Change log for AWS Trusted Advisor - AWS Support

Change log for AWS Trusted Advisor

See the following topic for recent changes to Trusted Advisor checks.

Note

If you use the Trusted Advisor console or the AWS Support API, checks that were removed won't appear in check results. If you use any of the removed checks such as specifying the check ID in an AWS Support API operation or your code, you must remove these checks to avoid API call errors.

For more information about the available checks, see the AWS Trusted Advisor check reference.

New fault tolerance check

Trusted Advisor added 1 Fault Tolerance check on February 29, 2024:

  • NLB - Internet-facing resource in private subnet

For more information, see the AWS Trusted Advisor check reference.

New fault tolerance check

Trusted Advisor added 1 Fault Tolerance check on January 31, 2024:

  • AWS Direct Connect Location Resiliency

For more information, see the AWS Trusted Advisor check reference.

Updated fault tolerance check

Trusted Advisor amended 1 Fault Tolerance check on January 08, 2024:

  • Amazon RDS innodb_flush_log_at_trx_commit parameter is not 1

For more information, see the AWS Trusted Advisor check reference.

Updated security check

Trusted Advisor amended 1 Security check on December 21, 2023:

  • AWS Lambda Functions Using Deprecated Runtimes

For more information, see the AWS Trusted Advisor check reference.

New security and performance checks

Trusted Advisor added 2 new Security checks and 2 new Performance checks on December 20, 2023:

  • Amazon EFS clients not using data-in-transit encryption

  • Amazon Aurora DB cluster under-provisioned for read workload

  • Amazon RDS instance under-provisioned for system capacity

  • Amazon EC2 instances with Ubuntu LTS end of standard support

For more information, see the AWS Trusted Advisor check reference.

New security check

Trusted Advisor added 1 new Security check on December 15, 2023:

  • Amazon Route 53 mismatching CNAME records pointing directly to S3 buckets

For more information, see the AWS Trusted Advisor check reference.

New fault tolerance and cost optimization checks

Trusted Advisor added 2 new Fault Tolerance checks and 1 new Cost Optimization check on December 07, 2023:

  • Amazon DocumentDB Single-AZ clusters

  • Amazon S3 Incomplete Multipart Upload Abort Configuration

  • Amazon ECS AWSLogs driver in blocking mode

For more information, see the AWS Trusted Advisor check reference.

New fault tolerance checks

Trusted Advisor added 3 new fault tolerance checks on November 17, 2023:

  • ALB Multi-AZ

  • NLB Multi-AZ

  • VPC interface endpoint network interfaces in multiple AZs

For more information, see the AWS Trusted Advisor check reference.

New checks for Amazon RDS

Trusted Advisor added 37 new checks for Amazon RDS on November 15, 2023.

For more information, see the AWS Trusted Advisor check reference.

New AWS Trusted Advisor API

AWS Trusted Advisor introduces new APIs to enable you to programmatically access Trusted Advisor best practice checks, recommendations, and prioritized recommendations. Trusted Advisor APIs enable you to programmatically integrate Trusted Advisor with your preferred operational tool to automate and optimize your workloads at scale. Available to Business, Enterprise On-Ramp, or Enterprise Support customers, the new APIs provide access to Trusted Advisor recommendations for your account or all the linked accounts within a payer account. Enterprise Support customers with access to management or delegated administrator accounts can additionally programmatically retrieve prioritized recommendations across their organization.

The new Trusted Advisor APIs will replace the 3 functionalities previously offered through AWS Support API (SAPI). SAPI will continue to offer case and other support information.

Trusted Advisor APIs are generally available in the US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Sydney), and Europe (Ireland) Regions.

To learn more, please visit the AWS Trusted Advisor API page.

Trusted Advisor check removal

Trusted Advisor removed the following checks on November 9, 2023.

Check name Check category Check ID

EBS volumes should be attached to EC2 instances

Security

Hs4Ma3G119

S3 buckets should have server-side encryption enabled

Security

Hs4Ma3G167

CloudFront distributions should have origin access identity enabled

Security

Hs4Ma3G195

Integration of AWS Config checks into Trusted Advisor

Trusted Advisor added 64 new checks powered by AWS Config on October 30, 2023.

For more information, see the View AWS Trusted Advisor checks powered by AWS Config.

New fault tolerance checks

Trusted Advisor added the following checks on October 12, 2023.

  • Amazon RDS ReplicaLag

  • Amazon RDS FreeStorageSpace

  • Amazon RDS DiskQueueDepth

  • Amazon Route 53 Resolver Endpoint Availability Zone Redundancy

  • Auto Scaling available IPs in Subnets

  • Amazon MSK brokers hosting too many partitions

For more information, see the Fault tolerance category.

New service limits check

Trusted Advisor added the following check on August 17, 2023.

  • Lambda Code Storage Usage

For more information, see the Service limits category.

New fault tolerance check

Trusted Advisor added the following check on August 3, 2023.

  • AWS Lambda On Failure Event Destinations

For more information, see the Fault tolerance category.

New fault tolerance and performance checks

Trusted Advisor added the following checks on June 1, 2023.

  • Amazon EFS No Mount Target Redundancy

  • Amazon EFS Throughput Mode Optimization

  • ActiveMQ Availability Zone Redundancy

  • RabbitMQ Availability Zone Redundancy

For more information, see the Fault tolerance category and Performance category.

New fault tolerance checks

Trusted Advisor added the following checks on May 16, 2023.

  • NAT Gateway AZ Independence

  • Single AZ Application Check

For more information, see the Fault tolerance category.

New fault tolerance checks

Trusted Advisor added the following checks on April 27, 2023.

  • Number of AWS Regions in an Incident Manager replication set

  • AWS Resilience Hub assessment age

For more information, see the Fault tolerance category.

Region Expansion of Amazon ECS Fault Tolerance Checks

Trusted Advisor expanded the following checks into additional regions on April 27, 2023. Trusted Advisor checks for Amazon ECS are now available in all regions where Amazon ECS is generally available.

  • Amazon ECS service using a single AZ

  • Amazon ECS Multi-AZ placement strategy

Regions expanded into include Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Europe (Milan), Europe (Spain), Europe (Zurich), Middle East (Bahrain), Middle East (UAE).

New fault tolerance checks

Trusted Advisor added the following checks on March 30, 2023.

  • Amazon ECS service using a single AZ

  • Amazon ECS Multi-AZ placement strategy

For more information, see the Fault tolerance category.

New fault tolerance checks

Trusted Advisor added the following checks on December 15, 2022.

  • AWS CloudHSM clusters running HSM instances in a single AZ

  • Amazon ElastiCache Multi-AZ clusters

  • Amazon MemoryDB Multi-AZ clusters

To receive results in Trusted Advisor for your AWS CloudHSM, ElastiCache, and MemoryDB clusters, you must have clusters in your Availability Zones. For more information, see the following documentation:

Trusted Advisor updated the following check information on December 15, 2022.

  • AWS Resilience Hub policy breached – App Name was updated to Application Name

  • AWS Resilience Hub resilience scores – App Name and App Resilience Score were updated to Application Name and Application Resilience Score

For more information, see the Fault tolerance category.

Updates to the Trusted Advisor integration with AWS Security Hub

Trusted Advisor made the following update on November 17, 2022.

If you disable Security Hub or AWS Config for an AWS Region, Trusted Advisor now removes your control findings for that AWS Region within 7-9 days. Previously, the time frame to remove your Security Hub data from Trusted Advisor was 90 days.

For more information, see the following sections in the Troubleshooting topic:

New fault tolerance checks for AWS Resilience Hub

Trusted Advisor added the following checks on November 17, 2022.

  • AWS Resilience Hub policy breached

  • AWS Resilience Hub resilience scores

You can use these checks to view the latest resilience policy status and resilience score for your applications. Resilience Hub provides you with a central place to define, track, and manage the resiliency and availability of your applications.

To receive results in Trusted Advisor for your Resilience Hub applications, you must deploy an AWS application and use Resilience Hub to track the resiliency posture of the application. For more information, see the AWS Resilience Hub User Guide.

To receive results in Trusted Advisor for your ElastiCache and MemoryDB clusters, you must have clusters in your Availability Zones. For more information, see the following documentation:

For more information, see the Fault tolerance category.

Update to the Trusted Advisor console

Trusted Advisor added the following change on November 16, 2022.

The Trusted Advisor Dashboard in the console is now Trusted Advisor Recommendations. The Trusted Advisor Recommendations page still shows the check results and the available checks for each category for your AWS account.

This name change only updates the Trusted Advisor console. You can continue to use the Trusted Advisor console and the Trusted Advisor operations in the AWS Support API as usual.

For more information, see Get started with Trusted Advisor Recommendations.

New checks for Amazon EC2

Trusted Advisor added the following check on September 1, 2022.

  • Amazon EC2 instances with Microsoft Windows Server end of support

For more information, see the Security category.

Added Security Hub checks to Trusted Advisor

As of June 23, 2022, Trusted Advisor only supports Security Hub controls available through April 7, 2022. This release supports all controls in the AWS Foundational Security Best Practices security standard except for controls in the Category: Recover > Resilience. For more information, see Viewing AWS Security Hub controls in AWS Trusted Advisor.

For a list of supported controls, see AWS Foundational Security Best Practices controls in the AWS Security Hub User Guide.

Added checks from AWS Compute Optimizer

Trusted Advisor added the following checks on May 4, 2022.

Check name Check category Check ID

Amazon EBS over-provisioned volumes

Cost optimization

COr6dfpM03

Amazon EBS under-provisioned volumes

Performance

COr6dfpM04

AWS Lambda over-provisioned functions for memory size

Cost optimization

COr6dfpM05

AWS Lambda under-provisioned functions for memory size

Performance

COr6dfpM06

You must opt in your AWS account for Compute Optimizer so that these checks can receive data from your Lambda and Amazon EBS resources. For more information, see Opt in AWS Compute Optimizer for Trusted Advisor checks.

Updates to the Exposed Access Keys check

Trusted Advisor updated the following check on April 25, 2022.

Check name Check category Check ID

Exposed Access Keys

Security

12Fnkpl8Y5

Trusted Advisor now refreshes this check for you automatically. This check can't be refreshed manually from the Trusted Advisor console or the AWS Support API. If your application or code refreshes this check for your AWS account, we recommend that you update it to no longer refresh this check. Otherwise, you will receive the InvalidParameterValue error.

Any access keys that you excluded before this update will no longer be excluded and will appear as affected resources. You can't exclude access keys from your check results. For more information, see Exposed Access Keys.

Note

If you created your AWS account after April 25, 2022, the check results for Exposed Access Keys initially shows the gray icon ( ) even for unexposed access keys. This means that Trusted Advisor hasn't identified any changes to the check.

If Trusted Advisor identifies a resource at risk, the status changes to the action recommended icon ( ). After you fix or delete the resource, the check result shows the check mark icon ( ).

Updated checks for AWS Direct Connect

Trusted Advisor updated the following checks on March 29, 2022.

Check name Check category Check ID

AWS Direct Connect Connection Redundancy

Fault tolerance

0t121N1Ty3

AWS Direct Connect Location Redundancy

Fault tolerance

8M012Ph3U5

AWS Direct Connect Virtual Interface Redundancy

Fault tolerance

4g3Nt5M1Th

  • The value for the Region column now shows the AWS Region code instead of the full name. For example, resources in US East (N. Virginia) will now have the us-east-1 value.

  • The value for the Time Stamp column now appears in the RFC 3339 format, such as 2022-03-30T01:02:27.000Z.

  • Resources that don't have any detected problems will now appear in the check table. These resources will have a check mark icon ( ) next to them.

    Previously, only resources that Trusted Advisor recommended that you investigate appeared in the table. These resources have a warning icon ( ) next to them.

AWS Security Hub controls added to the AWS Trusted Advisor console

AWS Trusted Advisor added 111 Security Hub controls to the Security category on January 18, 2022.

You can view your findings for Security Hub controls from the AWS Foundational Security Best Practices security standard. This integration doesn't include controls that have the Category: Recover > Resilience.

For more information about this feature, see Viewing AWS Security Hub controls in AWS Trusted Advisor.

New checks for Amazon EC2 and AWS Well-Architected

Trusted Advisor added the following checks on December 20, 2021.

  • Amazon EC2 instances consolidation for Microsoft SQL Server

  • Amazon EC2 instances over-provisioned for Microsoft SQL Server

  • Amazon EC2 instances with Microsoft SQL Server end of support

  • AWS Well-Architected high risk issues for cost optimization

  • AWS Well-Architected high risk issues for performance

  • AWS Well-Architected high risk issues for security

  • AWS Well-Architected high risk issues for reliability

For more information, see the AWS Trusted Advisor check reference.

Updated check name for Amazon OpenSearch Service

Trusted Advisor updated the name for the Amazon OpenSearch Service Reserved Instance Optimization check on September 8, 2021.

The check recommendations, category, and ID are the same.

Check name Check category Check ID

Amazon OpenSearch Service Reserved Instance Optimization

Cost optimization

7ujm6yhn5t

Note

If you use Trusted Advisor for Amazon CloudWatch metrics, the metric name for this check is also updated. For more information, see Creating Amazon CloudWatch alarms to monitor AWS Trusted Advisor metrics.

Added checks for Amazon Elastic Block Store volume storage

Trusted Advisor added the following checks on June 8, 2021.

Check name Check category Check ID

EBS General Purpose SSD (gp3) Volume Storage

Service limits

dH7RR0l6J3

EBS Provisioned IOPS SSD (io2) Volume Storage

Service limits

gI7MM0l7J2

Added checks for AWS Lambda

Trusted Advisor added the following checks on March 8, 2021.

Check name Check category Check ID

AWS Lambda Functions with Excessive Timeouts

Cost optimization

L4dfs2Q3C3

AWS Lambda Functions with High Error Rates

Cost optimization

L4dfs2Q3C2

AWS Lambda Functions Using Deprecated Runtimes

Security

L4dfs2Q4C5

AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy

Fault tolerance

L4dfs2Q4C6

For more information about how to use these checks with Lambda, see Example AWS Trusted Advisor workflow to view recommendations in the AWS Lambda Developer Guide.

Trusted Advisor check removal

Trusted Advisor removed the following check for the AWS GovCloud (US) Region on March 8, 2021.

Check name Check category Check ID

EC2 Elastic IP Addresses

Service limits

aW9HH0l8J6

Updated checks for Amazon Elastic Block Store

Trusted Advisor updated the unit of Amazon EBS volume from gibibyte (GiB) to tebibyte (TiB) for the following checks on March 5, 2021.

Note

If you use Trusted Advisor for Amazon CloudWatch metrics, the metric names for these five checks are also updated. For more information, see Creating Amazon CloudWatch alarms to monitor AWS Trusted Advisor metrics.

Check name Check category Check ID Updated CloudWatch metric for ServiceLimit

EBS Cold HDD (sc1) Volume Storage

Service limits

gH5CC0e3J9

Cold HDD (sc1) volume storage (TiB)

EBS General Purpose SSD (gp2) Volume Storage

Service limits

dH7RR0l6J9

General Purpose SSD (gp2) volume storage (TiB)

EBS Magnetic (standard) Volume Storage

Service limits

cG7HH0l7J9

Magnetic (standard) volume storage (TiB)

EBS Provisioned IOPS SSD (io1) Volume Storage

Service limits

gI7MM0l7J9

Provisioned IOPS (SSD) storage (TiB)

EBS Throughput Optimized HDD (st1) Volume Storage

Service limits

wH7DD0l3J9

Throughput Optimized HDD (st1) volume storage (TiB)

Trusted Advisor check removal

Note

Trusted Advisor removed the following checks on November 18, 2020.

Checks removed on November 18, 2020 Check category Check ID

EC2Config Service for EC2 Windows Instances

Fault tolerance

V77iOLlBqz

ENA Driver Version for EC2 Windows Instances

Fault tolerance

TyfdMXG69d

NVMe Driver Version for EC2 Windows Instances

Fault tolerance

yHAGQJV9K5

PV Driver Version for EC2 Windows Instances

Fault tolerance

Wnwm9Il5bG

EBS Active Volumes

Service limits

fH7LL0l7J9

Amazon Elastic Block Store no longer has a limit on the number of volumes that you can provision.

You can monitor your Amazon EC2 instances and verify they are up to date by using AWS Systems Manager Distributor, other third-party tools, or write your own scripts to return driver information for Windows Management Instrumentation (WMI).

Trusted Advisor check removal

Trusted Advisor removed the following check on February 18, 2020.

Check name Check category Check ID

Service Limits

Performance

eW7HH0l7J9