Manage access to Amazon Trusted Advisor
You can access Amazon Trusted Advisor from the Amazon Web Services Management Console. All Amazon Web Services accounts have access to a select set of core Trusted Advisor checks.
You can use Amazon Identity and Access Management (IAM) to control access to Trusted Advisor.
Permissions for the Trusted Advisor console
To access the Trusted Advisor console, a user must have a minimum set of permissions. These permissions must allow the user to list and view details about the Trusted Advisor resources in your Amazon Web Services account.
You can use the following options to control access to Trusted Advisor:
- Use the tag filter feature of the Trusted Advisor console. The user or role must have permissions associated with the tags. You can use Amazon managed policies or custom policies to assign permissions by tags. For more information, see Controlling access to and for IAM users and roles using tags.
- Create an IAM policy with the trustedadvisor namespace. You can use this policy to specify permissions for actions and resources.
When you create a policy, you can specify the namespace of the service to allow or deny an action. The namespace for Trusted Advisor is trustedadvisor. However, you can't use the trustedadvisor namespace to allow or deny Trusted Advisor API operations in the Amazon Web Services Support API. You must use the support namespace for Amazon Web Services Support instead.
Note
If you have permissions to the Amazon Web Services Support API, the Trusted Advisor widget in the Amazon Web Services Management Console shows a summary view of your Trusted Advisor results. To view your results in the Trusted Advisor console, you must have permission to the trustedadvisor namespace.
Trusted Advisor actions
You can perform the following Trusted Advisor actions in the console. You can also specify these Trusted Advisor actions in an IAM policy to allow or deny specific actions.
| Action | Description |
|---|---|
| | Grants permission to view the Amazon Web Services Support plan and various Trusted Advisor preferences. |
| | Grants permission to view if the Amazon Web Services account has enabled or disabled Trusted Advisor. |
| | Grants permission to view details for the check items. |
| | Grants permission to view the refresh statuses for Trusted Advisor checks. |
| | Grants permission to view Trusted Advisor check summaries. |
| | Grants permission to view details for Trusted Advisor checks. |
| | Grants permission to view the notification preferences for the Amazon account. |
| | Grants permission to exclude recommendations for Trusted Advisor checks. |
| | Grants permission to include recommendations for Trusted Advisor checks. |
| | Grants permission to refresh a Trusted Advisor check. |
| | Grants permission to enable or disable Trusted Advisor for the account. |
| | Grants permission to update notification preferences for Trusted Advisor. |
| | Grants permission to view the results and changed statuses for checks in the last 30 days. |
Trusted Advisor actions for organizational view
The following Trusted Advisor actions are for the organizational view feature. For more information, see Organizational view for Amazon Trusted Advisor.
| Action | Description |
|---|---|
| | Grants permission to view if the Amazon Web Services account meets the requirements to enable the organizational view feature. |
| | Grants permission to view the linked Amazon accounts that are in the organization. |
| | Grants permission to view details for organizational view reports, such as the report name, runtime, date created, status, and format. |
| | Grants permission to view information about organizational view reports, such as the Amazon Web Services Regions, check categories, check names, and resource statuses. |
| | Grants permission to create a report for Trusted Advisor checks in your organization. |
| | Grants permission to view, in the Trusted Advisor console, all of the accounts in an Amazon organization that are contained by a root or organizational unit (OU). |
| | Grants permission to view, in the Trusted Advisor console, all of the organizational units (OUs) in a parent organizational unit or root. |
| | Grants permission to view, in the Trusted Advisor console, all of the roots that are defined in an Amazon organization. |
| | Grants permission to enable the organizational view feature for Trusted Advisor. |
Trusted Advisor Priority actions
If you have Trusted Advisor Priority enabled for your account, you can perform the following Trusted Advisor actions in the console. You can also add these Trusted Advisor actions in an IAM policy to allow or deny specific actions. For more information, see Example IAM policies for Trusted Advisor Priority.
Note
The risks that appear in Trusted Advisor Priority are recommendations that your technical account manager (TAM) has identified for your account. Recommendations from a service, such as a Trusted Advisor check, are created for you automatically. Recommendations from your TAM are created for you manually. Next, your TAM sends these recommendations so that they appear in Trusted Advisor Priority for your account.
For more information, see Get started with Amazon Trusted Advisor Priority.
| Action | Description |
|---|---|
| | Grants permission to view risks in Trusted Advisor Priority. |
| | Grants permission to view risk details in Trusted Advisor Priority. |
| | Grants permission to view affected resources for a risk in Trusted Advisor Priority. |
| | Grants permission to download a file that contains details about the risk in Trusted Advisor Priority. |
| | Grants permission to update the risk status in Trusted Advisor Priority. |
| | Grants permission to get your email notification preferences for Trusted Advisor Priority. |
| | Grants permission to create or update your email notification preferences for Trusted Advisor Priority. |
| | Grants permission to the organization management account to delete email notification preferences from a delegated administrator account for Trusted Advisor Priority. |
Trusted Advisor Engage actions
If you have Trusted Advisor Engage enabled for your account, you can perform the following Trusted Advisor actions in the console. You can also add these Trusted Advisor actions in an IAM policy to allow or deny specific actions. For more information, see Example IAM policies for Trusted Advisor Engage.
For more information, see Get started with Amazon Trusted Advisor Engage (Preview).
| Action | Description |
|---|---|
| | Grants permission to create an engagement in Trusted Advisor Engage. |
| | Grants permission to create an engagement attachment in Trusted Advisor Engage. |
| | Grants permission to create an engagement communication in Trusted Advisor Engage. |
| | Grants permission to view an engagement in Trusted Advisor Engage. |
| | Grants permission to view an engagement attachment in Trusted Advisor Engage. |
| | Grants permission to view a specific engagement type in Trusted Advisor Engage. |
| | Grants permission to view all communications for an engagement in Trusted Advisor Engage. |
| | Grants permission to view all engagements in Trusted Advisor Engage. |
| | Grants permission to view all engagement types in Trusted Advisor Engage. |
| | Grants permission to update the details of an engagement in Trusted Advisor Engage. |
| | Grants permission to update the status of an engagement in Trusted Advisor Engage. |
IAM policy examples
The following policies show you how to allow and deny access to Trusted Advisor. You can use one of the following policies to create a customer managed policy in the IAM console. For example, you can copy an example policy, and then paste it into the JSON tab of the IAM console. Then, you attach the policy to your IAM user, group, or role.
For more information about how to create an IAM policy, see Creating IAM policies (console) in the IAM User Guide.
Examples
- Full access to Trusted Advisor
- Read-only access to Trusted Advisor
- Deny access to Trusted Advisor
- Allow and deny specific actions
- Control access to the Amazon Web Services Support API operations for Trusted Advisor
- Example IAM policies for Trusted Advisor Priority
- Example IAM policies for Trusted Advisor Engage
Full access to Trusted Advisor
The following policy allows users to view and take all actions on all Trusted Advisor checks in the Trusted Advisor console.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}
```
Read-only access to Trusted Advisor
The following policy allows users read-only access to the Trusted Advisor console. Users can't make changes, such as refresh checks or change notification preferences.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:Describe*",
        "trustedadvisor:Get*",
        "trustedadvisor:List*"
      ],
      "Resource": "*"
    }
  ]
}
```
Deny access to Trusted Advisor
The following policy doesn't allow users to view or take actions for Trusted Advisor checks in the Trusted Advisor console.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    }
  ]
}
```
Allow and deny specific actions
The following policy allows users to view all Trusted Advisor checks in the Trusted Advisor console, but doesn't allow them to refresh any checks.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "trustedadvisor:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "trustedadvisor:RefreshCheck",
      "Resource": "*"
    }
  ]
}
```
Control access to the Amazon Web Services Support API operations for Trusted Advisor
In the Amazon Web Services Management Console, a separate trustedadvisor IAM namespace controls access to Trusted Advisor. You can't use the trustedadvisor namespace to allow or deny Trusted Advisor API operations in the Amazon Web Services Support API. Instead, you use the support namespace. You must have permissions to the Amazon Web Services Support API to call Trusted Advisor programmatically.
For example, if you want to call the RefreshTrustedAdvisorCheck operation, you must have permissions to this action in the policy.
Example: Allow Trusted Advisor API operations only
The following policy allows users access to the Amazon Web Services Support API operations for Trusted Advisor, but not the rest of the Amazon Web Services Support API operations. For example, users can use the API to view and refresh checks. They can't create, view, update, or resolve Amazon Web Services Support cases.
You can use this policy to call the Trusted Advisor API operations programmatically, but you can't use this policy to view or refresh checks in the Trusted Advisor console.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorCheckResult",
        "support:DescribeTrustedAdvisorChecks",
        "support:DescribeTrustedAdvisorCheckSummaries",
        "support:RefreshTrustedAdvisorCheck",
        "trustedadvisor:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "support:AddAttachmentsToSet",
        "support:AddCommunicationToCase",
        "support:CreateCase",
        "support:DescribeAttachment",
        "support:DescribeCases",
        "support:DescribeCommunications",
        "support:DescribeServices",
        "support:DescribeSeverityLevels",
        "support:ResolveCase"
      ],
      "Resource": "*"
    }
  ]
}
```
For more information about how IAM works with Amazon Web Services Support and Trusted Advisor, see Actions.
Example IAM policies for Trusted Advisor Priority
You can use the following Amazon managed policies to control access to Trusted Advisor Priority. For more information, see Amazon Web Services managed policies for Amazon Trusted Advisor and Get started with Amazon Trusted Advisor Priority.
Example IAM policies for Trusted Advisor Engage
Note
Trusted Advisor Engage is in preview release and does not currently have any Amazon managed policies. You can use one of the following policies to create a customer managed policy in the IAM console.
An example policy that grants read and write access in Trusted Advisor Engage:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:CreateEngagement*",
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:GetEngagement*",
        "trustedadvisor:ListEngagement*",
        "trustedadvisor:UpdateEngagement*"
      ],
      "Resource": "*"
    }
  ]
}
```
An example policy that grants read-only access in Trusted Advisor Engage:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:GetEngagement*",
        "trustedadvisor:ListEngagement*"
      ],
      "Resource": "*"
    }
  ]
}
```
An example policy that grants read and write access in Trusted Advisor Engage and the ability to enable trusted access to Trusted Advisor:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:CreateEngagement*",
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:GetEngagement*",
        "trustedadvisor:ListEngagement*",
        "trustedadvisor:SetOrganizationAccess",
        "trustedadvisor:UpdateEngagement*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    }
  ]
}
```
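The three policy properties this page leans on are easy to get wrong when reading a policy by eye: the trustedadvisor and support namespaces are granted independently (a policy that lets you refresh checks through the Support API says nothing about the console), an explicit Deny overrides any Allow, and a Condition on a service principal or service name narrows an otherwise broad organizations or iam permission. The following added example, which is not AWS code and not part of this documentation, is a small model of that evaluation logic run over three of the policies above: "Allow and deny specific actions", "Allow Trusted Advisor API operations only", and the trusted-access statements of the last Engage policy. It models only Action/Resource wildcards and the StringEquals and StringLike operators; the account ID in the test ARN is a constructed sample value.

```python
# Added example (not AWS code): a minimal model of IAM policy evaluation,
# enough to reason about the policies on this page. It implements the
# ordering that matters when reading them (explicit Deny beats Allow, and
# anything not allowed is implicitly denied), '*'/'?' wildcards for Action
# and Resource, and the StringEquals / StringLike condition operators.
# Nothing else in IAM (NotAction, principals, other operators) is modelled.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    return fnmatchcase(action.lower(), pattern.lower())  # actions are case-insensitive


def _resource_matches(pattern, resource):
    return fnmatchcase(resource, pattern)  # ARNs are case-sensitive


def _condition_holds(condition, context):
    # Every operator block and every key inside it must hold (logical AND).
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a condition
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource="*", context=None):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request."""
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit deny ends evaluation immediately
        decision = "allow"
    return decision


# The "Allow and deny specific actions" console policy from this page.
CONSOLE_NO_REFRESH = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "trustedadvisor:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "trustedadvisor:RefreshCheck", "Resource": "*"}]}

# The "Allow Trusted Advisor API operations only" policy from this page.
SUPPORT_API_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorCheckResult",
        "support:DescribeTrustedAdvisorChecks",
        "support:DescribeTrustedAdvisorCheckSummaries",
        "support:RefreshTrustedAdvisorCheck", "trustedadvisor:Describe*"]},
    {"Effect": "Deny", "Resource": "*", "Action": [
        "support:AddAttachmentsToSet", "support:AddCommunicationToCase",
        "support:CreateCase", "support:DescribeAttachment", "support:DescribeCases",
        "support:DescribeCommunications", "support:DescribeServices",
        "support:DescribeSeverityLevels", "support:ResolveCase"]}]}

# The trusted-access statements of the last Engage policy on this page.
TA_REPORTING = "reporting.trustedadvisor.amazonaws.com"
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/" + TA_REPORTING
           + "/AWSServiceRoleForTrustedAdvisorReporting")
ENGAGE_TRUSTED_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["organizations:EnableAWSServiceAccess",
                "organizations:DisableAWSServiceAccess"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_REPORTING]}}},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN,
     "Condition": {"StringLike": {"iam:AWSServiceName": TA_REPORTING}}}]}


def namespace_check():
    """Why the support and trustedadvisor namespaces must be granted separately."""
    return {
        "api_refresh": evaluate(SUPPORT_API_ONLY, "support:RefreshTrustedAdvisorCheck"),
        "console_refresh": evaluate(SUPPORT_API_ONLY, "trustedadvisor:RefreshCheck"),
        "open_case": evaluate(SUPPORT_API_ONLY, "support:CreateCase"),
        "console_view": evaluate(CONSOLE_NO_REFRESH, "trustedadvisor:DescribeOrganization"),
        "console_refresh_denied": evaluate(CONSOLE_NO_REFRESH, "trustedadvisor:RefreshCheck"),
    }


def trusted_access_check(service_principal):
    """Only the Trusted Advisor reporting principal may be granted trusted access."""
    return evaluate(ENGAGE_TRUSTED_ACCESS, "organizations:EnableAWSServiceAccess",
                    context={"organizations:ServicePrincipal": service_principal})


if __name__ == "__main__":
    print(namespace_check())
    print(trusted_access_check(TA_REPORTING), trusted_access_check("other.amazonaws.com"))
```

Running it shows the point of the namespace note: under the Support-API-only policy a refresh through support:RefreshTrustedAdvisorCheck is allowed while trustedadvisor:RefreshCheck is implicitly denied, so the console button stays unavailable even though the API call works; support:CreateCase is explicitly denied. For the trusted-access policy, organizations:EnableAWSServiceAccess is allowed only when the request's service principal is reporting.trustedadvisor.amazonaws.com, and the service-linked-role creation is allowed only for the role ARN and service name the policy names. When you audit a real policy, compare its behaviour with the IAM policy simulator rather than with this model, which ignores the rest of IAM's evaluation rules.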
See also
For more information about Trusted Advisor permissions, see the following resources:
- Actions defined by Amazon Trusted Advisor in the IAM User Guide.