AWS Cost Anomaly Detection: Catch Billing Surprises Before They Happen
Nothing ruins a cloud journey faster than an unexpected $50,000 bill. AWS Cost Anomaly Detection uses machine learning to establish your spending patterns and alerts you when costs deviate—before the bill arrives.
How It Works
| Step | Description |
|---|---|
| 1. Learn | ML model learns your spending patterns over time |
| 2. Monitor | Continuously compares actual vs expected spend |
| 3. Detect | Identifies anomalies using statistical analysis |
| 4. Alert | Notifies via email, SNS, or Slack |
| 5. Analyze | Root cause analysis shows what changed |
Setting Up Cost Anomaly Detection
import boto3
ce = boto3.client('ce')
# Step 1: Create cost monitor
monitor = ce.create_anomaly_monitor(
AnomalyMonitor={
'MonitorName': 'production-costs',
'MonitorType': 'DIMENSIONAL',
'MonitorDimension': 'SERVICE' # Monitor by service
}
)
# Step 2: Create subscription for alerts
ce.create_anomaly_subscription(
AnomalySubscription={
'SubscriptionName': 'cost-alerts',
'MonitorArnList': [monitor['MonitorArn']],
'Subscribers': [
{
'Type': 'EMAIL',
'Address': 'finops@company.com'
},
{
'Type': 'SNS',
'Address': 'arn:aws:sns:us-east-1:123456789012:cost-alerts'
}
],
'Threshold': 100, # Alert if anomaly > $100
'Frequency': 'IMMEDIATE'
}
)
Monitor Types
# Available monitor types
1. AWS_SERVICES
- Monitors all AWS services in aggregate
- Good for overall spending awareness
2. DIMENSIONAL
- Monitor by: SERVICE, LINKED_ACCOUNT, or COST_CATEGORY
- Better for identifying specific cost drivers
3. CUSTOM
- Define custom cost filters
- Monitor specific tags, regions, or usage types
Real-World Catches
Anomalies Caught in 2025
- Runaway Lambda: Infinite loop detected, $12,000/day caught in 2 hours
- EBS snapshots: Forgotten backup script, $800/day caught in 1 day
- Data transfer: Misconfigured CDN, $5,000/day caught in 4 hours
- NAT Gateway: Traffic spike from bug, $2,000/day caught same day
Best Practices
- Multiple monitors: Create monitors per service, account, and team
- Right threshold: Start low ($50-100), adjust based on noise
- Slack integration: Use SNS → Lambda → Slack for real-time alerts
- Weekly review: Check anomaly history even without alerts
- Cost categories: Tag resources for granular monitoring
Cost Anomaly Detection is free. There’s no excuse not to enable it on every AWS account today.
