What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

How Billing Anomalies Lead to AWS Account Suspension

Most engineering teams assume AWS account suspension is caused by security violations. In practice, billing anomalies are a more frequent trigger — and they often arrive without the warnings teams expect.

What Counts as a Billing Anomaly?

A billing anomaly is any significant deviation from your normal spend pattern. In practice, the triggers include:

Absolute spend spikes — your monthly bill jumps from $500 to $5,000 in a single day
Proportional spikes — a specific service costs 5× more than your 7-day average
New service usage — you're being billed for a service you've never used before
Regional anomalies — resources appearing in regions you don't normally operate in

How Anomalies Escalate to Suspension

The path from anomaly to suspension typically follows this sequence:

A cost spike is generated — from compromised credentials, a misconfigured auto-scaling group, or forgotten development infrastructure
The spike exceeds your payment limit or causes a failed charge attempt
AWS sends an email notification — often to an unmonitored alias
The balance remains unpaid for 3–7 days
AWS restricts the account, then suspends it if the issue isn't resolved

The problem is that steps 1–3 often happen without anyone noticing until step 5.

AWS Native Billing Tools and Their Limitations

AWS provides Cost Anomaly Detection as a managed service. It uses machine learning to identify unusual spend patterns and can alert via SNS or email. It's a good starting point, but has meaningful gaps:

Detection typically has a 24–48 hour lag — by the time you're alerted, the spend has already occurred
Alerts are account-specific; cross-account correlation requires custom tooling
There is no built-in risk scoring or integration with other compliance signals like GuardDuty or IAM
It doesn't correlate billing anomalies with the security events that might explain them

The Most Common Sources of Unexpected Spend

In order of frequency, the billing anomalies that most often escalate to account issues are:

Compromised credentials — attackers using exposed access keys to mine cryptocurrency, typically on GPU instances in unexpected regions
Misconfigured data transfer — accidentally routing traffic between regions or out to the internet instead of keeping it within a VPC
Runaway development environments — large instances or databases left running in non-production accounts over weekends and holidays
Auto-scaling without a ceiling — scaling groups configured to scale up aggressively but without a maximum instance count
S3 storage accumulation — log files, backup snapshots, or versioned objects accumulating without lifecycle policies

Correlating Billing with Security Signals

The most important insight in billing anomaly detection is that spend spikes rarely happen in isolation. A billing spike that appears simultaneously with GuardDuty findings from an unfamiliar IP in an unexpected region is almost certainly credential compromise — not a legitimate workload change.

Treating these signals in isolation means slower detection, slower response, and a higher probability that the anomaly escalates to account restriction before your team has time to act. Effective monitoring correlates all of these signals in real time, surfaces the most likely root cause alongside the alert, and gives you a risk score that reflects the combined picture — not just a collection of individual data points.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Viktor B.

Co-founder & CEO