This chapter covers AWS Trusted Advisor and AWS Cost Explorer, two essential tools for cost optimization and operational excellence in the SOA-C02 exam. Trusted Advisor provides real-time guidance to provision resources following AWS best practices, while Cost Explorer enables you to visualize, understand, and manage your AWS costs and usage over time. Together, they account for approximately 5-8% of the exam questions, primarily in the Cost Management domain (Objective 6.2). Mastering these tools is critical for SysOps administrators who need to optimize spending and maintain a well-architected environment.
Jump to a section
Trusted Advisor is like a personal financial planner who periodically reviews your entire financial portfolio — investments, insurance, debt, and savings — against best practices. The planner doesn't execute trades but provides a checklist: 'You have too much credit card debt (overutilized RDS), you're missing an emergency fund (no MFA on root account), and you're paying for a gym membership you never use (idle load balancers).' The planner categorizes actions into green (on track), yellow (warning), and red (critical). You can schedule quarterly reviews (weekly checks) and customize which checks to run (enable/disable). In contrast, Cost Explorer is like your detailed monthly bank statement and spending analysis tool. It shows exactly where every dollar went — 'You spent $500 on AWS Lambda, $300 on EC2, and $200 on data transfer.' You can filter by date, service, or tag (like categorizing expenses as 'groceries' or 'entertainment'). Cost Explorer also provides forecasts: 'Based on your spending trend, next month you'll spend $1,200.' While the financial planner (Trusted Advisor) tells you if you're following best practices (e.g., 'you should have 6 months of expenses saved'), the bank statement (Cost Explorer) tells you the actual numbers and allows you to drill down into specific transactions. Both are essential: one for optimization guidance, the other for granular cost tracking and forecasting.
What is AWS Trusted Advisor?
AWS Trusted Advisor is an online tool that inspects your AWS environment and provides recommendations based on AWS best practices. It evaluates your account against five pillars: cost optimization, performance, security, fault tolerance, and service limits. Trusted Advisor continuously checks your resources — EC2 instances, RDS databases, S3 buckets, IAM configurations, and more — and compares them against proven best practices. The results are displayed as a dashboard with color-coded statuses: green (no issues detected), yellow (recommended investigation), and red (action recommended).
How Trusted Advisor Works Internally
Trusted Advisor operates through a set of predefined checks that run automatically. Each check evaluates a specific resource or configuration. For example, the 'Idle Load Balancers' check identifies Classic Load Balancers that have not had any traffic for a specified period (default 7 days). The check queries CloudWatch metrics (RequestCount) to determine if the sum of requests over the past 7 days is zero. Similarly, the 'Amazon RDS Idle DB Instances' check looks for RDS instances with zero connections for 7 days. The checks are performed by AWS internal services that aggregate data from CloudWatch, AWS Config, and other sources. The results are stored and displayed in the Trusted Advisor console. You can refresh checks manually (up to every 5 minutes for basic checks) or set up weekly email notifications.
Key Components of Trusted Advisor
Check Categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits.
Check Statuses: Green (no problem), Yellow (recommended investigation), Red (action recommended).
Service Limits: Displays current usage and limits for services like EC2, VPC, IAM, etc. Useful for avoiding throttling.
Recommendations: Each check provides a description, status, and recommended action. For example, 'Underutilized Amazon EBS Volumes' recommends deleting or snapshotting volumes with low I/O.
Refresh Interval: Basic checks refresh every 5 minutes; full checks may take longer. You can manually request a refresh.
Permissions: Only users with the AWSSupportAccess managed policy (or equivalent) can view Trusted Advisor recommendations. Full access requires AWSAccountManagementFullAccess or custom policies.
Configuring Trusted Advisor
To access Trusted Advisor: Sign in to the AWS Management Console, navigate to the Trusted Advisor dashboard. You can enable/disable specific checks via the 'Preferences' tab. For example, you might disable the 'Amazon Route 53 Alias Resource Record Sets' check if you don't use Route 53. You can also set up weekly email notifications for all checks or specific categories. To programmatically access recommendations, use the AWS Support API's DescribeTrustedAdvisorChecks and DescribeTrustedAdvisorCheckResult operations.
Example CLI command to list all checks:
aws support describe-trusted-advisor-checks --language enExample to get result for a specific check:
aws support describe-trusted-advisor-check-result --check-id <check-id> --language enNote: The AWS Support API requires the support:* permissions and is not available in the default IAM policy; you must attach the AWSSupportAccess policy.
What is AWS Cost Explorer?
AWS Cost Explorer is a tool that allows you to visualize, understand, and manage your AWS costs and usage. It provides a default cost and usage report with charts and tables. You can apply filters, group by dimensions (e.g., service, region, linked account), and view data at daily, monthly, or hourly granularity. Cost Explorer also provides cost forecasting for the next 12 months based on historical data. It is the primary tool for analyzing cost trends and identifying cost drivers.
How Cost Explorer Works Internally
Cost Explorer queries the AWS Cost and Usage Reports (CUR) data, which is generated from billing records. The data is stored in Amazon S3 and processed by AWS to create aggregated views. When you apply filters or groupings, Cost Explorer generates a query against the CUR data and returns results in near real-time. The tool supports up to 500 filter values in a single query. Data is available within 24 hours of incurring the cost, with a typical delay of 12-24 hours. Cost Explorer includes predefined reports like 'Monthly costs by service' and 'Daily costs for the last 3 months'. You can also create custom reports and save them for later.
Key Components of Cost Explorer
Default Views: Monthly costs by service, daily costs for last 3 months, etc.
Filters: By date, service, region, linked account, tag, cost category, or charge type.
Group By: Service, region, linked account, instance type, etc.
Advanced Options: Include/exclude discounts, blended costs, and amortized costs.
Forecasting: Uses machine learning to predict future costs up to 12 months. You can set a budget in AWS Budgets and receive alerts when costs exceed thresholds.
Savings Plans: Cost Explorer also shows coverage and utilization for Savings Plans and Reserved Instances.
Cost Categories: Custom groupings of costs based on tags, accounts, or services.
Configuring Cost Explorer
To enable Cost Explorer: Open the Billing and Cost Management console, choose Cost Explorer, and click 'Enable Cost Explorer'. The first time you enable it, data may take up to 24 hours to populate. You can then create reports by selecting date ranges, filters, and groupings. To share Cost Explorer data with other users, you must grant them ce:* permissions in IAM. For example, a policy allowing read-only access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:Describe*",
"ce:Get*",
"ce:List*"
],
"Resource": "*"
}
]
}Cost Explorer also integrates with AWS Budgets: you can create a budget based on a Cost Explorer report and receive alerts when actual or forecasted costs exceed a threshold.
Interaction Between Trusted Advisor and Cost Explorer
Trusted Advisor and Cost Explorer complement each other. Trusted Advisor identifies cost optimization opportunities (e.g., idle resources, reserved instance recommendations), while Cost Explorer provides the detailed cost data to quantify the savings. For example, Trusted Advisor might flag an underutilized EC2 instance, and Cost Explorer can show its exact cost over the last month. Together, they form a complete cost management workflow: identify inefficiencies (Trusted Advisor), analyze impact (Cost Explorer), and implement changes (e.g., terminate or resize instances).
Exam-Relevant Details
Trusted Advisor checks are specific: there are 115+ checks (as of 2025). The exam may ask about specific checks like 'Idle Load Balancers', 'Underutilized Amazon EBS Volumes', 'MFA on Root Account', 'S3 Bucket Permissions', 'Security Groups - Specific Ports Unrestricted', etc.
Cost Explorer data latency: up to 24 hours. This is a common exam point: you cannot see today's costs in real-time.
Cost Explorer supports hourly granularity for the last 14 days only; daily granularity is available for up to 1 year; monthly for up to 12 months.
Trusted Advisor recommendations are available for all AWS accounts, but full checks (including cost optimization) are only available to Business and Enterprise support plans. Basic and Developer plans get limited checks (service limits and some security checks).
The exam tests the difference between Cost Explorer and AWS Cost and Usage Reports (CUR). CUR provides the raw data, while Cost Explorer provides visualizations and queries.
Common CLI Commands for Trusted Advisor
# List all checks
aws support describe-trusted-advisor-checks --language en
# Get result for a specific check (e.g., check-id 'zXC0kxxxxxxx')
aws support describe-trusted-advisor-check-result --check-id zXC0kxxxxxxx --language en
# Refresh a check (requires support:RefreshTrustedAdvisorCheck permission)
aws support refresh-trusted-advisor-check --check-id zXC0kxxxxxxxCommon CLI Commands for Cost Explorer
# Get cost and usage for the last 3 months
aws ce get-cost-and-usage --time-period Start=2025-01-01,End=2025-04-01 --granularity MONTHLY --metrics BlendedCost --group-by Type=DIMENSION,Key=SERVICE
# Get cost forecast for next 3 months
aws ce get-cost-forecast --time-period Start=2025-04-01,End=2025-07-01 --granularity MONTHLY --metric BlendedCostBest Practices for SysOps
Enable Trusted Advisor notifications to receive weekly reports.
Use Cost Explorer to identify cost anomalies and set up AWS Budgets with alerts.
Regularly review Trusted Advisor's cost optimization checks (e.g., idle resources, underutilized instances, reserved instance recommendations).
Combine Trusted Advisor's recommendations with Cost Explorer data to prioritize actions based on potential savings.
For accounts with many resources, export Cost Explorer data to S3 for historical analysis using Athena or QuickSight.
Limitations
Trusted Advisor checks are not real-time; they refresh every ~5 minutes for basic checks and longer for full checks.
Cost Explorer does not include tax or credits in default views; you must enable 'Net unblended costs' in preferences.
Cost Explorer data is not available for the current day; wait at least 24 hours for complete data.
Trusted Advisor's full recommendations require Business or Enterprise support plan.
Enable Trusted Advisor and Cost Explorer
For Trusted Advisor, no explicit enablement is needed; it's automatically enabled for all accounts. However, full checks (cost optimization, performance, fault tolerance) require a Business or Enterprise support plan. For Cost Explorer, you must enable it in the Billing and Cost Management console. Go to 'Cost Explorer' and click 'Enable Cost Explorer'. It takes up to 24 hours for historical data to populate. IAM permissions: users need `ce:*` or specific read-only actions to view Cost Explorer data. For Trusted Advisor, attach the `AWSSupportAccess` managed policy.
Review Trusted Advisor Dashboard
Navigate to the Trusted Advisor console. The dashboard shows a summary of checks by category (Cost Optimization, Performance, Security, Fault Tolerance, Service Limits). Each category shows counts of green, yellow, and red checks. Click on a category to expand and see individual checks. For example, under 'Security', you might see 'MFA on Root Account' (red if not enabled). Each check provides a description, status, and recommended action. You can also manually refresh checks using the 'Refresh all checks' button or individual check refresh.
Analyze Cost Explorer Reports
In Cost Explorer, start with the default 'Monthly costs by service' report. Adjust the date range (e.g., last 6 months). Use filters to narrow down by region, linked account, or tag. Group by service to see which services cost the most. Apply advanced options like 'Amortized costs' for Reserved Instances or 'Net unblended costs' to exclude credits. Use the 'Forecast' tab to predict future costs. For granular analysis, use hourly granularity (only available for last 14 days). Save custom reports for recurring review.
Create AWS Budgets Based on Cost Explorer Data
From Cost Explorer, you can create a budget directly. Click 'Create budget' and choose 'Cost budget'. Set a monthly budget amount (e.g., $10,000). Define alert thresholds: for example, alert when actual costs exceed 80% of budget ($8,000) and forecasted costs exceed 100%. You can also create budgets based on specific filters (e.g., only production accounts). Budgets send email notifications or trigger actions (e.g., stop EC2 instances) via AWS Chatbot or SNS. Budgets are separate from Cost Explorer but tightly integrated.
Implement Trusted Advisor Recommendations
Identify red or yellow recommendations, such as 'Underutilized Amazon EBS Volumes'. For each recommendation, review the details: which resources are affected, the estimated monthly savings, and the recommended action. For EBS volumes, you might snapshot and delete unattached volumes or migrate to gp3. For idle RDS instances, consider stopping or resizing. Prioritize based on potential savings and risk. After implementing changes, refresh the Trusted Advisor check to confirm the status changes to green.
Monitor and Adjust Using Cost Explorer
After implementing cost-saving actions, monitor Cost Explorer to verify the expected cost reductions. Compare current month costs to previous months. Use the 'Daily costs' report to spot any unexpected spikes. If costs do not decrease as expected, investigate by drilling down into specific services or tags. Adjust budgets if necessary. Regularly review Trusted Advisor checks (weekly) and Cost Explorer reports (monthly) to maintain optimization.
In a large enterprise with hundreds of AWS accounts, a SysOps team uses Trusted Advisor and Cost Explorer to manage costs across the organization. The team sets up AWS Organizations with a master account that has a Business support plan, enabling full Trusted Advisor checks for all member accounts. They configure weekly email notifications to the cloud operations team for all cost optimization and security checks. For example, Trusted Advisor flags over 200 idle load balancers across multiple accounts, costing $5,000 per month. The team uses Cost Explorer to verify the cost impact by filtering by resource tags (e.g., 'Environment: dev') and confirms that most idle load balancers are in development accounts. They create a budget for development accounts with a 90% threshold alert. After deleting the idle load balancers, they monitor Cost Explorer to see a $4,500 monthly reduction. They also use Trusted Advisor's Reserved Instance recommendations to purchase 3-year all upfront RIs for steady-state EC2 instances, saving 40% compared to On-Demand. Cost Explorer's 'RI Utilization' report shows 95% utilization, confirming the purchase was effective.
Another scenario: A startup uses Cost Explorer to analyze costs by service and discovers that data transfer costs account for 30% of their monthly bill. They drill down into the 'Data Transfer' dimension and see that most costs are from inter-region data transfer between us-east-1 and eu-west-1. They decide to consolidate workloads into a single region or use VPC peering with private IPs to reduce costs. Trusted Advisor's 'Data Transfer' check (part of cost optimization) confirms that there are no CloudFront distributions or Direct Connect to optimize. They set up a budget alert to notify if data transfer costs exceed $2,000 per month. After moving some workloads, they see a 20% reduction in data transfer costs in Cost Explorer.
Common misconfigurations: A common mistake is not enabling Cost Explorer for new accounts, leaving the team blind to costs. Another is ignoring Trusted Advisor's service limits check: a team once hit the EC2 instance limit during a critical deployment because they hadn't checked the 'Service Limits' dashboard. Also, teams often forget to refresh Trusted Advisor checks manually after making changes, leading to outdated recommendations. Performance considerations: Cost Explorer queries can be slow for very large accounts with millions of line items; consider exporting data to S3 and using Athena for complex queries. Trusted Advisor checks are lightweight but can take several minutes to refresh for large environments.
The SOA-C02 exam tests Trusted Advisor and Cost Explorer in the Cost Management domain (Objective 6.2). Expect 3-5 questions that assess your ability to interpret recommendations and analyze cost data. The most common wrong answers involve confusing Cost Explorer with AWS Cost and Usage Reports (CUR). Candidates often choose 'Use CUR to create a cost report' when the question asks for a visualization tool; the correct answer is Cost Explorer because it provides charts and filters without needing to set up Athena. Another trap: assuming Trusted Advisor provides real-time data. The exam may ask about refresh intervals: basic checks refresh every 5 minutes, but full checks may take longer. Candidates incorrectly think it's instant. Also, many forget that full Trusted Advisor checks require Business or Enterprise support plan. A question might describe a scenario where an account has only Basic support and asks why cost optimization checks are missing; the correct answer is the support plan level.
Specific numbers to memorize:
Cost Explorer data latency: up to 24 hours.
Hourly granularity available only for the last 14 days.
Trusted Advisor checks: 115+ checks (but you don't need to memorize the count; know the categories).
Trusted Advisor refresh: every 5 minutes for basic checks, manual refresh possible.
Only Business and Enterprise support plans get full Trusted Advisor checks.
Edge cases: If a resource is newly created, Trusted Advisor may take up to 5 minutes to detect it. Cost Explorer may not show costs for the current day due to latency. The exam loves to test the difference between Cost Explorer and Budgets: Budgets are for alerts, Cost Explorer is for analysis. Another edge case: Trusted Advisor's 'Security Groups - Specific Ports Unrestricted' check flags security groups that allow unrestricted access (0.0.0.0/0) to ports like 22, 3389, etc. The exam might ask which port is considered high risk; common answer is SSH (22) or RDP (3389).
To eliminate wrong answers, focus on the mechanism: If the question is about historical cost analysis, Cost Explorer is the tool. If it's about best practice recommendations, Trusted Advisor is the tool. If it's about setting cost limits and alerts, it's AWS Budgets. Also, remember that Trusted Advisor recommendations are based on AWS best practices, not user-defined thresholds. A question might present a custom threshold scenario (e.g., 'I want to be alerted when my S3 bucket is publicly accessible'); that's more suited to AWS Config, not Trusted Advisor. Trusted Advisor checks are predefined.
Trusted Advisor provides best practice recommendations; it does not automatically fix issues.
Cost Explorer data has a latency of up to 24 hours; current day costs are not visible.
Full Trusted Advisor checks (cost optimization, fault tolerance, performance) require Business or Enterprise support plan.
Cost Explorer supports hourly granularity only for the last 14 days; daily for 1 year; monthly for 12 months.
Trusted Advisor checks refresh every 5 minutes for basic checks; manual refresh is available.
Use Cost Explorer for cost analysis and AWS Budgets for cost alerts.
Trusted Advisor's 'Service Limits' check shows current usage and limits for services like EC2, VPC, IAM.
These come up on the exam all the time. Here's how to tell them apart.
AWS Trusted Advisor
Provides best practice recommendations across five categories: cost optimization, performance, security, fault tolerance, service limits.
Checks are predefined by AWS; you cannot create custom checks.
Requires Business or Enterprise support plan for full checks.
Refreshes every ~5 minutes for basic checks; manual refresh available.
Output is a dashboard with color-coded statuses (green/yellow/red) and recommended actions.
AWS Cost Explorer
Provides cost and usage visualization and analysis.
Allows custom filters, groupings, and saved reports.
Available to all accounts with no support plan requirement.
Data latency up to 24 hours; near real-time queries on historical data.
Output is charts, tables, and forecasts; can export to CSV or S3.
Mistake
Trusted Advisor provides real-time recommendations.
Correct
Trusted Advisor checks refresh every 5 minutes for basic checks and longer for full checks. Recommendations are not real-time; there is a delay of several minutes.
Mistake
Cost Explorer shows current day costs instantly.
Correct
Cost Explorer data has a latency of up to 24 hours. You cannot see today's costs; the most recent data is from yesterday.
Mistake
All AWS accounts have full Trusted Advisor checks.
Correct
Only accounts with Business or Enterprise support plans have access to all Trusted Advisor checks (including cost optimization and fault tolerance). Basic and Developer plans see limited checks (service limits and some security).
Mistake
Trusted Advisor can automatically fix issues it detects.
Correct
Trusted Advisor only provides recommendations. It does not automatically apply changes. You must manually implement the suggested actions.
Mistake
Cost Explorer can be used to set cost alerts.
Correct
Cost Explorer is for analysis and visualization. To set cost alerts, you need AWS Budgets. However, you can create a budget from within Cost Explorer.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Cost optimization checks in Trusted Advisor are only available to accounts with a Business or Enterprise support plan. If you have a Basic or Developer plan, you will only see service limits and some security checks. To enable full checks, upgrade your support plan.
Trusted Advisor refreshes basic checks (like security and service limits) approximately every 5 minutes. Full checks may take longer. You can manually refresh any check by clicking the refresh button or using the AWS Support API's `RefreshTrustedAdvisorCheck` operation.
Cost Explorer is a visualization tool that provides charts, tables, and forecasts based on pre-aggregated data. CUR provides raw, detailed billing data in CSV format that you can query with Athena or other tools. Cost Explorer is easier for quick analysis; CUR is for advanced custom reporting.
No. Cost Explorer data has a latency of up to 24 hours. The most recent data available is from yesterday. For up-to-date cost tracking, use AWS Budgets with actual cost alerts, but note that budgets also have some delay.
Users need the `AWSSupportAccess` managed policy or equivalent permissions to view Trusted Advisor recommendations. This policy grants `support:Describe*` and `support:RefreshTrustedAdvisorCheck` actions. Without these, the Trusted Advisor console will show an error.
You can set up weekly email notifications from the Trusted Advisor dashboard. Go to 'Preferences' and choose which categories to receive notifications for. You can also use the AWS Support API to programmatically retrieve check results and integrate with your monitoring system.
By default, Cost Explorer shows unblended costs, which include taxes and exclude credits. You can change the view to 'Net unblended costs' to exclude taxes, or 'Amortized costs' to spread upfront fees for Reserved Instances. Go to 'Preferences' in Cost Explorer to adjust.
You've just covered Trusted Advisor and Cost Explorer — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?