AWS Cost optimization: How did we reduce our AWS bill?

Sudhir Kumar
Sep 12, 2021

This post covers a few tips and solutions for reducing your AWS costs. Each of these services costs only a few cents until you provision it across multiple accounts and start using it at scale. We followed these tips and reduced our bills by six figures.

Set up cost anomaly alerts for your AWS accounts based on your estimated monthly spend. You can also use Grafana with the CloudWatch Billing metrics to monitor it.

1. Use VPC Endpoints:

Use VPC endpoints, including the S3 gateway endpoint. Traffic then stays on the AWS network and reaches AWS public services over internal routes (via PrivateLink); it does not need an Internet Gateway, NAT Gateway or IPsec tunnel to get there.

Check the billing console for the services you are actively using and create VPC endpoints for them.
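One way to turn that billing-console check into a repeatable audit, as an added example (not code from the original post): compare the services that show up in billing against the endpoints that already exist in a VPC and render the `create-vpc-endpoint` calls for the gaps. The service list, VPC id and endpoint records below are constructed so the script runs offline; in practice they come from Cost Explorer and `ec2.describe_vpc_endpoints`.

```python
"""Find billed AWS services that still lack a VPC endpoint in a given VPC.

Added example, not code from the original post. The inputs mirror boto3's
``ec2.describe_vpc_endpoints`` response and the service names in the billing
console, but the data below is constructed so the script runs offline;
swap the constants for real API calls when using it.
"""
from typing import Dict, Iterable, List

# Services offered as Gateway endpoints (free, attached to route tables).
# Everything else that supports PrivateLink is an Interface endpoint.
GATEWAY_SERVICES = {"s3", "dynamodb"}

# Constructed: endpoint short names of the services active in billing.
BILLED_SERVICES = ["s3", "dynamodb", "ecr.api", "ecr.dkr", "logs", "sts", "kms"]

# Constructed: trimmed describe_vpc_endpoints() output for one VPC.
EXISTING_ENDPOINTS = [
    {"VpcId": "vpc-0a1b2c3d", "ServiceName": "com.amazonaws.eu-west-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcId": "vpc-0a1b2c3d", "ServiceName": "com.amazonaws.eu-west-1.logs",
     "VpcEndpointType": "Interface", "State": "available"},
    # A rejected/failed endpoint carries no traffic, so it counts as missing.
    {"VpcId": "vpc-0a1b2c3d", "ServiceName": "com.amazonaws.eu-west-1.kms",
     "VpcEndpointType": "Interface", "State": "rejected"},
]


def service_name(region: str, short: str) -> str:
    """PrivateLink service name for a service short name in a region."""
    return f"com.amazonaws.{region}.{short}"


def missing_endpoints(region: str, vpc_id: str, billed: Iterable[str],
                      endpoints: List[Dict]) -> Dict[str, str]:
    """Map service name -> endpoint type for billed services that have no
    *available* endpoint in the VPC."""
    present = {e["ServiceName"] for e in endpoints
               if e["VpcId"] == vpc_id and e["State"] == "available"}
    gaps = {}
    for short in billed:
        name = service_name(region, short)
        if name not in present:
            gaps[name] = "Gateway" if short in GATEWAY_SERVICES else "Interface"
    return gaps


def create_commands(region: str, vpc_id: str, gaps: Dict[str, str]) -> List[str]:
    """Render the matching ``aws ec2 create-vpc-endpoint`` calls for review.
    Gateway endpoints attach to route tables; Interface endpoints need subnets
    and a security group. Angle-bracket values are placeholders to fill in."""
    cmds = []
    for name, kind in sorted(gaps.items()):
        cmd = (f"aws ec2 create-vpc-endpoint --region {region} --vpc-id {vpc_id} "
               f"--service-name {name} --vpc-endpoint-type {kind}")
        if kind == "Gateway":
            cmd += " --route-table-ids <RTB_IDS>"
        else:
            cmd += " --subnet-ids <SUBNET_IDS> --security-group-ids <SG_ID> --private-dns-enabled"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    gaps = missing_endpoints("eu-west-1", "vpc-0a1b2c3d", BILLED_SERVICES, EXISTING_ENDPOINTS)
    print("\n".join(create_commands("eu-west-1", "vpc-0a1b2c3d", gaps)))
```

Gateway endpoints for S3 and DynamoDB are free; Interface endpoints carry an hourly charge per AZ plus a per-GB data processing fee, so they only pay off where the traffic through the NAT Gateway exceeds that. Once an endpoint exists, attach an endpoint policy that limits it to your own account's resources, so the private path does not become an unfiltered route to every bucket in the region.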

2. S3 Lifecycle Policies:

S3 lifecycle policies are tricky to get right. If the object count is very high, e.g. millions or billions of objects, creating a lifecycle transition is often not a good idea, because AWS charges a transition fee per object moved (e.g. from S3 Standard to Glacier).
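To see where that per-object fee tips the balance, here is a break-even calculation added to the post (not the author's code). The prices are constructed placeholders, not live AWS pricing; the per-object metadata overhead that S3 keeps billing for archived objects is what makes tiny objects a losing proposition.

```python
"""Break-even check for an S3 lifecycle transition to Glacier.

Added example, not code from the original post. AWS bills lifecycle
transitions per request, i.e. per object, and every archived object also
carries index/metadata overhead that keeps being billed, so with millions of
tiny objects the transition can cost more than it ever saves. The prices
below are constructed placeholders; take the current numbers for your
region and storage class from the S3 pricing page.
"""
from dataclasses import dataclass
from typing import Optional

KIB = 1024
GIB = 1024 ** 3


@dataclass(frozen=True)
class Prices:
    """USD. Constructed example values, not live AWS pricing."""
    standard_per_gb_month: float = 0.023
    glacier_per_gb_month: float = 0.004
    transition_per_1000_requests: float = 0.05
    # Per archived object S3 keeps about 8 KiB of metadata billed at Standard
    # rates and about 32 KiB of index billed at Glacier rates.
    overhead_standard_bytes: int = 8 * KIB
    overhead_glacier_bytes: int = 32 * KIB


def transition_cost(object_count: int, p: Prices = Prices()) -> float:
    """One-off fee for moving every object (charged per 1,000 requests)."""
    return object_count / 1000 * p.transition_per_1000_requests


def monthly_saving(object_count: int, total_bytes: int, p: Prices = Prices()) -> float:
    """Monthly storage bill before minus after the transition, including the
    per-object overhead. Negative means the move raises the bill."""
    gib = total_bytes / GIB
    before = gib * p.standard_per_gb_month
    overhead_std = object_count * p.overhead_standard_bytes / GIB
    overhead_gla = object_count * p.overhead_glacier_bytes / GIB
    after = ((gib + overhead_gla) * p.glacier_per_gb_month
             + overhead_std * p.standard_per_gb_month)
    return before - after


def break_even_months(object_count: int, total_bytes: int,
                      p: Prices = Prices()) -> Optional[float]:
    """Months until the transition fee is recovered; None if it never is."""
    saving = monthly_saving(object_count, total_bytes, p)
    if saving <= 0:
        return None
    return transition_cost(object_count, p) / saving


if __name__ == "__main__":
    # Constructed scenarios: a billion 1 KiB log fragments vs. ten thousand 1 GiB backups.
    for label, count, size in (("1e9 x 1 KiB", 10**9, KIB), ("1e4 x 1 GiB", 10**4, GIB)):
        months = break_even_months(count, count * size)
        verdict = "never" if months is None else f"{months:.2f} months"
        print(f"{label}: transition ${transition_cost(count):,.2f}, break-even {verdict}")
```

With these placeholder prices a billion 1 KiB objects cost tens of thousands of dollars to transition and never pay back, while ten thousand 1 GiB backups pay back within days. Glacier classes also have a minimum storage duration, so objects deleted soon after transition incur early-deletion charges; aggregate small objects before archiving them, or leave them where they are.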

3. AWS S3 KMS Charges:

Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS.

Workloads that access millions or billions of objects encrypted with SSE-KMS can generate large volumes of requests to AWS KMS. When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual AWS KMS data key for every object and calls AWS KMS every time a request is made against a KMS-encrypted object.
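An audit for this setting, added here as an example (not the post's code): find the buckets whose default encryption is SSE-KMS without a Bucket Key and build the corrected configuration. The bucket names and key ARN are constructed; with boto3 the same dicts come from `s3.get_bucket_encryption(...)["ServerSideEncryptionConfiguration"]` and go back through `s3.put_bucket_encryption(...)`.

```python
"""Audit S3 default encryption for SSE-KMS buckets without an S3 Bucket Key
and produce the configuration that enables it.

Added example, not code from the original post. Inputs follow the
GetBucketEncryption response shape; bucket names and the key ARN are
constructed. With boto3 the same dicts come from
s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]
and go back via s3.put_bucket_encryption(...).
"""
import copy
from typing import Dict, List

KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed

# Constructed: bucket name -> ServerSideEncryptionConfiguration
BUCKETS: Dict[str, Dict] = {
    "logs-archive": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
        "BucketKeyEnabled": False}]},
    "data-lake": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
        "BucketKeyEnabled": True}]},
    # SSE-S3: no KMS requests, nothing to do.
    "static-site": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    # BucketKeyEnabled omitted: the API treats it as false.
    "legacy-exports": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}


def _is_kms_rule(rule: Dict) -> bool:
    return rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms"


def needs_bucket_key(config: Dict) -> bool:
    """True if any SSE-KMS rule in the configuration has no Bucket Key."""
    return any(_is_kms_rule(r) and not r.get("BucketKeyEnabled", False)
               for r in config.get("Rules", []))


def audit(buckets: Dict[str, Dict]) -> List[str]:
    """Sorted list of buckets still paying per-object KMS request costs."""
    return sorted(name for name, cfg in buckets.items() if needs_bucket_key(cfg))


def with_bucket_key(config: Dict) -> Dict:
    """Copy of the configuration with BucketKeyEnabled on every SSE-KMS rule,
    ready to pass as ServerSideEncryptionConfiguration to put_bucket_encryption.
    The input is not modified."""
    fixed = copy.deepcopy(config)
    for rule in fixed.get("Rules", []):
        if _is_kms_rule(rule):
            rule["BucketKeyEnabled"] = True
    return fixed


if __name__ == "__main__":
    for name in audit(BUCKETS):
        print(name, "->", with_bucket_key(BUCKETS[name]))
```

Two things to plan for: a Bucket Key only applies to objects written after it is enabled (existing objects keep their per-object data keys until they are copied), and KMS CloudTrail events for bucket-key objects reference the bucket ARN rather than the object, so per-object KMS access auditing becomes coarser. Confirm your detection rules do not rely on that object-level granularity before rolling it out.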

4. EBS volume migration from GP2 to GP3 can reduce costs by 20%:

Migrate your EBS volumes from General Purpose 2 (gp2) to gp3 to get this benefit.
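The caveat a practitioner wants here is performance: gp2 scales IOPS with volume size, while gp3 starts from a flat baseline, so large volumes need provisioned IOPS/throughput on gp3 or they slow down after the move. The planner below is an added example (not the post's code) that derives the `modify-volume` parameters from constructed `describe_volumes` records.

```python
"""Plan a gp2 -> gp3 migration that keeps the volumes' performance.

Added example, not code from the original post; the volumes below are
constructed in the shape of ``ec2.describe_volumes`` output. gp2 scales
IOPS with size (3 IOPS/GiB, floor 100, cap 16,000) and gp2 volumes of
334 GiB and above sustain 250 MiB/s. gp3 starts at a flat 3,000 IOPS and
125 MiB/s, so larger gp2 volumes need provisioned IOPS/throughput on gp3
or they slow down after the migration.
"""
from typing import Dict, List, Optional

GP3_BASE_IOPS, GP3_MAX_IOPS = 3000, 16000
GP2_MAX_THROUGHPUT = 250            # MiB/s, sustained by gp2 volumes >= 334 GiB
GP2_FULL_THROUGHPUT_SIZE = 334      # GiB

# Constructed describe_volumes() excerpt.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "VolumeType": "gp2", "Size": 100},
    {"VolumeId": "vol-0bbb", "VolumeType": "gp2", "Size": 400},
    {"VolumeId": "vol-0ccc", "VolumeType": "gp2", "Size": 2000},
    {"VolumeId": "vol-0ddd", "VolumeType": "io1", "Size": 500, "Iops": 10000},
]


def gp2_baseline_iops(size_gib: int) -> int:
    """Baseline IOPS a gp2 volume of this size delivers."""
    return max(100, min(16000, 3 * size_gib))


def gp3_plan(volume: Dict) -> Optional[Dict]:
    """ModifyVolume parameters for one gp2 volume; None for other types.
    Extra IOPS/throughput are only requested where gp3's baseline is lower
    than what the gp2 volume delivered."""
    if volume["VolumeType"] != "gp2":
        return None
    params = {"VolumeId": volume["VolumeId"], "VolumeType": "gp3"}
    needed_iops = gp2_baseline_iops(volume["Size"])
    if needed_iops > GP3_BASE_IOPS:
        params["Iops"] = min(needed_iops, GP3_MAX_IOPS)
    if volume["Size"] >= GP2_FULL_THROUGHPUT_SIZE:
        params["Throughput"] = GP2_MAX_THROUGHPUT
    return params


def migration_commands(volumes: List[Dict]) -> List[str]:
    """Equivalent ``aws ec2 modify-volume`` calls for review before running."""
    cmds = []
    for v in volumes:
        plan = gp3_plan(v)
        if plan is None:
            continue
        cmd = f"aws ec2 modify-volume --volume-id {plan['VolumeId']} --volume-type gp3"
        if "Iops" in plan:
            cmd += f" --iops {plan['Iops']}"
        if "Throughput" in plan:
            cmd += f" --throughput {plan['Throughput']}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    print("\n".join(migration_commands(VOLUMES)))
```

The modification runs online, but EBS allows only one modification per volume every six hours, so check the modification state (`describe-volumes-modifications`) before queuing a second change. Compare the provisioned-IOPS add-on against the 20% saving for the handful of very large volumes; for most fleets the flat gp3 baseline is already above what gp2 delivered.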

5. S3 intelligent tiering:

S3 Intelligent-Tiering moves your objects between tiers (frequent and infrequent access) as needed, based on each object's access pattern.

6. Trusted Advisor Reports and Right Sizing:

Set up AWS Trusted Advisor reports: generate the report, upload the results to an S3 bucket and visualize a Cost Optimization dashboard with Amazon QuickSight/Athena.

You can integrate QuickSight with AWS SSO as well.

Right-size EC2 instances using the cost optimizer's rightsizing recommendations.

7. Compute/RDS RI’s (Reserved Instances):

Reserving EC2/RDS capacity is a commitment to AWS and may involve upfront fees. If you commit for 3 years, costs drop by about a third.

8. Instance Scheduler:

The Instance Scheduler can shut down your non-production resources outside working hours.

9. Ec2 Spot Instances:

Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. Due to the operating scale of AWS, Spot Instances can offer the scale and cost savings to run hyper-scale workloads.

10. Billing alerts:

Set billing alerts for your AWS accounts and use Cost Explorer for detailed breakdowns. Create AWS Cost and Usage Reports and AWS Budgets.

11. Service Control Policies:

You can attach Service Control Policies (SCPs) at the AWS Organizations level.

→ Restrict the allowed EC2/RDS instance types in an SCP and attach it at the OU or organization root level.

→ Allow only specific regions in an SCP.

and so on.
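What those two SCPs look like, and how to dry-run them before attaching, as an added example (not the post's code): the allowed regions and instance types are assumptions to adapt, and the evaluator is a deliberately small model of SCP deny logic (actions and string conditions only, no resource matching) for checking the policy's intent against a few constructed requests.

```python
"""Generate SCPs that pin allowed regions and EC2/RDS instance types, and
dry-run a few constructed API requests against them.

Added example, not code from the original post. The allowed lists are
assumptions to adapt. The condition keys aws:RequestedRegion,
ec2:InstanceType and rds:DatabaseClass are real IAM keys; the evaluator
below is a deliberately small model of SCP deny logic (actions and string
conditions only, no resource matching) for testing the policy's intent.
"""
import fnmatch
import json
from typing import Dict, List

ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
ALLOWED_EC2_TYPES = ["t3.*", "m5.large", "m5.xlarge"]
ALLOWED_RDS_CLASSES = ["db.t3.*", "db.r5.large"]
# Global services are signed in us-east-1; exempt them from the region deny.
GLOBAL_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                  "budgets:*", "cloudfront:*", "route53:*", "ce:*"]


def build_scp() -> Dict:
    """Deny anything outside the approved regions and instance types."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
         "NotAction": GLOBAL_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
        {"Sid": "DenyUnapprovedEc2Types", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotLike": {"ec2:InstanceType": ALLOWED_EC2_TYPES}}},
        {"Sid": "DenyUnapprovedRdsClasses", "Effect": "Deny",
         "Action": "rds:CreateDBInstance", "Resource": "*",
         "Condition": {"StringNotLike": {"rds:DatabaseClass": ALLOWED_RDS_CLASSES}}},
    ]}


def _match(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _applies(stmt: Dict, action: str, context: Dict[str, str]) -> bool:
    """Does this statement match the action and condition context?"""
    if "Action" in stmt and not _match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match(stmt["NotAction"], action):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            actual = context.get(key)
            # As in IAM, the negated operators used here match when the key is absent.
            if actual is None:
                continue
            if operator == "StringNotEquals" and actual in values:
                return False
            if operator == "StringNotLike" and _match(values, actual):
                return False
    return True


def denied_by(policy: Dict, action: str, context: Dict[str, str]) -> List[str]:
    """Sids of Deny statements that would block the request."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and _applies(s, action, context)]


if __name__ == "__main__":
    scp = build_scp()
    print(json.dumps(scp, indent=2))
    print(denied_by(scp, "ec2:RunInstances",
                    {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "p3.8xlarge"}))
```

SCPs never grant access; they only cap what IAM policies in the member accounts can allow, and they do not apply to the management account. Attach a new SCP to a sandbox OU first and watch CloudTrail for `AccessDenied` on legitimate workloads before moving it up to the root, because a region deny that forgets a global service exemption breaks everyone at once.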

12. NAT Gateway Egress costs:

NAT Gateway traffic costs add up quickly. Run mirrors of your dependent services (APT/YUM repositories, Artifactory and so on) in a shared services account. Make these internal services reachable via VPC endpoint services/NLB or VPC peering (less preferred), so this dependent-service traffic does not need Direct Connect (DX) or a NAT Gateway at all.
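To find out which dependencies are actually driving the NAT data-processing line, rank the destinations seen in VPC Flow Logs on the NAT Gateway's own network interface. This is an added example, not the post's code; the flow log records, the NAT ENI id, the destination labels and the per-GB rate are all constructed (the destination addresses come from the documentation ranges).

```python
"""Rank the destinations behind NAT Gateway data-processing charges from
VPC Flow Logs, to find dependent services worth mirroring internally.

Added example, not code from the original post. Records use the default
flow log format (version 2) and are constructed; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges. Flow logs on the NAT gateway's
own network interface (eni-0nat... below, constructed) show the private
source and the public destination of every flow that crosses it.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

NAT_ENI = "eni-0nat00000000001"  # constructed
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed flow log records (one per line).
FLOW_LOGS = """\
2 111122223333 eni-0nat00000000001 10.0.1.15 203.0.113.10 44312 443 6 120 1500000000 1631404800 1631404860 ACCEPT OK
2 111122223333 eni-0nat00000000001 10.0.2.20 203.0.113.10 44313 443 6 200 2500000000 1631404800 1631404860 ACCEPT OK
2 111122223333 eni-0nat00000000001 10.0.1.15 198.51.100.7 50000 443 6 40 300000000 1631404800 1631404860 ACCEPT OK
2 111122223333 eni-0app00000000002 10.0.1.15 10.0.3.8 50001 5432 6 40 10000000 1631404800 1631404860 ACCEPT OK
2 111122223333 eni-0nat00000000001 10.0.1.16 203.0.113.10 44314 443 6 10 0 1631404800 1631404860 REJECT OK
"""

# Constructed mapping of destinations to the dependency they serve.
KNOWN_DESTINATIONS = {"203.0.113.10": "apt/yum mirror", "198.51.100.7": "artifact registry"}


def parse_flow_logs(text: str) -> List[Dict[str, str]]:
    """Split default-format flow log lines into field dicts."""
    return [dict(zip(FIELDS, line.split())) for line in text.splitlines() if line.strip()]


def nat_bytes_by_destination(records: Iterable[Dict[str, str]],
                             nat_eni: str) -> Dict[Tuple[str, int], int]:
    """Sum accepted bytes per (dstaddr, dstport) seen on the NAT gateway's ENI.
    Other interfaces and rejected flows are ignored."""
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    for r in records:
        if r["interface_id"] == nat_eni and r["action"] == "ACCEPT":
            totals[(r["dstaddr"], int(r["dstport"]))] += int(r["bytes"])
    return dict(totals)


def rank_destinations(totals: Dict[Tuple[str, int], int],
                      price_per_gb: float) -> List[Tuple[str, float, float]]:
    """(label, GB, estimated processing cost), largest first. price_per_gb is
    the NAT data-processing rate for your region; GB is taken as 1e9 bytes
    (an assumption about the billing unit)."""
    ranked = []
    for (ip, port), b in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        label = f"{KNOWN_DESTINATIONS.get(ip, ip)}:{port}"
        gb = b / 1e9
        ranked.append((label, gb, gb * price_per_gb))
    return ranked


if __name__ == "__main__":
    totals = nat_bytes_by_destination(parse_flow_logs(FLOW_LOGS), NAT_ENI)
    for label, gb, cost in rank_destinations(totals, price_per_gb=0.045):  # constructed rate
        print(f"{label:<28} {gb:8.2f} GB  ~${cost:.2f}")
```

The same flow-log query, run over a month of data in Athena or CloudWatch Logs Insights, tells you which mirrors to stand up first; a destination that is one of your own S3 or ECR endpoints points straight back at the VPC endpoint tip above. Repeat the ranking after each change so the NAT bill can be tied to what is left.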

13. CUR (Cost and Usage) Reports :

Check your Cost and Usage Report to find which services can be optimized, along with other strategies such as:

→ Stop non-production RDS instances (an RDS instance can only stay stopped for a week at a time). Remove unused EBS volumes, EIPs, ECR repositories, Lambda functions, etc.

14. Adopt ECS/Spot instances (instead of EC2):

Explore ECS with Fargate for your services (instead of EC2 + Auto Scaling). It is a cost-effective and secure option for deploying containers, and you can run them on Spot capacity as well.

15. S3 Guardduty protection:

If you have enabled GuardDuty S3 Protection for all buckets, then all S3 data access events (data plane) and control plane API calls are monitored for suspicious activity.

Findings:

If a bucket is private, or access is allow-listed to on-premises IPs only, it is better to disable S3 Protection for that particular bucket (right now this cannot be controlled from the AWS console/CLI; you can open an AWS Support case to disable it).

For high-traffic S3 buckets this can add up to thousands of dollars, which is unnecessary if the bucket is not meant for public access. Check it in your AWS billing (UsageType: Region:PaidS3DataEventsAnalyzed).
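Both the CUR review in tip 13 and the GuardDuty usage-type check above come down to the same work: load the report, total the cost per usage type, and pull out the `PaidS3DataEventsAnalyzed` lines per region. This is an added example, not the post's code; the CSV rows are constructed in the column layout of a CUR export (a real report is far wider, but these `lineItem/*` columns are present, so the functions run on it unchanged).

```python
"""Summarise a Cost and Usage Report (CUR) by usage type and break out the
GuardDuty S3 Protection charge per region.

Added example, not code from the original post. The CSV rows are constructed
in the column layout of a CUR export (lineItem/ProductCode,
lineItem/UsageType, lineItem/UnblendedCost, ...); a real report is much
wider, but the same columns are present, so the functions work on it unchanged.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed CUR excerpt. Usage types carry a region prefix, so the
# GuardDuty S3 line appears as <Region>-PaidS3DataEventsAnalyzed.
CUR_CSV = """\
lineItem/ProductCode,lineItem/UsageType,lineItem/UsageAmount,lineItem/UnblendedCost
AmazonGuardDuty,EU-PaidS3DataEventsAnalyzed,1500000000,1200.50
AmazonGuardDuty,USE1-PaidS3DataEventsAnalyzed,400000000,350.25
AmazonGuardDuty,EU-PaidEventsAnalyzed,50000000,50.00
AmazonEC2,EU-NatGateway-Bytes,20000,900.00
AmazonS3,EU-TimedStorage-ByteHrs,1200000,400.00
AmazonRDS,EU-InstanceUsage:db.r5.large,720,700.00
"""

S3_PROTECTION_SUFFIX = "PaidS3DataEventsAnalyzed"


def load_cur(text: str) -> List[Dict[str, str]]:
    """Read CUR CSV text into one dict per line item."""
    return list(csv.DictReader(io.StringIO(text)))


def cost_by_usage_type(rows: List[Dict[str, str]]) -> Dict[str, float]:
    """Total unblended cost per usage type."""
    totals: Dict[str, float] = defaultdict(float)
    for r in rows:
        totals[r["lineItem/UsageType"]] += float(r["lineItem/UnblendedCost"])
    return dict(totals)


def top_usage_types(rows: List[Dict[str, str]], n: int) -> List[Tuple[str, float]]:
    """The n most expensive usage types, largest first: the first place to look."""
    by_type = cost_by_usage_type(rows)
    return sorted(by_type.items(), key=lambda kv: kv[1], reverse=True)[:n]


def guardduty_s3_cost_by_region(rows: List[Dict[str, str]]) -> Dict[str, float]:
    """GuardDuty S3 Protection spend per region prefix. A large number on an
    account whose buckets are all private is what the post suggests raising
    with AWS Support."""
    totals: Dict[str, float] = defaultdict(float)
    for r in rows:
        usage = r["lineItem/UsageType"]
        if r["lineItem/ProductCode"] == "AmazonGuardDuty" and usage.endswith(S3_PROTECTION_SUFFIX):
            region = usage[: -len(S3_PROTECTION_SUFFIX)].rstrip("-") or "global"
            totals[region] += float(r["lineItem/UnblendedCost"])
    return dict(totals)


if __name__ == "__main__":
    rows = load_cur(CUR_CSV)
    for usage, cost in top_usage_types(rows, 3):
        print(f"{usage:<40} ${cost:10.2f}")
    print("GuardDuty S3 Protection:", guardduty_s3_cost_by_region(rows))
```

Run the same aggregation by `lineItem/ResourceId` to turn a big usage type into the specific buckets, volumes or instances behind it; that is the list that feeds the RDS stop schedule and the unused EBS/EIP/ECR cleanup from tip 13. Before disabling S3 Protection anywhere, confirm from the bucket policy and access logs that the bucket really is private, since the cost you save is the cost of the monitoring you lose.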

Sudhir Kumar

Working as a Cloud lead/Architect with a security mindset.