The following table lists the supported Trusted Advisor checks, SSM automation documents, preconfigured parameters, and the expected outcome of the automation documents. Review the expected outcome to help you understand possible risks based on your business requirements before you enable an SSM automation document for check remediation.
Trusted Advisor cost optimization checks supported by Trusted Remediator
Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints |
---|---|---|---|
Unassociated Elastic IP Addresses | AWSManagedServices-TrustedRemediatorReleaseElasticIP: Releases an Elastic IP address that is not associated with any resource. | No preconfigured parameters are allowed. | No constraints |
Amazon ECR Repository Without Lifecycle Policy Configured | AWSManagedServices-TrustedRemediatorPutECRLifecyclePolicy: Creates a lifecycle policy for the specified repository if one does not already exist. | ImageAgeLimit: The maximum age limit in days (1-365) for 'any' image in the Amazon ECR repository. | No constraints |
Underutilized Amazon EBS Volumes | AWSManagedServices-DeleteUnusedEBSVolume: Deletes underutilized Amazon EBS volumes that have been unattached for the last 7 days. An Amazon EBS snapshot is created by default. | | No constraints |
Idle Load Balancers | AWSManagedServices-DeleteIdleClassicLoadBalancer: Deletes an idle Classic Load Balancer if it is unused and no instances are registered to it. | IdleLoadBalancerDays: The number of days that the Classic Load Balancer has had 0 requested connections before it is considered idle. The default is 7 days. | If auto execution is enabled, the automation deletes idle Classic Load Balancers only if there are no active back-end instances. For idle Classic Load Balancers that have active back-end instances but no healthy back-end instances, auto remediation isn't used and OpsItems for manual remediation are created. |
Amazon RDS Idle DB Instances | AWSManagedServices-StopIdleRDSInstance: An Amazon RDS DB instance that has been idle for the last 7 days is stopped. | No preconfigured parameters are allowed. | No constraints |
AWS Lambda over-provisioned functions for memory size | AWSManagedServices-ResizeLambdaMemory: The Lambda function's memory size is resized to the memory size recommended by Trusted Advisor. | RecommendedMemorySize: The recommended memory allocation for the Lambda function. Value range is 128 to 10240. | If the Lambda function's memory size was modified before the automation runs, the automation might overwrite that setting with the value recommended by Trusted Advisor. |
Low Utilization Amazon EC2 Instances | AWSManagedServices-StopEC2Instance (default SSM document for both auto and manual execution mode): Amazon EC2 instances with low utilization are stopped. | ForceStopWithInstanceStore: Set to | No constraints |
Low Utilization Amazon EC2 Instances | AWSManagedServices-ResizeInstanceByOneLevel: The Amazon EC2 instance is resized one instance type down within the same instance family. The instance is stopped and started during the resize operation and returned to its initial state after the SSM document run completes. This automation doesn't support resizing instances that are in an Auto Scaling Group. | | No constraints |
Low Utilization Amazon EC2 Instances | AWSManagedServices-TerminateInstance: Low-utilization Amazon EC2 instances are terminated if they are not part of an Auto Scaling Group and termination protection isn't enabled. An AMI is created by default. | CreateAMIBeforeTermination: Set this option to | No constraints |
Underutilized Amazon Redshift Clusters | AWSManagedServices-PauseRedshiftCluster: The Amazon Redshift cluster is paused. | No preconfigured parameters are allowed. | No constraints |
Amazon S3 Incomplete Multipart Upload Abort Configuration | AWSManagedServices-TrustedRemediatorEnableS3AbortIncompleteMultipartUpload: The Amazon S3 bucket is configured with a lifecycle rule that aborts multipart uploads that remain incomplete after a set number of days. | DaysAfterInitiation: The number of days after which Amazon S3 aborts an incomplete multipart upload. The default is 7 days. | No constraints |
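The TerminateInstance and ResizeInstanceByOneLevel rows above skip instances that belong to an Auto Scaling Group, and TerminateInstance also skips instances with termination protection enabled. Before you enable auto execution for that document, it helps to know which instances those constraints would leave in scope. The following Python is an added example, not part of the AMS documentation or of the AMS automation itself: it takes data in the shape of the EC2 DescribeInstances and DescribeInstanceAttribute (disableApiTermination) responses (constructed sample data here, so no AWS calls are made) and classifies each instance the way the documented constraints do. The function and dataclass names are the example's own; the aws:autoscaling:groupName tag is the tag EC2 Auto Scaling applies to every instance it launches.

```python
"""Dry-run review of the AWSManagedServices-TerminateInstance constraints.

Added example (not AMS code). Works on dicts shaped like the EC2
DescribeInstances and DescribeInstanceAttribute(disableApiTermination)
responses so it runs offline; replace SAMPLE_* with real API output to use it.
"""
from dataclasses import dataclass

# Tag that EC2 Auto Scaling puts on every instance it launches.
ASG_TAG_KEY = "aws:autoscaling:groupName"


@dataclass(frozen=True)
class Decision:
    instance_id: str
    would_terminate: bool
    reason: str


def _asg_name(instance: dict):
    """Return the Auto Scaling group name from the instance tags, or None."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == ASG_TAG_KEY:
            return tag.get("Value")
    return None


def plan_terminate_instance(reservations: list, termination_attrs: dict) -> list:
    """Classify instances the way the documented constraints do.

    reservations: the 'Reservations' list from DescribeInstances.
    termination_attrs: {instance_id: DescribeInstanceAttribute response for
    Attribute='disableApiTermination'}.  An instance whose attribute was not
    fetched is flagged for manual review rather than assumed terminable.
    """
    decisions = []
    for reservation in reservations:
        for instance in reservation.get("Instances", []):
            iid = instance["InstanceId"]
            asg = _asg_name(instance)
            if asg:
                decisions.append(Decision(iid, False, f"member of Auto Scaling Group {asg}"))
                continue
            attr = termination_attrs.get(iid)
            if attr is None:
                decisions.append(Decision(iid, False, "disableApiTermination not fetched; review manually"))
                continue
            if attr.get("DisableApiTermination", {}).get("Value", False):
                decisions.append(Decision(iid, False, "termination protection enabled"))
                continue
            decisions.append(Decision(iid, True, "not in an ASG and termination protection off"))
    return decisions


def termination_candidates(decisions: list) -> list:
    """Instance IDs the automation would terminate (an AMI is created by default)."""
    return sorted(d.instance_id for d in decisions if d.would_terminate)


# Constructed sample data (not real account output).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
         "Tags": [{"Key": ASG_TAG_KEY, "Value": "web-asg"}]},
        {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "batch-worker"}]},
        {"InstanceId": "i-0ccc333", "State": {"Name": "running"}, "Tags": []},
        {"InstanceId": "i-0ddd444", "State": {"Name": "stopped"}, "Tags": []},
    ]},
]
SAMPLE_TERMINATION_ATTRS = {
    "i-0aaa111": {"DisableApiTermination": {"Value": False}},
    "i-0bbb222": {"DisableApiTermination": {"Value": True}},
    "i-0ccc333": {"DisableApiTermination": {"Value": False}},
    # i-0ddd444 deliberately missing: the attribute lookup failed or was skipped.
}

if __name__ == "__main__":
    for d in plan_terminate_instance(SAMPLE_RESERVATIONS, SAMPLE_TERMINATION_ATTRS):
        print(f"{d.instance_id}: {'TERMINATE' if d.would_terminate else 'skip'} ({d.reason})")
```

The same classification applies to the Hs4Ma3G120 (EC2.4) row in the security table, which runs the same TerminateInstance document against instances stopped for 30 days; treating a missing attribute as "review manually" rather than "terminate" is the conservative choice for a destructive action.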
Trusted Advisor security checks supported by Trusted Remediator
Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints |
---|---|---|---|
Exposed Access Keys | AWSManagedServices-TrustedRemediatorDeactivateIAMAccessKey: The exposed IAM access key is deactivated. | No preconfigured parameters are allowed. | Applications configured with the exposed IAM access key can no longer authenticate. |
Hs4Ma3G127 - API Gateway REST and WebSocket API execution logging should be enabled. Corresponding AWS Security Hub check: APIGateway.1 | AWSManagedServices-TrustedRemediatorEnableAPIGateWayExecutionLogging: Execution logging is enabled on the API stage. | LogLevel: Logging level to enable execution logging, | You must grant API Gateway permission to read and write logs to CloudWatch for your account in order to enable execution logging; see Set up CloudWatch logging for REST APIs in API Gateway for details. |
Hs4Ma3G129 - API Gateway REST API stages should have AWS X-Ray tracing enabled. Corresponding AWS Security Hub check: APIGateway.3 | AWSManagedServices-EnableApiGateWayXRayTracing: X-Ray tracing is enabled on the API stage. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G202 - API Gateway REST API cache data should be encrypted at rest. Corresponding AWS Security Hub check: APIGateway.5 | AWSManagedServices-EnableAPIGatewayCacheEncryption: Enables encryption at rest for API Gateway REST API cache data if the REST API stage has caching enabled. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G177 - Auto Scaling groups associated with a load balancer should use load balancer health checks. Corresponding AWS Security Hub check: AutoScaling.1 | AWSManagedServices-TrustedRemediatorEnableAutoScalingGroupELBHealthCheck: Elastic Load Balancing health checks are enabled for the Auto Scaling Group. | HealthCheckGracePeriod: The amount of time, in seconds, that Auto Scaling waits before checking the health status of an Amazon EC2 instance that has come into service. | Turning on Elastic Load Balancing health checks might result in a running instance being replaced if any of the load balancers attached to the Auto Scaling group report it as unhealthy. For more information, see Attach an Elastic Load Balancing load balancer to your Auto Scaling group. |
Hs4Ma3G245 - AWS CloudFormation stacks should be integrated with Amazon Simple Notification Service. Corresponding AWS Security Hub check: CloudFormation.1 | AWSManagedServices-EnableCFNStackNotification: Associates a CloudFormation stack with an Amazon SNS topic for notifications. | NotificationARNs: The ARNs of the Amazon SNS topics to be associated with the selected CloudFormation stacks. | To enable auto remediation, the |
Hs4Ma3G210 - CloudFront distributions should have logging enabled. Corresponding AWS Security Hub check: CloudFront.2 | AWSManagedServices-EnableCloudFrontDistributionLogging: Logging is enabled for the Amazon CloudFront distribution. | | To enable auto remediation, the following preconfigured parameters must be provided: For this remediation's constraints, see How do I turn on logging for my CloudFront distribution? |
Hs4Ma3G109 - CloudTrail log file validation should be enabled. Corresponding AWS Security Hub check: CloudTrail.4 | AWSManagedServices-TrustedRemediatorEnableCloudTrailLogValidation: Enables log file validation for the CloudTrail trail. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G108 - CloudTrail trails should be integrated with Amazon CloudWatch Logs. Corresponding AWS Security Hub check: CloudTrail.5 | AWSManagedServices-IntegrateCloudTrailWithCloudWatch: The AWS CloudTrail trail is integrated with CloudWatch Logs. | | To enable auto remediation, the following preconfigured parameters must be provided: |
Hs4Ma3G217 - CodeBuild project environments should have a logging AWS Configuration. Corresponding AWS Security Hub check: CodeBuild.4 | AWSManagedServices-TrustedRemediatorEnableCodeBuildLoggingConfig: Enables logging for the CodeBuild project. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G306 - Amazon DocumentDB manual cluster snapshots should not be public. Corresponding AWS Security Hub check: DocumentDB.3 | AWSManagedServices-TrustedRemediatorDisablePublicAccessOnDocumentDBSnapshot: Removes public access from the Amazon DocumentDB manual cluster snapshot. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G308 - Amazon DocumentDB clusters should have deletion protection enabled. Corresponding AWS Security Hub check: DocumentDB.5 | AWSManagedServices-TrustedRemediatorEnableDocumentDBClusterDeletionProtection: Enables deletion protection for the Amazon DocumentDB cluster. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G323 - DynamoDB tables should have deletion protection enabled. Corresponding AWS Security Hub check: DynamoDB.6 | AWSManagedServices-TrustedRemediatorEnableDynamoDBTableDeletionProtection: Enables deletion protection for non-AMS DynamoDB tables. | No preconfigured parameters are allowed. | No constraints |
ePs02jT06w - Amazon EBS Public Snapshots | AWSManagedServices-TrustedRemediatorDisablePublicAccessOnEBSSnapshot: Public access to the Amazon EBS snapshot is disabled. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G118 - VPC default security groups should not allow inbound or outbound traffic. Corresponding AWS Security Hub check: EC2.2 | AWSManagedServices-TrustedRemediatorRemoveAllRulesFromDefaultSG: All ingress and egress rules in the default security group are removed. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G117 - Attached EBS volumes should be encrypted at rest. Corresponding AWS Security Hub check: EC2.3 | AWSManagedServices-EncryptInstanceVolume: The Amazon EBS volume attached to the instance is encrypted. | | The instance is rebooted as part of the remediation, and rollback is possible if |
Hs4Ma3G120 - Stopped EC2 instances should be removed after a specified time period. Corresponding AWS Security Hub check: EC2.4 | AWSManagedServices-TerminateInstance: Amazon EC2 instances that have been stopped for 30 days are terminated. | CreateAMIBeforeTermination: Set this option to | No constraints |
Hs4Ma3G121 - EBS default encryption should be enabled. Corresponding AWS Security Hub check: EC2.7 | AWSManagedServices-EncryptEBSByDefault: Amazon EBS encryption by default is enabled for the specific AWS Region. | No preconfigured parameters are allowed. | Encryption by default is a Region-specific setting. If you enable it for a Region, you can't disable it for individual volumes or snapshots in that Region. |
Hs4Ma3G124 - Amazon EC2 instances should use Instance Metadata Service Version 2 (IMDSv2). Corresponding AWS Security Hub check: EC2.8 | AWSManagedServices-TrustedRemediatorEnableEC2InstanceIMDSv2: The Amazon EC2 instance is configured to use Instance Metadata Service Version 2 (IMDSv2). | | No constraints |
Hs4Ma3G207 - EC2 subnets should not automatically assign public IP addresses. Corresponding AWS Security Hub check: EC2.15 | AWSManagedServices-UpdateAutoAssignPublicIpv4Addresses: VPC subnets are configured to not automatically assign public IP addresses. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G209 - Unused Network Access Control Lists should be removed. Corresponding AWS Security Hub check: EC2.16 | AWSManagedServices-DeleteUnusedNACL: Deletes the unused network ACL. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G215 - Unused Amazon EC2 security groups should be removed. Corresponding AWS Security Hub check: EC2.22 | AWSManagedServices-DeleteSecurityGroups: Deletes unused security groups. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G247 - Amazon EC2 Transit Gateway should not automatically accept VPC attachment requests. Corresponding AWS Security Hub check: EC2.23 | AWSManagedServices-TrustedRemediatorDisableTGWAutoVPCAttach: Disables automatic acceptance of VPC attachment requests for the specified non-AMS Amazon EC2 Transit Gateway. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G235 - ECR private repositories should have tag immutability configured. Corresponding AWS Security Hub check: ECR.2 | AWSManagedServices-TrustedRemediatorSetImageTagImmutability: Sets the image tag mutability setting to IMMUTABLE for the specified repository. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G216 - ECR repositories should have at least one lifecycle policy configured. Corresponding AWS Security Hub check: ECR.3 | AWSManagedServices-PutECRRepositoryLifecyclePolicy: A lifecycle policy is configured on the ECR repository. | LifecyclePolicyText: The JSON lifecycle policy text to apply to the repository. | To enable auto remediation, the following preconfigured parameter must be provided: LifecyclePolicyText |
Hs4Ma3G325 - EKS clusters should have audit logging enabled. Corresponding AWS Security Hub check: EKS.8 | AWSManagedServices-TrustedRemediatorEnableEKSAuditLog: Audit logging is enabled for the EKS cluster. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G183 - Application Load Balancer should be configured to drop HTTP headers. Corresponding AWS Security Hub check: ELB.4 | AWSConfigRemediation-DropInvalidHeadersForALB: The Application Load Balancer is configured to drop invalid header fields. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G184 - Application Load Balancers and Classic Load Balancers logging should be enabled. Corresponding AWS Security Hub check: ELB.5 | AWSManagedServices-EnableELBLogging: Application Load Balancer and Classic Load Balancer access logging is enabled. | | To enable auto remediation, the following preconfigured parameters must be provided: |
Hs4Ma3G326 - Amazon EMR block public access setting should be enabled. Corresponding AWS Security Hub check: EMR.2 | AWSManagedServices-TrustedRemediatorEnableEMRBlockPublicAccess: The Amazon EMR block public access setting is turned on for the account. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G135 - AWS KMS keys should not be deleted unintentionally. Corresponding AWS Security Hub check: KMS.3 | AWSManagedServices-CancelKeyDeletion: The scheduled AWS KMS key deletion is canceled. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G299 - Neptune DB clusters should have deletion protection enabled. Corresponding AWS Security Hub check: Neptune.4 | AWSManagedServices-TrustedRemediatorEnableNeptuneDBClusterDeletionProtection: Enables deletion protection for the Amazon Neptune cluster. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G319 - Network Firewall firewalls should have deletion protection enabled. Corresponding AWS Security Hub check: NetworkFirewall.9 | AWSManagedServices-TrustedRemediatorEnableNetworkFirewallDeletionProtection: Enables deletion protection for the AWS Network Firewall firewall. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G223 - OpenSearch domains should encrypt data sent between nodes. Corresponding AWS Security Hub check: OpenSearch.3 | AWSManagedServices-EnableOpenSearchNodeToNodeEncryption: Node-to-node encryption is enabled for the domain. | No preconfigured parameters are allowed. | After node-to-node encryption is enabled, you can't disable it. Instead, take a manual snapshot of the encrypted domain, create another domain, migrate your data, and then delete the old domain. |
Hs4Ma3G222 - OpenSearch domain error logging to CloudWatch Logs should be enabled. Corresponding AWS Security Hub check: Opensearch.4 | AWSManagedServices-EnableOpenSearchLogging: Error logging is enabled for the OpenSearch domain. | CloudWatchLogGroupArn: The ARN of an Amazon CloudWatch Logs log group. | To enable auto remediation, the following preconfigured parameter must be provided: CloudWatchLogGroupArn. The CloudWatch Logs resource policy must be configured with the required permissions. For more information, see Enabling audit logs in the Amazon OpenSearch Service User Guide. |
Hs4Ma3G221 - OpenSearch domains should have audit logging enabled. Corresponding AWS Security Hub check: Opensearch.5 | AWSManagedServices-EnableOpenSearchLogging: Audit logging is enabled for the OpenSearch domain. | CloudWatchLogGroupArn: The ARN of the CloudWatch Logs log group to publish logs to. | To enable auto remediation, the following preconfigured parameter must be provided: CloudWatchLogGroupArn. The CloudWatch Logs resource policy must be configured with the required permissions. For more information, see Enabling audit logs in the Amazon OpenSearch Service User Guide. |
Hs4Ma3G220 - Connections to OpenSearch domains should be encrypted using TLS 1.2. Corresponding AWS Security Hub check: Opensearch.8 | AWSManagedServices-EnableOpenSearchEndpointEncryptionTLS1.2: The TLS policy is set to `Policy-Min-TLS-1-2-2019-07` and only encrypted connections over HTTPS (TLS) are allowed. | No preconfigured parameters are allowed. | Connections to the OpenSearch domain are then required to use TLS 1.2. Encrypting data in transit can affect performance; test your applications with this setting to understand the performance profile and the impact of TLS. |
Hs4Ma3G194 - Amazon RDS snapshots should be private. Corresponding AWS Security Hub check: RDS.1 | AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2: Public access to the Amazon RDS snapshot is disabled. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G192 - RDS DB instances should prohibit public access, as determined by the PubliclyAccessible configuration. Corresponding AWS Security Hub check: RDS.2 | AWSManagedServices-TrustedRemediatorDisablePublicAccessOnRDSInstance: Public access on the RDS DB instance is disabled. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G189 - Enhanced monitoring should be configured for Amazon RDS DB instances. Corresponding AWS Security Hub check: RDS.6 | AWSManagedServices-TrustedRemediatorEnableRDSEnhancedMonitoring: Enhanced monitoring is enabled for the Amazon RDS DB instance. | | If enhanced monitoring was already enabled before the automation runs, the existing settings might be overwritten by this automation with the MonitoringInterval and MonitoringRoleName values configured in the preconfigured parameters. |
Hs4Ma3G190 - Amazon RDS clusters should have deletion protection enabled. Corresponding AWS Security Hub check: RDS.7 | AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection: Deletion protection is enabled for the Amazon RDS cluster. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G198 - Amazon RDS DB instances should have deletion protection enabled. Corresponding AWS Security Hub check: RDS.8 | AWSManagedServices-TrustedRemediatorEnableRDSDeletionProtection: Deletion protection is enabled for the Amazon RDS DB instance. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G199 - RDS DB instances should publish logs to CloudWatch Logs. Corresponding AWS Security Hub check: RDS.9 | AWSManagedServices-TrustedRemediatorEnableRDSLogExports: Log exports to CloudWatch Logs are enabled for the RDS DB instance or RDS DB cluster. | No preconfigured parameters are allowed. | The service-linked role AWSServiceRoleForRDS is required. |
Hs4Ma3G160 - IAM authentication should be configured for RDS instances. Corresponding AWS Security Hub check: RDS.10 | AWSManagedServices-UpdateRDSIAMDatabaseAuthentication: IAM database authentication is enabled for the RDS instance. | ApplyImmediately: Indicates whether the modifications in this request and any pending modifications are applied asynchronously as soon as possible, Choose | No constraints |
Hs4Ma3G161 - IAM authentication should be configured for RDS clusters. Corresponding AWS Security Hub check: RDS.12 | AWSManagedServices-UpdateRDSIAMDatabaseAuthentication: IAM database authentication is enabled for the RDS cluster. | ApplyImmediately: Indicates whether the modifications in this request and any pending modifications are applied asynchronously as soon as possible, Choose | No constraints |
Hs4Ma3G162 - RDS automatic minor version upgrades should be enabled. Corresponding AWS Security Hub check: RDS.13 | AWSManagedServices-UpdateRDSInstanceMinorVersionUpgrade: Automatic minor version upgrades are enabled for the Amazon RDS instance. | No preconfigured parameters are allowed. | The Amazon RDS instance must be in the |
Hs4Ma3G163 - RDS DB clusters should be configured to copy tags to snapshots. Corresponding AWS Security Hub check: RDS.16 | AWSManagedServices-UpdateRDSCopyTagsToSnapshots | No preconfigured parameters are allowed. | The Amazon RDS instance must be in the available state for this remediation to run. |
Hs4Ma3G164 - RDS DB instances should be configured to copy tags to snapshots. Corresponding AWS Security Hub check: RDS.17 | AWSManagedServices-UpdateRDSCopyTagsToSnapshots | No preconfigured parameters are allowed. | The Amazon RDS instance must be in the available state for this remediation to run. |
Amazon RDS Public Snapshots | AWSManagedServices-DisablePublicAccessOnRDSSnapshotV2: Public access to the Amazon RDS snapshot is disabled. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G103 - Amazon Redshift clusters should prohibit public access. Corresponding AWS Security Hub check: Redshift.1 | AWSManagedServices-DisablePublicAccessOnRedshiftCluster: Public access to the Amazon Redshift cluster is disabled. | No preconfigured parameters are allowed. | Disabling public access blocks all clients connecting from the internet. The Amazon Redshift cluster is in the modifying state for a few minutes while the remediation disables public access on the cluster. |
Hs4Ma3G106 - Amazon Redshift clusters should have audit logging enabled. Corresponding AWS Security Hub check: Redshift.4 | AWSManagedServices-TrustedRemediatorEnableRedshiftClusterAuditLogging: Audit logging is enabled for the Amazon Redshift cluster during the maintenance window. | No preconfigured parameters are allowed. | To enable auto remediation, the following preconfigured parameters must be provided. BucketName: The bucket must be in the same AWS Region. The cluster must have read bucket and put object permissions. If Redshift cluster logging was enabled before the automation runs, the logging settings might be overwritten by this automation with the |
Hs4Ma3G105 - Amazon Redshift should have automatic upgrades to major versions enabled. Corresponding AWS Security Hub check: Redshift.6 | AWSManagedServices-EnableRedshiftClusterVersionAutoUpgrade: Major version upgrades are applied automatically to the cluster during its maintenance window. There is no immediate downtime, but the Amazon Redshift cluster might have downtime during its maintenance window when it upgrades to a major version. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G104 - Amazon Redshift clusters should use enhanced VPC routing. Corresponding AWS Security Hub check: Redshift.7 | AWSManagedServices-TrustedRemediatorEnableRedshiftClusterEnhancedVPCRouting: Enhanced VPC routing is enabled for the Amazon Redshift cluster. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G173 - S3 Block Public Access setting should be enabled at the bucket level. Corresponding AWS Security Hub check: S3.8 | AWSManagedServices-TrustedRemediatorBlockS3BucketPublicAccess: Bucket-level public access blocks are applied to the Amazon S3 bucket. | No preconfigured parameters are allowed. | This remediation might affect S3 object availability. For information on how Amazon S3 evaluates access, see Blocking public access to your Amazon S3 storage. |
Hs4Ma3G230 - S3 bucket server access logging should be enabled. Corresponding AWS Security Hub check: S3.9 | AWSManagedServices-EnableBucketAccessLogging: Amazon S3 server access logging is enabled. | | To enable auto remediation, the following preconfigured parameters must be provided: If access logging was enabled before the automation runs, the settings might be overwritten by this automation with the |
Amazon S3 Bucket Permissions | AWSManagedServices-TrustedRemediatorBlockS3BucketPublicAccess: Block public access is applied to the bucket. | No preconfigured parameters are allowed. | This check consists of multiple alert criteria. This automation remediates public access issues only; remediation for other configuration issues flagged by Trusted Advisor isn't supported. This remediation does support remediating AWS service created S3 buckets (for example, cf-templates-000000000000). |
Hs4Ma3G272 - Users should not have root access to SageMaker notebook instances. Corresponding AWS Security Hub check: SageMaker.3 | AWSManagedServices-TrustedRemediatorDisableSageMakerNotebookInstanceRootAccess: Root access for users is disabled on the SageMaker notebook instance. | No preconfigured parameters are allowed. | This remediation causes an outage if the SageMaker notebook instance is in the InService state. |
Hs4Ma3G179 - SNS topics should be encrypted at rest using AWS KMS. Corresponding AWS Security Hub check: SNS.1 | AWSManagedServices-EnableSNSEncryptionAtRest: The SNS topic is configured with server-side encryption. | KmsKeyId: The ID of the AWS managed KMS key for Amazon SNS or of a customer managed KMS key to use for server-side encryption (SSE). The default is alias/aws/sns. | If a customer managed AWS KMS key is used, its key policy must grant the required permissions. For more information, see Enabling server-side encryption (SSE) for an Amazon SNS topic. |
Hs4Ma3G158 - SSM documents should not be public. Corresponding AWS Security Hub check: SSM.4 | AWSManagedServices-TrustedRemediatorDisableSSMDocPublicSharing: Disables public sharing of the SSM document. | No preconfigured parameters are allowed. | No constraints |
Hs4Ma3G136 - Amazon SQS queues should be encrypted at rest. Corresponding AWS Security Hub check: SQS.1 | AWSManagedServices-EnableSQSEncryptionAtRest: Messages in the Amazon SQS queue are encrypted at rest. | | Anonymous SendMessage and ReceiveMessage requests to the encrypted queue are rejected. All requests to queues with SSE enabled must use HTTPS and Signature Version 4. |
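Two rows above depend on a correctly formed Amazon ECR lifecycle policy: the cost-optimization row Amazon ECR Repository Without Lifecycle Policy Configured (ImageAgeLimit parameter) and the ECR.3 row (LifecyclePolicyText parameter). The following Python is an added example, not AMS code: it builds a policy of the kind the ImageAgeLimit parameter describes (the exact policy the AMS document writes is not shown on this page, so that shape is an assumption) and checks a LifecyclePolicyText value against the ECR lifecycle policy syntax before you store it as a preconfigured parameter, so a malformed policy fails at review time rather than during auto remediation. The function names and sample policies are the example's own.

```python
"""ECR lifecycle policy helpers for the two lifecycle-policy remediations.

Added example (not AMS code). image_age_policy() produces an "expire any
image older than N days" policy for an ImageAgeLimit value;
lifecycle_policy_errors() validates a LifecyclePolicyText string against the
ECR lifecycle policy syntax (rulePriority, selection, action) offline.
"""
import json

VALID_TAG_STATUS = {"any", "tagged", "untagged"}
VALID_COUNT_TYPE = {"imageCountMoreThan", "sinceImagePushed"}


def _positive_int(value) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and value >= 1


def image_age_policy(image_age_limit: int) -> str:
    """Return policy JSON that expires any image pushed more than N days ago.

    Enforces the documented ImageAgeLimit range (1-365). The policy shape is
    this example's assumption of what the AMS document writes.
    """
    if not _positive_int(image_age_limit) or image_age_limit > 365:
        raise ValueError("ImageAgeLimit must be an integer between 1 and 365")
    policy = {"rules": [{
        "rulePriority": 1,
        "description": f"Expire any image older than {image_age_limit} days",
        "selection": {
            "tagStatus": "any",
            "countType": "sinceImagePushed",
            "countUnit": "days",
            "countNumber": image_age_limit,
        },
        "action": {"type": "expire"},
    }]}
    return json.dumps(policy)


def lifecycle_policy_errors(policy_text: str) -> list:
    """Return a list of problems in a LifecyclePolicyText value ([] if valid)."""
    errors = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    rules = policy.get("rules") if isinstance(policy, dict) else None
    if not isinstance(rules, list) or not rules:
        return ["policy must be an object with a non-empty 'rules' list"]

    seen_priorities = set()
    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        if not isinstance(rule, dict):
            errors.append(f"{where}: rule must be an object")
            continue
        prio = rule.get("rulePriority")
        if not _positive_int(prio):
            errors.append(f"{where}: rulePriority must be a positive integer")
        elif prio in seen_priorities:
            errors.append(f"{where}: duplicate rulePriority {prio}")
        else:
            seen_priorities.add(prio)
        sel = rule.get("selection")
        if not isinstance(sel, dict):
            errors.append(f"{where}: missing 'selection' object")
            sel = {}
        tag_status = sel.get("tagStatus")
        if tag_status not in VALID_TAG_STATUS:
            errors.append(f"{where}: tagStatus must be one of {sorted(VALID_TAG_STATUS)}")
        if tag_status == "tagged" and not (sel.get("tagPrefixList") or sel.get("tagPatternList")):
            errors.append(f"{where}: tagged rules need tagPrefixList or tagPatternList")
        count_type = sel.get("countType")
        if count_type not in VALID_COUNT_TYPE:
            errors.append(f"{where}: countType must be one of {sorted(VALID_COUNT_TYPE)}")
        if count_type == "sinceImagePushed" and sel.get("countUnit") != "days":
            errors.append(f"{where}: sinceImagePushed requires countUnit 'days'")
        if count_type == "imageCountMoreThan" and "countUnit" in sel:
            errors.append(f"{where}: imageCountMoreThan must not set countUnit")
        if not _positive_int(sel.get("countNumber")):
            errors.append(f"{where}: countNumber must be a positive integer")
        action = rule.get("action")
        if not isinstance(action, dict) or action.get("type") != "expire":
            errors.append(f"{where}: action.type must be 'expire'")

    # ECR evaluates a tagStatus 'any' rule last, so it must carry the highest priority.
    if seen_priorities:
        highest = max(seen_priorities)
        for i, rule in enumerate(rules):
            sel = rule.get("selection") if isinstance(rule, dict) else None
            if isinstance(sel, dict) and sel.get("tagStatus") == "any" \
                    and rule.get("rulePriority") in seen_priorities \
                    and rule["rulePriority"] != highest:
                errors.append(f"rules[{i}]: a tagStatus 'any' rule must have the highest rulePriority")
    return errors


# Constructed sample inputs (not policies taken from any real repository).
SAMPLE_BAD_POLICY = json.dumps({"rules": [
    {"rulePriority": 1, "action": {"type": "expire"},
     "selection": {"tagStatus": "tagged", "countType": "imageCountMoreThan",
                   "countUnit": "days", "countNumber": 10}},
    {"rulePriority": 1, "action": {"type": "expire"},
     "selection": {"tagStatus": "any", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 0}},
]})
SAMPLE_ANY_NOT_LAST = json.dumps({"rules": [
    {"rulePriority": 1, "action": {"type": "expire"},
     "selection": {"tagStatus": "any", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 30}},
    {"rulePriority": 2, "action": {"type": "expire"},
     "selection": {"tagStatus": "untagged", "countType": "imageCountMoreThan",
                   "countNumber": 5}},
]})

if __name__ == "__main__":
    print(image_age_policy(30))
    for problem in lifecycle_policy_errors(SAMPLE_BAD_POLICY):
        print("bad policy:", problem)
```

Run the validator over any LifecyclePolicyText value before saving it as a preconfigured parameter; an empty list means the policy is structurally valid, and each error names the rule index it applies to.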
Trusted Advisor fault tolerance checks supported by Trusted Remediator
Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints |
---|---|---|---|
Amazon DynamoDB Point-in-time Recovery | AWSManagedServices-TrustedRemediatorEnableDDBPITR: Enables point-in-time recovery for the DynamoDB table. | No preconfigured parameters are allowed. | No constraints |
Amazon S3 Bucket Versioning | AWSManagedServices-TrustedRemediatorEnableBucketVersioning: Amazon S3 bucket versioning is enabled. | No preconfigured parameters are allowed. | This remediation doesn't support AWS service created S3 buckets (for example, cf-templates-000000000000). |
Amazon S3 Bucket Logging | AWSManagedServices-EnableBucketAccessLogging: Amazon S3 bucket logging is enabled. | | To enable auto remediation, the following preconfigured parameters must be provided: If access logging was enabled before the automation runs, the settings might be overwritten by this automation with the TargetBucket and TargetPrefix values configured in the preconfigured parameters. |
Amazon RDS Multi-AZ | AWSManagedServices-TrustedRemediatorEnableRDSMultiAZ: Multi-Availability Zone deployment is enabled. | No preconfigured parameters are allowed. | Performance might degrade while this change is applied. |
Amazon EBS Snapshots | AWSManagedServices-TrustedRemediatorCreateEBSSnapshot: Amazon EBS snapshots are created. | No preconfigured parameters are allowed. | No constraints |
RDS Backups | AWSManagedServices-EnableRDSBackupRetention: Amazon RDS backup retention is enabled for the DB. | | If the |
Amazon RDS DB instances have storage autoscaling turned off | AWSManagedServices-TrustedRemediatorEnableRDSInstanceStorageAutoScaling: Storage autoscaling is enabled for the Amazon RDS DB instance. | | No constraints |
Classic Load Balancer Connection Draining | AWSManagedServices-TrustedRemediatorEnableCLBConnectionDraining: Connection draining is enabled for the Classic Load Balancer. | ConnectionDrainingTimeout: The maximum time, in seconds, to keep existing connections open before deregistering the instances. Default is set to | No constraints |
Amazon EBS Not Included in AWS Backup Plan | AWSManagedServices-TrustedRemediatorAddVolumeToBackupPlan: The Amazon EBS volume is included in an AWS Backup plan. | The remediation tags the Amazon EBS volume with the following tag pair. The tag pair must match the tag-based resource selection criteria of the AWS Backup plan. | No constraints |
Amazon DynamoDB Table Not Included in AWS Backup Plan | AWSManagedServices-TrustedRemediatorAddDynamoDBToBackupPlan: The Amazon DynamoDB table is included in an AWS Backup plan. | The remediation tags the Amazon DynamoDB table with the following tag pair. The tag pair must match the tag-based resource selection criteria of the AWS Backup plan. | No constraints |
Amazon EFS Not Included in AWS Backup Plan | AWSManagedServices-TrustedRemediatorAddEFSToBackupPlan: The Amazon EFS file system is included in an AWS Backup plan. | The remediation tags the Amazon EFS file system with the following tag pair. The tag pair must match the tag-based resource selection criteria of the AWS Backup plan. | No constraints |
Network Load Balancers Cross Load Balancing | AWSManagedServices-TrustedRemediatorEnableNLBCrossZoneLoadBalancing: Cross-zone load balancing is enabled on the Network Load Balancer. | No preconfigured parameters are allowed. | No constraints |
Amazon RDS | AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter: Parameter | No preconfigured parameters are allowed. | No constraints |
Amazon RDS | AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter: Parameter | No preconfigured parameters are allowed. | No constraints |
Amazon RDS | AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter: Parameter | No preconfigured parameters are allowed. | No constraints |
Amazon RDS | AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter: Parameter | No preconfigured parameters are allowed. | No constraints |
Amazon EC2 Detailed Monitoring Not Enabled | AWSManagedServices-TrustedRemediatorEnableEC2InstanceDetailedMonitoring: Detailed monitoring is enabled for the Amazon EC2 instance. | No preconfigured parameters are allowed. | No constraints |
Trusted Advisor performance checks supported by Trusted Remediator
Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints |
---|---|---|---|
AWS Lambda under-provisioned functions for memory size |
AWSManagedServices-ResizeLambdaMemory Lambda functionss memory size are resized to the recommended memory size provided by Trusted Advisor. |
RecommendedMemorySize: The recommended memory allocation for the Lambda function. Value range is between 128 and 10240. |
If Lambda function size is modified before the automation execution, then this automation might overwrite the settings with the value recommended by Trusted Advisor. |
High Utilization Amazon EC2 Instances |
AWSManagedServices-ResizeInstanceByOneLevel Amazon EC2 instances are resized by one instance type up in the same instance family type. The instances are stopped and started during the resize operation and returned to the initial state after the execution is complete. This automation doesn't support resizing instances that are in an Auto Scaling Group. |
|
No constraints |
Amazon RDS |
AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter The value of |
No preconfigured parameters are allowed. |
No constraints |
Amazon RDS |
AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter Parameter |
No preconfigured parameters are allowed. |
No constraints |
Amazon RDS |
AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter Parameter |
No preconfigured parameters are allowed. |
No constraints |
Amazon RDS |
AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter Parameter |
No preconfigured parameters are allowed. |
No constraints |
Amazon RDS |
AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter Parameter |
No preconfigured parameters are allowed. |
No constraints |
Amazon RDS |
AWSManagedServices-TrustedRemediatorRemediateRDSParameterGroupParameter Parameter |
No preconfigured parameters are allowed. |
No constraints |
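The two constraints in the performance table (a Lambda function changed after the recommendation was computed, and an EC2 instance that belongs to an Auto Scaling group) are easy to pre-check before letting either automation run. The following is an added example, not Trusted Remediator's own code or the contents of either SSM document. It makes no AWS calls; it takes the values an operator would fetch with boto3 (GetFunctionConfiguration for Lambda, DescribeInstances for EC2) and returns a decision. Assumptions that are not on the page: the operator records the memory size Trusted Advisor observed when it produced the recommendation (`observed_mb`), `SIZE_LADDER` is a generic ordering of instance sizes, and `available_types` is the set of instance types the family actually offers in the Region.

```python
"""Pre-flight guards for the two performance remediations in the table above.

Added example, not Trusted Remediator's own code. Runs offline on values the
operator would fetch with boto3. Hypothetical names: observed_mb, SIZE_LADDER,
available_types (none of them come from the page).
"""
import re
from dataclasses import dataclass
from typing import Optional, Set

LAMBDA_MIN_MB, LAMBDA_MAX_MB = 128, 10240      # RecommendedMemorySize range per the table
ASG_TAG = "aws:autoscaling:groupName"           # EC2 adds this tag to Auto Scaling instances
SIZE_LADDER = ["nano", "micro", "small", "medium", "large", "xlarge", "2xlarge",
               "4xlarge", "8xlarge", "12xlarge", "16xlarge", "24xlarge"]  # assumed ordering
_TYPE_RE = re.compile(r"^(?P<family>[a-z0-9-]+)\.(?P<size>[a-z0-9]+)$")


@dataclass(frozen=True)
class Plan:
    action: str                 # "apply" or a "skip_*" reason code
    target: Optional[object]    # new memory size (int) or instance type (str) when applying
    reason: str


def plan_lambda_resize(current_mb: int, observed_mb: int, recommended_mb: int) -> Plan:
    """Guard for AWSManagedServices-ResizeLambdaMemory.

    Refuses when the function changed after the recommendation was computed,
    which is the overwrite risk the table's constraint column warns about.
    """
    if not LAMBDA_MIN_MB <= recommended_mb <= LAMBDA_MAX_MB:
        return Plan("skip_invalid", None,
                    f"{recommended_mb} MB outside {LAMBDA_MIN_MB}-{LAMBDA_MAX_MB}")
    if current_mb != observed_mb:
        return Plan("skip_drift", None,
                    f"function now {current_mb} MB, recommendation computed at {observed_mb} MB")
    if current_mb >= recommended_mb:
        return Plan("skip_noop", None, "already at or above the recommended size")
    return Plan("apply", recommended_mb, "no change since the check; safe to apply")


def next_size_up(instance_type: str, available_types: Set[str]) -> Optional[str]:
    """Return the next larger size in the same family, skipping sizes the family lacks."""
    m = _TYPE_RE.match(instance_type)
    if not m or m["size"] not in SIZE_LADDER:       # e.g. *.metal has no 'one level up'
        return None
    for size in SIZE_LADDER[SIZE_LADDER.index(m["size"]) + 1:]:
        candidate = f"{m['family']}.{size}"
        if candidate in available_types:
            return candidate
    return None                                        # already the largest size offered


def plan_ec2_resize(instance: dict, available_types: Set[str]) -> Plan:
    """Guard for AWSManagedServices-ResizeInstanceByOneLevel.

    'instance' is one element of a DescribeInstances 'Instances' list;
    only InstanceType and Tags are read.
    """
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    if ASG_TAG in tags:
        return Plan("skip_asg", None,
                    f"member of Auto Scaling group {tags[ASG_TAG]}; not supported")
    target = next_size_up(instance["InstanceType"], available_types)
    if target is None:
        return Plan("skip_no_larger", None,
                    f"no larger size than {instance['InstanceType']} in this family")
    return Plan("apply", target,
                f"{instance['InstanceType']} -> {target}; instance is stopped and restarted")


if __name__ == "__main__":
    # Constructed sample input, not real account data.
    offered = {"m5.large", "m5.xlarge", "m5.2xlarge", "c5.large", "c5.xlarge"}
    print(plan_lambda_resize(512, 512, 1024))
    print(plan_lambda_resize(1024, 512, 1024))   # drifted: changed after the check ran
    print(plan_ec2_resize({"InstanceType": "m5.large", "Tags": []}, offered))
    print(plan_ec2_resize({"InstanceType": "c5.large",
                           "Tags": [{"Key": ASG_TAG, "Value": "web-asg"}]}, offered))
```

The drift check is the important one: the automation itself only knows the `RecommendedMemorySize` parameter, so the only way to avoid clobbering a deliberate change made after the check ran is to compare the live configuration with what the check saw before invoking the document.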
Trusted Advisor service limits checks supported by Trusted Remediator
Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints |
---|---|---|---|
EC2-VPC Elastic IP Address |
AWSManagedServices-UpdateVpcElasticIPQuota A new limit for EC2-VPC elastic IP addresses is requested. By default, the limit is increased by 3. |
Increment: The number to increase the current quota. The default is |
If this automation is run multiple times before the Trusted Advisor check is updated with the |
VPC Internet Gateways |
AWSManagedServices-IncreaseServiceQuota A new limit for VPC internet gateways is requested. By default, the limit is increased by 3. |
Increment: The number to increase the current quota. The default is |
If this automation is run multiple times before the Trusted Advisor check is updated with the |
VPC |
AWSManagedServices-IncreaseServiceQuota A new limit for VPC is requested. By default, the limit is increased by 3. |
Increment: The number to increase the current quota. The default is |
If this automation is run multiple times before the Trusted Advisor check is updated with the |
Auto Scaling Groups |
AWSManagedServices-IncreaseServiceQuota A new limit for Auto Scaling Groups is requested. By default, the limit is increased by 3. |
Increment: The number to increase the current quota. The default is |
If this automation is run multiple times before the Trusted Advisor check is updated with the |
RDS Option Groups |
AWSManagedServices-IncreaseServiceQuota A new limit for Amazon RDS option groups is requested. By default, the limit is increased by 3. |
Increment: The number to increase the current quota. The default is |
If this automation is run multiple times before the Trusted Advisor check is updated with the |
ELB Application Load Balancers |
AWSManagedServices-IncreaseServiceQuota A new limit for ELB Application Load Balancers is requested. By default, the limit is increased by 3. |
Increment: The number to increase the current quota. The default is |
If this automation is run multiple times before the Trusted Advisor check is updated with the |
ELB Network Load Balancers |
AWSManagedServices-IncreaseServiceQuota A new limit for ELB Network Load Balancers is requested. By default, the limit is increased by 3. |
Increment: The number to increase the current quota. The default is |
If this automation is run multiple times before the Trusted Advisor check is updated with the |
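Every row in the service limits table carries the same constraint: running the automation again before the Trusted Advisor check reflects the new limit can stack quota requests. The following is an added example, not Trusted Remediator's own code or the contents of AWSManagedServices-IncreaseServiceQuota. It decides from live Service Quotas data, rather than from the Trusted Advisor check value, whether a new request should be opened. `history` has the shape of the `RequestedQuotas` entries returned by ListRequestedServiceQuotaChangeHistoryByQuota; the sample in the block is constructed, and its quota code `L-XXXXXXXX` is a placeholder rather than a real identifier.

```python
"""Idempotency guard for the service-limit remediations in the table above.

Added example, not Trusted Remediator's own code. 'history' mirrors the
Service Quotas RequestedQuotas shape; sample data below is constructed and
'L-XXXXXXXX' is a placeholder quota code.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_INCREMENT = 3                              # the table's default Increment
OPEN_STATUSES = {"PENDING", "CASE_OPENED"}         # a request that is still being worked


@dataclass(frozen=True)
class QuotaPlan:
    action: str                      # "request", "skip_in_flight" or "skip_already_raised"
    desired_value: Optional[float]
    reason: str


def plan_quota_increase(current_value: float,
                        history: List[dict],
                        ta_reported_limit: Optional[float] = None,
                        increment: int = DEFAULT_INCREMENT) -> QuotaPlan:
    """Decide whether to open a new quota increase request.

    current_value:      'Value' from GetServiceQuota, i.e. the live limit.
    history:            prior requests for this quota (Status, DesiredValue).
    ta_reported_limit:  the limit the Trusted Advisor check row still shows, if known.
    """
    in_flight = [r for r in history if r.get("Status") in OPEN_STATUSES]
    if in_flight:
        return QuotaPlan("skip_in_flight", None,
                         f"request for {in_flight[0]['DesiredValue']} is {in_flight[0]['Status']}")
    if ta_reported_limit is not None and current_value > ta_reported_limit:
        # An earlier increase was already applied; the check has not refreshed yet.
        # Wait for it to refresh rather than acting on a stale finding again.
        return QuotaPlan("skip_already_raised", None,
                         f"live quota {current_value} exceeds the {ta_reported_limit} the check reports")
    desired = current_value + increment
    return QuotaPlan("request", desired, f"raise from {current_value} to {desired}")


if __name__ == "__main__":
    # Constructed sample: one request is still open, so a second must not be filed.
    history = [{"QuotaCode": "L-XXXXXXXX", "Status": "CASE_OPENED", "DesiredValue": 8.0}]
    print(plan_quota_increase(5.0, history))
    print(plan_quota_increase(5.0, []))                       # nothing pending: request 8
    print(plan_quota_increase(8.0, [], ta_reported_limit=5.0))  # already raised, check stale
```

The second guard is what the constraint column is really about: once an increase is approved, the live quota moves but the check row may still show the old limit, so comparing against the live value rather than the check's value is what keeps the automation from requesting the same increase twice.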
Trusted Advisor operational excellence checks supported by Trusted Remediator
Check ID and name | SSM document name and expected outcome | Supported preconfigured parameters | Constraints |
---|---|---|---|
Amazon API Gateway Not Logging Execution Logs |
AWSManagedServices-TrustedRemediatorEnableAPIGateWayExecutionLogging Execution logging is enabled on the API stage. |
No preconfigured parameters are allowed. |
To enable execution logging, you must first grant API Gateway permission to read and write logs to CloudWatch for your account. For details, see Set up CloudWatch logging for REST APIs in API Gateway. |
Elastic Load Balancing Deletion Protection Not Enabled for Load Balancers |
AWSManagedServices-TrustedRemediatorEnableELBDeletionProtection Deletion protection is turned on for the Elastic Load Balancer. |
No preconfigured parameters are allowed. |
No constraints |
Amazon RDS Performance Insights is turned off |
AWSManagedServices-TrustedRemediatorEnableRDSPerformanceInsights Performance Insights is turned on for the Amazon RDS DB instance. |
|
No constraints |
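The API Gateway row is the one in the operational excellence table with a prerequisite the automation cannot satisfy on its own: execution logging fails until the account-level CloudWatch Logs role is set. The following is an added example, not Trusted Remediator's own code or the contents of the SSM document. It checks that prerequisite against a GetAccount response and a GetStage response, then builds the UpdateStage patch that turns execution logging on for every method of the stage. Both sample responses are constructed, the role ARN in them is a placeholder, and the assumption that stage-wide method settings are keyed `*/*` in `methodSettings` is mine rather than something the page states.

```python
"""Pre-flight for enabling API Gateway execution logging on a REST API stage.

Added example, not Trusted Remediator's own code. 'account' mirrors a
GetAccount response and 'stage' a GetStage response; samples are constructed
and the role ARN is a placeholder. The '*/*' methodSettings key is assumed.
"""
from typing import Dict, List

VALID_LEVELS = ("ERROR", "INFO")   # execution log levels; OFF disables logging


def execution_logging_preflight(account: dict, stage: dict) -> List[str]:
    """Return reasons enabling logging would fail or be a no-op (empty list = go)."""
    problems = []
    if not account.get("cloudwatchRoleArn"):
        # The constraint column: API Gateway needs this account-level role first.
        problems.append("account has no cloudwatchRoleArn; set it with UpdateAccount first")
    default_settings = stage.get("methodSettings", {}).get("*/*", {})
    current = default_settings.get("loggingLevel", "OFF")
    if current in VALID_LEVELS:
        problems.append(f"stage already logs at {current}")
    return problems


def build_patch_operations(level: str = "ERROR") -> List[Dict[str, str]]:
    """UpdateStage patchOperations that turn on execution logging for every method."""
    if level not in VALID_LEVELS:
        raise ValueError(f"level must be one of {VALID_LEVELS}")
    return [{"op": "replace", "path": "/*/*/logging/loglevel", "value": level}]


if __name__ == "__main__":
    # Constructed samples: one account with the role, one without; one stage off.
    account_ok = {"cloudwatchRoleArn": "arn:aws:iam::123456789012:role/placeholder-apigw-logs"}
    stage_off = {"stageName": "prod", "methodSettings": {}}
    print(execution_logging_preflight({}, stage_off))          # missing role
    print(execution_logging_preflight(account_ok, stage_off))  # [] -> safe to patch
    print(build_patch_operations("ERROR"))
```

Run the preflight before invoking the document: an empty list means the remediation will take effect, while a missing `cloudwatchRoleArn` means the automation will fail and the finding will remain open until the role is configured.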