AWS Trusted Advisor provides real time guidance to help users provision their resources following AWS best practices. You can now create configurable, rule-based events for automated remediation actions based on AWS Trusted Advisor’s library of best-practice checks using Amazon EventBridge Rules.
The sample functions or solutions provided here are proposals for remediation, they need to be tailored to your unique business need and tested on your environment. These sample leverage either lambda functions to trigger remediation actions or SSM automation.
Here is the documentation you need to read to get familiar with this approach: Monitoring AWS Trusted Advisor check results with Amazon EventBridge
If you are looking for a different* approach leveraging remediation at the Amazon Security Hub level**, we recommend you to check this AWS Solution: Automated Security Response on AWS.
(*) Remediation actions provided here still apply.
(**) AWS Trusted Advisor is integrated by default into AWS Security Hub.
Setup and usage instructions are present for each tool in its respective directory:
| Check Type | Check Name | Comment |
| Cost Optimization | Underutilized Amazon EBS Volumes | |
| Cost Optimization | Low Utilization Amazon EC2 Instances | |
| Cost Optimization | Unassociated Elastic IP Addresses | |
| Cost Optimization | Idle Load Balancers | |
| Cost Optimization | Amazon RDS Idle DB Instances | |
| Cost Optimization | Underutilized Amazon Redshift Clusters | Switches cluster state from "Active" to "Paused" to stop compute billing |
| Cost Optimization | Amazon EC2 Reserved Instances Optimization | |
| Cost Optimization | Amazon EC2 Reserved Instance Lease Expiration | |
| Cost Optimization | Amazon Route 53 Latency Resource Record Sets | |
| Fault Tolerance | Amazon EBS Snapshots | Creates EBS Snapshots for EBS Volumes which do not have a snapshot or non recent snapshot |
| Fault Tolerance | Amazon RDS Backups | |
| Fault Tolerance | Amazon EC2 Availability Zone Balance | |
| Fault Tolerance | EC2Config Service for EC2 Windows Instances | |
| Fault Tolerance | PV Driver Version for EC2 Windows Instances | |
| Fault Tolerance | Amazon S3 Bucket Logging | |
| Fault Tolerance | Amazon S3 Bucket Versioning | |
| Fault Tolerance | Auto Scaling Group Health Check | |
| Fault Tolerance | ELB Connection Draining | |
| Fault Tolerance | Amazon RDS Multi-AZ | |
| Fault Tolerance | VPN Tunnel Redundancy | |
| Fault Tolerance | ELB Cross-Zone Load Balancing | |
| Fault Tolerance | Load Balancer Optimization | |
| Fault Tolerance | ENA Driver Version for EC2 Windows Instances | |
| Fault Tolerance | NVMe Driver Version for EC2 Windows Instances | |
| Fault Tolerance | Amazon Route 53 Name Server Delegations | |
| Fault Tolerance | AWS Direct Connect Location Redundancy | |
| Fault Tolerance | AWS Direct Connect Virtual Interface Redundancy | |
| Fault Tolerance | Amazon Route 53 Deleted Health Checks | |
| Fault Tolerance | Amazon Route 53 Failover Resource Record Sets | |
| Fault Tolerance | Amazon Aurora DB Instance Accessibility | |
| Fault Tolerance | AWS Direct Connect Connection Redundancy | |
| Fault Tolerance | Auto Scaling Group Resources | |
| Fault Tolerance | Amazon Route 53 High TTL Resource Record Sets | |
| Performance | CloudFront Alternate Domain Names | |
| Performance | Large Number of EC2 Security Group Rules Applied to an Instance | |
| Performance | Large Number of Rules in an EC2 Security Group | |
| Performance | Amazon Route 53 Alias Resource Record Sets | |
| Performance | Service Limits | |
| Performance | CloudFront Header Forwarding and Cache Hit Ratio | |
| Performance | Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration | |
| Performance | CloudFront Content Delivery Optimization | |
| Performance | Overutilized Amazon EBS Magnetic Volumes | |
| Performance | High Utilization Amazon EC2 Instances | |
| Performance | Amazon EC2 to EBS Throughput Optimization | |
| Security | Security Groups - Unrestricted Access | Please check remediation for "Security Groups - Specific Ports Unrestricted" Check |
| Security | AWS CloudTrail Logging | |
| Security | AWS Lambda Functions Using Deprecated Runtimes | Delete immutable published version and update runtime for $LATEST |
| Security | Security Groups - Specific Ports Unrestricted | Cleanup unused Security Groups or leverage AWS Firewall Manager and Security Group policy |
| Security | IAM Access Key Rotation | |
| Security | IAM Password Policy | |
| Security | Amazon S3 Bucket Permissions | |
| Security | ELB Listener Security | |
| Security | CloudFront SSL Certificate on the Origin Server | |
| Security | ELB Security Groups | |
| Security | Amazon Route 53 MX Resource Record Sets and Sender Policy Framework | |
| Security | IAM Use | |
| Security | MFA on Root Account | |
| Security | Exposed Access Keys | |
| Security | Amazon RDS Security Group Access Risk | |
| Security | Amazon EBS Public Snapshots | |
| Security | Amazon RDS Public Snapshots | |
| Security | CloudFront Custom SSL Certificates in the IAM Certificate Store | |
More information about Trusted Advisor is available here: https://aws.amazon.com/premiumsupport/trustedadvisor/