Hosted Zones

In document: AWS Support (pages 95-100)

When you create a hosted zone, Route 53 assigns a delegation set of four name servers. The names of these servers are ns-###.awsdns-##.com, .net, .org, and .co.uk, where ### and ## typically represent different numbers. Before Route 53 can route DNS queries for your domain, you must update your registrar's name server configuration to remove the name servers that the registrar assigned. Then, you must add all four name servers in the Route 53 delegation set. For maximum availability, you must add all four Route 53 name servers.

Hosted zones created by AWS services won't appear in your check results.

Check ID

cF171Db240

Amazon S3 Bucket Logging

Description

Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets.

When server access logging is enabled, detailed access logs are delivered hourly to a bucket that you choose. An access log record contains details about each request, such as the request type, the resources specified in the request, and the time and date the request was processed. By default, bucket logging is not enabled. You should enable logging if you want to perform security audits or learn more about users and usage patterns.

When logging is initially enabled, the configuration is automatically validated. However, future modifications can result in logging failures. This check examines explicit Amazon S3 bucket permissions, but it does not examine associated bucket policies that might override the bucket permissions.

Check ID

BueAdJ7NrP
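
A sketch of the ACL-level evaluation the S3 Bucket Logging description implies (an added example, not AWS's implementation of the check): logging that validated when first enabled can later fail if the target bucket's grants change. The Log Delivery group URI and its WRITE and READ_ACP permissions are standard S3 ACL values not stated on this page; the status labels and bucket names are constructed. Like the check, it reads ACL grants only and ignores bucket policies.

```python
# Added example on constructed, boto3-shaped dicts; makes no AWS calls.
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
REQUIRED = {"WRITE", "READ_ACP"}  # ACL permissions the Log Delivery group needs


def log_delivery_permissions(acl):
    """Permissions an ACL grants to the S3 Log Delivery group."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_URI:
            # FULL_CONTROL implies every other ACL permission.
            perms |= REQUIRED if grant["Permission"] == "FULL_CONTROL" else {grant["Permission"]}
    return perms


def assess_logging(bucket, logging_cfg, acls):
    """Return (status, reason); status names are this example's own labels."""
    enabled = logging_cfg.get("LoggingEnabled")
    if not enabled:  # key is absent when logging was never configured
        return "not_enabled", f"{bucket}: server access logging is off"
    target = enabled["TargetBucket"]
    if target not in acls:
        return "failing", f"{bucket}: target bucket {target} not found"
    missing = REQUIRED - log_delivery_permissions(acls[target])
    if missing:
        return "failing", f"{bucket}: Log Delivery lacks {sorted(missing)} on {target}"
    return "ok", f"{bucket}: logs go to {target}/{enabled.get('TargetPrefix', '')}"


def group_grant(permission):
    return {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": permission}


# Constructed sample data (hypothetical bucket names).
ACLS = {
    "logs-good": {"Grants": [group_grant("WRITE"), group_grant("READ_ACP")]},
    "logs-drifted": {"Grants": [group_grant("READ_ACP")]},  # WRITE grant was removed later
}
LOGGING = {
    "app-data": {"LoggingEnabled": {"TargetBucket": "logs-good", "TargetPrefix": "app-data/"}},
    "billing": {"LoggingEnabled": {"TargetBucket": "logs-drifted", "TargetPrefix": "billing/"}},
    "scratch": {},
    "legacy": {"LoggingEnabled": {"TargetBucket": "logs-deleted", "TargetPrefix": ""}},
}


def run_sample():
    return {name: assess_logging(name, cfg, ACLS) for name, cfg in LOGGING.items()}
```

Calling `run_sample()` returns one `(status, reason)` pair per source bucket; in a live account the same dicts would come from `get_bucket_logging` and `get_bucket_acl`.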

Amazon S3 Bucket Versioning

Description

Checks for Amazon Simple Storage Service buckets that do not have versioning enabled, or that have versioning suspended.

When versioning is enabled, you can easily recover from both unintended user actions and application failures. Versioning allows you to preserve, retrieve, and restore any version of any object stored in a bucket. You can use lifecycle rules to manage all versions of your objects, as well as their associated costs, by automatically archiving objects to the Glacier storage class. Rules can also be configured to remove versions of your objects after a specified period of time. You can also require multi-factor authentication (MFA) for any object deletions or configuration changes to your buckets.

Versioning can't be deactivated after it has been enabled. However, it can be suspended, which prevents new versions of objects from being created. Using versioning can increase your costs for Amazon S3, because you pay for storage of multiple versions of an object.

Check ID

R365s2Qddf

Auto Scaling Group Health Check

Description

Examines the health check configuration for Auto Scaling groups.

If Elastic Load Balancing is being used for an Auto Scaling group, the recommended configuration is to enable an Elastic Load Balancing health check. If an Elastic Load Balancing health check is not used, Auto Scaling can only act upon the health of the Amazon Elastic Compute Cloud (Amazon EC2) instance. Auto Scaling will not act on the application running on the instance.

Check ID

CLOG40CDO8

Auto Scaling Group Resources

Description

Checks the availability of resources associated with launch configurations and your Auto Scaling groups.

Auto Scaling groups that point to unavailable resources cannot launch new Amazon Elastic Compute Cloud (Amazon EC2) instances. When properly configured, Auto Scaling causes the number of Amazon EC2 instances to increase seamlessly during demand spikes, and decrease automatically during demand lulls. Auto Scaling groups and launch configurations that point to unavailable resources do not operate as intended.

Check ID

8CNsSllI5v

AWS Direct Connect Connection Redundancy

Description

Checks for AWS Regions that have only one AWS Direct Connect connection. Connectivity to your AWS resources should have two Direct Connect connections configured at all times to provide redundancy in case a device is unavailable.

Note

Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

Check ID

0t121N1Ty3

AWS Direct Connect Location Redundancy

Description

Checks for AWS Regions with one or more AWS Direct Connect connections and only one AWS Direct Connect location. Connectivity to your AWS resources should have Direct Connect connections configured to different Direct Connect locations to provide redundancy in case a location is unavailable.

Note

Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

Check ID

8M012Ph3U5

AWS Direct Connect Virtual Interface Redundancy

Description

Checks for virtual private gateways with AWS Direct Connect virtual interfaces (VIFs) that are not configured on at least two AWS Direct Connect connections. Connectivity to your virtual private gateway should have multiple VIFs configured across multiple Direct Connect connections and locations. This provides redundancy in case a device or location is unavailable.

Note

Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

Check ID

4g3Nt5M1Th

AWS Lambda VPC-enabled Functions without Multi-AZ Redundancy

Description

Checks for VPC-enabled Lambda functions that are vulnerable to service interruption in a single Availability Zone. It is recommended for VPC-enabled functions to be connected to multiple Availability Zones for high availability.

Note

Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

Check ID

L4dfs2Q4C6

AWS Well-Architected high risk issues for reliability

Description

Checks for high risk issues (HRIs) for your workloads in the reliability pillar. This check is based on your AWS Well-Architected reviews. Your check results depend on whether you completed the workload evaluation with AWS Well-Architected.

Note

Results for this check are automatically refreshed several times daily, and refresh requests are not allowed. It might take a few hours for changes to appear.

Check ID

Wxdfp4B1L4

ELB Connection Draining

Description

Checks for load balancers that do not have connection draining enabled.

When connection draining is not enabled and you deregister an Amazon EC2 instance from a load balancer, the load balancer stops routing traffic to that instance and closes the connection. When connection draining is enabled, the load balancer stops sending new requests to the deregistered instance but keeps the connection open to serve active requests.

Check ID

7qGXsKIUw

ELB Cross-Zone Load Balancing

Description

With cross-zone load balancing turned off, there is a risk of service unavailability due to uneven distribution of traffic or backend overloading. This problem can occur when clients incorrectly cache DNS information. The problem can also occur when there are an unequal number of instances in each Availability Zone (for example, if you have taken down some instances for maintenance).

Check ID

xdeXZKIUy

Load Balancer Optimization

Description

Checks your load balancer configuration.

To help increase the level of fault tolerance in Amazon Elastic Compute Cloud (Amazon EC2) when using Elastic Load Balancing, we recommend running an equal number of instances across multiple Availability Zones in a Region. A load balancer that is configured accrues charges, so this is a cost-optimization check as well.

Check ID

iqdCTZKCUp

VPN Tunnel Redundancy

Description

Checks the number of tunnels that are active for each of your VPNs.

A VPN should have two tunnels configured at all times. This provides redundancy in case of outage or planned maintenance of the devices at the AWS endpoint. For some hardware, only one tunnel is active at a time. If a VPN has no active tunnels, charges for the VPN might still apply. For more information, see AWS Client VPN Administrator Guide.

Check ID

S45wrEXrLz

Service limits

See the following checks for the service limits (also known as quotas) category.

Note

Values are based on a snapshot, so your current usage might differ. Quota and usage data can take up to 24 hours to reflect any changes. In cases where quotas have been recently increased, you might temporarily see utilization that exceeds the quota.

Check names

• Auto Scaling Groups
• Auto Scaling Launch Configurations
• CloudFormation Stacks
• DynamoDB Read Capacity
• DynamoDB Write Capacity
• EBS Active Snapshots
• EBS Cold HDD (sc1) Volume Storage
• EBS General Purpose SSD (gp2) Volume Storage
• EBS General Purpose SSD (gp3) Volume Storage
• EBS Magnetic (standard) Volume Storage
• EBS Provisioned IOPS (SSD) Volume Aggregate IOPS
• EBS Provisioned IOPS SSD (io1) Volume Storage
• EBS Provisioned IOPS SSD (io2) Volume Storage
• EBS Throughput Optimized HDD (st1) Volume Storage
• EC2 On-Demand Instances
• EC2 Reserved Instance Leases
• EC2-Classic Elastic IP Addresses
• EC2-VPC Elastic IP Address
• ELB Application Load Balancers
• ELB Classic Load Balancers
• ELB Network Load Balancers
• IAM Group
• IAM Instance Profiles
• IAM Policies
• IAM Roles
• IAM Server Certificates
• IAM Users
• Kinesis Shards per Region
• RDS Cluster Parameter Groups
• RDS Cluster Roles
• RDS Clusters
• RDS DB Instances
• RDS DB Manual Snapshots
• RDS DB Parameter Groups
• RDS DB Security Groups
• RDS Event Subscriptions
• RDS Max Auths per Security Group
• RDS Option Groups
• RDS Read Replicas per Master
• RDS Reserved Instances
• RDS Subnet Groups
• RDS Subnets per Subnet Group
• RDS Total Storage Quota
• Route 53 Hosted Zones
