Manage access to AWS Trusted Advisor - AWS Support

Manage access to AWS Trusted Advisor

You can access AWS Trusted Advisor from the AWS Management Console. All AWS accounts have access to a select set of core Trusted Advisor checks. If you have a Business, Enterprise On-Ramp, or Enterprise Support plan, you can access all checks. For more information, see AWS Trusted Advisor check reference.

You can use AWS Identity and Access Management (IAM) to control access to Trusted Advisor.

Permissions for the Trusted Advisor console

To access the Trusted Advisor console, a user must have a minimum set of permissions. These permissions must allow the user to list and view details about the Trusted Advisor resources in your AWS account.

You can use the following options to control access to Trusted Advisor:

  • Use the tag filter feature of the Trusted Advisor console. The user or role must have permissions associated with the tags.

    You can use AWS managed policies or custom policies to assign permissions by tags. For more information, see Controlling access to and for IAM users and roles using tags.

  • Create an IAM policy with the trustedadvisor namespace. You can use this policy to specify permissions for actions and resources.

When you create a policy, you can specify the namespace of the service to allow or deny an action. The namespace for Trusted Advisor is trustedadvisor. However, you can't use the trustedadvisor namespace to allow or deny Trusted Advisor API operations in the AWS Support API. You must use the support namespace for AWS Support instead.

Note

If you have permissions to the AWS Support API, the Trusted Advisor widget in the AWS Management Console shows a summary view of your Trusted Advisor results. To view your results in the Trusted Advisor console, you must have permission to the trustedadvisor namespace.

Trusted Advisor actions

You can perform the following Trusted Advisor actions in the console. You can also specify these Trusted Advisor actions in an IAM policy to allow or deny specific actions.

Action Description

DescribeAccount

Grants permission to view the AWS Support plan and various Trusted Advisor preferences.

DescribeAccountAccess

Grants permission to view whether the AWS account has enabled or disabled Trusted Advisor.

DescribeCheckItems

Grants permission to view details for the check items.

DescribeCheckRefreshStatuses

Grants permission to view the refresh statuses for Trusted Advisor checks.

DescribeCheckSummaries

Grants permission to view Trusted Advisor check summaries.

DescribeChecks

Grants permission to view details for Trusted Advisor checks.

DescribeNotificationPreferences

Grants permission to view the notification preferences for the AWS account.

ExcludeCheckItems

Grants permission to exclude recommendations for Trusted Advisor checks.

IncludeCheckItems

Grants permission to include recommendations for Trusted Advisor checks.

RefreshCheck

Grants permission to refresh a Trusted Advisor check.

SetAccountAccess

Grants permission to enable or disable Trusted Advisor for the account.

UpdateNotificationPreferences

Grants permission to update notification preferences for Trusted Advisor.

DescribeCheckStatusHistoryChanges

Grants permission to view the results and changed statuses for checks in the last 30 days.

Trusted Advisor actions for organizational view

The following Trusted Advisor actions are for the organizational view feature. For more information, see Organizational view for AWS Trusted Advisor.

Action Description

DescribeOrganization

Grants permission to view whether the AWS account meets the requirements to enable the organizational view feature.

DescribeOrganizationAccounts

Grants permission to view the linked AWS accounts that are in the organization.

DescribeReports

Grants permission to view details for organizational view reports, such as the report name, runtime, date created, status, and format.

DescribeServiceMetadata

Grants permission to view information about organizational view reports, such as the AWS Regions, check categories, check names, and resource statuses.

GenerateReport

Grants permission to create a report for Trusted Advisor checks in your organization.

ListAccountsForParent

Grants permission to view, in the Trusted Advisor console, all of the accounts in an AWS organization that are contained by a root or organizational unit (OU).

ListOrganizationalUnitsForParent

Grants permission to view, in the Trusted Advisor console, all of the organizational units (OUs) in a parent organizational unit or root.

ListRoots

Grants permission to view, in the Trusted Advisor console, all of the roots that are defined in an AWS organization.

SetOrganizationAccess

Grants permission to enable the organizational view feature for Trusted Advisor.

Trusted Advisor Priority actions

If you have Trusted Advisor Priority enabled for your account, you can perform the following Trusted Advisor actions in the console. You can also add these Trusted Advisor actions in an IAM policy to allow or deny specific actions. For more information, see Example IAM policies for Trusted Advisor Priority.

Note

The risks that appear in Trusted Advisor Priority are recommendations that your technical account manager (TAM) has identified for your account. Recommendations from a service, such as a Trusted Advisor check, are created for you automatically. Recommendations from your TAM are created for you manually. Next, your TAM sends these recommendations so that they appear in Trusted Advisor Priority for your account.

For more information, see Get started with AWS Trusted Advisor Priority.

Action Description

DescribeRisks

Grants permission to view risks in Trusted Advisor Priority.

DescribeRisk

Grants permission to view risk details in Trusted Advisor Priority.

DescribeRiskResources

Grants permission to view affected resources for a risk in Trusted Advisor Priority.

DownloadRisk

Grants permission to download a file that contains details about the risk in Trusted Advisor Priority.

UpdateRiskStatus

Grants permission to update the risk status in Trusted Advisor Priority.

DescribeNotificationConfigurations

Grants permission to get your email notification preferences for Trusted Advisor Priority.

UpdateNotificationConfigurations

Grants permission to create or update your email notification preferences for Trusted Advisor Priority.

DeleteNotificationConfigurationForDelegatedAdmin

Grants permission to the organization management account to delete email notification preferences from a delegated administrator account for Trusted Advisor Priority.

Trusted Advisor Engage actions

If you have Trusted Advisor Engage enabled for your account, you can perform the following Trusted Advisor actions in the console. You can also add these Trusted Advisor actions in an IAM policy to allow or deny specific actions. For more information, see Example IAM policies for Trusted Advisor Engage.

For more information, see Get started with AWS Trusted Advisor Engage (Preview).

Action Description

CreateEngagement

Grants permission to create an engagement in Trusted Advisor Engage.

CreateEngagementAttachment

Grants permission to create an engagement attachment in Trusted Advisor Engage.

CreateEngagementCommunication

Grants permission to create an engagement communication in Trusted Advisor Engage.

GetEngagement

Grants permission to view an engagement in Trusted Advisor Engage.

GetEngagementAttachment

Grants permission to view an engagement attachment in Trusted Advisor Engage.

GetEngagementType

Grants permission to view a specific engagement type in Trusted Advisor Engage.

ListEngagementCommunications

Grants permission to view all communications for an engagement in Trusted Advisor Engage.

ListEngagements

Grants permission to view all engagements in Trusted Advisor Engage.

ListEngagementTypes

Grants permission to view all engagement types in Trusted Advisor Engage.

UpdateEngagement

Grants permission to update the details of an engagement in Trusted Advisor Engage.

UpdateEngagementStatus

Grants permission to update the status of an engagement in Trusted Advisor Engage.

IAM policy examples

The following policies show you how to allow and deny access to Trusted Advisor. You can use one of the following policies to create a customer managed policy in the IAM console. For example, you can copy an example policy, and then paste it into the JSON tab of the IAM console. Then, you attach the policy to your IAM user, group, or role.

For more information about how to create an IAM policy, see Creating IAM policies (console) in the IAM User Guide.

Full access to Trusted Advisor

The following policy allows users to view and take all actions on all Trusted Advisor checks in the Trusted Advisor console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}

Read-only access to Trusted Advisor

The following policy allows users read-only access to the Trusted Advisor console. Users can't make changes, such as refresh checks or change notification preferences.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:Describe*",
        "trustedadvisor:Get*",
        "trustedadvisor:List*"
      ],
      "Resource": "*"
    }
  ]
}

Deny access to Trusted Advisor

The following policy doesn't allow users to view or take actions for Trusted Advisor checks in the Trusted Advisor console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}

Allow and deny specific actions

The following policy allows users to view all Trusted Advisor checks in the Trusted Advisor console, but doesn't allow them to refresh any checks.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:RefreshCheck",
      "Resource": "*"
    }
  ]
}

Control access to the AWS Support API operations for Trusted Advisor

In the AWS Management Console, a separate trustedadvisor IAM namespace controls access to Trusted Advisor. You can't use the trustedadvisor namespace to allow or deny Trusted Advisor API operations in the AWS Support API. Instead, you use the support namespace. You must have permissions to the AWS Support API to call Trusted Advisor programmatically.

For example, if you want to call the RefreshTrustedAdvisorCheck operation, you must have permissions to this action in the policy.

Example: Allow Trusted Advisor API operations only

The following policy allows users access to the AWS Support API operations for Trusted Advisor, but not the rest of the AWS Support API operations. For example, users can use the API to view and refresh checks. They can't create, view, update, or resolve AWS Support cases.

You can use this policy to call the Trusted Advisor API operations programmatically, but you can't use this policy to view or refresh checks in the Trusted Advisor console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorCheckResult",
        "support:DescribeTrustedAdvisorChecks",
        "support:DescribeTrustedAdvisorCheckSummaries",
        "support:RefreshTrustedAdvisorCheck",
        "trustedadvisor:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "support:AddAttachmentsToSet",
        "support:AddCommunicationToCase",
        "support:CreateCase",
        "support:DescribeAttachment",
        "support:DescribeCases",
        "support:DescribeCommunications",
        "support:DescribeServices",
        "support:DescribeSeverityLevels",
        "support:ResolveCase"
      ],
      "Resource": "*"
    }
  ]
}

For more information about how IAM works with AWS Support and Trusted Advisor, see Actions.
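To make the evaluation rules behind the policies in "Allow and deny specific actions" and "Control access to the AWS Support API operations for Trusted Advisor" concrete, here is an added example (not AWS code) that applies IAM's identity-policy logic (explicit Deny wins, then an Allow is required, otherwise implicit deny) to three of the page's policies. It assumes the policies are copied verbatim, that every Resource is "*" (as on this page), and it does not model Condition blocks; the constant and function names are the example's own.

```python
import fnmatch
import json

# Constructed copies of three policies shown on this page (Resource is "*" in all of them).
CONSOLE_READ_ONLY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["trustedadvisor:Describe*", "trustedadvisor:Get*", "trustedadvisor:List*"]}]}''')

CONSOLE_ALL_BUT_REFRESH = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "trustedadvisor:*", "Resource": "*"},
  {"Effect": "Deny", "Action": "trustedadvisor:RefreshCheck", "Resource": "*"}]}''')

SUPPORT_API_ONLY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
     "support:DescribeTrustedAdvisorCheckRefreshStatuses", "support:DescribeTrustedAdvisorCheckResult",
     "support:DescribeTrustedAdvisorChecks", "support:DescribeTrustedAdvisorCheckSummaries",
     "support:RefreshTrustedAdvisorCheck", "trustedadvisor:Describe*"]},
  {"Effect": "Deny", "Resource": "*", "Action": [
     "support:AddAttachmentsToSet", "support:AddCommunicationToCase", "support:CreateCase",
     "support:DescribeAttachment", "support:DescribeCases", "support:DescribeCommunications",
     "support:DescribeServices", "support:DescribeSeverityLevels", "support:ResolveCase"]}]}''')

def _action_matches(pattern: str, action: str) -> bool:
    # IAM matches action names case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy: dict, action: str) -> bool:
    """Evaluate one action against an identity policy: an explicit Deny wins, otherwise an
    Allow is required, otherwise the action is implicitly denied. Conditions are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def allowed_subset(policy: dict, actions: list[str]) -> list[str]:
    """Return the actions from `actions` that the policy permits (hypothetical helper)."""
    return [a for a in actions if is_allowed(policy, a)]

if __name__ == "__main__":
    probe = ["trustedadvisor:DescribeChecks", "trustedadvisor:RefreshCheck",
             "support:RefreshTrustedAdvisorCheck", "support:CreateCase"]
    for name in ("CONSOLE_READ_ONLY", "CONSOLE_ALL_BUT_REFRESH", "SUPPORT_API_ONLY"):
        print(name, allowed_subset(globals()[name], probe))
```

Running it shows the namespace split directly: SUPPORT_API_ONLY permits support:RefreshTrustedAdvisorCheck but leaves trustedadvisor:RefreshCheck implicitly denied, which is why that policy can refresh checks programmatically but not in the console.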

Example IAM policies for Trusted Advisor Priority

You can use the following AWS managed policies to control access to Trusted Advisor Priority. For more information, see AWS managed policies for AWS Trusted Advisor and Get started with AWS Trusted Advisor Priority.

Example IAM policies for Trusted Advisor Engage

Note

Trusted Advisor Engage is in preview release and does not currently have any AWS managed policies. You can use one of the following policies to create a customer managed policy in the IAM console.

An example policy that grants read and write access in Trusted Advisor Engage:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:CreateEngagement*",
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:GetEngagement*",
        "trustedadvisor:ListEngagement*",
        "trustedadvisor:UpdateEngagement*"
      ],
      "Resource": "*"
    }
  ]
}

An example policy that grants read-only access in Trusted Advisor Engage:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:GetEngagement*",
        "trustedadvisor:ListEngagement*"
      ],
      "Resource": "*"
    }
  ]
}

An example policy that grants read and write access in Trusted Advisor Engage and the ability to enable trusted access to Trusted Advisor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:CreateEngagement*",
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:GetEngagement*",
        "trustedadvisor:ListEngagement*",
        "trustedadvisor:SetOrganizationAccess",
        "trustedadvisor:UpdateEngagement*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    }
  ]
}

See also

For more information about Trusted Advisor permissions, see the following resources: