AWS Trusted Advisor vs. AWS Config vs. AWS Inspector

AWS Inspector

Inspector provides an agent that is installed on EC2 instances. It provides packaged rules to check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those instances, including the patch level of the OS. Amazon Inspector assessments are offered as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions being installed.

AWS Trusted Advisor

Trusted Advisor does overlap with AWS Config rules a bit (both can check things like open security groups, whether RDS backups are enabled, etc.). The big difference is that with Trusted Advisor there is no customization (other than excluding resources): you just get the checks AWS has seen fit to add.

Config, on the other hand, can do cool things like reading CloudTrail logs and building a timeline of changes made to tracked resources (so you can see how a resource such as an S3 bucket has been modified over time). On top of that, you can create rules to detect whether your environment complies with certain policies (e.g. all your EBS volumes are encrypted). You can also send notifications or take automated action with Lambda when a resource violates a rule.

AWS Config

With Config there are no checks enabled out of the box: you have to select from the AWS managed rules the ones you want to enable (most rules can be parameterized), and you can also develop your own Lambda-backed rules.
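To make the rule model concrete (the "detect whether your environment complies with a policy such as all EBS volumes being encrypted" case above, implemented as one of the Lambda-backed custom rules just mentioned), here is an added example; it is not code from the original post or from AWS. It assumes the standard AWS Config custom-rule event shape (an `invokingEvent` JSON string carrying a `configurationItem`, a `ruleParameters` JSON string and a `resultToken`) and the boto3 Config client's `put_evaluations` call. The `exemptVolumeIds` rule parameter, the volume IDs and the `FakeConfigClient` are constructed for this example so it runs offline.

```python
"""Lambda-backed AWS Config custom rule that flags unencrypted EBS volumes.

Added example (not from the original post). Assumes the AWS Config
custom-rule invocation contract: invokingEvent (JSON string with a
configurationItem), ruleParameters (JSON string), resultToken, and a
report-back via config.put_evaluations. Sample events and the fake
client are constructed here so the logic runs without AWS access.
"""
import json

APPLICABLE_TYPES = ("AWS::EC2::Volume",)


def evaluate_volume(config_item, exempt_ids=()):
    """Classify one configuration item. Returns (compliance_type, annotation)."""
    if config_item.get("resourceType") not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Volume was deleted"
    if config_item.get("resourceId") in exempt_ids:
        return "COMPLIANT", "Volume exempted via rule parameter"
    cfg = config_item.get("configuration") or {}
    if cfg.get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted at rest"
    return "NON_COMPLIANT", "EBS volume is not encrypted at rest"


def build_evaluation(config_item, exempt_ids=()):
    """Shape the verdict into the dict that put_evaluations expects."""
    compliance, note = evaluate_volume(config_item, exempt_ids)
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }


def parse_exempt_ids(rule_parameters_json):
    """ruleParameters arrives as a JSON string; 'exemptVolumeIds' is a
    hypothetical comma-separated parameter defined for this example."""
    params = json.loads(rule_parameters_json or "{}")
    raw = params.get("exemptVolumeIds", "")
    return tuple(v.strip() for v in raw.split(",") if v.strip())


def lambda_handler(event, context=None, config_client=None):
    """Entry point AWS Config invokes. config_client is injected so the rule
    can be exercised offline; inside Lambda leave it None and boto3 is used."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        # Scheduled or oversized notifications carry no inline item; a
        # production rule would fetch it with get_resource_config_history.
        return []
    exempt = parse_exempt_ids(event.get("ruleParameters"))
    evaluation = build_evaluation(item, exempt)
    if config_client is None:
        import boto3  # only needed when actually running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return [evaluation]


class FakeConfigClient:
    """Records put_evaluations calls instead of calling AWS (constructed)."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.calls.append((ResultToken, Evaluations))
        return {"FailedEvaluations": []}


def make_event(volume_id, encrypted, token):
    """Build a constructed ConfigurationItemChangeNotification event."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"volumeId": volume_id, "encrypted": encrypted},
    }
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": item,
        }),
        "ruleParameters": json.dumps({"exemptVolumeIds": "vol-0exempt0000000000"}),
        "resultToken": token,
    }


def demo():
    """Run the handler over three constructed volumes and return the verdicts."""
    client = FakeConfigClient()
    events = [
        make_event("vol-0aaaaaaaaaaaaaaaa", True, "token-1"),   # encrypted
        make_event("vol-0bbbbbbbbbbbbbbbb", False, "token-2"),  # plaintext
        make_event("vol-0exempt0000000000", False, "token-3"),  # exempted
    ]
    results = [lambda_handler(e, config_client=client)[0] for e in events]
    assert len(client.calls) == 3  # one put_evaluations call per invocation
    return results


if __name__ == "__main__":
    for r in demo():
        print(r["ComplianceResourceId"], r["ComplianceType"], "-", r["Annotation"])
```

The NON_COMPLIANT evaluation is what a Config notification or a remediation Lambda keys off; returning NOT_APPLICABLE for deleted resources and for other resource types keeps the rule from cluttering the compliance view with resources it was never meant to judge.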

Here is a useful infographic from a LinkedIn post by Shekhar Londhe, Principal Cloud Architect at Hitachi Vantara:


If you need to know whether your EC2 port configuration has been modified in recent months, that is something only AWS Config can do.

If you want to know whether your EC2 instance is reachable over an Internet Gateway, VGW or VPC peering on certain ports, or whether your EC2 instance is connecting to another host for logins using an insecure protocol instead of SSH, then you should use AWS Inspector.

