What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS Billing Anomaly Detection: Catch Runaway Costs Before They Escalate

A single misconfigured Auto Scaling group can generate tens of thousands of dollars in AWS charges overnight. A forgotten GPU instance running in a development account can silently accumulate costs for weeks before anyone notices. A compromised access key can spin up cryptocurrency mining infrastructure across multiple regions in minutes. In every case, the damage is done long before the monthly invoice arrives.

AWS billing anomaly detection is the practice of continuously monitoring cloud spending patterns, establishing baselines, and triggering alerts when costs deviate from expected behavior. This guide covers the native AWS tools available for cost anomaly detection, their limitations, and the architectural patterns required to build a detection system that catches billing anomalies before they become financial incidents.

The Anatomy of an AWS Billing Anomaly

Billing anomalies fall into several categories, each with distinct detection characteristics and response requirements.

Resource Provisioning Anomalies

These occur when compute, storage, or networking resources are provisioned beyond normal operational parameters. Common scenarios include Auto Scaling groups that scale out in response to a traffic spike but fail to scale back in due to misconfigured scale-in policies, manual instance launches in development or sandbox accounts that are never terminated, CloudFormation or Terraform deployments that create resources in unexpected regions, and instance type changes — upgrading from t3.medium to p4d.24xlarge — that dramatically increase hourly costs.

Resource provisioning anomalies typically produce step-function cost increases. The spend baseline shifts to a new, higher level and remains there until the underlying resource is identified and terminated.

Data Transfer Anomalies

AWS data transfer pricing is notoriously complex and frequently misunderstood. Data transfer between Availability Zones, between regions, and from AWS to the internet each carry different per-gigabyte costs. A misconfigured application that routes traffic across regions instead of using local endpoints can generate data transfer charges that dwarf the compute costs of the workload itself.

Data transfer anomalies are particularly dangerous because they are invisible in the EC2 or RDS console. The resources appear healthy and correctly sized, but the network topology is generating costs that only surface in the Cost and Usage Report (CUR) at the line-item level.

Third-Party Service Anomalies

AWS Marketplace subscriptions, SES sending volumes, and services with per-request pricing (API Gateway, Lambda, DynamoDB on-demand) can produce anomalies that correlate with application behavior rather than infrastructure provisioning. A viral marketing campaign that drives 10x normal API traffic will produce a corresponding spike in Lambda invocations and API Gateway requests — legitimate usage, but potentially far beyond budgeted costs.

Security-Related Anomalies

Compromised credentials represent the highest-severity billing anomaly scenario. Attackers with valid AWS access keys will provision maximum-size instances across every available region simultaneously, specifically targeting GPU and high-memory instance types for cryptocurrency mining. These attacks can generate six-figure bills within hours.

Security-related billing anomalies are distinguishable by their geographic distribution (resources appearing in regions the organization has never used), instance type selection (GPU instances in accounts that have no machine learning workloads), and velocity (hundreds of instances launched within minutes).

Native AWS Cost Anomaly Detection

AWS provides a native Cost Anomaly Detection service that uses machine learning to identify unusual spending patterns. Understanding its capabilities and limitations is essential for building an effective detection architecture.

How AWS Cost Anomaly Detection Works

The service analyzes historical spending data from AWS Cost Explorer to establish baselines for each monitored dimension. It segments spending by AWS service, linked account, cost allocation tag, or cost category, and applies ML models to identify deviations from expected patterns.

Monitors run approximately three times per day. When an anomaly is detected, the service generates an alert that includes the estimated impact in dollars, the root cause ranked by service, account, region, and usage type, and a confidence score indicating the model's certainty that the deviation is genuine.

Limitations of Native Detection

While AWS Cost Anomaly Detection is a valuable first layer, it has significant limitations that organizations must account for.

The most critical limitation is detection latency. Cost Explorer data — the foundation of anomaly detection — has a latency of up to 24 hours. Combined with the approximately eight-hour interval between detection runs, a billing anomaly can accumulate costs for 24 to 32 hours before the first alert fires. For a compromised account provisioning GPU instances across multiple regions, this latency can mean $50,000 or more in charges before detection.

The service also lacks granular control over detection sensitivity. You can set a minimum dollar threshold for alerts, but you cannot tune the ML model's sensitivity to specific resource types or spending categories. This means either accepting false positives on normal operational variations or setting thresholds high enough that smaller but still significant anomalies go undetected.

Finally, Cost Anomaly Detection operates at the billing level — it identifies that spending increased, but it does not directly correlate the increase with the specific resource, deployment, or event that caused it. Root cause analysis requires additional investigation using Cost Explorer, CloudTrail, and resource-level monitoring.

Building a Real-Time Billing Anomaly Detection Architecture

To address the latency and granularity gaps in native AWS tooling, organizations should implement a supplementary detection layer that operates at shorter intervals with more targeted detection logic.

Real-Time Cost Monitoring with CloudWatch and Billing Metrics

AWS publishes estimated charges to CloudWatch in the AWS/Billing namespace. While these metrics are not real-time — they update approximately every six hours — they provide a faster signal than Cost Explorer data. Create CloudWatch alarms on the EstimatedCharges metric filtered by service to detect when spending for a specific service exceeds a threshold within the current billing period.

For more granular monitoring, deploy a Lambda function on a scheduled trigger (every 15–60 minutes) that calls the Cost Explorer GetCostAndUsage API with hourly granularity. Compare the returned costs against a rolling baseline computed from the previous 7–30 days. Any deviation beyond a configurable threshold triggers an SNS notification.

Resource-Level Anomaly Detection

Rather than waiting for billing data to reflect a problem, monitor resource provisioning events directly. Configure EventBridge rules to capture EC2 RunInstances events, particularly filtering for instance types that your organization does not normally use (GPU instances, high-memory instances), regions where you do not operate, and launch volumes that exceed normal deployment patterns.

Similarly, monitor CloudTrail for API calls that create expensive resources — RDS instances, Redshift clusters, SageMaker endpoints — in accounts or regions where those services are not expected.

Budget-Based Automated Response

AWS Budgets supports automated actions that trigger when spending exceeds defined thresholds. Configure budget actions to apply a restrictive IAM policy that denies ec2:RunInstances and other resource-creation permissions when spending reaches a critical threshold. This provides an automated circuit-breaker that limits damage while the operations team investigates.

Multi-Account Cost Correlation

For organizations operating multiple AWS accounts through AWS Organizations, anomaly detection must operate at both the individual account level and the organization level. An anomaly that is small in the context of total organizational spend might be enormous relative to a single account's normal baseline.

Deploy cost monitoring at the member account level using account-specific CloudWatch alarms and Lambda-based checks. Aggregate findings at the management account level using a centralized monitoring dashboard that provides visibility into spending patterns across the entire organization.

Responding to Billing Anomalies

Detection without response is monitoring theater. Every billing anomaly alert must trigger a defined response process.

Triage and Classification

When an anomaly alert fires, the first step is classification. Determine whether the spending increase is a legitimate operational change (new deployment, traffic spike, planned scaling event) that should update the baseline, an operational misconfiguration (forgotten resources, incorrect instance types, misconfigured auto scaling) that requires remediation, or a security incident (compromised credentials, unauthorized resource provisioning) that requires incident response.

Classification determines the response urgency and the team responsible for resolution. Security incidents require immediate action — revoking compromised credentials, terminating unauthorized resources, and initiating a full incident response process.

Automated Remediation

For known anomaly patterns, implement automated remediation using AWS Systems Manager Automation documents or Lambda functions triggered by anomaly alerts. Common automation patterns include terminating EC2 instances that match specific criteria (wrong region, unexpected instance type, missing required tags), applying restrictive SCPs to compromised accounts pending investigation, and notifying account owners through integrated communication channels with specific details about the anomaly.

FAQ

How quickly can AWS Cost Anomaly Detection identify a billing spike?

AWS Cost Anomaly Detection relies on Cost Explorer data, which has a latency of up to 24 hours. Detection runs occur approximately three times per day. In practice, a billing anomaly may accumulate costs for 24–32 hours before the first native alert fires. Supplementing with CloudWatch billing alarms and resource-level event monitoring reduces this window significantly.

What are the most common causes of unexpected AWS charges?

The most frequent causes are forgotten resources in development and sandbox accounts, Auto Scaling groups that scale out but fail to scale in, data transfer costs from misconfigured cross-region or cross-AZ traffic patterns, and compromised credentials used to provision cryptocurrency mining infrastructure. Each category requires a different detection approach.

Is AWS Cost Anomaly Detection free?

Yes, AWS Cost Anomaly Detection is a free service. There is no charge for creating monitors, detecting anomalies, or receiving alerts through SNS email within free tier limits. However, costs may apply for SNS notifications beyond the free tier and for any custom monitoring infrastructure you build on top of the service.

How do I set up billing alerts for runaway EC2 instances?

Configure EventBridge rules to capture RunInstances API calls from CloudTrail, filtering for instance types and regions that are outside your normal operational parameters. Combine this with CloudWatch alarms on the EstimatedCharges metric for the EC2 service. For automated response, use AWS Budgets actions to apply restrictive IAM policies when EC2 spending exceeds defined thresholds.

Can billing anomalies indicate a security breach?

Yes. Unexpected cost spikes — particularly involving GPU instances, resources in unused regions, or rapid multi-region provisioning — are frequently the first observable indicator of a compromised AWS account. Any billing anomaly investigation should include a security assessment to rule out credential compromise.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Viktor B.

Co-founder & CEO