Cost Management
Cloud costs can grow quickly if unmanaged. AWS provides tools for understanding, forecasting, and controlling costs. The most important practice is tagging — without tags, you can’t attribute costs to teams, projects, or environments.
AWS Billing Dashboard
Section titled “AWS Billing Dashboard”The billing dashboard (Billing and Cost Management in the console) provides:
- Month-to-date spend — Total and by-service breakdown.
- Forecasted month-end cost — Projection based on current usage.
- Free tier usage — Track how close you are to free tier limits.
- Bills — Detailed monthly invoices.
First thing to do on a new account: Set up a billing alarm so you get notified before costs surprise you.
# Create a billing alarm (CloudWatch, us-east-1 only)aws cloudwatch put-metric-alarm \ --alarm-name "MonthlyBillingAlarm" \ --metric-name EstimatedCharges \ --namespace AWS/Billing \ --statistic Maximum \ --period 21600 \ --threshold 100 \ --comparison-operator GreaterThanThreshold \ --evaluation-periods 1 \ --alarm-actions arn:aws:sns:us-east-1:123456789012:billing-alerts \ --dimensions Name=Currency,Value=USD \ --region us-east-1Cost Explorer
Section titled “Cost Explorer”Cost Explorer is the primary tool for analyzing AWS costs. It visualizes spend over time and lets you filter, group, and forecast.
Key Views
Section titled “Key Views”| View | What It Shows |
|---|---|
| Monthly costs by service | Which services cost the most |
| Daily costs | Spot spending spikes |
| Cost by account | In multi-account setups (AWS Organizations) |
| Cost by tag | Costs per team, project, environment |
| Forecast | Projected spend for the next 3–12 months |
| Reservation utilization | Are your Reserved Instances being used? |
Common Filters
Section titled “Common Filters”- Service — EC2, RDS, S3, Lambda, NAT Gateway, etc.
- Region — Identify costs by region.
- Tag — Filter by
Environment=production,Team=platform, etc. - Instance type — See cost per EC2 instance type.
- Usage type — Distinguish data transfer, storage, compute hours.
Enabling Cost Explorer
Section titled “Enabling Cost Explorer”# Enable (must be done from the management account)aws ce get-cost-and-usage \ --time-period Start=2026-02-01,End=2026-02-16 \ --granularity DAILY \ --metrics BlendedCost \ --group-by Type=DIMENSION,Key=SERVICEAWS Budgets
Section titled “AWS Budgets”Budgets let you set spending limits and receive alerts when you approach or exceed them.
Budget Types
Section titled “Budget Types”| Type | What It Tracks |
|---|---|
| Cost budget | Total spend (e.g. “Don’t exceed $5,000/month”) |
| Usage budget | Resource usage (e.g. “EC2 hours < 10,000”) |
| Reservation budget | RI/Savings Plan utilization and coverage |
| Savings Plans budget | Savings Plan utilization |
Creating a Budget
Section titled “Creating a Budget”aws budgets create-budget --account-id 123456789012 --budget '{ "BudgetName": "MonthlyTotal", "BudgetLimit": {"Amount": "5000", "Unit": "USD"}, "TimeUnit": "MONTHLY", "BudgetType": "COST"}' --notifications-with-subscribers '[{ "Notification": { "NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN", "Threshold": 80, "ThresholdType": "PERCENTAGE" }, "Subscribers": [{ "SubscriptionType": "EMAIL", "Address": "[email protected]" }]}]'This sends an email when actual spend exceeds 80% of the $5,000 budget.
Budget Actions
Section titled “Budget Actions”Budgets can trigger automated actions when thresholds are hit:
| Action | What It Does |
|---|---|
| Apply IAM policy | Deny certain actions (e.g. block launching new EC2 instances) |
| Apply SCP | Restrict an entire account via AWS Organizations |
| Notify via SNS | Send to Slack, PagerDuty, custom Lambda |
Tagging Strategy
Section titled “Tagging Strategy”Tags are the foundation of cost management. Without tags, you can’t answer “which team caused this bill?”
Required Tags
Section titled “Required Tags”Define a minimum set of tags that every resource must have:
| Tag Key | Purpose | Example Values |
|---|---|---|
Environment | Which environment | production, staging, development |
Team | Owning team | platform, backend, data |
Project | Project or product | payments, search, website |
CostCenter | Budget category | engineering, marketing, R&D |
ManagedBy | How it was created | terraform, manual, cloudformation |
Enforcing Tags
Section titled “Enforcing Tags”| Method | How It Works |
|---|---|
| Tag policies (AWS Organizations) | Define required tags and allowed values across accounts |
| SCP | Deny resource creation without required tags |
| Config rules | Detect non-compliant resources after creation |
| Terraform | Enforce tags via default_tags in the provider block |
| CI/CD checks | Lint Terraform/CloudFormation for tag compliance before apply |
Terraform default tags:
provider "aws" { region = "us-east-1"
default_tags { tags = { Environment = "production" Team = "platform" ManagedBy = "terraform" } }}Every resource created by this provider automatically gets these tags.
Cost Allocation Tags
Section titled “Cost Allocation Tags”After defining tags, activate them as cost allocation tags in the Billing console. This makes them available in Cost Explorer and billing reports.
# Activate cost allocation tagsaws ce create-cost-category-definition --name "Team" \ --rules '[{"Value":"platform","Rule":{"Tags":{"Key":"Team","Values":["platform"]}}}]' \ --rule-version 1Common Cost Traps
Section titled “Common Cost Traps”| Trap | Why It’s Expensive | How to Fix |
|---|---|---|
| Unattached EBS volumes | Pay for volumes not attached to any instance | Audit and delete unused volumes |
| Old snapshots | EBS snapshots accumulate over time | Lifecycle policies, retention limits |
| NAT Gateway data processing | $0.045/GB adds up with high traffic | Use VPC endpoints for S3/DynamoDB (free) |
| Idle EC2 instances | Running 24/7 but only used during business hours | Auto-stop schedules, right-size |
| Oversized instances | Running m5.4xlarge when m5.large is enough | Right-size with CloudWatch metrics |
| Unused Elastic IPs | Charged when not attached to a running instance | Release unused EIPs |
| Data transfer between AZs | $0.01/GB per direction | Minimize cross-AZ traffic where possible |
| CloudWatch Logs retention | Default is “never expire” — logs grow forever | Set retention periods (7, 30, 90 days) |
| Forgotten dev/test resources | Sandbox environments left running | Tagging + auto-shutdown schedules |
Cost Optimization Strategies
Section titled “Cost Optimization Strategies”Right-Sizing
Section titled “Right-Sizing”Match instance types to actual usage:
CloudWatch CPU/Memory metrics → consistently below 20%? → Downsize the instance type → Or switch to a smaller classAWS Compute Optimizer analyzes your usage and recommends right-size changes.
Reserved Instances and Savings Plans
Section titled “Reserved Instances and Savings Plans”| Option | Commitment | Flexibility | Discount |
|---|---|---|---|
| Reserved Instances | 1 or 3 years, specific instance type | Low (locked to instance family/region) | Up to 72% |
| Compute Savings Plans | 1 or 3 years, dollar amount | High (any instance type, region, OS) | Up to 66% |
| EC2 Instance Savings Plans | 1 or 3 years, specific instance family | Medium (locked to family + region) | Up to 72% |
Rule of thumb: If an instance has been running steadily for 3+ months, it’s a candidate for a Savings Plan.
Spot Instances
Section titled “Spot Instances”Use Spot for fault-tolerant workloads at up to 90% discount:
- CI/CD build runners
- Data processing / batch jobs
- Dev/test environments
- Kubernetes worker nodes (with mixed instance groups)
Other Optimizations
Section titled “Other Optimizations”| Strategy | Savings |
|---|---|
| S3 Intelligent-Tiering | Auto-moves objects to cheaper storage classes |
| VPC endpoints for S3/DynamoDB | Eliminates NAT Gateway data charges |
| Lambda right-sizing | More memory = faster = same or lower cost |
| Auto Scaling to zero | Scale dev/test to 0 at night and weekends |
| Graviton instances | ARM-based (t4g, m6g) — ~20% cheaper than x86 |
AWS Organizations and Multi-Account Strategy
Section titled “AWS Organizations and Multi-Account Strategy”For larger teams, use AWS Organizations to manage multiple accounts:
Management Account (billing) ├── Production OU │ ├── prod-app (account) │ └── prod-data (account) ├── Development OU │ ├── dev-app (account) │ └── sandbox (account) └── Security OU └── audit (account)Benefits:
- Consolidated billing — One bill, volume discounts apply across all accounts.
- SCPs — Restrict what accounts/OUs can do (e.g. block expensive instance types in dev).
- Blast radius — A compromised dev account can’t affect production.
Key Takeaways
Section titled “Key Takeaways”- Set up billing alerts and budgets immediately — don’t wait for a surprise bill.
- Tag everything with at least
Environment,Team, andProject. Activate tags as cost allocation tags. - Use Cost Explorer to understand where money goes. Filter by service, tag, and region.
- Right-size instances based on actual CloudWatch metrics. Use Compute Optimizer for recommendations.
- Commit to Savings Plans for steady workloads (1- or 3-year). Use Spot for fault-tolerant batch work.
- Eliminate waste: delete unused EBS volumes, set log retention, auto-stop dev environments, use VPC endpoints.
- Use AWS Organizations for multi-account billing consolidation and SCPs for guardrails.