Get started with AWS Trusted Advisor Priority - AWS Support

Trusted Advisor Priority helps you secure and optimize your AWS account to follow AWS best practices. With Trusted Advisor Priority, your AWS account team can proactively monitor your account and create prioritized recommendations when they identify opportunities for you.

For example, your account team can identify if your root account doesn't have multi-factor authentication (MFA). Your account team can create a recommendation so that you take immediate action on a check, such as MFA on Root Account. The recommendation appears as an active prioritized recommendation on the Trusted Advisor Priority page of the Trusted Advisor console. You then follow the steps in the recommendation to resolve it.

Trusted Advisor Priority recommendations can come from either of two sources:

  • AWS services – Services such as Trusted Advisor, AWS Security Hub, and AWS Well-Architected automatically create recommendations. Your account team shares these recommendations with you, so that they appear in Trusted Advisor Priority.

  • Your account team – Your account team can create manual recommendations for risks that they identify in your account.

Trusted Advisor Priority helps you focus on the most important recommendations. You and your account team can keep track of the recommendation lifecycle, from when your account team shared the recommendation to when you accept, resolve, or reject it. You can use Trusted Advisor Priority to find recommendations for all member accounts in your organization.

Prerequisites

You must meet the following requirements to use Trusted Advisor Priority:

  • Your organization must have all features enabled for AWS Organizations. This adds Trusted Advisor as a trusted service with Organizations. You can enable trusted access from the Your organization page in the Trusted Advisor console or from Organizations. For more information, see Enabling all features in your organization in the AWS Organizations User Guide.

  • You must have an Enterprise Support plan and sign in to the organization's management account.

  • You must have AWS Identity and Access Management (IAM) permissions to access Trusted Advisor Priority. For information about controlling access to Trusted Advisor Priority, see AWS managed policies for AWS Trusted Advisor and Manage access for AWS Trusted Advisor.

Enable Trusted Advisor Priority

Contact your account team and ask that they enable this feature for you. You must have an Enterprise Support plan and be the management account owner for your organization.

View prioritized recommendations

After Trusted Advisor Priority is enabled for your account, you can view the latest recommendations for your organization.

To view your prioritized recommendations

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. On the Trusted Advisor Priority page, you can view the following:

    • Actions needed – The number of recommendations that are pending a response or in progress.

    • Overview – The number of recommendations for the following:

      • Rejected recommendations in the last 90 days

      • Resolved recommendations in the last 90 days

      • Recommendations without a status update in over 30 days

      • Average time to resolve recommendations

  3. On the Active tab, the Active prioritized recommendations show recommendations that your account team prioritized for you.

    To filter your results, use the following options:

    • Recommendation – Enter keywords to search by name. This can be a check name, or a custom name that your account team created.

    • Status – Whether the recommendation is pending a response, in progress, rejected, or resolved.

    • Source – The origin of a prioritized recommendation. The recommendation can come from AWS services, your AWS account team, or a planned service event.

    • Category – The recommendation category, such as security or cost optimization.

    • Age – When your account team shared the recommendation with you.

  4. Choose a recommendation to learn more about its risk details, affected resources and accounts, and the recommended actions that you should take to resolve it. You can then accept or reject the recommendation.

Example: Trusted Advisor Priority recommendations

The following example shows recommendations available in Trusted Advisor Priority.

[Image: Recommendation summary on the Trusted Advisor Priority console page.]

Accept a recommendation

On the Active tab, you can learn more about the recommendation and then decide if you want to accept it. When you accept a recommendation, you acknowledge the recommendation for your account and plan to address it.

To accept a recommendation

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. On the Trusted Advisor Priority page, on the Active tab, choose a recommendation name.

  3. On the recommendation detail page, review the information and the affected resources and accounts in your organization.

  4. Choose Accept.

  5. In the Accept recommendation dialog box, enter your name and title, and then choose Accept.

    The recommendation status changes to In progress. Recommendations in progress or pending a response appear in the Active tab on the Trusted Advisor Priority page.

  6. Follow the steps in the recommendation details to fix it. You can then resolve the recommendation. For more information, see Resolve a recommendation.

Example: Manual recommendation from Trusted Advisor Priority

The following image shows a recommendation that is pending a response.

[Image: Accepted recommendation on the Trusted Advisor Priority console page.]

Reject a recommendation

You can also reject a recommendation, which means that you acknowledge the risk, but won't fix it now. You can reject a recommendation if you don't think it's a risk, or if it's not relevant to your account.

To reject a recommendation

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. On the Trusted Advisor Priority page, on the Active tab, choose a recommendation name.

  3. On the recommendation detail page, review the information and the affected resources and accounts in your organization.

  4. If this isn't a risk for your account, choose Reject.

  5. In the Reject dialog box, specify one of the following:

    • Acknowledged – won't fix

    • Not a risk

  6. For Reason for rejection, enter a reason why you won't address the recommendation.

  7. Enter your name and title.

  8. Choose Reject. The recommendation status changes to Rejected and appears in the Closed tab on the Trusted Advisor Priority page.

    Trusted Advisor Priority also notifies your account team that you rejected the recommendation.

Example: Reject a recommendation from Trusted Advisor Priority

The following example shows a recommendation that isn't a risk to an account.

[Image: Dialog box with dropdown lists to reject a recommendation in Trusted Advisor Priority.]

Resolve a recommendation

After you accept the recommendation and fix the risk, you can resolve the recommendation.

To resolve a recommendation

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. On the Trusted Advisor Priority page, select the recommendation, and then choose Resolve.

  3. In the Resolve recommendation dialog box, enter your name and title, and then choose Resolve.

    Resolved recommendations appear in the Closed tab on the Trusted Advisor Priority page. Trusted Advisor Priority notifies your account team that you resolved the recommendation.

Example: Manual recommendation from Trusted Advisor Priority

The following example shows a resolved manual recommendation that your account team sent to your account.

[Image: Recommendation description in Trusted Advisor Priority console page.]

Reopen a recommendation

After you resolve a recommendation, you can reopen the recommendation later. You or your account team can reopen a recommendation if there's another related risk to your account.

To reopen a recommendation

  1. On the Trusted Advisor Priority page, choose the Closed tab.

  2. Under Closed recommendations, select the recommendation, and then choose Reopen.

  3. In the Reopen recommendation dialog box, enter the following:

    • Why you're reopening the recommendation

    • Your name

    • Your title

  4. Choose Reopen. The recommendation status changes to In progress and appears in the Active tab.

  5. Follow the steps in the recommendation details to fix it.

Example: Reopen a recommendation from Trusted Advisor Priority

The following example shows a recommendation that you want to reopen.

[Image: Dialog box to reopen a recommendation in Trusted Advisor Priority.]
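
The accept, reject, resolve, and reopen transitions and the Overview counters described on this page, modeled as an added example for teams that mirror recommendations into their own tracker. This is not AWS code: the record layout, field names, and dates are constructed assumptions, not the format of the console download or of any Trusted Advisor API.

```python
from datetime import date

# Lifecycle as read from this page: action -> (statuses it may start from, new status).
# Assumption: reject is allowed from either active status, reopen from either closed one.
TRANSITIONS = {
    "accept": ({"Pending response"}, "In progress"),
    "reject": ({"Pending response", "In progress"}, "Rejected"),
    "resolve": ({"In progress"}, "Resolved"),
    "reopen": ({"Resolved", "Rejected"}, "In progress"),
}
ACTIVE = {"Pending response", "In progress"}  # statuses shown on the Active tab

def replay(rec):
    """Apply a record's events in order; return (status, last_update, resolved_on)."""
    status, last, resolved_on = "Pending response", rec["shared"], None
    for day, action in rec["events"]:
        allowed, new_status = TRANSITIONS[action]
        if status not in allowed:
            raise ValueError(f"{rec['name']}: cannot {action} from {status}")
        status, last = new_status, day
        resolved_on = day if action == "resolve" else None  # a reopen clears it
    return status, last, resolved_on

def overview(recs, today):
    """Recompute the Overview counters; 'stale' lists active items idle > 30 days."""
    out = {"actions_needed": 0, "rejected_90d": 0, "resolved_90d": 0, "stale": []}
    durations = []
    for rec in recs:
        status, last, resolved_on = replay(rec)
        idle = (today - last).days
        if status in ACTIVE:
            out["actions_needed"] += 1
            if idle > 30:
                out["stale"].append(rec["name"])
        elif idle <= 90:
            out["rejected_90d" if status == "Rejected" else "resolved_90d"] += 1
        if resolved_on:
            durations.append((resolved_on - rec["shared"]).days)
    # Assumption: time to resolve runs from the shared date to the resolve date.
    out["avg_days_to_resolve"] = sum(durations) / len(durations) if durations else None
    return out

# Constructed sample records; every name except the MFA check is invented.
D, TODAY = date, date(2024, 6, 30)
RECS = [
    {"name": "MFA on Root Account", "shared": D(2024, 5, 1), "events": [(D(2024, 5, 3), "accept"), (D(2024, 5, 11), "resolve")]},
    {"name": "sample-open-port", "shared": D(2024, 4, 10), "events": [(D(2024, 4, 15), "accept")]},
    {"name": "sample-idle-lb", "shared": D(2024, 6, 1), "events": [(D(2024, 6, 5), "reject")]},
    {"name": "sample-volume", "shared": D(2024, 3, 1), "events": [(D(2024, 3, 4), "accept"), (D(2024, 3, 24), "resolve"), (D(2024, 6, 20), "reopen")]},
    {"name": "sample-new", "shared": D(2024, 6, 25), "events": []},
]
```

The `stale` list is the one to review first: an accepted recommendation that has sat in progress for more than 30 days is a risk that was acknowledged but never closed.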

Download recommendation details

You can also download the results of a prioritized recommendation from Trusted Advisor Priority.

Note

Currently, you can download only one recommendation at a time.

To download a recommendation

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. On the Trusted Advisor Priority page, select the recommendation, and then choose Download.

Register delegated administrators

You can add member accounts that are part of your organization as delegated administrators. Delegated administrator accounts can review, accept, resolve, reject, and reopen recommendations in Trusted Advisor Priority.

After you register an account, you must grant the delegated administrator the required IAM permissions to access Trusted Advisor Priority. For more information, see Manage access for AWS Trusted Advisor and AWS managed policies for AWS Trusted Advisor.

You can register up to five member accounts. Only the management account can add delegated administrators for the organization.

To register a delegated administrator

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. In the navigation pane, under Preferences, choose Your organization.

  3. Under Delegated administrator, choose Register new account.

  4. In the dialog box, enter the member account ID, and then choose Register.

  5. (Optional) To deregister an account, select an account and choose Deregister. In the dialog box, choose Deregister again.

Deregister delegated administrators

When you deregister a member account, that account won't have the same access to Trusted Advisor Priority as the management account. Accounts that are no longer delegated administrators won't receive email notifications from Trusted Advisor Priority.

To deregister a delegated administrator

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. In the navigation pane, under Preferences, choose Your organization.

  3. Under Delegated administrator, select an account and choose Deregister.

  4. In the dialog box, choose Deregister.

Manage Trusted Advisor Priority notifications

Trusted Advisor Priority delivers notifications through email. This email notification includes a summary of the recommendations that your account team prioritized for you. You can specify the frequency that you receive updates from Trusted Advisor Priority.

If you registered member accounts as delegated administrators, they can also set up their accounts to receive Trusted Advisor Priority email notifications.

Trusted Advisor Priority email notifications don't include check results for individual accounts and are separate from the Trusted Advisor dashboard weekly notification. For more information, see Set up notification preferences.

To manage your Trusted Advisor Priority notifications

  1. Sign in to the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/home.

  2. In the navigation pane, under Preferences, choose Notifications.

  3. Under Trusted Advisor Priority, you can select the following options.

    1. Daily – Receive an email notification daily.

    2. Weekly – Receive an email notification once a week.

    3. Choose the notifications to receive:

      • Summary of prioritized recommendations

      • Resolution dates

  4. For Recipients, select other contacts to receive the email notifications. You can add and remove contacts from the Account Settings page in the AWS Billing and Cost Management console.

  5. For Language, choose the language for the email notification.

  6. Choose Save your preferences.

Note

Trusted Advisor Priority sends email notifications from the noreply@notifications.trustedadvisor.us-west-2.amazonaws.com address. You might need to verify that your email client doesn't identify these emails as spam.

Disable Trusted Advisor Priority

Contact your account team and ask that they disable this feature for you. After it's removed, prioritized recommendations won't appear in your Trusted Advisor console.

If you disable Trusted Advisor Priority and then enable it again later, you can still view the recommendations that your account team sent before you disabled Trusted Advisor Priority.