Aggregate Trusted Advisor Events in a Multi-Account AWS Setup

Alex,

Trusted Advisor provides actionable insights across five categories: cost optimization, performance, security, fault tolerance, and service limits. While it works efficiently in a single account, aggregating events across multiple accounts becomes a priority in environments that rely on AWS Organizations. This guide outlines how to centralize Trusted Advisor event data effectively.

Why Aggregation Matters

Operating across dozens or hundreds of AWS accounts is standard in enterprise setups. Without a centralized view, tracking Trusted Advisor events like service limits or security gaps becomes scattered and error-prone. Aggregation ensures unified visibility, faster remediation, and compliance tracking across all organizational units.

Key Challenges in Multi-Account Aggregation

  • Trusted Advisor data resides in the management account
  • Accounts must be part of AWS Organizations
  • Not all checks are accessible without Business or Enterprise Support plans
  • AWS does not push these events natively to a centralized event bus

To create an effective aggregation pipeline, use a combination of AWS Organizations, EventBridge, AWS Lambda, and possibly AWS Config for cross-verification.

Step-by-Step Aggregation Architecture

1. Enable Trusted Advisor Organization Access

Before data can be aggregated, enable Trusted Advisor for all accounts under AWS Organizations:

  • Sign in as the management account.
  • Navigate to the Trusted Advisor console.
  • Enable organizational access in the settings.

This allows the management account to view results across all linked accounts.

2. Configure EventBridge Rules

Each account will need EventBridge rules that capture specific Trusted Advisor events. These include:

{
  "source": ["aws.trustedadvisor"],
  "detail-type": ["Trusted Advisor Check Item Refresh Notification"]
}

This pattern listens for updates such as resource status changes or check refreshes.

3. Set Up a Central Event Bus

In your management account or a designated logging account:

  • Create a custom EventBridge bus.
  • Grant permissions for each child account to send events to this bus using a resource-based policy.

Example policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/OrgEvents"
    }
  ]
}

Replace 123456789012 with the member account ID and 111122223333 with the central account ID.

4. Forward Events to the Central Bus

In each member account:

  • Create a rule to match Trusted Advisor notifications.
  • Add a target pointing to the central bus in the management or logging account.

EventBridge does not allow cross-account rules directly, so forwarding is the cleanest path.

5. Process Events with Lambda or Pipe to S3

Once events arrive in the central bus, use one of the following approaches:

Option A: Process via Lambda

  • Parse event payloads for metadata like check-name, status, and resource.
  • Log or store them in a DynamoDB table for easy querying.

Option B: Pipe to S3 for Batch Processing

  • Use Firehose or Lambda to push events into an S3 bucket.
  • Run scheduled Athena queries to generate summaries or dashboards.

Best Practices

  • Filter for only relevant checks: Not all Trusted Advisor checks are actionable for every org. Focus on critical checks like exposed IAM keys or service limits.
  • Tag findings by account: Include the account ID in all logs and reports to ensure traceability.
  • Add metadata context: Enrich events with business unit or project tags where available.
  • Alert on critical findings: Use SNS or Slack integrations to notify teams of urgent issues.

Automating the Setup

To reduce manual steps across accounts:

  • Use AWS CloudFormation StackSets to deploy EventBridge rules.
  • Create a centralized Terraform module to standardize logging and processing.

You can also use AWS Config to monitor whether these aggregation rules exist and stay consistent across accounts.

Summary

Aggregating Trusted Advisor events in a multi-account AWS environment increases transparency, improves incident response, and aligns infrastructure with security and performance best practices. Use EventBridge, Lambda, and centralized logging to streamline the workflow without introducing unnecessary complexity.

Cloud & Infrastructure

Leave a Reply

Your email address will not be published. Required fields are marked *