Amazon AWS DevOps Engineer Professional – Policies and Standards Automation (Domain 4) Part 8
August 25, 2023

21. Trusted Advisor – Overview

So now let’s talk about Trusted Advisor. Trusted Advisor for us is going to be a central service for automating the service limit notifications in case you do reach them, and for automating some security events as well. So when you go into your account and you go to Trusted Advisor, the first time you visit it is going to refresh itself, and you can also manually refresh it by clicking on this button. But you can only click on this button once every five minutes. So there’s a refresh rate, and you can only refresh at most once every five minutes. But the first time you go to Trusted Advisor, it’s going to refresh everything for you. So Trusted Advisor is going to have recommendations for your account in five categories.

They are cost optimization, performance, security, fault tolerance and service limits. And Trusted Advisor has two tiers. There is the free tier, and if you buy into AWS Support, then there is the second tier of Trusted Advisor which has more recommendations for you. So, as we can see in the dashboard right now on security, there are four things that are going well, one thing that I should pay attention to, and one thing where action is recommended. So if we look in the dashboard here, we can see that I don’t have MFA on my root account and that is a red flag. So it does recommend for me to enable MFA, and for my security groups,

some ports allow unrestricted access, and so that could be a risk if it is, for example, port 22 and so on. And so it’s important for me also to look at these things all together. But while we’re at it, let’s look into each category. So cost optimization is something that needs you to upgrade your support plan to unlock all the recommendations, but you can still see all the optimization checks that exist. For example, low utilization Amazon EC2 instances, idle load balancers, underutilized Amazon EBS volumes and so on. All these things could be items that you can get notifications on and recommendations about around your cost optimization.

So one thing we’ll see is that we can automate some Trusted Advisor notifications with other services, for example CloudWatch Events. And so, for example, if we had the low utilization Amazon EC2 instances check, we could take an action and maybe terminate them or snapshot them or whatever. So that could be something we could do. Now in performance again, we need to upgrade the support plan to unlock all the recommendations, but high utilization EC2 instances could indicate a problem. A large number of rules in an EC2 security group could also be a problem, and so on. Then you can look at all the different items for security.

Thankfully a few are available on the free support plan. And so MFA on root account, security groups with unrestricted ports, EBS snapshots and so on. But then with the higher support plan, you get more information around IAM password policy, RDS security group access risk and so on. And at the very bottom I want to draw your attention to the last one, which is exposed access keys, which checks popular code repositories to see if your access keys have been exposed, and then you could get a notification for it. So this is something similar to what the AWS Health feature would do, and we’ll see in the next lecture how we can automate on it as well.

Okay, then fault tolerance, which shows you how fault tolerant you are. So it checks the age of your snapshots and your EBS volumes. It recommends you take snapshots very often to have backups just in case things go wrong, load balancer optimizations and so on. And there’s a lot of those for high availability and fault tolerance. And then finally service limits, which is super important. And this is something that’s free, which is checking the usage of your service limits and getting a notification whenever things reach more than 80% of your limits.

And therefore you could maybe automate something such as, if a limit reaches 80%, then send yourself an email or something like this, again using CloudWatch Events rules. So all of these things are descriptive, but you can look at Auto Scaling groups, CloudFormation stacks, DynamoDB write capacity, EC2 instances and so on. And then finally for preferences, here we have the option to disable Trusted Advisor, and that would be something that you probably don’t want to do, but you can still do it. Trusted Advisor does have a service-linked role, so there is an IAM role linked to Trusted Advisor, and you have the option to get weekly email notifications.

And it’s important to remember, you can only get them weekly, and you can get them for the billing contact, who gets the billing related notifications, the operations contact for operation related notifications, and finally the security contact for all the security related notifications, and you can save the email preferences in here. So this is all very easy and very nice. So at a high level, Trusted Advisor is something that allows you to optimize your account and make sure you are running safely, apply some recommended best practices and so on. But then from a DevOps perspective, we’ll see in the next lecture how we can optimize and automate a few things using Trusted Advisor. So hope you like it and I will see you in the next lecture.

22. Trusted Advisor – Automations

So as we know, the DevOps exam is all about automation. So let’s look into a few kinds of automation you can do with Trusted Advisor. And the first one is obviously going to be to integrate with CloudWatch Events. And so CloudWatch Events will emit some events whenever some Trusted Advisor check results appear. And that means that whenever a check is done, you could send a message to Lambda functions, Kinesis streams, SQS queues, built-in targets and so on. And some of the use cases are to use a Lambda function to pass the notification to Slack whenever a check status changes, or push it out to a Kinesis stream to support comprehensive and real time status monitoring.

So let’s look at it, let’s go into CloudWatch again. And we’ve been going to CloudWatch Events quite a bit already, so I think you now realize the importance of CloudWatch Events. So we can create a rule, and that rule is going to be for Trusted Advisor. And as you can see here, no results are found. And the reason is that, if you go back to Trusted Advisor, it is a global service, and so the region you have to be in to create a rule for Trusted Advisor is going to be us-east-1 (Northern Virginia). So back into event rules, then I can find Trusted Advisor and now I can create my event rule for this.

So you can match all event types, or you can match the check item refresh status, and then you can have a specific status such as error, info, warning or OK, and then you can have specific checks and so on. So let’s do any status, and then we can have specific checks. Although right now it doesn’t really work because you need a premium subscription to have this on. And you can also specify the type of resources you want. And so out of this, whenever we have a check item refresh status event we could have a Lambda function, and that Lambda function could be sending a notification to Slack for example, and that would represent the use case that was defined right here.

So that gives you an idea how CloudWatch Events can be used with Trusted Advisor to automate some notifications, so that you receive the notifications of your Trusted Advisor dashboard and you don’t have to go and visit it every so often to see if anything has changed. There are some really, really cool examples that I like in this repository called Trusted Advisor Tools, and it contains a bunch of use cases around Trusted Advisor that you can use. For example, stop Amazon EC2 instances with low utilization, create snapshots for EBS volumes with no recent backups, delete exposed IAM keys and monitor usage, or enable S3 bucket versioning.

And so this one, for example, is to stop Amazon EC2 instances with low utilization. So we can see here how Trusted Advisor will highlight low utilization EC2 instances. And that is something we get out of cost optimization: this one, Low Utilization Amazon EC2 Instances. And so if we go here, we can see that whenever such a thing happens, a CloudWatch Events rule will be triggered. So that would be the rule right here, and then there would be a Lambda function that would be the target of this CloudWatch event. And the Lambda function would stop the low utilization EC2 instances, and your EC2 instances would be stopped. So that would definitely be a good workflow.

For example, if your EC2 instance does nothing and is sitting at 0% utilization, that could be a nice way to automate cost savings. And if someone actually needs that EC2 instance, they would turn it back on. So that’s one good use case. Then there is high utilization EC2 instances. So again, this would be to resize your instance type automatically based on its utilization. So this is a bit more advanced, but I really like this flow as well. So let’s have a look. We have our EC2 instances and we look at the performance in Trusted Advisor, and it’s either low utilization or high utilization.

If you go to performance, there is High Utilization Amazon EC2 Instances, okay? And so in here we’re saying okay, if it’s high utilization, maybe the instance is actually running at its peak and you want to add more capacity, or if it’s low utilization, maybe we need to decrease its capacity, so that we have the right instance type and then we pay the right amount. So this CloudWatch event would trigger a Lambda function, and it would look at the instance type, figure out which type to resize to, and then start the automation execution. And then we would start an SSM Automation document. So this is a nice way to look at SSM. And in SSM we have an approval step.

So there is definitely a way to ask people for a manual approval in SSM Automation before anything happens. The approval step would go straight into SNS, from which we can approve it. So this is a similar flow to CodePipeline, but this time it is in SSM. And then once we approve it, the resize would happen and the instance would be resized in here. And then automatically, obviously, Trusted Advisor over time will again monitor the performance of these EC2 instances and we do the loop all over again. So we get a nice way to do automated instance type resizing using, for example, Trusted Advisor, CloudWatch Events, Lambda, SSM, SNS and your EC2 instances. So I think this is a nice use case.

And finally, we’ve seen how to do this with the Health Dashboard, but there’s a way to do it with Trusted Advisor as well. This is to delete keys that are exposed in public repositories. So, for example, the flow is that an IAM key is publicly exposed, Trusted Advisor sees it, and that comes directly from the security tab, at the very bottom, exposed access keys. So Trusted Advisor sees it, a CloudWatch event is emitted to a Step Functions state machine, and that state machine will do the exact same thing it did before: delete the IAM key, look at the CloudTrail events to see if the key was used and how recently, and then finally go to SNS to notify us. And if you wanted to play around with this, you could click on Launch Stack and this would go ahead and launch the stack for you.

So I’m just going to show you what it does in a second so we can look at the CloudWatch event. So we have a real world example of how we can use CloudWatch Events with Trusted Advisor that I really like. So I’m going to create the stack and get back to you. Okay, so my stack is fully created and it’s the same as before, but the only thing I want to really show you is the rule that we’ll have in CloudWatch Events for the exposed credentials. So if you go to CloudWatch Events, here it is. So the event is the Trusted Advisor Check Item Refresh Notification, with source Trusted Advisor, the check name is Exposed Access Keys, which is the exact check name as here, and then finally the status should be error.
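The rule just described, written out as an event pattern together with a small Lambda-style handler, as an added example that is not code from the course or from the Trusted Advisor Tools repository. The `matches` function is a minimal stand-in for the matching CloudWatch Events does, so the pattern can be tested offline; the sample event is constructed, with placeholder key id and repository values, and only the `Location` field of `check-item-detail` is assumed.

```python
EXPOSED_KEYS_PATTERN = {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    "detail": {"check-name": ["Exposed Access Keys"], "status": ["ERROR"]},
}

def matches(pattern, event):
    """Subset of CloudWatch Events matching: every pattern key must exist in
    the event; a leaf list means 'any one of these exact values'."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True

def build_notification(event):
    """Shape a matching event into the message a Slack or SNS target gets."""
    detail = event["detail"]
    item = detail.get("check-item-detail", {})
    return {
        "check": detail["check-name"],
        "status": detail["status"],
        "resource": detail.get("resource_id"),
        "time": event.get("time"),
        "summary": (f'{detail["check-name"]} is {detail["status"]} for '
                    f'{detail.get("resource_id")} at {item.get("Location", "n/a")}'),
    }

def handler(event, context=None):
    """Lambda entry point: drop anything the rule should not have forwarded."""
    if not matches(EXPOSED_KEYS_PATTERN, event):
        return None
    return build_notification(event)

# Constructed sample event (placeholder key id and repository, not real values).
SAMPLE_EVENT = {
    "source": "aws.trustedadvisor",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "time": "2023-08-25T10:00:00Z",
    "region": "us-east-1",
    "detail": {
        "check-name": "Exposed Access Keys",
        "status": "ERROR",
        "resource_id": "AKIAEXAMPLEPLACEHOLDER",
        "check-item-detail": {"Location": "https://example.invalid/repo"},
    },
}
```

In the real rule the same JSON pattern goes into the rule definition and the Step Functions state machine (or a Lambda like `handler`) is the target; the rule has to live in us-east-1 because Trusted Advisor is global.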

And in this case it will invoke the state machine. And the state machine is the same as before. It’s the state machine that was deleting stuff from IAM and so on. So I just launched this CloudFormation stack just to show you how things worked. But it’s the exact same stack in idea as the one we had when we launched it in the Health Dashboard. So let me delete the stack now. And the last thing I want to show you for automation with Trusted Advisor is that you can have integration with CloudWatch alarms for tracking the service limits. So the trick here is that if you are paying for a business subscription, so Business and Enterprise Support customers can view the Trusted Advisor CloudWatch metrics for free within CloudWatch.

So if you are paying for this support level, then within your metrics you would be able to see your Trusted Advisor metrics in here, and they would represent the value of your service limits. So if you go to service limits in here, you would get a graph for this service limit, and on top of the service limit you would be able to create a CloudWatch alarm that would alert you whenever that service limit reaches some kind of level that you wanted to know about. And so that would be it. So that’s it for all the automations that you can create on top of Trusted Advisor, I hope that makes sense to you. So remember, the most important one is going to be CloudWatch Events for triggering notifications whenever things happen in Trusted Advisor. And then finally CloudWatch alarms for tracking service limit usage. And I hope you like this one. I will see you in the next lecture.

23. Trusted Advisor – Automating Refreshes

So now let’s talk about how often Trusted Advisor will do its checks and its refreshes. And to me, it’s a really, really weird service in that you can do multiple things. So if you visit the Trusted Advisor page and you haven’t refreshed in one day, automatically the page will refresh itself. But you have to visit the console on the Trusted Advisor page, and then if it’s older than one day, it will refresh itself. Right now it was refreshed 24 minutes ago, so it will not refresh itself if I refresh the page. There is a way for me though to trigger a manual refresh, and that’s by clicking on this button, and I can click on this button and it will refresh all the checks. And as you can see, it’s happening right now. And I can do this once every five minutes.

So if I try to do it in one minute, or right after this is done, then it will not work. I need to wait an extra five minutes before I can refresh this manually. And so if you go to the Trusted Advisor page under premium support, and then you search for refresh, you get some really interesting information. So there’s programmatic access: you can retrieve and refresh Trusted Advisor results programmatically using the AWS Support API. And we’ll see this in a second. And then if I look for the next mention of refresh, it says you can refresh individual checks or refresh all at once by clicking the refresh all button, and a check is eligible for a refresh five minutes after it was last refreshed. Okay, now let’s have a look at the Support API to understand what we can do.

And it’s weird that I’m showing this to you, but you have to remember the names of the APIs, at least at a high level. So there are commands available for you, and the first is going to be refresh-trusted-advisor-check. And this is coming from the Support API. And this will basically cause the little thing in here to spin. So this is how you would trigger a refresh using the CLI or the SDK. And so you just specify a check ID, which is the unique identifier for the check. So you need to pass in the check that you want. And then, still in the Support API, you are able to describe the Trusted Advisor check refresh statuses, describe the check result, describe the check summaries and describe the checks. So just at a high level, remember what you need to do: you need to start a refresh, and then you describe the check result.

And then when it’s done, you can use one of these APIs to check the results of the checks. So that’s all I wanted to show you. You just need to remember these, at least at a high level, and what they mean. So it’s pretty obvious: refresh-trusted-advisor-check and describe-trusted-advisor-check-result. But I hope that makes sense. Now, as to how you can automate a Trusted Advisor refresh: for example, you would create a Lambda function that would be triggered by a CloudWatch Events rule every hour, and that Lambda function, every hour, would use this refresh-trusted-advisor-check API to force Trusted Advisor to refresh itself. That would be a way to automate Trusted Advisor. And this is why I’m sharing this with you. So hope that was helpful, and I will see you in the next lecture.
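The hourly refresh Lambda just described, as an added example that is not the course’s own code. It uses the boto3 `support` client (the Support API is only served from us-east-1 and needs a Business or Enterprise Support plan); the client is passed into the worker functions so the logic can be run offline against the constructed `StubSupport` class, and the five-minute rule is handled by reading the `millisUntilNextRefreshable` value the refresh call returns instead of treating an ineligible check as an error.

```python
def find_check_ids(support, wanted_names):
    """Map check names shown in the console to the check IDs the API needs."""
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    return {c["name"]: c["id"] for c in checks if c["name"] in wanted_names}

def refresh_checks(support, check_ids):
    """Request a refresh of each check. A check refreshed less than five
    minutes ago is not eligible: the API answers status 'none' with a
    positive millisUntilNextRefreshable rather than raising an error."""
    outcome = {}
    for check_id in check_ids:
        status = support.refresh_trusted_advisor_check(checkId=check_id)["status"]
        outcome[check_id] = {
            "enqueued": status["status"] in ("enqueued", "processing", "success"),
            "retry_after_s": status.get("millisUntilNextRefreshable", 0) / 1000,
        }
    return outcome

def flagged_resources(support, check_id):
    """Read the latest result and return resources whose status is not ok."""
    result = support.describe_trusted_advisor_check_result(
        checkId=check_id, language="en")["result"]
    return [r["resourceId"] for r in result["flaggedResources"]
            if r["status"] != "ok"]

WATCHED = {"Exposed Access Keys", "Low Utilization Amazon EC2 Instances"}

def lambda_handler(event, context):
    """Entry point for the hourly CloudWatch Events rule described above."""
    import boto3  # imported here so the module loads without boto3 installed
    support = boto3.client("support", region_name="us-east-1")
    ids = find_check_ids(support, WATCHED)
    return {"refresh": refresh_checks(support, ids.values()),
            "flagged": {n: flagged_resources(support, i) for n, i in ids.items()}}

class StubSupport:
    """Constructed stand-in for boto3's support client, for offline runs."""
    def describe_trusted_advisor_checks(self, language):
        return {"checks": [{"id": "chk-1", "name": "Exposed Access Keys"},
                           {"id": "chk-2", "name": "Low Utilization Amazon EC2 Instances"}]}
    def refresh_trusted_advisor_check(self, checkId):
        if checkId == "chk-2":  # pretend this one was refreshed a minute ago
            return {"status": {"checkId": checkId, "status": "none",
                               "millisUntilNextRefreshable": 240000}}
        return {"status": {"checkId": checkId, "status": "enqueued",
                           "millisUntilNextRefreshable": 300000}}
    def describe_trusted_advisor_check_result(self, checkId, language):
        return {"result": {"checkId": checkId, "status": "error",
                           "flaggedResources": [
                               {"resourceId": "AKIAEXAMPLE", "status": "error"},
                               {"resourceId": "AKIAOK", "status": "ok"}]}}
```

The Lambda’s execution role needs `support:RefreshTrustedAdvisorCheck`, `support:DescribeTrustedAdvisorChecks` and `support:DescribeTrustedAdvisorCheckResult` for these calls to succeed.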
