AWS Cost Anomaly Detection: Stop Surprise Bills in 15 Minutes

AWS Cost Anomaly Detection uses machine learning to alert you when spending is unexpectedly high - before it becomes a large bill. It’s free to set up and takes 15 minutes. Every AWS account should have it enabled.

Free AWS feature - no additional cost
Alerts within 24 hours of anomaly
ML-based - adapts to your spending patterns
Identifies root cause automatically

4-Step Setup Guide

Complete this in 15 minutes - you’ll never be surprised by a rogue resource again.

Step 1: Create a cost monitor (5 minutes)

A cost monitor defines what scope AWS monitors for anomalies. You can monitor your entire AWS account, individual services, cost categories, or cost allocation tag values. Start with one monitor per logical environment or service.

Steps

  1. AWS Cost Management console → Anomaly Detection → Cost monitors → Create monitor
  2. Monitor type: AWS Services (monitors each service independently) - best for most startups
  3. Alternatively: Linked account (for Organizations) or Cost category (if you have categories set up)
  4. Give the monitor a descriptive name: 'Production Services Monitor' or 'All AWS Services'
  5. Click Create monitor - the monitor starts analyzing your historical spend patterns immediately

Note: The AWS Services monitor type catches individual service anomalies (e.g., EC2 spending 3× normal) while filtering out correlated increases (e.g., EC2 and data transfer both spike from increased traffic - that’s expected).

Step 2: Set up an alert subscription (5 minutes)

Alert subscriptions define who gets notified and at what threshold. AWS uses machine learning to detect anomalies - you set a minimum impact threshold (absolute or percentage) to filter out noise from small variations.

Steps

  1. Anomaly Detection → Alert subscriptions → Create subscription
  2. Subscription type: Individual alerts (immediate) or Daily/Weekly summary
  3. Set alert threshold: absolute amount ($100 minimum recommended) to avoid alert fatigue
  4. Add SNS topic or email recipients: add your on-call email and team Slack-to-email address
  5. Link to your cost monitor: select the monitor created in step 1

Note: Start with $100 minimum threshold - this filters noise while catching meaningful anomalies. For smaller AWS bills ($5K–$15K/month), use $50. Adjust after seeing which anomalies trigger alerts in the first month.

Step 3: Configure anomaly thresholds (5 minutes)

AWS anomaly detection uses ML to learn your normal spend patterns. You configure the sensitivity by setting a minimum impact threshold. Lower thresholds catch more anomalies but generate more alerts.

Steps

  1. Threshold type: Absolute (fixed dollar amount) - simpler and more predictable
  2. Set to $100 for accounts spending $5K–$20K/month, $500 for accounts spending $20K+/month
  3. Alternatively: Percentage threshold - alerts if anomaly is 100%+ above expected spend
  4. Enable both email and SNS notifications: route SNS to your PagerDuty, OpsGenie, or Slack alert channel
  5. For multi-account Organizations: create monitors in the management account to see anomalies across all linked accounts

Note: Percentage thresholds can cause alert fatigue for services with naturally variable spend. Absolute thresholds are generally more useful - you care about $500 anomalies regardless of the percentage.
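Steps 1 to 3 expressed as Cost Explorer API requests, as an added example that is not part of the original tutorial. The subscription name, the subscriber addresses and the `create_in_account` helper are assumptions; the API delivers IMMEDIATE (individual) alerts only to SNS and DAILY/WEEKLY summaries only to email, so the builder rejects mismatched subscribers.

```python
# Added example: request payloads for the boto3 "ce" (Cost Explorer) client.

def monitor_request(name="All AWS Services"):
    # DIMENSIONAL + SERVICE is the API form of the console's "AWS Services" type.
    return {"AnomalyMonitor": {
        "MonitorName": name,
        "MonitorType": "DIMENSIONAL",
        "MonitorDimension": "SERVICE",
    }}

def subscription_request(monitor_arn, subscribers, frequency="DAILY",
                         threshold_usd=100, name="cost-anomaly-alerts"):
    """subscribers: list of (kind, address) pairs, kind is "EMAIL" or "SNS"."""
    if frequency not in ("IMMEDIATE", "DAILY", "WEEKLY"):
        raise ValueError(f"unknown frequency: {frequency}")
    # Individual alerts go to SNS topics; summaries go to email addresses.
    required = "SNS" if frequency == "IMMEDIATE" else "EMAIL"
    wrong = [addr for kind, addr in subscribers if kind != required]
    if not subscribers or wrong:
        raise ValueError(f"{frequency} needs {required} subscribers, got {wrong}")
    return {"AnomalySubscription": {
        "SubscriptionName": name,
        "MonitorArnList": [monitor_arn],
        "Frequency": frequency,
        "Subscribers": [{"Type": k, "Address": a} for k, a in subscribers],
        # Absolute impact threshold in USD (the tutorial's $100 starting point).
        "ThresholdExpression": {"Dimensions": {
            "Key": "ANOMALY_TOTAL_IMPACT_ABSOLUTE",
            "MatchOptions": ["GREATER_THAN_OR_EQUAL"],
            "Values": [str(threshold_usd)],
        }},
    }}

def create_in_account(subscribers, frequency="DAILY", threshold_usd=100):
    # Hypothetical helper: needs AWS credentials allowed to call the ce API.
    import boto3  # imported here so the builders above work without AWS access
    ce = boto3.client("ce")
    arn = ce.create_anomaly_monitor(**monitor_request())["MonitorArn"]
    req = subscription_request(arn, subscribers, frequency, threshold_usd)
    return ce.create_anomaly_subscription(**req)["SubscriptionArn"]
```

To get both the email summary and the SNS route from step 4 of this section, build two subscriptions against the same monitor ARN, one DAILY with email subscribers and one IMMEDIATE with the SNS topic.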

Step 4: Investigate and respond to anomaly alerts (15–60 minutes per alert)

When an anomaly triggers, the alert includes a root cause analysis - the specific service, usage type, or linked account responsible. AWS identifies the top driver automatically, giving you a starting point for investigation.

Steps

  1. Receive alert email: it includes anomaly amount, time range, and top root cause
  2. Click the Cost Explorer link in the alert to see the anomalous spend breakdown
  3. Check CloudTrail for API calls that correlate with the anomaly start time
  4. Common causes: forgotten test resource, deployment that scaled unexpectedly, data pipeline reprocessing historical data
  5. After investigation: mark the anomaly as Expected or Resolved in the Anomaly Detection console

Note: Marking anomalies helps AWS improve the model over time - expected anomalies (e.g., month-end batch job) are learned and stop triggering alerts after a few cycles.
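One way to do the CloudTrail check in step 3, as an added example rather than code from the original page: it keeps non-read-only calls against the flagged service made within 24 hours either side of the anomaly start. The records, the ARNs and the list of event-name prefixes are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records, trimmed to the fields this check reads.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-13T22:14:07Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "readOnly": false, "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
 {"eventTime": "2024-05-13T22:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "readOnly": true, "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
 {"eventTime": "2024-05-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "readOnly": false, "awsRegion": "eu-west-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2024-05-14T03:30:00Z", "eventSource": "rds.amazonaws.com",
  "eventName": "CreateDBInstance", "readOnly": false, "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/data-pipeline"}}
]""")

# Assumed starting list: call-name prefixes that create or scale billable resources.
SPEND_PREFIXES = ("Run", "Create", "Start", "Modify", "Update", "Restore")

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def changes_near_anomaly(events, service, anomaly_start, window_hours=24):
    """Return (time, call, caller ARN, region) for mutating calls near the anomaly start."""
    start = parse_ts(anomaly_start)
    window = timedelta(hours=window_hours)
    hits = []
    for ev in events:
        if ev["eventSource"] != service or ev.get("readOnly"):
            continue  # other service, or a read-only call that cannot add spend
        if not ev["eventName"].startswith(SPEND_PREFIXES):
            continue
        if abs(parse_ts(ev["eventTime"]) - start) <= window:
            hits.append((ev["eventTime"], ev["eventName"],
                         ev["userIdentity"]["arn"], ev["awsRegion"]))
    return sorted(hits)  # oldest first, so the earliest change leads the list

if __name__ == "__main__":
    for hit in changes_near_anomaly(SAMPLE_EVENTS, "ec2.amazonaws.com",
                                    "2024-05-14T00:00:00Z"):
        print(*hit)
```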

Frequently Asked Questions

Is AWS Cost Anomaly Detection free?

Yes. AWS Cost Anomaly Detection is a free feature in AWS Cost Management. There are no additional charges for creating monitors or receiving alerts. You pay only for SNS notifications if you route alerts through SNS (typically fractions of a cent per alert).

How quickly does AWS Cost Anomaly Detection detect anomalies?

AWS evaluates anomalies daily using the previous day’s cost data. With individual alerts, you are notified within 24 hours of the anomaly being detected. Daily and weekly summaries aggregate anomalies over the respective period.

What is the difference between Cost Anomaly Detection and billing alerts?

CloudWatch billing alerts trigger when total spend exceeds a fixed threshold (e.g., alert when monthly bill exceeds $10,000). Cost Anomaly Detection uses ML to detect unexpected spend patterns - it alerts when spending is anomalously high relative to your historical baseline, even if it hasn’t crossed a fixed threshold yet. Both are worth setting up.

Can Cost Anomaly Detection detect anomalies in specific services?

Yes. The AWS Services monitor type creates independent monitors for each service in your account. It will alert separately if EC2 is anomalously high, or if RDS is anomalously high - rather than just monitoring total account spend. You can also filter by cost allocation tag to monitor specific environments or teams.

What should I do when I get a Cost Anomaly Detection alert?

First, check the root cause in the alert email - it usually identifies the specific service and usage type responsible. Then: check CloudTrail for recent API calls, check recent deployments, and look for forgotten resources created during testing. If it’s expected (e.g., a planned load test), mark it as Expected in the console.
