AWS managed policies for AWS Trusted Advisor - AWS Support
AWSTrustedAdvisorPriorityFullAccess AWSTrustedAdvisorPriorityReadOnlyAccess AWSTrustedAdvisorServiceRolePolicy AWSTrustedAdvisorReportingServiceRolePolicy Policy updates

AWS managed policies for AWS Trusted Advisor

Trusted Advisor has the following AWS managed policies.

AWS managed policy: AWSTrustedAdvisorPriorityFullAccess

The AWSTrustedAdvisorPriorityFullAccess policy grants full access to Trusted Advisor Priority. This policy also allows the user to add Trusted Advisor as a trusted service with AWS Organizations and to specify the delegated administrator accounts for Trusted Advisor Priority.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

  • Describes your account and organization.

  • Describes identified risks from Trusted Advisor Priority. The permissions allow you to download and update the risk status.

  • Describes your configurations for Trusted Advisor Priority email notifications. The permissions allow you to configure the email notifications and disable them for your delegated administrators.

  • Sets up Trusted Advisor so that your account can enable AWS Organizations.

In the second statement, the policy includes the following permissions for organizations:

  • Describes your Trusted Advisor account and organization.

  • Lists the AWS services that you enabled to use Organizations.

In the third statement, the policy includes the following permissions for organizations:

  • Lists the delegated administrators for Trusted Advisor Priority.

  • Enables and disables trusted access with Organizations.

In the fourth statement, the policy includes the following permissions for iam:

  • Creates the AWSServiceRoleForTrustedAdvisorReporting service-linked role.

In the fifth statement, the policy includes the following permissions for organizations:

  • Allows you to register and deregister delegated administrators for Trusted Advisor Priority.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityFullAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:UpdateRiskStatus",
				"trustedadvisor:DescribeNotificationConfigurations",
				"trustedadvisor:UpdateNotificationConfigurations",
				"trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
				"trustedadvisor:SetOrganizationAccess"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators",
				"organizations:EnableAWSServiceAccess",
				"organizations:DisableAWSServiceAccess"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AllowCreateServiceLinkedRole",
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
			"Condition": {
				"StringLike": {
					"iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowRegisterDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:RegisterDelegatedAdministrator",
				"organizations:DeregisterDelegatedAdministrator"
			],
			"Resource": "arn:aws:organizations::*:*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}

AWS managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess

The AWSTrustedAdvisorPriorityReadOnlyAccess policy grants read-only permissions to Trusted Advisor Priority, including permission to view the delegated administrator accounts.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

  • Describes your Trusted Advisor account and organization.

  • Describes the identified risks from Trusted Advisor Priority and allows you to download them.

  • Describes the configurations for Trusted Advisor Priority email notifications.

In the second and third statement, the policy includes the following permissions for organizations:

  • Describes your organization with Organizations.

  • Lists the AWS services that you enabled to use Organizations.

  • Lists the delegated administrators for Trusted Advisor Priority

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:DescribeNotificationConfigurations"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}

AWS managed policy: AWSTrustedAdvisorServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisor service-linked role. It allows the service-linked role to perform actions for you. You can't attach the AWSTrustedAdvisorServiceRolePolicy to your AWS Identity and Access Management (IAM) entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants administrative permissions that allow the service-linked role to access AWS services. These permissions allow the checks for Trusted Advisor to evaluate your account.

Permissions details

This policy includes the following permissions.

  • accessanalyzer – Describes AWS Identity and Access Management Access Analyzer resources

  • Auto Scaling – Describes Amazon EC2 Auto Scaling account quotas and resources

  • cloudformation – Describes AWS CloudFormation (CloudFormation) account quotas and stacks

  • cloudfront – Describes Amazon CloudFront distributions

  • cloudtrail – Describes AWS CloudTrail (CloudTrail) trails

  • dynamodb – Describes Amazon DynamoDB account quotas and resources

  • dynamodbaccelerator – Describes DynamoDB Accelerator resources

  • ec2 – Describes Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources

  • elasticloadbalancing – Describes Elastic Load Balancing (ELB) account quotas and resources

  • iam – Gets IAM resources, such as credentials, password policy, and certificates

  • networkfirewall – Describes AWS Network Firewall resources

  • kinesis – Describes Amazon Kinesis (Kinesis) account quotas

  • rds – Describes Amazon Relational Database Service (Amazon RDS) resources

  • redshift – Describes Amazon Redshift resources

  • route53 – Describes Amazon Route 53 account quotas and resources

  • s3 – Describes Amazon Simple Storage Service (Amazon S3) resources

  • ses – Gets Amazon Simple Email Service (Amazon SES) send quotas

  • sqs – Lists Amazon Simple Queue Service (Amazon SQS) queues

  • cloudwatch – Gets Amazon CloudWatch Events (CloudWatch Events) metric statistics

  • ce – Gets Cost Explorer Service (Cost Explorer) recommendations

  • route53resolver – Gets Amazon Route 53 Resolver Resolver Endpoints and resources

  • kafka – Gets Amazon Managed Streaming for Apache Kafka resources

  • ecs – Gets Amazon ECS resources

  • outposts – Gets AWS Outposts resources

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid" : "TrustedAdvisorServiceRolePermissions",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ListAnalyzers"
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "cloudformation:DescribeAccountLimits",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:GetEventSelectors",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dax:DescribeClusters",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeImages",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVolumes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:GetManagedPrefixListEntries",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTaskDefinitions"
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "iam:ListSAMLProviders",
                "kinesis:DescribeLimits",
                "kafka:DescribeClusterV2",
                "kafka:ListClustersV2",
                "kafka:ListNodes",
                "network-firewall:ListFirewalls",
                "network-firewall:DescribeFirewall",
                "outposts:GetOutpost",
                "outposts:ListAssets",
                "outposts:ListOutposts",
                "rds:DescribeAccountAttributes",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "redshift:DescribeReservedNodeOfferings",
                "redshift:DescribeReservedNodes",
                "route53:GetAccountLimit",
                "route53:GetHealthCheck",
                "route53:GetHostedZone",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:ListResolverEndpointIpAddresses",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "ses:GetSendQuota",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}

AWS managed policy: AWSTrustedAdvisorReportingServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisorReporting service-linked role that allows Trusted Advisor to perform actions for the organizational view feature. You can't attach the AWSTrustedAdvisorReportingServiceRolePolicy to your IAM entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants administrative permissions that allow the service-linked role to perform AWS Organizations actions.

Permissions details

This policy includes the following permissions.

  • organizations – Describes your organization and lists the service access, accounts, parents, children, and organizational units

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Trusted Advisor updates to AWS managed policies

View details about updates to AWS managed policies for AWS Support and Trusted Advisor since these services began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

Trusted Advisor
Change Description Date

AWSTrustedAdvisorServiceRolePolicy

Update to an existing policy.

Trusted Advisor added new actions to grant the elasticloadbalancing:DescribeListeners, and elasticloadbalancing:DescribeRules permissions.

 October 30, 2024

AWSTrustedAdvisorServiceRolePolicy

Update to an existing policy.

Trusted Advisor added new actions to grant the access-analyzer:ListAnalyzers, cloudwatch:ListMetrics, dax:DescribeClusters, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:DescribeVpcEndpoints, ec2:GetManagedPrefixListEntries, elasticloadbalancing:DescribeTargetHealth, iam:ListSAMLProviders, kafka:DescribeClusterV2 network-firewall:ListFirewalls network-firewall:DescribeFirewall and sqs:GetQueueAttributes permissions.

 June 11, 2024

AWSTrustedAdvisorServiceRolePolicy

Update to an existing policy.

Trusted Advisor added new actions to grant the cloudtrail:GetTrail cloudtrail:ListTrails cloudtrail:GetEventSelectors outposts:GetOutpost, outposts:ListAssets and outposts:ListOutposts permissions.

 January 18, 2024

AWSTrustedAdvisorPriorityFullAccess

Update to an existing policy.

Trusted Advisor updated the AWSTrustedAdvisorPriorityFullAccess AWS managed policy to include statement IDs.

 December 6, 2023

AWSTrustedAdvisorPriorityReadOnlyAccess

Update to an existing policy.

Trusted Advisor updated the AWSTrustedAdvisorPriorityReadOnlyAccess AWS managed policy to include statement IDs.

 December 6, 2023

AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy

Trusted Advisor added new actions to grant the ec2:DescribeRegions s3:GetLifecycleConfiguration ecs:DescribeTaskDefinition and ecs:ListTaskDefinitions permissions.

 November 9, 2023

AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy

Trusted Advisor added new IAM actions route53resolver:ListResolverEndpoints, route53resolver:ListResolverEndpointIpAddresses, ec2:DescribeSubnets, kafka:ListClustersV2 and kafka:ListNodes to onboard new resilience checks.

 September 14, 2023

AWSTrustedAdvisorReportingServiceRolePolicy

V2 of managed policy attached on Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role

Upgrade AWS managed policy to V2 for the Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role. The V2 will add one more IAM action organizations:ListDelegatedAdministrators

Feb 28, 2023

AWSTrustedAdvisorPriorityFullAccess and AWSTrustedAdvisorPriorityReadOnlyAccess

New AWS managed policies for the Trusted Advisor

Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority.

August 17, 2022

AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy

Trusted Advisor added new actions to grant the DescribeTargetGroups and GetAccountPublicAccessBlock permissions.

The DescribeTargetGroup permission is required for the Auto Scaling Group Health Check to retrieve non-Classic Load Balancers that are attached to an Auto Scaling group.

The GetAccountPublicAccessBlock permission is required for the Amazon S3 Bucket Permissions check to retrieve the block public access settings for an AWS account.

 August 10, 2021

Change log published

Trusted Advisor started tracking changes for its AWS managed policies.

 August 10, 2021