This chapter covers AWS Trusted Advisor, a service that provides real-time guidance to help you provision your resources following AWS best practices. For the CLF-C02 exam, Trusted Advisor is a key topic under Domain 4: Billing, Pricing, and Support (Objective 4.3 – Identify AWS services for billing and cost management). This objective typically represents about 12% of the exam. Understanding Trusted Advisor helps you answer questions about cost optimization, security checks, and support tier capabilities. We will explore what Trusted Advisor does, how it works, its five categories of checks, and how to use it effectively.
Imagine you own a large commercial building. You have tenants (your applications), utilities (compute, storage, databases), and safety systems (security groups, IAM). You want to ensure everything runs efficiently, safely, and cost-effectively. You hire a building inspector who walks through every floor, checks for fire hazards (security risks), looks for leaking pipes (underutilized resources), examines utility bills for waste (cost optimization), and tests backup generators (fault tolerance). The inspector doesn't fix anything—they just give you a detailed report with recommendations. AWS Trusted Advisor is exactly that inspector for your AWS environment. It continuously scans your AWS resources against AWS best practices and produces a dashboard of checks across five categories: cost optimization, performance, security, fault tolerance, and service limits. Just as a building inspector uses a checklist of building codes, Trusted Advisor uses a set of rules defined by AWS engineers. It doesn't automatically remediate issues (unless you use AWS Systems Manager Automation with it), but it flags problems like 'You have 10 idle EC2 instances costing $500/month' or 'Your S3 bucket is publicly accessible.' You then decide whether to act. The analogy holds because both inspectors are proactive—they find issues before they become disasters—and both provide actionable recommendations tailored to your specific setup.
What is AWS Trusted Advisor and the Problem It Solves
AWS Trusted Advisor is an online tool that inspects your AWS environment and provides recommendations to help you follow AWS best practices. It acts as a personalized cloud consultant that continuously evaluates your resources across five pillars: cost optimization, performance, security, fault tolerance, and service limits. The problem it solves is the complexity of managing a large AWS infrastructure. Without Trusted Advisor, you would need to manually review each resource—EC2 instances, RDS databases, S3 buckets, IAM policies, etc.—to find inefficiencies, security gaps, or potential failures. This is tedious and error-prone, especially as your environment grows. Trusted Advisor automates this inspection, surfacing issues in a centralized dashboard.
How It Works – The Mechanism
Trusted Advisor works by running a set of predefined checks against your AWS resources. Each check is a rule that evaluates a specific condition. For example, one check looks for EC2 instances that are idle (low CPU utilization) and recommends stopping or rightsizing them. Another check scans S3 buckets for public read/write access. The checks are executed periodically (typically every 24 hours) and results are displayed in the Trusted Advisor console. The service uses AWS APIs to gather data about your resources—it does not require agents or additional software. It categorizes results into three statuses: green (no problems detected), yellow (recommendation to investigate), and red (action recommended). For each red or yellow item, Trusted Advisor provides a description, estimated cost savings (for cost checks), and a link to take action.
Key Tiers, Configurations, and Pricing Models
Trusted Advisor is available at no additional cost for all AWS accounts, but the number of checks you can access depends on your AWS Support plan:
Basic Support (Free): You get access to the Service Limits check only. This check shows your current usage and limits for services like EC2, VPC, IAM, etc.
Developer Support: Same as Basic – Service Limits only.
Business Support: Full access to all Trusted Advisor checks across all five categories. This is the most common plan for production workloads.
Enterprise On-Ramp Support: Full access, plus programmatic access via AWS Support API.
Enterprise Support: Full access, plus programmatic access and integration with AWS Systems Manager Automation to automatically remediate some findings.
For the CLF-C02 exam, remember that full Trusted Advisor checks require a Business or Enterprise support plan. The free tier only gives you service limits. This is a frequent exam trap.
Comparison to On-Premises or Competing Approaches
In an on-premises data center, you might use monitoring tools like Nagios or SolarWinds to check server health, but these typically focus on performance and uptime, not cost optimization or security best practices. Trusted Advisor is unique because it combines cost, security, performance, and fault tolerance in one view. A competing AWS service is AWS Compute Optimizer, which focuses specifically on rightsizing EC2 instances and Auto Scaling groups using machine learning. Trusted Advisor provides simpler, rule-based recommendations, while Compute Optimizer offers more detailed, ML-driven suggestions. For security, AWS Security Hub aggregates findings from multiple security services (like GuardDuty, Inspector, Macie) and provides a broader security posture. Trusted Advisor's security checks are more basic (e.g., open ports, IAM use). Trusted Advisor is best as a starting point for quick wins.
When to Use Trusted Advisor vs Alternatives
Use Trusted Advisor when you need a quick, high-level overview of your AWS environment's health. It's ideal for:
- New AWS users who want to ensure they are following best practices.
- Regular cost reviews – the cost optimization checks can identify idle resources, underutilized instances, and reserved instance opportunities.
- Pre-deployment checks – run Trusted Advisor before launching a production workload to catch common mistakes.
- Monthly audits – many organizations run Trusted Advisor reports monthly as part of their governance.
For deeper analysis, use AWS Compute Optimizer for instance rightsizing, AWS Security Hub for comprehensive security, and AWS Health Dashboard for service health events. Trusted Advisor complements these services.
Detailed Walkthrough of Trusted Advisor Categories
Cost Optimization: Checks for idle EC2 instances, underutilized EBS volumes, unassociated Elastic IP addresses, and opportunities to purchase Reserved Instances. It estimates potential monthly savings. For example, if you have an m5.large instance running 24/7 with 5% CPU utilization, Trusted Advisor flags it as underutilized and suggests a smaller instance type.
Performance: Checks for over-utilized instances (high CPU), over-provisioned EBS volumes, and EC2 instances that could benefit from a better instance type. Also checks CloudFront for alternative SSL certificates.
Security: Checks for security groups with unrestricted access (0.0.0.0/0) to specific ports like SSH (22) or RDP (3389), S3 buckets with public read/write access, IAM key rotation, and MFA on the root account. This is critical for exam questions about security best practices.
Fault Tolerance: Checks for resources that lack redundancy, such as EC2 instances in a single Availability Zone, RDS databases without Multi-AZ, and missing EBS snapshots. Also checks for Auto Scaling groups that have only one instance.
Service Limits: Shows your current usage against AWS service limits (e.g., number of VPCs, number of EC2 instances, number of IAM roles). This is the only category available in the free tier.
How to Access and Use Trusted Advisor
You can access Trusted Advisor via the AWS Management Console under the 'Trusted Advisor' section. The dashboard shows a summary of all checks with counts of green, yellow, and red items. Clicking a category expands the list. Each check has an 'Action' link that may take you directly to the relevant service console. For example, clicking an idle EC2 instance check might open the EC2 console with that instance selected. You can also download reports in CSV or PDF format. For programmatic access, use the AWS Support API (requires Business or Enterprise support). There is no separate Trusted Advisor command group in the AWS CLI covered here; the `aws support` CLI commands let you describe checks and refresh them.
Limitations and Considerations
Trusted Advisor checks are refreshed about every 24 hours. You can manually refresh a check, but there is a rate limit.
Some checks require specific resource configurations to be evaluated. For example, the 'Idle EC2 Instances' check only looks at instances that have been running for at least 7 days.
Trusted Advisor does not automatically fix issues unless you use AWS Systems Manager Automation with Enterprise support. You must manually apply recommendations.
Trusted Advisor is a global service: it aggregates data from all regions into one view. However, some checks (like service limits) are evaluated and reported per region.
Exam Relevance
For CLF-C02, you need to know:
The five categories of Trusted Advisor checks.
That full checks require Business or Enterprise support.
That the free tier only includes service limits.
That Trusted Advisor provides cost optimization recommendations with estimated savings.
That it can help with security by flagging open security groups and public S3 buckets.
That it is not a replacement for AWS Config (which tracks configuration changes) or Security Hub (which aggregates security findings).
Access the Trusted Advisor Dashboard
Log in to the AWS Management Console. In the top search bar, type 'Trusted Advisor' and select the service. The dashboard appears, showing a summary of all checks across five categories. For first-time users, you may see a welcome screen. The dashboard displays the number of green (no problem), yellow (recommendation), and red (action recommended) items. You can filter by category. This is the central view for all recommendations. Note that if you are on a Basic or Developer support plan, you will only see the 'Service Limits' category; other categories will show a lock icon with a message to upgrade.
Review Cost Optimization Checks
Click on the 'Cost Optimization' category. Trusted Advisor lists checks like 'Idle EC2 Instances', 'Underutilized Amazon EBS Volumes', 'Unassociated Elastic IP Addresses', and 'Amazon RDS Idle DB Instances'. Each check shows the number of resources affected, estimated monthly savings, and a status. Click on a specific check, e.g., 'Idle EC2 Instances'. You'll see a table of instances with metrics like average CPU utilization and network I/O. Trusted Advisor marks instances with CPU under 10% and network under 5 MB for 7 days as idle. It recommends stopping or rightsizing. The estimated savings are calculated based on the instance's hourly cost.
Investigate Security Recommendations
Navigate to the 'Security' category. Common checks include 'Security Groups – Specific Ports Unrestricted', 'Amazon S3 Bucket Permissions', 'IAM Use', and 'MFA on Root Account'. For example, the 'Security Groups – Specific Ports Unrestricted' check lists security group rules that allow inbound traffic from 0.0.0.0/0 on ports like 22 (SSH), 3389 (RDP), or 3306 (MySQL). Click on the check to see the specific security group IDs and the ports. The recommendation is to restrict access to specific IP addresses. This is a high-priority finding because it exposes your instances to the internet. The check also shows the region and VPC.
Examine Fault Tolerance Checks
Click 'Fault Tolerance'. Checks include 'Amazon EC2 Availability Zone Balance', 'Amazon RDS Backups', 'Amazon EBS Snapshots', and 'Auto Scaling Group Health Check'. For instance, 'Amazon EC2 Availability Zone Balance' checks if your EC2 instances are distributed across multiple Availability Zones. If all instances are in one AZ, Trusted Advisor warns you to spread them out to avoid a single point of failure. Another check, 'Amazon RDS Backups', verifies that automated backups are enabled for RDS instances. If disabled, it flags the instance. These checks help ensure your architecture is resilient.
Check Service Limits
The 'Service Limits' category shows your current usage against AWS service limits. For example, it lists the number of VPCs in each region compared to the default limit (5 per region). It also shows EC2 instance limits, IAM role limits, etc. This is the only category available in the free tier. If you are near a limit (e.g., 80% usage), Trusted Advisor marks it yellow. If you have exceeded a limit (e.g., you have 6 VPCs when the limit is 5), it shows red. You can request a limit increase directly from the check by clicking the link. This helps prevent service disruptions.
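As an added example that is not part of this chapter or AWS's own code, the following Python script re-implements three of the checks walked through above (Idle EC2 Instances, Security Groups – Specific Ports Unrestricted, and Service Limits) as rule-based functions over a constructed sample environment, using the thresholds the chapter states, and rolls them up into the green/yellow/red dashboard view described under 'How It Works'. The sample prices and resource IDs, the 30-day month, treating ::/0 like 0.0.0.0/0, and reading 'at the limit' as red are assumptions of the example.

```python
"""Toy re-implementation of three Trusted Advisor-style checks over constructed sample data."""
from collections import namedtuple

GREEN, YELLOW, RED = "green", "yellow", "red"
SEVERITY = {GREEN: 0, YELLOW: 1, RED: 2}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}  # ports named in the chapter
ANYWHERE = {"0.0.0.0/0", "::/0"}  # assumption: the IPv6 any-address counts as unrestricted too
Finding = namedtuple("Finding", "check status resource detail")

def check_idle_instances(instances, hourly_price):
    """Idle EC2 rule from the chapter: running >= 7 days, avg CPU < 10 % and avg network < 5 MB."""
    out = []
    for inst in instances:
        if inst["uptime_days"] < 7:
            continue  # too new to evaluate, as the chapter notes
        if inst["avg_cpu_pct"] < 10 and inst["avg_network_mb"] < 5:
            monthly = round(hourly_price[inst["type"]] * 24 * 30, 2)  # 30-day month assumed
            out.append(Finding("Idle EC2 Instances", YELLOW, inst["id"],
                               f"est. ${monthly}/month if stopped"))
    return out

def check_open_security_groups(rules):
    """Security Groups - Specific Ports Unrestricted: any-source ingress on a sensitive port."""
    return [Finding("Security Groups - Specific Ports Unrestricted", RED, r["sg"],
                    f"port {r['port']} ({SENSITIVE_PORTS[r['port']]}) open to {r['cidr']}")
            for r in rules if r["cidr"] in ANYWHERE and r["port"] in SENSITIVE_PORTS]

def check_service_limits(usage):
    """Service Limits: yellow from 80 % of the limit, red once the limit is reached (assumed) or exceeded."""
    out = []
    for u in usage:
        ratio = u["used"] / u["limit"]
        status = RED if ratio >= 1.0 else YELLOW if ratio >= 0.8 else GREEN
        if status != GREEN:  # only yellow/red items are listed as findings
            out.append(Finding("Service Limits", status, f"{u['service']}/{u['region']}",
                               f"{u['used']} of {u['limit']} used"))
    return out

def run_checks(instances, sg_rules, usage, hourly_price):
    """Dashboard view: one status per check (worst finding wins) plus the full finding list."""
    findings = (check_idle_instances(instances, hourly_price)
                + check_open_security_groups(sg_rules) + check_service_limits(usage))
    checks = dict.fromkeys(["Idle EC2 Instances",
                            "Security Groups - Specific Ports Unrestricted", "Service Limits"], GREEN)
    for f in findings:
        if SEVERITY[f.status] > SEVERITY[checks[f.check]]:
            checks[f.check] = f.status
    return {"checks": checks, "findings": findings}

# Constructed sample environment (not real account data); prices are illustrative only.
HOURLY_PRICE = {"m5.large": 0.096, "t3.micro": 0.0104}
INSTANCES = [
    {"id": "i-0aaa", "type": "m5.large", "uptime_days": 30, "avg_cpu_pct": 4.0, "avg_network_mb": 1.2},
    {"id": "i-0bbb", "type": "m5.large", "uptime_days": 30, "avg_cpu_pct": 55.0, "avg_network_mb": 800.0},
    {"id": "i-0ccc", "type": "t3.micro", "uptime_days": 2, "avg_cpu_pct": 1.0, "avg_network_mb": 0.1},
]
SG_RULES = [
    {"sg": "sg-0dev", "port": 22, "cidr": "0.0.0.0/0"},     # SSH from anywhere: flagged
    {"sg": "sg-0web", "port": 443, "cidr": "0.0.0.0/0"},    # HTTPS is not on the sensitive list
    {"sg": "sg-0db", "port": 3306, "cidr": "10.0.0.0/16"},  # MySQL restricted to the VPC
]
USAGE = [
    {"service": "VPC", "region": "us-east-1", "used": 6, "limit": 5},      # exceeded: red
    {"service": "VPC", "region": "eu-west-1", "used": 4, "limit": 5},      # 80 %: yellow
    {"service": "IAM roles", "region": "global", "used": 100, "limit": 1000},
]

if __name__ == "__main__":
    dash = run_checks(INSTANCES, SG_RULES, USAGE, HOURLY_PRICE)
    for name, status in dash["checks"].items():
        print(f"{status.upper():6} {name}")
    for f in dash["findings"]:
        print(f"  [{f.status}] {f.resource}: {f.detail}")
```

Note that, like the real service, the script only reports; nothing is stopped or modified.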
Scenario 1: Startup Cost Optimization
A startup launched a web application on AWS using several EC2 instances and an RDS database. After a few months, they noticed their AWS bill was higher than expected. They had Business Support, so they accessed Trusted Advisor. The Cost Optimization category showed they had three idle EC2 instances that were left running after a previous test, costing $150/month. It also flagged an underutilized RDS db.t2.medium instance that could be downsized to db.t2.small, saving another $50/month. The startup stopped the idle instances and modified the RDS instance. They also saw a recommendation to purchase a Reserved Instance for their production EC2 instance, which would save 40% over On-Demand pricing. By acting on these recommendations, they reduced their monthly bill by $250. Without Trusted Advisor, they might have missed these savings for months.
Scenario 2: Security Audit for Compliance
A financial services company needed to comply with PCI DSS, which requires strict network access controls. Their security team used Trusted Advisor's Security checks to identify security groups with unrestricted inbound access. They found three security groups that allowed SSH from 0.0.0.0/0. One was a development server that had been mistakenly left open. Another was a legacy group that was no longer in use. They also found an S3 bucket with public read access containing log files. The team immediately restricted the security group rules to specific IP addresses and made the S3 bucket private. They also enabled MFA on the root account after Trusted Advisor flagged it. This proactive check prevented potential data breaches and helped pass their compliance audit.
Scenario 3: High Availability for E-commerce
An e-commerce platform experienced downtime during a promotion because all their EC2 instances were in a single Availability Zone. After the incident, they reviewed Trusted Advisor's Fault Tolerance checks. The dashboard showed a red alert for 'EC2 Availability Zone Balance' and 'Auto Scaling Group Health Check'. They reconfigured their Auto Scaling group to launch instances in two additional AZs and set up an Application Load Balancer. They also enabled RDS Multi-AZ for their database. Trusted Advisor then showed green for these checks. This architecture prevented future outages. However, they initially ignored Trusted Advisor's warnings because they thought it was just a suggestion. The downtime cost them thousands in lost sales. This highlights the importance of acting on Trusted Advisor's recommendations.
What CLF-C02 Tests on This Objective
The exam tests your understanding of AWS Trusted Advisor as a tool for cost optimization and best practices under Domain 4: Billing, Pricing, and Support (Objective 4.3). You need to know:
The five categories of checks: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits.
That full access to all checks requires a Business or Enterprise support plan.
That the free tier only provides Service Limits checks.
That Trusted Advisor provides recommendations, not automatic remediation (unless using AWS Systems Manager Automation with Enterprise support).
That it can estimate cost savings for idle or underutilized resources.
That it can identify security risks like open security groups and public S3 buckets.
Common Wrong Answers and Why Candidates Choose Them
'Trusted Advisor automatically fixes issues.' Candidates choose this because they assume AWS services are fully automated. Reality: Trusted Advisor only recommends; you must manually take action. The only exception is with AWS Systems Manager Automation, but that's an advanced feature not typically tested.
'Trusted Advisor is available to all support plans with full features.' Candidates see 'free' and assume everything is free. Reality: Only Service Limits is free; full checks require Business or Enterprise.
'Trusted Advisor replaces AWS Config.' Candidates confuse configuration tracking (AWS Config) with best-practice recommendations (Trusted Advisor). AWS Config records resource changes; Trusted Advisor checks current state against best practices.
'Trusted Advisor provides real-time alerts for every change.' Candidates think it's a monitoring tool. Reality: Checks refresh every ~24 hours, not real-time.
Specific Terms and Values That Appear on the Exam
Service Limits: The only check in free tier.
Business Support: Minimum plan for full Trusted Advisor.
Cost Optimization: Category that includes idle instances, underutilized EBS volumes, unassociated Elastic IPs.
Security: Category that checks for open security groups, public S3 buckets, IAM key rotation, MFA on root.
Fault Tolerance: Category that checks for single-AZ resources, missing backups.
Performance: Category that checks for over-utilized instances, CloudFront SSL.
Tricky Distinctions
Trusted Advisor vs AWS Compute Optimizer: Both recommend rightsizing, but Compute Optimizer uses ML and provides more granular recommendations. Trusted Advisor is rule-based. Exam may ask which service to use for 'quick, rule-based cost checks' vs 'ML-driven recommendations'.
Trusted Advisor vs AWS Security Hub: Security Hub aggregates findings from multiple security services; Trusted Advisor has its own basic security checks. If the question mentions 'aggregated security findings from GuardDuty, Inspector, etc.,' the answer is Security Hub, not Trusted Advisor.
Decision Rule for Multiple-Choice Questions
If the question asks about a service that 'provides best-practice recommendations for cost, security, and fault tolerance' and mentions 'support plan,' think Trusted Advisor. If it mentions 'continuous monitoring of resource configurations' or 'compliance auditing,' think AWS Config. If it mentions 'ML-based rightsizing,' think Compute Optimizer. If it mentions 'centralized security findings,' think Security Hub.
Trusted Advisor provides best-practice recommendations across five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.
Full access to all Trusted Advisor checks requires a Business or Enterprise support plan; the free tier only includes Service Limits.
Trusted Advisor does not automatically remediate issues; you must manually apply recommendations.
Cost Optimization checks can identify idle EC2 instances, underutilized EBS volumes, and unassociated Elastic IPs with estimated monthly savings.
Security checks flag security groups with unrestricted access, public S3 buckets, IAM key rotation issues, and missing MFA on root accounts.
Fault Tolerance checks help ensure high availability by identifying single-AZ resources and missing backups.
Trusted Advisor is not a replacement for AWS Config (configuration history) or AWS Compute Optimizer (ML-based rightsizing).
You can access Trusted Advisor via the AWS Management Console or programmatically via the AWS Support API (requires Business or Enterprise).
These come up on the exam all the time. Here's how to tell them apart.
AWS Trusted Advisor
Rule-based checks using AWS best practices.
Covers five categories: cost, performance, security, fault tolerance, service limits.
Available with Business or Enterprise support for full features.
Provides estimated cost savings for idle/underutilized resources.
Does not use machine learning; simple threshold-based.
AWS Compute Optimizer
Machine learning-based recommendations for EC2, Auto Scaling, and EBS.
Focuses only on compute optimization (rightsizing).
Available to all accounts at no extra cost.
Provides detailed metrics and utilization history.
Generates recommendations based on historical usage patterns.
AWS Trusted Advisor
Basic security checks (open ports, public S3, IAM use, MFA on root).
Part of a broader best-practice tool covering cost, performance, etc.
Does not aggregate findings from other security services.
Available with Business or Enterprise support.
Checks are simple and rule-based.
AWS Security Hub
Aggregates security findings from multiple AWS services (GuardDuty, Inspector, Macie, etc.).
Provides a comprehensive security posture score.
Integrates with custom security standards and frameworks.
Available to all accounts with a free tier (up to 30 days of findings).
Uses automated compliance checks based on CIS benchmarks.
Mistake
Trusted Advisor is a free service with all features available to everyone.
Correct
Only the Service Limits check is free. Full access to all five categories requires a Business or Enterprise support plan. This is a common exam trap.
Mistake
Trusted Advisor automatically resolves issues it finds.
Correct
Trusted Advisor only provides recommendations. You must manually take action, such as stopping an EC2 instance or modifying a security group. Automatic remediation is possible only with AWS Systems Manager Automation and Enterprise support, but that is an advanced integration.
Mistake
Trusted Advisor checks are real-time and update instantly.
Correct
Checks are refreshed approximately every 24 hours. You can manually request a refresh, but there is a rate limit. It is not a real-time monitoring tool.
Mistake
Trusted Advisor can be used to track configuration changes over time.
Correct
That is the job of AWS Config. Trusted Advisor takes a point-in-time snapshot and compares it against best practices. It does not track history of changes.
Mistake
Trusted Advisor only covers cost optimization.
Correct
It covers five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. Cost is just one pillar.
AWS Trusted Advisor is a service that inspects your AWS environment and provides recommendations to help you follow AWS best practices. It checks resources across five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. It identifies issues like idle instances, open security groups, and missing backups, and provides estimated cost savings where applicable. It is available in the AWS Management Console and requires a Business or Enterprise support plan for full access. For the CLF-C02 exam, remember that the free tier only gives you Service Limits checks.
AWS Trusted Advisor is included with your AWS account at no additional cost, but the level of access depends on your support plan. With Basic (free) or Developer support, you only get the Service Limits check. With Business, Enterprise On-Ramp, or Enterprise support, you get full access to all checks. There is no separate fee for Trusted Advisor itself; it is a feature of your support plan. For the exam, know that full checks require Business or Enterprise.
No, Trusted Advisor only provides recommendations. You must manually take action, such as stopping an EC2 instance or modifying a security group. However, if you have Enterprise Support, you can integrate Trusted Advisor with AWS Systems Manager Automation to automatically remediate some findings. This is an advanced feature and not typically tested on the CLF-C02 exam. The exam expects you to know that Trusted Advisor is advisory only.
The five categories are: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. Cost Optimization identifies idle or underutilized resources to save money. Performance checks for over-utilized resources. Security flags open access and missing best practices. Fault Tolerance ensures redundancy and backups. Service Limits shows your usage against AWS limits. Memorize these five categories for the exam.
Yes, you can access Trusted Advisor programmatically using the AWS Support API. This requires a Business, Enterprise On-Ramp, or Enterprise support plan. You can use the AWS CLI with commands like `aws support describe-trusted-advisor-checks` to list checks and `aws support refresh-trusted-advisor-check` to refresh a check. For the exam, know that programmatic access is available with paid support plans.
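The programmatic path described here and under 'How to Access and Use Trusted Advisor', as an added example that is not code from AWS or this chapter: summarize() works offline on a constructed sample shaped like the responses of the Support API's describe_trusted_advisor_checks and describe_trusted_advisor_check_summaries calls, fetch_live() makes the real calls with boto3 and handles the SubscriptionRequiredException an account without a Business or Enterprise plan receives, and refresh_check() surfaces the refresh rate limit the chapter mentions. The check IDs, names and counts in the sample are constructed.

```python
"""Summarise Trusted Advisor results returned by the AWS Support API (added example, not AWS code)."""
from collections import defaultdict

# Support API status strings map onto the console colours the chapter describes.
COLOUR = {"ok": "green", "warning": "yellow", "error": "red", "not_available": "grey"}

def summarize(checks, summaries):
    """Roll per-check summaries up by category: colour counts, names of red checks,
    flagged-resource totals and the cost category's estimated monthly savings."""
    by_id = {c["id"]: c for c in checks}
    report = defaultdict(lambda: {"green": 0, "yellow": 0, "red": 0, "grey": 0, "flagged": 0,
                                  "red_checks": [], "estimated_monthly_savings": 0.0})
    for s in summaries:
        check = by_id.get(s["checkId"])
        if check is None:
            continue  # summary for a check we did not list (e.g. a stale ID); skip it
        cat = report[check["category"]]
        colour = COLOUR.get(s["status"], "grey")
        cat[colour] += 1
        cat["flagged"] += s.get("resourcesSummary", {}).get("resourcesFlagged", 0)
        if colour == "red":
            cat["red_checks"].append(check["name"])
        cost = s.get("categorySpecificSummary", {}).get("costOptimizing")
        if cost:
            cat["estimated_monthly_savings"] += cost.get("estimatedMonthlySavings", 0.0)
    return dict(report)

def fetch_live(client=None):
    """Make the real Support API calls (us-east-1 endpoint). Returns (checks, summaries),
    or None when the account's support plan does not include the API."""
    import boto3  # imported here so the offline sample below runs without boto3 installed
    from botocore.exceptions import ClientError
    client = client or boto3.client("support", region_name="us-east-1")
    try:
        checks = client.describe_trusted_advisor_checks(language="en")["checks"]
        summaries = client.describe_trusted_advisor_check_summaries(
            checkIds=[c["id"] for c in checks])["summaries"]
        return checks, summaries
    except ClientError as e:
        if e.response["Error"]["Code"] == "SubscriptionRequiredException":
            return None  # Basic/Developer plans: only the console's Service Limits view is available
        raise

def refresh_check(client, check_id):
    """Request a refresh; the response carries the rate limit the chapter mentions,
    i.e. how long until this check may be refreshed again. Returns (status, seconds)."""
    st = client.refresh_trusted_advisor_check(checkId=check_id)["status"]
    return st["status"], st["millisUntilNextRefreshable"] / 1000

# Constructed sample shaped like the two describe_* responses; IDs and counts are made up.
SAMPLE_CHECKS = [
    {"id": "sample-1", "name": "Idle EC2 Instances", "category": "cost_optimizing"},
    {"id": "sample-2", "name": "Security Groups - Specific Ports Unrestricted", "category": "security"},
    {"id": "sample-3", "name": "Amazon RDS Backups", "category": "fault_tolerance"},
    {"id": "sample-4", "name": "MFA on Root Account", "category": "security"},
]
SAMPLE_SUMMARIES = [
    {"checkId": "sample-1", "status": "warning", "resourcesSummary": {"resourcesFlagged": 3},
     "categorySpecificSummary": {"costOptimizing": {"estimatedMonthlySavings": 150.0,
                                                    "estimatedPercentMonthlySavings": 12.5}}},
    {"checkId": "sample-2", "status": "error", "resourcesSummary": {"resourcesFlagged": 3}},
    {"checkId": "sample-3", "status": "ok", "resourcesSummary": {"resourcesFlagged": 0}},
    {"checkId": "sample-4", "status": "error", "resourcesSummary": {"resourcesFlagged": 1}},
]

if __name__ == "__main__":
    for category, r in summarize(SAMPLE_CHECKS, SAMPLE_SUMMARIES).items():
        print(f"{category:16} red={r['red']} yellow={r['yellow']} green={r['green']} "
              f"flagged={r['flagged']} savings=${r['estimated_monthly_savings']:.2f}")
        for name in r["red_checks"]:
            print(f"    action recommended: {name}")
```

Replace the sample with the tuple returned by fetch_live() to run it against a real account on a Business or Enterprise plan.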
Trusted Advisor provides best-practice recommendations by inspecting your current resource configuration against AWS rules. It is a point-in-time assessment. AWS Config records configuration changes over time and allows you to evaluate resources against custom rules. Trusted Advisor is for quick wins and cost savings; AWS Config is for compliance and change tracking. On the exam, if the question mentions 'configuration history' or 'compliance rules,' the answer is AWS Config.
Trusted Advisor refreshes its checks approximately every 24 hours. You can manually request a refresh from the console or via the API, but there is a rate limit. It is not real-time. For the exam, know that checks are not instantaneous.