Automated Deployment - AWS Trusted Advisor Explorer

Automated Deployment

Before you launch the automated deployment, review the architecture, configuration, network security, and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the AWS Trusted Advisor Explorer solution into your account.

Time to deploy: Approximately 5 minutes


Each member account must have a Business or Enterprise level AWS Support plan in order to gain access to the AWS Trusted Advisor cost optimization checks.

Each member account must have a cross-account role that trusts the Primary account. The name of this cross-account role must be identical (case sensitive) in all the member accounts.


When you create a member account in your organization, AWS Organizations automatically creates an AWS Identity and Access Management (IAM) role in the member account that enables IAM users in the Primary account to exercise full administrative control over the member account. This role is subject to any service control policies (SCPs) that apply to the member account. If you don't specify a name, AWS Organizations gives the role a default name: OrganizationAccountAccessRole.

See Appendix E for more information about creating the cross-account member role.

Launch the Stack

The automated AWS CloudFormation template deploys AWS Trusted Advisor Explorer in the AWS Cloud. Ensure that your member accounts have a Business or Enterprise level AWS Support plan, and that you have already deployed the cross-account role into the member accounts.


You are responsible for the cost of the AWS services used while running this solution. See the Cost section for more details. For full details, see the pricing webpage for each AWS service you will be using in this solution.

  1. Sign in to the AWS Management Console and click the button below to launch the aws-trusted-advisor-explorer AWS CloudFormation template.

                            AWS Trusted Advisor Explorer launch button

    You can also download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the console navigation bar.

  3. On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack.

  5. Under Parameters, review the parameters for the template and modify them as necessary. This solution uses the following default values.

    Parameter Default Description
    Cross Account Role Name <Requires input>

    Specify the cross-account role name that exists in all of the member accounts

    Language en

    English is the only supported language.

    Report Schedule cron(0 9 1 * ? *)

    Enter the frequency at which you would like to trigger the data collection and aggregation. For more information, see Cron Expressions in the Amazon CloudWatch Events User Guide.

    Interested Tag Keys optional input

    Enter the resource tags you would like to extract from the member accounts. For example: env, costcenter, asset_id, etc.

    Glue Crawler Schedule cron(0 11 1 * ? *)

    Enter the frequency for triggering the AWS Glue crawler to update the data lake. For more information, see Cron Expressions in the Amazon CloudWatch Events User Guide.


    Set this value for two hours past the report scheduler’s cron.

    Log Level ERROR

    Choose the log level for the Lambda functions. Enter either ERROR or INFO.

    Mask Account Information TRUE

    This value ensures that the Account ID, Account Name, and Account Email information is masked in the logs.

    SNS Email <Requires input>

    Enter an email address to receive a notification every time the solution successfully runs.

  6. Choose Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  9. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of CREATE_COMPLETE in approximately five minutes.

CloudFormation Output

This solution created the following resources.

Resource Description

The name of the Athena database.


The name of the bucket in which the raw Trusted Advisor check data & tag information will be stored.


The name of the SNS topic that will be notified after every data refresh.


Random, universally unique identifier for the deployment used for operational metrics.