Top 15 tips to reduce your AWS Costs

This post will cover few tips/solutions to reduce your AWS costs. These services costs few cents until you provision them to multiple accounts and starts using these services at large scale.

Setup cost anomalies alert for AWS accounts based on your estimated monthly expense — https://aws.amazon.com/aws-cost-management/aws-cost-anomaly-detection/ . You can also leverage Grafana and use Billing cloudwatch metrics to monitor it.

Use VPC Endpoints and S3 Gateway endpoints. This means that traffic remains local and you can access AWS public services using internal routes (via privatelink). It does not need Internet gateway/Nat Gateway/IPSEC to reach AWS public services.

Check all the services in your billing console that you are using actively and create VPC endpoint services.

S3 lifecycle policies are tricky to implement. If the object count is too high E.g:- in Million/Billions of files then it’s not good idea to create lifecycle policies. Reason is that AWS charges for transitioning cost per object i.e. from S3 to glacier etc.

Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS.

Workloads that access millions or billions of objects encrypted with SSE-KMS can generate large volumes of requests to AWS KMS. When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual AWS KMS data key for every object. It makes a call to AWS KMS every time a request is made against a KMS-encrypted object.

Migrate your EBS from general purpose2 (GP2) -> GP3 to avail this benefit.

S3 intelligent tiering will move your objects to different tiers (frequent and infrequent access) as and when needed. It follows object access pattern.

Setup AWS Trusted advisor report → Create Trusted advisor report ; upload results to S3 bucket and visualize Cost Optimization dashboard with AWS Quicksight/Athena.

You can integrate Quicksight with AWS SSO as well → https://www.wellarchitectedlabs.com/cost/200_labs/200_cloud_intelligence/trusted-advisor-dashboards/

Rightsize Ec2 instance with cost Optimizer —> https://aws.amazon.com/aws-cost-management/aws-cost-optimization/right-sizing/

Reserving ec2/RDS is committing AWS and may charge upfront fees. If you commit for 3 years then costs will reduce by 1/3rd.

Instance scheduler can shutdown your non-prod resources during non-working hours.

https://aws.amazon.com/solutions/implementations/instance-scheduler-on-aws/

Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. Due to the operating scale of AWS, Spot Instances can offer the scale and cost savings to run hyper-scale workloads.

Set billing alerts for your AWS accounts and use Cost explorer for detailed explanations. Create AWS Cost and usage Reports/ AWS Budgets.

You can attach Service control policies at AWS Organization.

→ You can allow specify ec2/rds type in Service control policies and attach to your OU/Org level.

→ Allow only specific regions in Service control policies.

and so on..

NAT Gateway traffic costs are huge. Try to run dependent services mirror in shared services account such as APT/YUM/Artifactory or so on. These internal services should be accessible via VPC endpoint services /NLB OR VPC peering (less preferred) . We don’t need to use DX or NAT GW for this dependent services traffic.

Check your Cost and Usage Analysis Report and find which services can be optimized or other strategies like :

→ Stop non-production RDS (You can shut it down for week only). Removed unused EBS, EIP’s, ECR Repos, Lambda etc.

Explore ECS with Fargate for your service (instead of Ec2 + autoscaling). It’s cost effective and secure option to deploy containers on spot instances as well.

If you have enabled Guardduty — S3 protection for all buckets then all S3 data access events (data plane) and control plane API’s will be monitored for any suspicious activities.

Findings — https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html

If your bucket is private OR IP’s whitelisted with on-premises IP’s only then it’s better to disable it for particular bucket (Right now it’s not possible to control it with AWS UI/CLI. You can create AWS Support case to disable it).

If you have high traffic S3 buckets then it can sum up to thousands of dollars which is not needed if bucket is not meant for public access. Check it in your AWS billing (UsageType — Region:PaidS3DataEventsAnalyzed).

If this post was helpful, please click the clap 👏 button below a few times to show your support for the author 👇

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store