
My bill is how much‽

Follow these 5 simple steps to make sure you're not the next person to complain that you had an unexpected AWS bill.

One of the most common posts by newcomers to AWS seems to be about bill shock or unexpected charges.

Some of this comes from using a service without knowing the costs, or from forgetting to shut something down and incurring costs for longer than planned.

Some, however, comes from accounts that have been compromised and resources that are being used by someone else.

So what can you do to prevent this?

This article will look at ways of securing your account and managing your costs. It is a high-level article and doesn't go into every service mentioned in detail; however, it should give you enough to protect yourself and point you to further resources.


Firstly, set up your account correctly

By that I mean follow AWS best practice.

If you're not sure what to do, take a look at my article on setting up your AWS account. Specifically, make sure you enable MFA on your root account, and create an IAM user with MFA for the work you do.

In my accounts I create 2 IAM accounts.
The first is my "Admin" account with full access. For this I only enable console access and have MFA set. If you are using a new account which tries to default to IAM Identity Center (SSO), I do not create this account there; this is a traditional IAM user account.
The second is my "User" account. This is created via IAM Identity Center (SSO) and allows me to access both the console and the CLI.

More details on best practice for your root user can be found in the Identity and Access Management guide.

Root user best practices for your AWS account - AWS Identity and Access Management
Follow these best practices for using AWS Identity and Access Management (IAM) to help secure your AWS root user account.
Root User Best Practice User Guide

Secondly, set up a budget.

If you are only planning on using the free tier this is easy, as you can set up a zero spend budget. If you are using a new account, just go to the Cost Management home page (console.aws.amazon.com/costmanagement) and follow the recommended action to create a budget. If it is an older account and the recommended action is not visible, navigate to Budgets in the Cost Management menu and then select Create a budget.

The best way is to select Use a template (simplified), and then Zero spend budget. Change the budget name if you wish and enter your email address.

Now, if your spend goes over $1.00 you'll get an email.

If you know you will use more than the free tier allowances, you can use the Monthly cost budget template and enter the maximum you wish to spend. This template will then alert you via email when:
- your actual spend reaches 85%,
- your actual spend reaches 100%,
- your forecasted spend is expected to reach 100%.
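The two templates above map directly onto the AWS Budgets API. The following is an added example, not code from the article: it builds the `--budget` and `--notifications-with-subscribers` documents that `aws budgets create-budget` accepts (the account ID and e-mail address are placeholders), and restates the three threshold rules as a small function so you can see which alerts a given month's actual and forecasted spend would trigger. It constructs the payloads only; it does not call AWS.

```python
"""Build AWS Budgets payloads for the 'Zero spend' and 'Monthly cost' templates.

Added example, not from the original article. It only constructs request
bodies; sending them needs the AWS CLI or boto3 and a real account ID.
"""
import json

# The three alerts the Monthly cost budget template configures.
THRESHOLDS = (
    ("ACTUAL", 85.0),       # actual spend reaches 85% of the limit
    ("ACTUAL", 100.0),      # actual spend reaches 100%
    ("FORECASTED", 100.0),  # forecast expects spend to reach 100%
)


def budget_definition(name, limit_usd):
    """The --budget document: a monthly cost budget with a fixed USD limit."""
    return {
        "BudgetName": name,
        "BudgetType": "COST",
        "TimeUnit": "MONTHLY",
        "BudgetLimit": {"Amount": f"{limit_usd:.2f}", "Unit": "USD"},
    }


def notifications(email, thresholds=THRESHOLDS):
    """The --notifications-with-subscribers document, one entry per alert."""
    return [
        {
            "Notification": {
                "NotificationType": kind,
                "ComparisonOperator": "GREATER_THAN",
                "Threshold": pct,
                "ThresholdType": "PERCENTAGE",
            },
            "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
        }
        for kind, pct in thresholds
    ]


def zero_spend_budget(email):
    """Equivalent of the Zero spend budget template: e-mail once actual spend
    exceeds $1.00 (a $1.00 limit with a single 100% ACTUAL alert)."""
    return budget_definition("ZeroSpend", 1.00), notifications(email, (("ACTUAL", 100.0),))


def alerts_fired(limit_usd, actual_usd, forecast_usd, thresholds=THRESHOLDS):
    """Which configured alerts would fire for a month-to-date actual spend and
    forecast. This restates the threshold rule; it is not AWS's evaluator."""
    fired = []
    for kind, pct in thresholds:
        spend = actual_usd if kind == "ACTUAL" else forecast_usd
        if spend > limit_usd * pct / 100.0:
            fired.append((kind, pct))
    return fired


def cli_command(account_id, budget, alerts):
    """The AWS CLI call that would create the budget (account ID is a placeholder)."""
    return (
        "aws budgets create-budget "
        f"--account-id {account_id} "
        f"--budget '{json.dumps(budget)}' "
        f"--notifications-with-subscribers '{json.dumps(alerts)}'"
    )


if __name__ == "__main__":
    budget = budget_definition("Monthly50", 50)
    alerts = notifications("you@example.com")          # placeholder address
    print(cli_command("123456789012", budget, alerts))  # placeholder account ID
    # $44 spent so far with $60 forecast: the 85% actual and 100% forecast alerts fire.
    print(alerts_fired(50, 44, 60))  # [('ACTUAL', 85.0), ('FORECASTED', 100.0)]
```

Run it, copy the printed command into a shell with credentials for the account, and the budget appears in the console exactly as if created from the template.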

More information on AWS Budgets can be found in the Cost Management User Guide.

Managing your costs with AWS Budgets - AWS Cost Management
Track and take action on your AWS costs and usage with AWS Budgets.
AWS Budgets User Guide

Third, set up cost anomaly detection.

As you start to use your account more and adjust your budgets, the biggest issue is caused by unexpected costs.

This might be something you forgot to turn off, or a hijacked account (we'll get to that next). To avoid this, make sure you enable Cost Anomaly Detection. New accounts seem to have this enabled by default, which is a bonus, but check either way. It's simple enough to enable if it isn't already, and once enabled, create an "AWS Services" monitor. This reports, per service used, when the cost is not what's expected.

More information on AWS Cost Anomaly Detection can be found in the Cost Management User Guide.

Detecting unusual spend with AWS Cost Anomaly Detection - AWS Cost Management
Use AWS Cost Anomaly Detection in AWS Cost Management to monitor your cost and usage and to detect any abnormal spends.
AWS Cost Anomaly Detection User Guide

Fourth, secure your credentials/resources.

One of the most common causes of account hijack, and thus high bills, is compromised credentials.

This can fall into one of two categories.

First is where AWS credentials are exposed on the internet. Worryingly, this seems more common than I'd like to think. The number of people who put CLI keys in code and push it to a public repository, or paste an image with keys in it on social media, is unbelievable. Credential leaks on GitHub are so frequent that AWS has tooling that scans the platform to identify them, and it may do the same for other platforms. While I've seen them detect leaks in less than an hour, there is no SLA, so the only real solution is: do not put credentials in code.
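You do not have to rely on AWS finding the leak for you. Below is an added example, not from the article and not AWS's scanner: a small local check of the kind you would wire into a pre-commit hook, which looks for access key IDs (long-lived keys start with `AKIA`, temporary ones with `ASIA`) and for a 40-character secret sitting next to an `aws_secret_access_key` name. The sample files are constructed; the key values are the placeholder credentials AWS uses in its own documentation.

```python
"""Catch hard-coded AWS credentials before they reach a repository.

Added example, not from the article. The file contents below are constructed;
the key values are the documentation placeholders, not real credentials.
"""
import re
import sys

# Long-lived access key IDs start with "AKIA", temporary (STS) ones with "ASIA";
# both are followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys are 40 characters of base64-like text; to limit false positives
# only flag them when assigned to a secret-key-looking name.
SECRET_KEY = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"
)


def find_leaks(text, filename="<stdin>"):
    """Return (filename, line number, kind) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID.search(line):
            hits.append((filename, lineno, "access_key_id"))
        if SECRET_KEY.search(line):
            hits.append((filename, lineno, "secret_access_key"))
    return hits


def scan_files(files):
    """files: mapping of filename -> contents, e.g. the staged-file snapshot a
    pre-commit hook would read."""
    hits = []
    for name, text in files.items():
        hits.extend(find_leaks(text, name))
    return hits


# Constructed sample: one settings file with keys pasted in, one clean module
# that lets the SDK pick up credentials from the role/profile instead.
SAMPLE_FILES = {
    "settings.py": (
        "# quick hack, remove before pushing\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "handler.py": (
        "import boto3\n"
        "s3 = boto3.client('s3')  # credentials come from the role, not the code\n"
    ),
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for name, lineno, kind in hits:
        print(f"{name}:{lineno}: possible {kind}")
    sys.exit(1 if hits else 0)  # a non-zero exit is what blocks the commit in a hook
```

In a real hook you would replace `SAMPLE_FILES` with the output of `git diff --cached --name-only` read from disk; the point is that the check runs on your machine, before the push, rather than hours later on someone else's scanner.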

The second is where resources are breached. The most common method is via EC2 instance profiles, although the same issue can occur on any resource with a role. In essence the resource is compromised, which allows an attacker to gain control of it and use its permissions for malicious intent. There are two ways to reduce the possibility of this. First is to only expose items externally that need to be exposed, and only on the needed ports. Ideally every compute resource should be in a private subnet, exposed to the internet via a load balancer. Second is to follow the principle of least privilege. This ensures the role only has permissions to do what it needs to do, so a Lambda that reads S3 only has s3:GetObject, on the bucket it reads. Too often, overly permissive roles are the cause of bill shock from compromised resources.
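To make the least-privilege point concrete, here is an added example, not from the article: the over-permissive role policy a "Lambda that reads S3" too often ends up with, beside the least-privilege version the article describes, plus a small checker that flags the wildcards that make the first one dangerous and a simplified evaluator showing what each policy actually grants. The bucket name is constructed; the policy document format (`Version`, `Statement`, `Effect`, `Action`, `Resource`) is the real IAM format, but the evaluator only models `Allow` statements and ignores `Deny`, conditions and resource policies.

```python
"""Over-permissive IAM role policy beside its least-privilege version.

Added example, not from the article. Bucket name is constructed; the policy
grammar is IAM's, but `allows` is a deliberately simplified Allow-only check.
"""
import fnmatch

# What the article warns about: the function only reads one bucket, but its
# role can do anything to S3 anywhere. If the function is compromised, the
# attacker inherits that blanket access.
OVER_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Least privilege: the one action it needs, only on the objects it reads.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-reports-bucket/*"],  # constructed bucket name
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Findings for Allow statements broader than a single-purpose role needs:
    service-wide or global action wildcards, and the '*' resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


def allows(policy, action, resource):
    """Does any Allow statement grant `action` on `resource`? Action names
    match case-insensitively as in IAM; ARNs match case-sensitively."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                        for p in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, p)
                          for p in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("over-permissive", OVER_PERMISSIVE), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, policy_findings(policy) or "no findings")
        # The difference that matters after a compromise: can the role delete
        # objects in some other bucket?
        print("  can delete elsewhere:", allows(policy, "s3:DeleteObject", "arn:aws:s3:::other-bucket/key"))
```

The checker is intentionally crude (a `ReadOnlyAccess`-style list of many narrow actions would pass it), but it catches the two shapes that account for most of the blast radius: `service:*` and `Resource: "*"`. Run it against the role policies attached to your instance profiles and Lambda functions before worrying about anything subtler.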

More information on least privileges can be found in the Identity and Access Management user guide.

Security best practices in IAM - AWS Identity and Access Management
Follow these best practices for using AWS Identity and Access Management (IAM) to help secure your AWS account and resources.
AWS Identity and Access Management User Guide

Fifth, know the cost of services.

One of the biggest complaints about self-inflicted costs is "I didn't know it cost that much".

Now, let's first state that AWS does not hide its costs. Every service has a pricing page showing a detailed breakdown of all the associated costs, with examples to help you understand how charges will be incurred. I would always recommend you take a good look at those pages before using a new service. This, along with the billing alerts above, will ensure you know the expected costs and can respond if actual costs are higher.

If you do not know how much something will cost, don't use it. Unfortunately, while costs are charged per second or per minute, billing has a delay. If you are not happy with the prospect of a bill for a service while you work out how much it might cost, do not use it. Reach out to AWS if the billing examples are not clear, explain your use case, and ask whether they can give a cost estimate.

Just because you might not have realised that EKS will charge you the $500 of EC2 usage as well as the ~$73 cluster charge does not make it anyone else's fault. While AWS might be nice if you shut the cluster down quickly and contact them, they are under no obligation to waive charges.


And finally,

Just to reiterate:

Set up your account properly!

Ensure you have MFA on all your accounts (root user and IAM).

Ensure you don't store your credentials, especially in code.

Make sure you only grant the permissions you need to the resource that needs it.

Don't use something you don't know the cost of.


For more information on these topics, and others that will help you secure your account and avoid unwanted charges, take a look at AWS Security Essentials.

AWS Security Essentials
An essential guide to security best practices in the cloud.

I hope you've found this article of use and that it gives you a starting point for securing and managing your account. As always, I'd love feedback and suggestions.