Week 8 - Day 4: AWS Trusted Advisor
Learning objectives
- Understand Trusted Advisor: best-practice recommendations
- Distinguish the 5 check categories
- Know how Support Plan tiers affect which checks are available
- Apply it to cost and security optimization
1. Trusted Advisor overview
AWS Trusted Advisor is an online tool that gives real-time guidance to help you follow AWS best practices.
5 check categories
- Cost Optimization: identify wasted spending
- Performance: improve speed/throughput
- Security: identify security risks
- Fault Tolerance: improve availability
- Service Limits: usage approaching quotas
2. Check Categories Examples
Cost Optimization
- Low Utilization EC2 Instances (< 10% avg CPU 14 days)
- Underutilized EBS Volumes
- Idle Load Balancers
- Idle RDS DB Instances
- Reserved Instance optimization
- Savings Plans recommendations
Performance
- High Utilization EC2 (> 90% CPU)
- Large Number of Rules in SG (slow firewall)
- EBS Magnetic Volumes (consider gp3)
- CloudFront Content Delivery Optimization
- Overutilized EC2
Security
- Security Group with unrestricted access (0.0.0.0/0 on common ports)
- IAM password policy weak
- Root account without MFA
- S3 buckets with open permissions
- MFA on root account
- CloudTrail logging
- Exposed access keys
Fault Tolerance
- RDS not Multi-AZ
- EBS snapshots missing
- Auto Scaling not configured
- VPN tunnel redundancy
- Direct Connect Single Connection
- Route 53 health checks missing
Service Limits
- Approaching limit on EC2 instances, EBS volumes, etc.
- 80% threshold warning
3. Support Plan Tiers
Basic / Developer plans
- Core checks only (7 checks):
  - S3 bucket permissions
  - IAM use
  - MFA on root
  - EBS public snapshots
  - RDS public snapshots
  - Service limits
Business / Enterprise plans
- All checks available (200+)
- Programmatic API access
- Weekly notifications
- Recommended actions automation via EventBridge
Recommendation
- Production workload: Business Support minimum ($100/month or 10% of usage)
- Get full Trusted Advisor + AWS Health API + 24/7 support
4. Trusted Advisor Console
Dashboard
- Shows checks pass/warning/error per category
- Drill down to specific resources
Refresh
- Auto-refresh weekly (some checks)
- Manual refresh available
Exclude items
- Mark items as "ignored" (e.g., known issue, intentional)
5. API and Automation
AWS Support API
- Programmatic access to Trusted Advisor (Business+ plans only)
- Query checks, refresh, exclude items
EventBridge integration
- Trusted Advisor check status change → EventBridge event
- → Lambda auto-remediate
Example automation
Trusted Advisor: "SG with 0.0.0.0/0 on port 22 (SSH)"
→ EventBridge
→ Lambda: remove the rule (or alert)
6. Compute Optimizer (related)
Definition
AWS Compute Optimizer = ML-based right-sizing recommendations for EC2, EBS, Lambda, ASG.
Characteristics
- More detailed than Trusted Advisor
- 14-day analysis window
- Provides specific instance type recommendations
- Cost savings projection
Use case
- Right-size EC2 (downgrade overprovisioned)
- Lambda memory tuning
- EBS gp2 → gp3 migration
Pricing
- Free
7. AWS Health Dashboard
Definition
Service health dashboard with personalized events affecting your AWS account.
2 views
- Public health dashboard: general AWS service status
- Personal Health Dashboard (PHD): events affecting YOUR resources
Events
- AWS-wide outages
- Scheduled maintenance (RDS patching, EC2 retirement)
- Security events
- Resource-specific alerts (e.g., your EBS volume will be migrated)
AWS Health API (Business+ plans)
- Programmatic access
- Integration with monitoring tools
- Automated incident response
8. Common Patterns
Pattern 1: Weekly security review
- Friday review Trusted Advisor security checks
- Document exceptions, fix violations
Pattern 2: Auto-remediate
Trusted Advisor: "S3 bucket public"
→ EventBridge event
→ Lambda → block public access
→ SNS notify team
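The two pipelines described above (section 5's "SG open to 0.0.0.0/0 on port 22" and Pattern 2's "S3 bucket public") as one Lambda handler. This is an added example, not code from the original notes: it assumes the Trusted Advisor EventBridge event shape (detail.check-name, detail.status, detail.check-item-detail), assumes the check-item-detail keys "Security Group ID", "Protocol", "Port" and "Bucket Name", and takes AWS clients as parameters so the logic can run offline with fakes; the sample event is constructed.

```python
import json
try:
    import boto3  # present on Lambda; offline tests inject fake clients instead
except ImportError:
    boto3 = None

SG_CHECK = "Security Groups - Specific Ports Unrestricted"  # TA check names
S3_CHECK = "Amazon S3 Bucket Permissions"
WATCHED_PORTS = {"22", "3389"}  # SSH (the notes' example) and RDP

SAMPLE_SG_EVENT = {"source": "aws.trustedadvisor", "detail": {  # constructed sample
    "check-name": SG_CHECK, "status": "ERROR", "check-item-detail": {
        "Security Group ID": "sg-0123456789abcdef0", "Protocol": "tcp", "Port": "22"}}}

def revoke_open_ingress(ec2, sg_id, protocol, port):
    """Remove only the 0.0.0.0/0 rule for this port; other rules are kept."""
    ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": protocol, "FromPort": int(port), "ToPort": int(port),
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return f"revoked {protocol}/{port} from 0.0.0.0/0 on {sg_id}"

def block_public_bucket(s3, bucket):
    """Enable all four S3 Block Public Access settings on the bucket."""
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={k: True for k in (
            "BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")})
    return f"blocked public access on {bucket}"

def handler(event, context=None, ec2=None, s3=None, sns=None, topic_arn=None):
    """Lambda entry point: remediate a failing finding, then notify via SNS."""
    detail = event.get("detail", {})
    item = detail.get("check-item-detail", {})
    check = detail.get("check-name")
    if detail.get("status") not in ("ERROR", "WARN"):
        return None  # OK / informational refreshes need no action
    if check == SG_CHECK and item.get("Port") in WATCHED_PORTS:
        action = revoke_open_ingress(ec2 or boto3.client("ec2"),
                                     item["Security Group ID"], item["Protocol"], item["Port"])
    elif check == S3_CHECK:
        action = block_public_bucket(s3 or boto3.client("s3"), item["Bucket Name"])
    else:
        return None  # not a check this function remediates
    if sns is not None and topic_arn:  # optional "notify team" step
        sns.publish(TopicArn=topic_arn, Subject="Trusted Advisor auto-remediation",
                    Message=json.dumps({"check": check, "action": action}))
    return action
```

The EventBridge rule that triggers it should match source "aws.trustedadvisor" with a detail-type filter, and the Lambda role needs only ec2:RevokeSecurityGroupIngress, s3:PutBucketPublicAccessBlock and sns:Publish.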
Pattern 3: Cost saving sprint
- Monthly Cost Optimization checks
- Right-size underutilized EC2 (Compute Optimizer)
- Migrate gp2 → gp3 (Trusted Advisor + Compute Optimizer)
- Delete idle resources
Pattern 4: Service limit monitoring
- Trusted Advisor warns at 80%
- Auto-create AWS Support ticket to increase limit
- Avoid hitting limits in production
Review questions
- Q: What are the 5 categories of Trusted Advisor?
  A: (1) Cost Optimization: idle resources, underutilized EC2, unattached EBS. (2) Performance: CloudFront config, EC2 instance types. (3) Security: open security groups, IAM MFA, exposed access keys, S3 public buckets. (4) Fault Tolerance: Multi-AZ RDS, Auto Scaling, EBS snapshots. (5) Service Limits (Quotas): alert when usage > 80% of the service limit.
- Q: Does the free tier have access to the full set of checks?
  A: No. The free tier (Basic/Developer Support) only has access to the 7 core checks: S3 public buckets, Security Groups unrestricted ports, IAM use, MFA on root, EBS public snapshots, RDS public snapshots, and Service Limits. To access all ~400+ checks you need a Business or Enterprise Support plan ($100+/month). AWS Organizations can aggregate checks cross-account.
- Q: How does Compute Optimizer differ from Trusted Advisor?
  A: Compute Optimizer uses ML to analyze 14 days of CloudWatch metrics and recommend the optimal EC2 instance type, Lambda memory, EBS volume type, and ECS on Fargate sizing. Its recommendations are very specific, with cost/performance impact estimates. Trusted Advisor gives broad recommendations across 5 categories, not only compute. Compute Optimizer is deeper and ML-driven for sizing; Trusted Advisor has broader coverage. Both are free (Compute Optimizer free tier available).
- Q: What does the AWS Health Dashboard show?
  A: The AWS Health Dashboard (Service Health Dashboard + Personal Health Dashboard) shows: (1) AWS service health globally and per region, (2) upcoming scheduled maintenance events affecting your resources, (3) account-specific events, for example your EC2 instance is on hardware that is about to be maintained. Unlike a generic status page, the Personal Health Dashboard only shows events relevant to your account.
- Q: What is the warning threshold percentage for service limits?
  A: 80%. Trusted Advisor warns when usage reaches 80% of the service quota (limit). This lets you request an increase before hitting the hard limit and causing an outage. Example: EC2 instance limit 1000, currently using 800 → warning. Request a quota increase via the Service Quotas console before reaching 100%. Some quotas can be increased automatically (soft limits), some need AWS review (hard limits).
Hands-on exercises
- Open the Trusted Advisor console and review all checks
- Fix 1 Security finding (e.g., SG 0.0.0.0/0:22)
- Enable Compute Optimizer and review EC2 recommendations
- Check Service Limits and request an increase if needed
- Set up EventBridge: Trusted Advisor security check fail → SNS
Next: AWS Organizations Basics