I have to say AWS Trusted Advisor is a great tool! AWS keeps improving it by adding useful new checks. Here is one that I got this morning:
I set up health checks for some new records, but forgot to lower the TTL (it is 300 seconds by default). Now Trusted Advisor reminds me that it is better to set a value lower than 60 seconds so that the old DNS records expire sooner. How sweet it is 🙂
You can also automate many tasks using the CLI version of Trusted Advisor:
http://blog.zorangagic.com/2017/01/check-aws-service-limits.html?q=trusted+advisor
Here are all the checks:
aws support describe-trusted-advisor-checks --language en --output json --region us-east-1 | jq -r '.checks[] | "\(.category),\(.id),\(.description)"' | egrep "^security,|^fault_tolerance,|^cost_optimizing,|^performance," | cut -c1-220 | sort
Example commands:
Rotation of IAM keys:
aws support describe-trusted-advisor-check-result --language en --check-id DqdJqYeRm5 --output json --region us-east-1 | jq -r '.result.flaggedResources[] | "\(.status),\(.resourceId),\(.metadata)"'
S3 buckets open:
aws support describe-trusted-advisor-check-result --language en --check-id Pfx0RwqBli --output json --region us-east-1 | jq -r '.result.flaggedResources[] | "\(.status),\(.resourceId),\(.region),\(.metadata)"'
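Turning those jq one-liners into a small script, as an added example that is not from the post: the functions below parse the JSON that describe-trusted-advisor-check-result returns, drop resources someone has suppressed in the console, count severities, and decide whether anything warrants an alert. The sample result is constructed (made-up bucket names), and the live boto3 call at the end is an assumption about how you would wire it to the real Support API.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the shape returned by
# `aws support describe-trusted-advisor-check-result` for check Pfx0RwqBli
# (S3 bucket permissions); bucket names and values are made up, not real data.
SAMPLE_RESULT = json.loads("""{"result": {"checkId": "Pfx0RwqBli", "status": "error",
  "flaggedResources": [
    {"status": "warning", "region": "us-east-1", "resourceId": "example-logs", "isSuppressed": false,
     "metadata": ["US East (N. Virginia)", "us-east-1", "example-logs", "Yes", "No", "Yellow", "No"]},
    {"status": "error", "region": "eu-west-1", "resourceId": "example-uploads", "isSuppressed": false,
     "metadata": ["EU (Ireland)", "eu-west-1", "example-uploads", "Yes", "Yes", "Red", "Yes"]},
    {"status": "warning", "region": "us-east-1", "resourceId": "example-old", "isSuppressed": true,
     "metadata": ["US East (N. Virginia)", "us-east-1", "example-old", "Yes", "No", "Yellow", "No"]}
  ]}}""")

def flagged_rows(result: dict, include_suppressed: bool = False) -> List[Tuple[str, str, str, str]]:
    """Same (status, resourceId, region, metadata) rows as the jq filter above,
    but skipping 'ok' resources and, by default, suppressed ones."""
    rows = []
    for res in result["result"].get("flaggedResources", []):
        if res.get("status") == "ok":
            continue
        if res.get("isSuppressed") and not include_suppressed:
            continue
        rows.append((res["status"], res["resourceId"], res.get("region", ""),
                     "|".join(res.get("metadata", []))))
    return rows

def status_counts(result: dict) -> Dict[str, int]:
    """How many unsuppressed resources sit at each severity (warning/error)."""
    return dict(Counter(row[0] for row in flagged_rows(result)))

def needs_alert(result: dict, levels: Tuple[str, ...] = ("error",)) -> bool:
    """True when any unsuppressed resource is at one of the given severities;
    the hook for a 'just alert me' workflow instead of reading raw JSON."""
    return any(row[0] in levels for row in flagged_rows(result))

def fetch_check_result(check_id: str) -> dict:
    """Live version (assumed wiring): needs boto3, credentials allowed to call the
    Support API, and a Business or Enterprise support plan; the API is in us-east-1."""
    import boto3  # imported lazily so the offline helpers work without it
    client = boto3.client("support", region_name="us-east-1")
    return client.describe_trusted_advisor_check_result(checkId=check_id, language="en")

if __name__ == "__main__":
    print(flagged_rows(SAMPLE_RESULT), status_counts(SAMPLE_RESULT), needs_alert(SAMPLE_RESULT))
```

Swap SAMPLE_RESULT for fetch_check_result("Pfx0RwqBli") to run it against your account; a Lambda on a schedule calling needs_alert and publishing to SNS is a few lines more.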
Hey Zoran, it would be nice if AWS could make Trusted Advisor event-driven. Instead of executing all those check jobs ourselves, we would only need to subscribe to the TA SNS topic. An alert would be triggered if TA finds something abnormal.
Check out event-driven Cloud Custodian, policy-based AWS management using Lambda:
https://github.com/capitalone/cloud-custodian
https://developer.capitalone.com/opensource-projects/cloud-custodian/