Change log for AWS Trusted Advisor
See the following topic for recent changes to Trusted Advisor checks.
Note
If you use the Trusted Advisor console or the AWS Support API, deprecated checks won't appear in check results. If you use a deprecated check, such as specifying the check ID in an AWS Support API operation or your code, then you receive API call errors. Remove these checks to avoid errors.
For more information about the available checks, see the AWS Trusted Advisor check reference.
| Change date | Check name | Change description |
|---|---|---|
|
December 18, 2025 |
Updated Amazon S3 Bucket Versioning |
Added a new Alert criteria:
|
|
December 17, 2025 |
Updated Amazon S3 Bucket Permissions |
Updated the Alert criteria section. |
|
November 21, 2025 |
Updated the Application Load Balancer security group alerts and recommendations. |
|
|
November 17, 2025 |
Updated AWS STS global endpoint usage across AWS Regions check description |
Updated the AWS STS global endpoint usage across AWS Regions check description to clarify when check results are refreshed. |
|
October 15, 2025 |
Updated multiple check descriptions |
A note was added to multiple check descriptions to indicate that the check reports all resources that are flagged by the criteria and the total number of resources evaluated, including |
|
September 11, 2025 |
Updated Yellow alert criterion to indicate that runtimes deprecating within at least 180 are included. |
|
|
August 19, 2025 |
Alert criteria updated: Trusted Advisor does not have permission to check the policy or ACL, or the policy or ACL could not be evaluated for other reasons changed from Yellow to Red. |
|
|
July 03, 2025 |
c1dfprch15: Amazon EC2 instances with Ubuntu LTS end of standard support |
Updated the note to indicate that this check refreshes at least once daily. |
|
July 02, 2025 |
Amazon ECS changed the default setting for awslogs driver logging configuration parameter mode from |
|
|
July 02, 2025 |
Added information indicating that member account root user credentials can be deleted centrally, removing the need to manage MFA on root user credentials. |
|
|
June 9, 2025 |
c1z7kmr17n: Amazon Aurora cost optimization recommendations for DB cluster storage |
New check |
|
June 09, 2025 |
c15m0mgld3: AWS STS global endpoint usage across AWS Regions |
Updated check: This check is now available for all AWS Support plans. |
|
April 30, 2025 |
Added a note indicating that this check applies to classic Amazon CloudFront distributions. |
|
|
April 30, 2025 |
N415c450f2: CloudFront Header Forwarding and Cache Hit Ratio |
Added a note indicating that this check applies to classic Amazon CloudFront distributions. |
|
April 02, 2025 |
c1dfprch02: Amazon EFS Throughput Mode Optimization |
The description of this check has changed. For more information, see Amazon EC2 instances with Microsoft Windows Server end of support. |
|
April 02, 2025 |
Qsdfp3A4L4: Amazon EC2 instances with Microsoft Windows Server end of support |
The description of this check has changed. For more information, see Amazon EFS Throughput Mode Optimization. |
Older updates
The following AWS Security Hub CSPM checks are deprecated:
| Check name | Check ID |
|---|---|
|
S3.10 - S3 general purpose buckets with versioning enabled should have lifecycle configurations |
|
|
S3.11 - S3 general purpose buckets should have event notifications enabled |
|
|
CodeBuild.5 - CodeBuild project environments should not have privileged mode enabled |
|
|
CloudFormation.1 - CloudFormation stacks should be integrated with Amazon Simple Notification Service (SNS) |
|
|
SNS.2 - Logging of delivery status should be enabled for notification messages sent to a topic |
|
|
Athena.1 - Athena workgroups should be encrypted at rest |
|
Added 1 new check
Trusted Advisor added 1 new check on November 22, 2024:
8604e947f2 - Application Load Balancer Security Groups
Updated 3 checks
Trusted Advisor updated 3 checks on November 7, 2024:
b92b83d667 - ELB Target Imbalance
8CNsSllI5v - Auto Scaling Group Resources
wuy7G1zxql - Amazon EC2 Availability Zone Balance
Added 4 checks
Trusted Advisor added 4 new checks on October 11, 2024:
07602fcad6 - IAM Access Analyzer - external access
528d6f5ee7 - GWLB - Endpoint AZ
c2vlfg0jp6 - Inactive VPC interface endpoints
c2vlfg0k35 - Inactive Gateway Load Balancer endpoints
Updated 3 checks
Trusted Advisor updated 3 checks on October 2, 2024:
Check ID 7040ea389a moved from Cost Optimization pillar to the Fault Tolerance pillar
Updated Check ID 7DAFEmoDos
-
Updated Check ID Cmsvnj8db2
Added 9 new checks
Trusted Advisor added 9 new checks on August 23, 2024:
c2vlfg0p86 - [IAM] - SAML 2.0 Identity Provider
7040ea389a - Network Firewall endpoint Cross-AZ Data Transfer
c2vlfg0bfw - Low utilization Network Firewall
c2vlfg0gqd - Network Firewall Multi-AZ
c2vlfg0p1w - Application Load Balancer Target Groups encrypted protocol
c2vlfg022t - [NAT Gateway] - Underutilized Resource
c243hjzrhn - AWS Outposts Single Rack deployment
b92b83d667 - ELB Target Imbalance
90046ff5b5 - MSK availability is limited to two zones
For more information, see the AWS Trusted Advisor check reference.
Updated 1 Security check and added 1 Security check
Trusted Advisor updated 1 Operational Excellence checks on August 22, 2024:
c1fd6b96l4
Trusted Advisor added 1 Security checks on August 22, 2024:
c2vlfg0f4h
For more information, see the AWS Trusted Advisor check reference.
Updated 6 Security checks
Trusted Advisor updated 6 Security checks on August 20, 2024:
nNauJisYIT
c9D319e7sG
a2sEc6ILx
HCP4007jGY
1iG5NDGVre
Yw2K9puPzl
For more information, see the AWS Trusted Advisor check reference.
Updated 1 fault tolerance checks
Trusted Advisor updated the 1 fault tolerance check and 1 security on August 12, 2024:
VPN Tunnel Redundancy
Amazon RDS engine minor version upgrade is required
For more information, see the AWS Trusted Advisor check reference.
Updated 9 checks
Trusted Advisor updated the 9 checks on July 21, 2024:
7qGXsKIUw
ZRxQlPsb6c
N425c450f2
7DAFEmoDos
Pfx0RwqBli
H7IgTzjTYb
C056F80cR3
Yw2K9puPzl
xSqX82fQu
For more information, see the AWS Trusted Advisor check reference.
Removed 5 checks and added 1 check
Trusted Advisor deprecated 3 Fault Tolerance checks, 1 Perfomance check, and 1 Security check on May 15, 2024:
IAM Use
ELB Cross-Zone Load Balancing
Overutilized Amazon EBS Magnetic Volumes
Large Number of EC2 Security Group Rules Applied to an Instance
Large Number of Rules in an EC2 Security Group
Trusted Advisor added 1 new security check on May 15, 2024:
-
Amazon S3 Server Access Logs Enabled
For more information, see the AWS Trusted Advisor check reference.
Removed fault tolerance checks
Trusted Advisor deprecated 3 Fault Tolerance check on April 25, 2024:
Direct Connect Connection Redundancy
Direct Connect Location Redundancy
Direct Connect Virtual Interface Redundancy
For more information, see the AWS Trusted Advisor check reference.
New fault tolerance check
Trusted Advisor added 1 Fault Tolerance check on February 29, 2024:
NLB - Internet-facing resource in private subnet
For more information, see the AWS Trusted Advisor check reference.
Updated fault tolerance and security checks
Trusted Advisor added 1 new Fault Tolerance check and amended 1 existing Fault tolerance and 1 Security check on March 28 2024:
Added AWS Resilience Hub Application Component check
Updated AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy
Updated AWS Lambda Functions Using Deprecated Runtimes
For more information, see the AWS Trusted Advisor check reference.
New fault tolerance check
Trusted Advisor added 1 Fault Tolerance check on January 31, 2024:
Direct Connect Location Resiliency
For more information, see the AWS Trusted Advisor check reference.
Updated fault tolerance check
Trusted Advisor amended 1 Fault Tolerance check on January 08, 2024:
Amazon RDS innodb_flush_log_at_trx_commit parameter is not 1
For more information, see the AWS Trusted Advisor check reference.
Updated security check
Trusted Advisor amended 1 Security check on December 21, 2023:
AWS Lambda Functions Using Deprecated Runtimes
For more information, see the AWS Trusted Advisor check reference.
New security and performance checks
Trusted Advisor added 2 new Security checks and 2 new Performance checks on December 20, 2023:
Amazon EFS clients not using data-in-transit encryption
-
Amazon Aurora DB cluster under-provisioned for read workload
-
Amazon RDS instance under-provisioned for system capacity
-
Amazon EC2 instances with Ubuntu LTS end of standard support
For more information, see the AWS Trusted Advisor check reference.
New security check
Trusted Advisor added 1 new Security check on December 15, 2023:
Amazon RouteĀ 53 mismatching CNAME records pointing directly to S3 buckets
For more information, see the AWS Trusted Advisor check reference.
New fault tolerance and cost optimization checks
Trusted Advisor added 2 new Fault Tolerance checks and 1 new Cost Optimization check on December 07, 2023:
Amazon DocumentDB Single-AZ clusters
Amazon S3 Incomplete Multipart Upload Abort Configuration
Amazon ECS AWSLogs driver in blocking mode
For more information, see the AWS Trusted Advisor check reference.
Trusted Advisor check removal
| Check name | Check category | Check ID |
|---|---|---|
|
EBS volumes should be attached to EC2 instances |
Security |
|
|
S3 buckets should have server-side encryption enabled |
Security |
|
|
CloudFront distributions should have origin access identity enabled |
Security |
|
Updates to the Trusted Advisor integration with AWS Security Hub CSPM
Trusted Advisor made the following update on November 17, 2022.
If you disable Security Hub CSPM or AWS Config for an AWS Region, Trusted Advisor now removes your control findings for that AWS Region within 7-9 days. Previously, the time frame to remove your Security Hub CSPM data from Trusted Advisor was 90 days.
For more information, see the following sections in the Troubleshooting topic:
Update to the Trusted Advisor console
Trusted Advisor added the following change on November 16, 2022.
The Trusted Advisor Dashboard in the console is now Trusted Advisor Recommendations. The Trusted Advisor Recommendations page still shows the check results and the available checks for each category for your AWS account.
This name change only updates the Trusted Advisor console. You can continue to use the Trusted Advisor console and the Trusted Advisor operations in the Support API as usual.
For more information, see Get started with Trusted Advisor Recommendations.
Added Security Hub CSPM checks to Trusted Advisor
As of June 23, 2022, Trusted Advisor only supports Security Hub CSPM controls available through April 7, 2022. This release supports all controls in the AWS Foundational Security Best Practices security standard except for controls in the Category: Recover > Resilience. For more information, see Viewing AWS Security Hub CSPM controls in AWS Trusted Advisor.
For a list of supported controls, see AWS Foundational Security Best Practices controls in the AWS Security Hub CSPM User Guide.
Added checks from AWS Compute Optimizer
Trusted Advisor added the following checks on May 4, 2022.
| Check name | Check category | Check ID |
|---|---|---|
|
Amazon EBS over-provisioned volumes |
Cost optimization |
|
|
Amazon EBS under-provisioned volumes |
Performance |
|
|
AWS Lambda over-provisioned functions for memory size |
Cost optimization |
|
|
AWS Lambda under-provisioned functions for memory size |
Performance |
|
You must opt in your AWS account for Compute Optimizer so that these checks can receive data from your Lambda and Amazon EBS resources. For more information, see Opt in AWS Compute Optimizer for Trusted Advisor checks.
Updated checks for AWS Direct Connect
Trusted Advisor updated the following checks on March 29, 2022.
| Check name | Check category | Check ID |
|---|---|---|
|
AWS Direct Connect Connection Redundancy |
Fault tolerance |
|
|
AWS Direct Connect Location Redundancy |
Fault tolerance |
|
|
AWS Direct Connect Virtual Interface Redundancy |
Fault tolerance |
|
-
The value for the Region column now shows the AWS Region code instead of the full name. For example, resources in US East (N. Virginia) will now have the
us-east-1value. -
The value for the Time Stamp column now appears in the RFC 3339 format, such as
2022-03-30T01:02:27.000Z. -
Resources that don't have any detected problems will now appear in the check table. These resources will have a check mark icon (
) next to them.Previously, only resources that Trusted Advisor recommended that you investigate appeared in the table. These resources have a warning icon (
) next to them.
Updated check name for Amazon OpenSearch Service
Trusted Advisor updated the name for the Amazon OpenSearch Service Reserved Instance Optimization check on September 8, 2021.
The check recommendations, category, and ID are the same.
| Check name | Check category | Check ID |
|---|
Note
If you use Trusted Advisor for Amazon CloudWatch metrics, the metric name for this check is also updated. For more information, see Creating Amazon CloudWatch alarms to monitor AWS Trusted Advisor metrics.
Added checks for AWS Lambda
Trusted Advisor added the following checks on March 8, 2021.
| Check name | Check category | Check ID |
|---|---|---|
|
AWS Lambda Functions with Excessive Timeouts |
Cost optimization |
|
|
AWS Lambda Functions with High Error Rates |
Cost optimization |
|
|
AWS Lambda Functions Using Deprecated Runtimes |
Security |
|
|
AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy |
Fault tolerance |
|
For more information about how to use these checks with Lambda, see Example AWS Trusted Advisor workflow to view recommendations in the AWS Lambda Developer Guide.
Trusted Advisor check removal
| Check name | Check category | Check ID |
|---|---|---|
|
EC2 Elastic IP Addresses |
Service limits |
|
Updated checks for Amazon Elastic Block Store
Trusted Advisor updated the unit of Amazon EBS volume from gibibyte (GiB) to tebibyte (TiB) for the following checks on March 5, 2021.
Note
If you use Trusted Advisor for Amazon CloudWatch metrics, the metric names for these five checks are also updated. For more information, see Creating Amazon CloudWatch alarms to monitor AWS Trusted Advisor metrics.
| Check name | Check category | Check ID | Updated CloudWatch metric for ServiceLimit |
|---|---|---|---|
|
EBS Cold HDD (sc1) Volume Storage |
Service limits |
|
Cold HDD (sc1) volume storage (TiB) |
|
EBS General Purpose SSD (gp2) Volume Storage |
Service limits |
|
General Purpose SSD (gp2) volume storage (TiB) |
|
EBS Magnetic (standard) Volume Storage |
Service limits |
|
Magnetic (standard) volume storage (TiB) |
|
EBS Provisioned IOPS SSD (io1) Volume Storage |
Service limits |
|
Provisioned IOPS (SSD) storage (TiB) |
|
EBS Throughput Optimized HDD (st1) Volume Storage |
Service limits |
|
Throughput Optimized HDD (st1) volume storage (TiB) |
Trusted Advisor check removal
Note
Trusted Advisor removed the following checks on November 18, 2020.
| Checks removed on November 18, 2020 | Check category | Check ID |
|---|---|---|
|
EC2Config Service for EC2 Windows Instances |
Fault tolerance |
|
|
ENA Driver Version for EC2 Windows Instances |
Fault tolerance |
|
|
NVMe Driver Version for EC2 Windows Instances |
Fault tolerance |
|
|
PV Driver Version for EC2 Windows Instances |
Fault tolerance |
|
You can monitor your Amazon EC2 instances and verify they are up to date by using AWS Systems Manager Distributor, other third-party tools, or write your own scripts to return driver information for Windows Management Instrumentation (WMI).
Trusted Advisor check removal
Trusted Advisor removed the following check on February 18, 2020.
| Check name | Check category | Check ID |
|---|---|---|
|
Service Limits |
Performance |
|