Resources\n
\nAmazon Route 53 Developer Guide
\nAmazon Route 53 Pricing", + "category": "cost_optimizing", + "metadata": [ + "Hosted Zone Name", + "Hosted Zone ID", + "Resource Record Set Name", + "Resource Record Set Type" + ] + }, + { + "id": "c9D319e7sG", + "name": "Amazon Route 53 MX Resource Record Sets and Sender Policy Framework", + "description": "For each MX resource record set, checks for a TXT resource record set that contains a corresponding SPF value. The SPF (Sender Policy Framework) value specifies the servers that are authorized to send email for your domain. This helps reduce spam by detecting and stopping email address spoofing. (Resource record sets that use the experimental SPF type are no longer recommended.)\n
\n
\nAlert Criteria\n
\nYellow: An MX resource record set does not have a TXT resource record set that contains a corresponding SPF value.\n

\nRecommended Action\n
\nFor each MX resource record set, create a TXT resource record set that contains an SPF value; see Sender Policy Framework: SPF Record Syntax and Creating Resource Record Sets By Using the Amazon Route 53 Console.\n

\nAdditional Information\n
\nSender Policy Framework (Wikipedia)
\nMX record (Wikipedia)", + "category": "security", + "metadata": [ + "Hosted Zone Name", + "Hosted Zone ID", + "Resource Record Set Name", + "Status" + ] + }, + { + "id": "b73EEdD790", + "name": "Amazon Route 53 Failover Resource Record Sets", + "description": "Checks for Amazon Route 53 failover resource record sets that are misconfigured. When Amazon Route 53 health checks determine that the primary resource is unhealthy, Amazon Route 53 responds to queries with a secondary, backup resource record set. You must create correctly configured primary and secondary resource record sets for failover to work.\n
\n
\nAlert Criteria
\nYellow: A primary failover resource record set does not have a corresponding secondary resource record set.
\nYellow: A secondary failover resource record set does not have a corresponding primary resource record set.
\nYellow: Primary and secondary resource record sets that have the same name are associated with the same health check.\n

\nRecommended Action
\nIf a failover resource set is missing, create the corresponding resource record set; see Creating Failover Resource Record Sets.
\nIf your resource record sets are associated with the same health check, create separate health checks for each one; see Creating, Updating, and Deleting Health Checks.\n
\n
\nAdditional Information
\nAmazon Route 53 Health Checks and DNS Failover", + "category": "fault_tolerance", + "metadata": [ + "Hosted Zone Name", + "Hosted Zone ID", + "Resource Record Set Name", + "Resource Record Set Type", + "Reason" + ] + }, + { + "id": "Cb877eB72b", + "name": "Amazon Route 53 Deleted Health Checks", + "description": "Checks for resource record sets that are associated with health checks that have been deleted. Amazon Route 53 does not prevent you from deleting a health check that is associated with one or more resource record sets. If you delete a health check without updating the associated resource record sets, the routing of DNS queries for your DNS failover configuration will not work as intended.\n
\n
\nAlert Criteria
\nYellow: A resource record set is associated with a health check that has been deleted.\n

\nRecommended Action
\nCreate a new health check and associate it with the resource record set; see Creating, Updating, and Deleting Health Checks and Adding Health Checks to Resource Record Sets.\n
\n
\nAdditional Information
\nAmazon Route 53 Health Checks and DNS Failover
\nHow Health Checks Work in Simple Amazon Route 53 Configurations", + "category": "fault_tolerance", + "metadata": [ + "Hosted Zone Name", + "Hosted Zone ID", + "Resource Record Set Name", + "Resource Record Set Type", + "Resource Record Set Identifier" + ] + }, + { + "id": "vjafUGJ9H0", + "name": "AWS CloudTrail Logging", + "description": "Checks for your use of AWS CloudTrail. CloudTrail provides increased visibility into activity in your AWS account by recording information about AWS API calls made on the account. You can use these logs to determine, for example, what actions a particular user has taken during a specified time period or which users have taken actions on a particular resource during a specified time period. Because CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have write permissions for the bucket. If a trail applies to all regions (the default when creating a new trail), the trail appears multiple times in the Trusted Advisor report.

\nAlert Criteria
\nYellow: CloudTrail reports log delivery errors for a trail.
\nRed: A trail has not been created for a region, or logging is turned off for a trail.\n

\nRecommended Action
\nTo create a trail and start logging from the console, go to the AWS CloudTrail console.
\nTo start logging, see Stopping and Starting Logging for a Trail.
\nIf you receive log delivery errors, check to make sure that the bucket exists and that the necessary policy is attached to the bucket; see Amazon S3 Bucket Policy.\n

\nAdditional Resources
\nAWS CloudTrail User Guide
\nSupported Regions
\nSupported Services", + "category": "security", + "metadata": [ + "Region", + "Trail Name", + "Logging Status", + "Bucket Name", + "Last Delivery Error", + "Status" + ] + }, + { + "id": "a2sEc6ILx", + "name": "ELB Listener Security", + "description": "Checks for load balancers with listeners that do not use recommended security configurations for encrypted communication. AWS recommends using a secure protocol (HTTPS or SSL), up-to-date security policies, and ciphers and protocols that are secure.
\nWhen you use a secure protocol for a front-end connection (client to load balancer), the requests are encrypted between your clients and the load balancer, which is more secure.
\nElastic Load Balancing provides predefined security policies with ciphers and protocols that adhere to AWS security best practices. New versions of predefined policies are released as new configurations become available.

\nAlert Criteria
\nYellow: A load balancer has no listener that uses a secure protocol (HTTPS or SSL).
\nYellow: A load balancer listener uses an outdated predefined SSL security policy.
\nYellow: A load balancer listener uses a cipher or protocol that is not recommended.
\nRed: A load balancer listener uses an insecure cipher or protocol.

\nRecommended Action\n\nFor more information, see Listener Configurations for Elastic Load Balancing.

\nAdditional Resources
\nListener Configurations Quick Reference
\nUpdate SSL Negotiation Configuration of Your Load Balancer
\nSSL Negotiation Configurations for Elastic Load Balancing
\nSSL Security Policy Table
\n", + "category": "security", + "metadata": [ + "Region", + "Load Balancer Name", + "Load Balancer Port", + "Status", + "Reason" + ] + }, + { + "id": "xSqX82fQu", + "name": "ELB Security Groups", + "description": "Checks for load balancers configured with a missing security group or a security group that allows access to ports that are not configured for the load balancer. If a security group associated with a load balancer is deleted, the load balancer does not work as expected. If a security group allows access to ports that are not configured for the load balancer, the risk of loss of data or malicious attacks increases.

\nAlert Criteria
\nYellow: The inbound rules of an Amazon VPC security group associated with a load balancer allow access to ports that are not defined in the load balancer's listener configuration.
\nRed: A security group associated with a load balancer does not exist.

\nRecommended Action
\nConfigure the security group rules to restrict access to only those ports and protocols that are defined in the load balancer listener configuration, plus the ICMP protocol to support Path MTU Discovery. See Listeners for Your Classic Load Balancer and Security Groups for Load Balancers in a VPC.
\nIf a security group is missing, apply a new security group to the load balancer. Create security group rules that restrict access to only those ports and protocols that are defined in the load balancer listener configuration. See Security Groups for Load Balancers in a VPC.

\nAdditional Resources
\nElastic Load Balancing User Guide
\nConfigure Your Classic Load Balancer", + "category": "security", + "metadata": [ + "Region", + "Load Balancer Name", + "Status", + "Security Group IDs", + "Reason" + ] + }, + { + "id": "xdeXZKIUy", + "name": "ELB Cross-Zone Load Balancing", + "description": "With Cross-zone load balancing turned off, there is a risk of service unavailability due to uneven distribution of traffic or backend overloading. This problem can occur when clients incorrectly cache DNS information, or when there are an unequal number of instances in each Availability Zone (for example, if you have taken down some instances for maintenance).\n

\nAlert Criteria
\nYellow: Cross-zone load balancing is not enabled for a load balancer.

\nRecommended Action
\nConfirm that the Amazon EC2 instances registered with the load balancer are launched in multiple Availability Zones, and then enable cross-zone load balancing for the load balancer. For more information, see Availability Zones and Regions and Enable or Disable Cross-Zone Load Balancing for Your Load Balancer.

\nAdditional Resources
\nRequest Routing
\nElastic Load Balancing Concepts", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Load Balancer Name", + "Status", + "Reason" + ] + }, + { + "id": "7qGXsKIUw", + "name": "ELB Connection Draining", + "description": "Checks for load balancers that do not have connection draining enabled. When connection draining is not enabled and you remove (deregister) an Amazon EC2 instance from a load balancer, the load balancer stops routing traffic to that instance and closes the connection. When connection draining is enabled, the load balancer stops sending new requests to the deregistered instance but keeps the connection open to serve active requests.

\nAlert Criteria
\nYellow: Connection draining is not enabled for a load balancer.

\nRecommended Action
\nEnable connection draining for the load balancer. For more information, see Connection Draining and Enable or Disable Connection Draining for Your Load Balancer.

\nAdditional Resources
\nElastic Load Balancing Concepts", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Load Balancer Name", + "Status", + "Reason" + ] + }, + { + "id": "N415c450f2", + "name": "CloudFront Header Forwarding and Cache Hit Ratio", + "description": "Checks the HTTP request headers that CloudFront currently receives from the client and forwards to your origin server. Some headers, such as Date or User-Agent, significantly reduce the cache hit ratio (the proportion of requests that are served from a CloudFront edge cache). This increases the load on your origin and reduces performance because CloudFront must forward more requests to your origin.
\n
\nAlert Criteria
\nYellow: One or more request headers that CloudFront forwards to your origin might significantly reduce your cache hit ratio.
\n
\nRecommended Action
\nConsider whether the request headers provide enough benefit to justify the negative effect on the cache hit ratio. If your origin returns the same object regardless of the value of a given header, we recommend that you don't configure CloudFront to forward that header to the origin. For more information, see Configuring CloudFront to Cache Objects Based on Request Headers.
\n
\nAdditional Resources
\nIncreasing the Proportion of Requests that Are Served from CloudFront Edge Caches
\nCloudFront Cache Statistics Reports
\nHTTP Request Headers and CloudFront Behavior", + "category": "performance", + "metadata": [ + "Status", + "Distribution ID", + "Distribution Domain Name", + "Cache Behavior Path Pattern", + "Headers" + ] + }, + { + "id": "N425c450f2", + "name": "CloudFront Custom SSL Certificates in the IAM Certificate Store", + "description": "Checks the SSL certificates for CloudFront alternate domain names in the IAM certificate store and alerts you if the certificate is expired, will soon expire, uses outdated encryption, or is not configured correctly for the distribution. When a custom certificate for an alternate domain name expires, browsers that display your CloudFront content might show a warning message about the security of your website. Certificates that are encrypted by using the SHA-1 hashing algorithm are being deprecated by web browsers such as Chrome and Firefox. If a certificate doesn't contain any domain names that match either Origin Domain Name or the domain name in the Host header of viewer requests, CloudFront returns an HTTP status code 502 (bad gateway) to the user. For more information, see Using Alternate Domain Names and HTTPS.
\n
\nAlert Criteria
\nRed: A custom SSL certificate is expired.
\nYellow: A custom SSL certificate expires in the next seven days.
\nYellow: A custom SSL certificate was encrypted by using the SHA-1 hashing algorithm.
\nYellow: One or more of the alternate domain names in the distribution don't appear either in the Common Name field or the Subject Alternative Names field of the custom SSL certificate.
\n
\nRecommended Action
\nRenew an expired certificate or a certificate that is about to expire.
\nReplace a certificate that was encrypted by using the SHA-1 hashing algorithm with a certificate that is encrypted by using the SHA-256 hashing algorithm.
\nReplace the certificate with a certificate that contains the applicable values in the Common Name or Subject Alternative Domain Names fields.
\n
\nAdditional Resources
\nUsing an HTTPS Connection to Access Your Objects", + "category": "security", + "metadata": [ + "Status", + "Distribution ID", + "Distribution Domain Name", + "Certificate Name", + "Reason" + ] + }, + { + "id": "N430c450f2", + "name": "CloudFront SSL Certificate on the Origin Server", + "description": "Checks your origin server for SSL certificates that are expired, about to expire, missing, or that use outdated encryption. If a certificate is expired, CloudFront responds to requests for your content with HTTP status code 502, Bad Gateway. Certificates that were encrypted by using the SHA-1 hashing algorithm are being deprecated by web browsers such as Chrome and Firefox. Depending on the number of SSL certificates that you have associated with your CloudFront distributions, this check might add a few cents per month to your bill with your web hosting provider, for example, AWS if you're using EC2 or ELB as the origin for your CloudFront distribution. This check does not validate your origin certificate chain or certificate authorities; you can check these in your CloudFront configuration.
\n
\nAlert Criteria
\nRed: An SSL certificate on your origin has expired or is missing.
\nYellow: An SSL certificate on your origin expires in the next seven days.
\nYellow: An SSL certificate on your origin was encrypted by using the SHA-1 hashing algorithm.
\nYellow: An SSL certificate on your origin can't be located. The connection might have failed due to timeout, unmatched CNAME and hostname, or other HTTPS connection problems.
\n
\nRecommended Action
\nRenew the certificate on your origin if it has expired or is about to expire.
\nAdd a certificate if one does not exist.
\nReplace a certificate that was encrypted by using the SHA-1 hashing algorithm with a certificate that is encrypted by using the SHA-256 hashing algorithm.
\n
\nAdditional Resources
\nUsing Alternate Domain Names and HTTPS", + "category": "security", + "metadata": [ + "Status", + "Distribution ID", + "Distribution Domain Name", + "Origin", + "Reason" + ] + }, + { + "id": "Bh2xRR2FGH", + "name": "Amazon EC2 to EBS Throughput Optimization", + "description": "Checks for Amazon EBS volumes whose performance might be affected by the maximum throughput capability of the Amazon EC2 instance they are attached to. \r\nTo optimize performance, you should ensure that the maximum throughput of an EC2 instance is greater than the aggregate maximum throughput of the attached EBS volumes. \r\nThis check computes the total EBS volume throughput for each five-minute period in the preceding day (UTC) for each EBS-optimized instance and alerts you if usage in more than half of those periods was greater than 95% of the maximum throughput of the EC2 instance.

\r\nAlert Criteria
Yellow: In the preceding day (UTC), the aggregate throughput (megabytes/sec) of the EBS volumes attached to the EC2 instance exceeded 95% of the published throughput between the instance and the EBS volumes more than 50% of time.

\r\nRecommended Action
Compare the maximum throughput of your EBS volumes \r\n(see Amazon EBS Volume Types) \r\nwith the maximum throughput of the EC2 instance they are attached to \r\n(see Instance Types That Support EBS Optimization). \r\nConsider attaching your volumes to an instance that supports higher throughput to EBS for optimal performance.

\r\nAdditional Resources
Amazon EBS Volume Types
\r\nAmazon EBS-Optimized Instances
\r\nMonitoring the Status of Your Volumes
\r\nAttaching an Amazon EBS Volume to an Instance
\r\nDetaching an Amazon EBS Volume from an Instance
\r\nDeleting an Amazon EBS Volume ", + "category": "performance", + "metadata": [ + "Region", + "Instance ID", + "Instance Type", + "Status", + "Time Near Maximum" + ] + }, + { + "id": "N420c450f2", + "name": "CloudFront Alternate Domain Names", + "description": "Checks Amazon CloudFront distributions for alternate domain names (CNAMES) that have incorrectly configured DNS settings. If a CloudFront distribution includes alternate domain names, the DNS configuration for the domains must route DNS queries to that distribution.
\n
\nAlert Criteria
\nRed: A CloudFront distribution includes alternate domain names, but the DNS configuration is not correctly set up with a CNAME record or an Amazon Route 53 alias resource record.
\nYellow: A CloudFront distribution includes alternate domain names, but Trusted Advisor could not evaluate the DNS configuration because there were too many redirects.
\nYellow: A CloudFront distribution includes alternate domain names, but Trusted Advisor could not evaluate the DNS configuration for some other reason, most likely because of a timeout.\n

\nRecommended Action
\nUpdate the DNS configuration to route DNS queries to the CloudFront distribution; see Using Alternate Domain Names (CNAMEs). If you're using Amazon Route 53 as your DNS service, see Routing Traffic to an Amazon CloudFront Web Distribution by Using Your Domain Name. If the check timed out, try refreshing the check.
\n
\nAdditional Resources
\nAmazon CloudFront Developer Guide", + "category": "performance", + "metadata": [ + "Status", + "Distribution ID", + "Distribution Domain Name", + "Alternate Domain Name", + "Reason" + ] + }, + { + "id": "DqdJqYeRm5", + "name": "IAM Access Key Rotation", + "description": "Checks for active IAM access keys that have not been rotated in the last 90 days. When you rotate your access keys regularly, you reduce the chance that a compromised key could be used without your knowledge to access resources. For the purposes of this check, the last rotation date and time is when the access key was created or most recently activated. The access key number and date come from the access_key_1_last_rotated and access_key_2_last_rotated information in the most recent IAM credential report. Because the regeneration frequency of a credential report is restricted, refreshing this check might not reflect recent changes (for details, see Getting Credential Reports for Your AWS Account).
\nIn order to create and rotate access keys, a user must have the appropriate permissions. For more information, see Allow Users to Manage Their Own Passwords, Access Keys, and SSH Keys.

\nAlert Criteria
\nGreen: The access key is active and has been rotated in the last 90 days.
\nYellow: The access key is active and has been rotated in the last 2 years, but more than 90 days ago.
\nRed: The access key is active and has not been rotated in the last 2 years.

\nRecommended Action
\nRotate access keys on a regular basis. See Rotating Access Keys and Managing Access Keys for IAM Users.

\nAdditional Resources
\nIAM Best Practices
\nHow to rotate access keys for IAM users (AWS blog)", + "category": "security", + "metadata": [ + "Status", + "IAM User", + "Access Key", + "Key Last Rotated", + "Reason" + ] + }, + { + "id": "12Fnkpl8Y5", + "name": "Exposed Access Keys", + "description": "Checks popular code repositories for access keys that have been exposed to the public and for irregular Amazon Elastic Compute Cloud (Amazon EC2) usage that could be the result of a compromised access key. An access key consists of an access key ID and the corresponding secret access key. Exposed access keys pose a security risk to your account and other users, could lead to excessive charges from unauthorized activity or abuse, and violate the AWS Customer Agreement. If your access key is exposed, take immediate action to secure your account. To protect your account from excessive charges, AWS temporarily limits your ability to create certain AWS resources when exposed access keys are identified. This does not make your account secure; it only partially limits the unauthorized usage for which you could be charged. Note: This check does not guarantee the identification of exposed access keys or compromised EC2 instances. You are ultimately responsible for the safety and security of your access keys and AWS resources.

\nIf a deadline is shown for an access key, AWS may suspend your AWS account if the unauthorized usage is not stopped by that date. If you believe an alert is in error, contact AWS Support.

\nThe information displayed in Trusted Advisor may not reflect the most recent state of your account. No exposed access keys are marked as resolved until all exposed access keys on the account have been resolved. This data synchronization can take up to one week.

\nAlert Criteria
\nRed: Potentially compromised - AWS has identified an access key ID and corresponding secret access key that have been exposed on the Internet and may have been compromised (used).
\nRed: Exposed - AWS has identified an access key ID and corresponding secret access key that have been exposed on the Internet.
\nRed: Suspected - Irregular Amazon EC2 usage indicates that an access key may have been compromised, but it has not been identified as exposed on the Internet.

\nRecommended Action
\nDelete the affected access key as soon as possible. If the key is associated with an IAM user, see Managing Access Keys for IAM Users.

\nCheck your account for unauthorized usage. Log in to the AWS Management Console and check each service console for suspicious resources. Pay special attention to running Amazon EC2 instances, Spot Instance requests, access keys, and IAM users. You can also check overall usage on the Billing & Cost Management Dashboard.

\nAdditional Resources
\nBest Practices for Managing AWS Access Keys
\nAWS Security Audit Guidelines", + "category": "security", + "metadata": [ + "Access Key ID", + "User Name (IAM or Root)", + "Fraud Type", + "Case ID", + "Time Updated", + "Location", + "Deadline", + "Usage (USD per Day)" + ] + }, + { + "id": "G31sQ1E9U", + "name": "Underutilized Amazon Redshift Clusters", + "description": "Checks your Amazon Redshift configuration for clusters that appear to be underutilized. If an Amazon Redshift cluster has not had a connection for a prolonged period of time or is using a low amount of CPU, you can use lower-cost options such as downsizing the cluster or shutting down the cluster and taking a final snapshot. Final snapshots are retained even after you delete your cluster.

\nAlert Criteria
\nYellow: A running cluster has not had a connection in the last 7 days.
\nYellow: A running cluster had less than 5% cluster-wide average CPU utilization for 99% of the last 7 days.

\nRecommended Action
\nConsider shutting down the cluster and taking a final snapshot, or downsizing the cluster. See Shutting Down and Deleting Clusters and Resizing a Cluster.

\nAdditional Resources
\nAmazon CloudWatch Developer Guide", + "category": "cost_optimizing", + "metadata": [ + "Status", + "Region", + "Cluster", + "Instance Type", + "Reason", + "Estimated Monthly Savings" + ] + }, + { + "id": "1e93e4c0b5", + "name": "Amazon EC2 Reserved Instance Lease Expiration", + "description": "Checks for Amazon EC2 Reserved Instances that are scheduled to expire within the next 30 days or have expired in the preceding 30 days. Reserved Instances do not renew automatically; you can continue using an EC2 instance covered by the reservation without interruption, but you will be charged On-Demand rates. New Reserved Instances can have the same parameters as the expired ones, or you can purchase Reserved Instances with different parameters.
\r\nThe estimated monthly savings we show is the difference between the On-Demand and Reserved Instance rates for the same instance type.

\r\nAlert Criteria
\r\nYellow: The Reserved Instance lease expires in less than 30 days.
\r\nYellow: The Reserved Instance lease expired in the preceding 30 days.

\r\nRecommended Action
\r\nConsider purchasing a new Reserved Instance to replace the one that is nearing the end of its term. For more information, see How to Purchase Reserved Instances and Buying Reserved Instances.

\r\nAdditional Resources
\r\nReserved Instances
\r\nInstance Types", + "category": "cost_optimizing", + "metadata": [ + "Status", + "Zone", + "Instance Type", + "Platform", + "Instance Count", + "Current Monthly Cost", + "Estimated Monthly Savings", + "Expiration Date", + "Reserved Instance ID", + "Reason" + ] + }, + { + "id": "R365s2Qddf", + "name": "Amazon S3 Bucket Versioning", + "description": "Checks for Amazon Simple Storage Service buckets that do not have versioning enabled, or have versioning suspended. When versioning is enabled, you can easily recover from both unintended user actions and application failures. Versioning allows you to preserve, retrieve, and restore any version of any object stored in a bucket. You can use lifecycle rules to manage all versions of your objects as well as their associated costs by automatically archiving objects to the Glacier storage class or removing them after a specified time period. You can also choose to require multi-factor authentication (MFA) for any object deletions or configuration changes to your buckets.

\nVersioning cannot be disabled after it has been enabled, but it can be suspended, which prevents new versions of objects from being created. Using versioning can increase your costs for Amazon S3, because you pay for storage of multiple versions of an object.

\nAlert Criteria
\nGreen: Versioning is enabled for the bucket.
\nYellow: Versioning is not enabled for the bucket.
\nYellow: Versioning is suspended for the bucket.

\nRecommended Action
\nEnable bucket versioning on most buckets to prevent accidental deletion or overwriting. See Using Versioning and Enabling Versioning Programmatically.

\nIf bucket versioning is suspended, consider reenabling versioning. For information on working with objects in a versioning-suspended bucket, see Managing Objects in a Versioning-Suspended Bucket.

\nWhen versioning is enabled or suspended, you can define lifecycle configuration rules to mark certain object versions as expired or to permanently remove unneeded object versions. For more information, see Object Lifecycle Management.

\nMFA Delete requires additional authentication when the versioning status of the bucket is changed or when versions of an object are deleted. It requires the user to enter credentials and a code from an approved authentication device. For more information, see MFA Delete.

\nAdditional Resources
\nWorking with Buckets", + "category": "fault_tolerance", + "metadata": [ + "Region", + "Bucket Name", + "Versioning", + "MFA Delete Enabled", + "Status" + ] + }, + { + "id": "0t121N1Ty3", + "name": "AWS Direct Connect Connection Redundancy", + "description": "Checks for regions that have only one AWS Direct Connect connection. Connectivity to your AWS resources should have two Direct Connect connections configured at all times to provide redundancy in case a device is unavailable.
\nNote: Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

\nAlert Criteria
\nYellow: The region has only one Direct Connect connection.

\nRecommended Action
\nConfigure an additional Direct Connect connection in this region to protect against device unavailability. For more information, see Configure Redundant Connections with AWS Direct Connect. To protect against site unavailability and add location redundancy, configure the additional Direct Connect connection to a different Direct Connect location.

\nAdditional Resources
\nGetting Started with AWS Direct Connect
\nAWS Direct Connect FAQs ", + "category": "fault_tolerance", + "metadata": [ + "Status", + "Region", + "Timestamp", + "Location", + "Connection ID" + ] + }, + { + "id": "8M012Ph3U5", + "name": "AWS Direct Connect Location Redundancy", + "description": "Checks for regions with one or more AWS Direct Connect connections and only one AWS Direct Connect location. Connectivity to your AWS resources should have Direct Connect connections configured to different Direct Connect locations to provide redundancy in case a location is unavailable.
\nNote: Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

\nAlert Criteria
\nYellow: The Direct Connect connections in the region are not configured to different locations.

\nRecommended Action
\nConfigure a Direct Connect connection that uses a different Direct Connect location to protect against location unavailability. For more information, see Getting Started with AWS Direct Connect.

\nAdditional Resources
\nGetting Started with AWS Direct Connect
\nAWS Direct Connect FAQs", + "category": "fault_tolerance", + "metadata": [ + "Status", + "Region", + "Timestamp", + "Location", + "Connection Details" + ] + }, + { + "id": "4g3Nt5M1Th", + "name": "AWS Direct Connect Virtual Interface Redundancy", + "description": "Checks for virtual private gateways with Direct Connect virtual interfaces (VIFs) that are not configured on at least two Direct Connect connections. Connectivity to your virtual private gateway should have multiple virtual interfaces configured across multiple Direct Connect connections and locations to provide redundancy in case a device or location is unavailable.
\nNote: Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

\nAlert Criteria
\nYellow: A virtual private gateway has less than two virtual interfaces, or the interfaces are not configured to multiple Direct Connect connections.

\nRecommended Action
\nConfigure at least two virtual interfaces that are configured to two Direct Connect connections to protect against device or location unavailability. See Create a Virtual Interface.

\nAdditional Resources
\nGetting Started with AWS Direct Connect
\nAWS Direct Connect FAQs \n
\nWorking With AWS Direct Connect Virtual Interfaces", + "category": "fault_tolerance", + "metadata": [ + "Status", + "Region", + "Timestamp", + "Gateway ID", + "Location for VIF", + "Connection ID for VIF" + ] + }, + { + "id": "xuy7H1avtl", + "name": "Amazon Aurora DB Instance Accessibility", + "description": "Checks for cases where an Amazon Aurora DB cluster has both private and public instances. When your primary instance fails, a replica can be promoted to a primary instance. If that replica is private, users who have only public access would no longer be able to connect to the database after failover. It's best practice for all the DB instances in a cluster to have the same accessibility.

\nAlert Criteria
\nYellow: The instances in an Aurora DB cluster have different accessibility (a mix of public and private).

\nRecommended Action
\nModify the Publicly Accessible setting of the instances in the DB cluster so that they are all either public or private. For details, see the instructions for MySQL instances at Modifying a DB Instance Running the MySQL Database Engine.

\nAdditional Resources
\nFault Tolerance for an Aurora DB Cluster", + "category": "fault_tolerance", + "metadata": [ + "Status", + "Region", + "Cluster", + "Public DB Instances", + "Private DB Instances", + "Reason" + ] + }, + { + "id": "ePs02jT06w", + "name": "Amazon EBS Public Snapshots", + "description": "Checks the permission settings for your Amazon Elastic Block Store (Amazon EBS) volume snapshots and alerts you if any snapshots are marked as public. When you make a snapshot public, you give all AWS accounts and users access to all the data on the snapshot. If you want to share a snapshot with particular users or accounts, mark the snapshot as private, and then specify the user or accounts you want to share the snapshot data with. Note: Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

\r\nAlert Criteria
\r\nRed: The EBS volume snapshot is marked as public.

\r\nRecommended Action
\r\nUnless you are certain you want to share all the data in the snapshot with all AWS accounts and users, modify the permissions: mark the snapshot as private, and then specify the accounts that you want to give permissions to. For more information, see Sharing an Amazon EBS Snapshot. Note: For temporary technical reasons, items in this check cannot be excluded from view in the Trusted Advisor console.

\r\nAdditional Resources
\r\nAmazon EBS Snapshots", + "category": "security", + "metadata": [ + "Status", + "Region", + "Volume ID", + "Snapshot ID", + "Description" + ] + }, + { + "id": "rSs93HQwa1", + "name": "Amazon RDS Public Snapshots", + "description": "Checks the permission settings for your Amazon Relational Database Service (Amazon RDS) DB snapshots and alerts you if any snapshots are marked as public. When you make a snapshot public, you give all AWS accounts and users access to all the data on the snapshot. If you want to share a snapshot with particular users or accounts, mark the snapshot as private, and then specify the user or accounts you want to share the snapshot data with. Note: Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

\r\nAlert Criteria
\r\nRed: The RDS snapshot is marked as public.

\r\nRecommended Action
\r\nUnless you are certain you want to share all the data in the snapshot with all AWS accounts and users, modify the permissions: mark the snapshot as private, and then specify the accounts that you want to give permissions to. For more information, see Sharing a DB Snapshot or DB Cluster Snapshot. Note: For temporary technical reasons, items in this check cannot be excluded from view in the Trusted Advisor console.

\r\nAdditional Resources
\r\nBacking Up and Restoring Amazon RDS DB Instances", + "category": "security", + "metadata": [ + "Status", + "Region", + "DB Instance or Cluster ID", + "Snapshot ID" + ] + }, + { + "id": "0Xc6LMYG8P", + "name": "EC2 On-Demand Instances", + "description": "Checks for usage that is more than 80% of the EC2 On-Demand Instances Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEC2 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "hJ7NN0l7J9", + "name": "SES Daily Sending Quota", + "description": "Checks for usage that is more than 80% of the SES Daily Sending Quota Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nSES Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "tV7YY0l7J9", + "name": "EBS Provisioned IOPS (SSD) Volume Aggregate IOPS", + "description": "Checks for usage that is more than 80% of the EBS Provisioned IOPS (SSD) Volume Aggregate IOPS Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEBS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "gI7MM0l7J9", + "name": "EBS Provisioned IOPS SSD (io1) Volume Storage", + "description": "Checks for usage that is more than 80% of the EBS Provisioned IOPS SSD (io1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEBS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "eI7KK0l7J9", + "name": "EBS Active Snapshots", + "description": "Checks for usage that is more than 80% of the EBS Active Snapshots Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEBS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "dH7RR0l6J9", + "name": "EBS General Purpose SSD (gp2) Volume Storage", + "description": "Checks for usage that is more than 80% of the EBS General Purpose SSD (gp2) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEBS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "cG7HH0l7J9", + "name": "EBS Magnetic (standard) Volume Storage", + "description": "Checks for usage that is more than 80% of the EBS Magnetic (standard) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEBS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "aW9HH0l8J6", + "name": "EC2-Classic Elastic IP Addresses", + "description": "Checks for usage that is more than 80% of the EC2-Classic Elastic IP Addresses Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEC2 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "iH7PP0l7J9", + "name": "EC2 Reserved Instance Leases", + "description": "Checks for usage that is more than 80% of the EC2 Reserved Instance Leases Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEC2 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "bW7HH0l7J9", + "name": "Kinesis Shards per Region", + "description": "Checks for usage that is more than 80% of the Kinesis Shards per Region Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nKinesis Streams Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "gW7HH0l7J9", + "name": "CloudFormation Stacks", + "description": "Checks for usage that is more than 80% of the CloudFormation Stacks Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nCloudFormation Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "aW7HH0l7J9", + "name": "Auto Scaling Launch Configurations", + "description": "Checks for usage that is more than 80% of the Auto Scaling Launch Configurations Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nAuto Scaling Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "fW7HH0l7J9", + "name": "Auto Scaling Groups", + "description": "Checks for usage that is more than 80% of the Auto Scaling Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nAuto Scaling Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "jL7PP0l7J9", + "name": "VPC", + "description": "Checks for usage that is more than 80% of the VPC Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nVPC Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "kM7QQ0l7J9", + "name": "VPC Internet Gateways", + "description": "Checks for usage that is more than 80% of the VPC Internet Gateways Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nVPC Gateway Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "lN7RR0l7J9", + "name": "EC2-VPC Elastic IP Address", + "description": "Checks for usage that is more than 80% of the EC2-VPC Elastic IP Address Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nVPC Elastic IP Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "nO7SS0l7J9", + "name": "IAM Instance Profiles", + "description": "Checks for usage that is more than 80% of the IAM Instance Profiles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nIAM Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "oQ7TT0l7J9", + "name": "IAM Roles", + "description": "Checks for usage that is more than 80% of the IAM Roles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nIAM Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "pR7UU0l7J9", + "name": "IAM Policies", + "description": "Checks for usage that is more than 80% of the IAM Policies Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nIAM Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "qS7VV0l7J9", + "name": "IAM Users", + "description": "Checks for usage that is more than 80% of the IAM Users Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nIAM Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "rT7WW0l7J9", + "name": "IAM Server Certificates", + "description": "Checks for usage that is more than 80% of the IAM Server Certificates Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nIAM Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "sU7XX0l7J9", + "name": "IAM Group", + "description": "Checks for usage that is more than 80% of the IAM Group Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nIAM Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "iK7OO0l7J9", + "name": "ELB Classic Load Balancers", + "description": "Checks for usage that is more than 80% of the ELB Classic Load Balancers. Application Load Balancers and Network Load Balancers have a separate limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nAWS Service Limits - Elastic Load Balancing default service limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "7fuccf1Mx7", + "name": "RDS Cluster Roles", + "description": "Checks for usage that is more than 80% of the RDS Cluster Roles Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "jtlIMO3qZM", + "name": "RDS Cluster Parameter Groups", + "description": "Checks for usage that is more than 80% of the RDS Cluster Parameter Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "gjqMBn6pjz", + "name": "RDS Clusters", + "description": "Checks for usage that is more than 80% of the RDS Clusters Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "UUDvOa5r34", + "name": "RDS Reserved Instances", + "description": "Checks for usage that is more than 80% of the RDS Reserved Instances Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "jEhCtdJKOY", + "name": "RDS Subnets per Subnet Group", + "description": "Checks for usage that is more than 80% of the RDS Subnets per Subnet Group Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "dYWBaXaaMM", + "name": "RDS Subnet Groups", + "description": "Checks for usage that is more than 80% of the RDS Subnet Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "3Njm0DJQO9", + "name": "RDS Option Groups", + "description": "Checks for usage that is more than 80% of the RDS Option Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "keAhfbH5yb", + "name": "RDS Event Subscriptions", + "description": "Checks for usage that is more than 80% of the RDS Event Subscriptions Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "dV84wpqRUs", + "name": "RDS DB Manual Snapshots", + "description": "Checks for usage that is more than 80% of the RDS DB Manual Snapshots Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "P1jhKWEmLa", + "name": "RDS Total Storage Quota", + "description": "Checks for usage that is more than 80% of the RDS Total Storage Quota Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "jEECYg2YVU", + "name": "RDS DB Parameter Groups", + "description": "Checks for usage that is more than 80% of the RDS DB Parameter Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "pYW8UkYz2w", + "name": "RDS Read Replicas per Master", + "description": "Checks for usage that is more than 80% of the RDS Read Replicas per Master Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "gfZAn3W7wl", + "name": "RDS DB Security Groups", + "description": "Checks for usage that is more than 80% of the RDS DB Security Groups Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "XG0aXHpIEt", + "name": "RDS DB Instances", + "description": "Checks for usage that is more than 80% of the RDS DB Instances Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "dBkuNCvqn5", + "name": "RDS Max Auths per Security Group", + "description": "Checks for usage that is more than 80% of the RDS Max Auths per Security Group Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRDS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "wH7DD0l3J9", + "name": "EBS Throughput Optimized HDD (st1) Volume Storage", + "description": "Checks for usage that is more than 80% of the EBS Throughput Optimized HDD (st1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEBS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "gH5CC0e3J9", + "name": "EBS Cold HDD (sc1) Volume Storage", + "description": "Checks for usage that is more than 80% of the EBS Cold HDD (sc1) Volume Storage Limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nEBS Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "6gtQddfEw6", + "name": "DynamoDB Read Capacity", + "description": "Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Reads per Account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nDynamoDB Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "c5ftjdfkMr", + "name": "DynamoDB Write Capacity", + "description": "Checks for usage that is more than 80% of the DynamoDB Provisioned Throughput Limit for Writes per Account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nDynamoDB Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "ru4xfcdfMr", + "name": "Route 53 Max Health Checks", + "description": "Checks for usage that is more than 80% of the Route 53 Health Checks Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRoute 53 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "dx3xfcdfMr", + "name": "Route 53 Hosted Zones", + "description": "Checks for usage that is more than 80% of the Route 53 Hosted Zones Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRoute 53 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "ty3xfcdfMr", + "name": "Route 53 Reusable Delegation Sets", + "description": "Checks for usage that is more than 80% of the Route 53 Reusable Delegation Sets Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRoute 53 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "dx3xfbjfMr", + "name": "Route 53 Traffic Policies", + "description": "Checks for usage that is more than 80% of the Route 53 Traffic Policies Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRoute 53 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "dx8afcdfMr", + "name": "Route 53 Traffic Policy Instances", + "description": "Checks for usage that is more than 80% of the Route 53 Traffic Policy Instances Limit per account. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nRoute 53 Limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "EM8b3yLRTr", + "name": "ELB Application Load Balancers", + "description": "Checks for usage that is more than 80% of the ELB Application Load Balancers Limit. Classic Load Balancers and Network Load Balancers have separate limits. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nAWS Service Limits - Elastic Load Balancing default service limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + }, + { + "id": "8wIqYSt25K", + "name": "ELB Network Load Balancers", + "description": "Checks for usage that is more than 80% of the ELB Network Load Balancers Limit. Classic Load Balancers and Application Load Balancers have separate limits. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes. In cases where limits have been recently increased, you may temporarily see utilization that exceeds the limit.
\n
\nAlert Criteria
\nYellow: 80% of limit reached.
\nRed: 100% of limit reached.
\nBlue: Trusted Advisor was unable to retrieve utilization or limits in one or more regions.
\n
\nRecommended Action
\nIf you anticipate exceeding a service limit, open a case in Support Center to request a limit increase.
\n
\nAdditional Resources
\nAWS Service Limits - Elastic Load Balancing default service limits", + "category": "service_limits", + "metadata": [ + "Region", + "Service", + "Limit Name", + "Limit Amount", + "Current Usage", + "Status" + ] + } + ] +} diff --git a/moto/support/responses.py b/moto/support/responses.py new file mode 100644 index 00000000..9b1d5f21 --- /dev/null +++ b/moto/support/responses.py @@ -0,0 +1,20 @@ +from __future__ import unicode_literals +from moto.core.responses import BaseResponse +from .models import support_backends +import json + + +class SupportResponse(BaseResponse): + SERVICE_NAME = "support" + + @property + def support_backend(self): + return support_backends[self.region] + + def describe_trusted_advisor_checks(self): + language = self._get_param("language") + checks = self.support_backend.describe_trusted_advisor_checks( + language=language, + ) + + return json.dumps({"checks": checks}) diff --git a/moto/support/urls.py b/moto/support/urls.py new file mode 100644 index 00000000..52633eef --- /dev/null +++ b/moto/support/urls.py @@ -0,0 +1,11 @@ +from __future__ import unicode_literals +from .responses import SupportResponse + +url_bases = [ + "https?://support.(.+).amazonaws.com", +] + + +url_paths = { + "{0}/$": SupportResponse.dispatch, +} diff --git a/moto/utilities/utils.py b/moto/utilities/utils.py index 6bd5e8b8..58e493ba 100644 --- a/moto/utilities/utils.py +++ b/moto/utilities/utils.py @@ -1,3 +1,4 @@ +import json import random import string @@ -8,3 +9,14 @@ def random_string(length=None): [random.choice(string.ascii_letters + string.digits) for i in range(n)] ) return random_str + + +def load_resource(filename): + """ + Open a file, and return the contents as JSON. + Usage: + from pkg_resources import resource_filename + load_resource(resource_filename(__name__, "resources/file.json")) + """ + with open(filename, "r") as f: + return json.load(f) 
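Review bot: In moto/support/responses.py, `describe_trusted_advisor_checks` passes `language` to the backend even when the request omits it, and the new server tests call the action without that parameter and still expect the check list. The real DescribeTrustedAdvisorChecks operation documents `language` as required (worth confirming against the AWS API reference), so the mock looks more permissive than the service, and client code that forgets the parameter would pass under moto but fail against AWS. Whether the backend in models.py rejects a missing value is not visible in this hunk. If it does not, either reject the request in this handler or record the gap with a comment such as `# NOTE: language is passed through unvalidated; a missing value is not rejected here`.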
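Review bot: The host pattern added to `url_bases` in moto/support/urls.py leaves its dots unescaped, so each `.` matches any character, and the `(.+)` group can span further dots and slashes. The mock can therefore intercept URLs that are not the Support endpoint, which hides mistakes in the endpoint a test is really calling. Escaping the literal dots costs nothing: `r"https?://support\.(.+)\.amazonaws\.com",`. If the loose form is deliberate, to stay consistent with other services, a one-line comment saying so would save the next reader from asking.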
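Review bot: `load_resource` in moto/utilities/utils.py opens the file with the platform's default text encoding, so a resource file that contains non-ASCII characters could fail to decode or decode differently on a host whose locale is not UTF-8. Pinning the encoding removes the dependency: `with io.open(filename, "r", encoding="utf-8") as f:` plus `import io` at the top of the module (`io.open` also works on Python 2, which the `unicode_literals` imports elsewhere in this change suggest is still supported). The docstring says the contents are returned "as JSON", but the function returns the parsed object. Since this is now a shared helper, the docstring should also state that `filename` is opened exactly as given, with no check that it points inside the package.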
diff --git a/tests/test_support/__init__.py b/tests/test_support/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/tests/test_support/test_server.py b/tests/test_support/test_server.py new file mode 100644 index 00000000..82f28156 --- /dev/null +++ b/tests/test_support/test_server.py 
@@ -0,0 +1,60 @@
+from __future__ import unicode_literals
+import sure # noqa
+
+import moto.server as server
+
+"""
+Test the different server responses for support
+"""
+
+
+def test_describe_trusted_advisor_checks_returns_check_names():
+ """
+ Check that the correct names of checks are returned
+ """
+
+ backend = server.create_backend_app("support")
+ test_client = backend.test_client()
+
+ res = test_client.get("/?Action=DescribeTrustedAdvisorChecks&Version=2015-12-01")
+
+ res.data.should.contain(b"Low Utilization Amazon EC2 Instances")
+ res.data.should.contain(b"ELB Application Load Balancers")
+
+
+def test_describe_trusted_advisor_checks_does_not_return_wrong_check_names():
+ """
+ Check that the wrong names of checks are not returned
+ """
+
+ backend = server.create_backend_app("support")
+ test_client = backend.test_client()
+
+ res = test_client.get("/?Action=DescribeTrustedAdvisorChecks&Version=2015-12-01")
+
+ res.data.doesnot.contain(b"Low Utilization Amazon Foo Instances")
+ res.data.doesnot.contain(b"ELB Application Bar Balancers")
+
+
+def test_describe_trusted_advisor_checks_returns_check_ids():
+ """
+ Check that some random ids of checks are returned
+ """
+ backend = server.create_backend_app("support")
+ test_client = backend.test_client()
+
+ res = test_client.get("/?Action=DescribeTrustedAdvisorChecks&Version=2015-12-01")
+ res.data.should.contain(b"DAvU99Dc4C")
+ res.data.should.contain(b"zXCkfM1nI3")
+
+
+def test_describe_trusted_advisor_checks_does_not_return_wrong_id():
+ """
+ Check that some wrong ids of checks are not returned
+ """
+ backend = server.create_backend_app("support")
+ test_client = backend.test_client()
+
+ res = test_client.get("/?Action=DescribeTrustedAdvisorChecks&Version=2015-12-01")
+ res.data.doesnot.contain(b"DAvU99DcBAR")
+ res.data.doesnot.contain(b"zXCkfM1nFOO")
diff --git a/tests/test_support/test_support.py b/tests/test_support/test_support.py
new file mode 100644
index 00000000..6f6b8418
--- /dev/null
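Review bot: The two negative tests in `test_server.py` (`..._does_not_return_wrong_check_names` and `..._does_not_return_wrong_id`) only assert that a string is absent from `res.data`, which is also true for an empty body or an error response, so they cannot fail if the endpoint breaks. Asserting the status first, e.g. `res.status_code.should.equal(200)`, and then checking the parsed `checks` list would make them meaningful. The triple-quoted string after the imports is not a module docstring because it does not come first in the file; move it to the top or turn it into a `#` comment.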
+++ b/tests/test_support/test_support.py
@@ -0,0 +1,45 @@
+from __future__ import unicode_literals
+
+import boto3
+import sure # noqa
+from moto import mock_support
+
+
+@mock_support
+def test_describe_trusted_advisor_checks_returns_amount_of_checks():
+ """
+ test that the 104 checks that are listed under trusted advisor currently
+ are returned
+ """
+ client = boto3.client("support", "us-east-1")
+ response = client.describe_trusted_advisor_checks(language="en",)
+
+ response["checks"].should.be.length_of(104)
+
+
+@mock_support
+def test_describe_trusted_advisor_checks_returns_an_expected_id():
+ """
+ test that a random check id is returned
+ """
+ client = boto3.client("support", "us-east-1")
+ response = client.describe_trusted_advisor_checks(language="en",)
+ check_ids = []
+ for check in response["checks"]:
+ check_ids.append(check["id"])
+
+ check_ids.should.contain("zXCkfM1nI3")
+
+
+@mock_support
+def test_describe_trusted_advisor_checks_returns_an_expected_check_name():
+ """
+ test that a random check name is returned
+ """
+ client = boto3.client("support", "us-east-1")
+ response = client.describe_trusted_advisor_checks(language="en",)
+ check_names = []
+ for check in response["checks"]:
+ check_names.append(check["name"])
+
+ check_names.should.contain("Unassociated Elastic IP Addresses")
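Review bot: `response["checks"].should.be.length_of(104)` in the first test pins the exact size of the bundled resource file, so any refresh of the Trusted Advisor data breaks the test without a behaviour change. A comment saying where 104 comes from, or an assertion on a lower bound combined with the known-id checks below, would be sturdier. The two collection loops can be written as comprehensions, e.g. `check_ids = [check["id"] for check in response["checks"]]`.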