Does AWS cloud provide an option to cap the billing amount? [closed]

4

8

We had a bill shock scare in our corporate account when someone got access to the secure keys and started a lot of m3.large spot instances (50+) on the AWS account.

The servers ran overnight before it was found and the bill went over $7000 for the day.

We have several security practices set up on the account after the incident, including:

  • Key rotation
  • Password minimum length
  • Password expiry
  • Billing alerts
  • CloudWatch
  • Git pre-commit hooks to look for AWS keys

I am yet to find a way to cap the bill amount to a desired top threshold.

Does AWS provide a method of setting a cap on the bill (daily/monthly)? Are there any best practices on this front which can be added to the measures pointed out above to prevent unauthorized use?

Mask answered 11/2, 2016 at 23:23 Comment(0)
7

Amazon does not have a mechanism to "take action" in cases where bills skyrocket. You can do what you've already done:

  • Set up billing alerts to monitor for a skyrocketing bill
  • Set up good security practices to ensure that people cannot mess with your AWS account

But also, you can:

  • Set up internal company policies so that employees don't accidentally cause unnecessary charges
  • Ensure you're using IAM roles and policies appropriately so that no one can do the wrong thing

There's a good reason why AWS won't do anything active: what exactly would you expect them to do? Doing anything that isn't in line with your business practices could totally damage your company.

For example, you have an autoscaling group managing a small fleet of EC2 instances. One day, your company gets some unexpected good press and your website activity goes through the roof, launching new EC2 instances to meet the demand, and blasts past your billing alert. If AWS were to terminate or stop EC2 instances to prevent your bill from going nuts, then your customers wouldn't be able to access your website. This could cause damage to your company reputation, or worse.

If you want to take action, you can set up a trigger on the billing alert and handle it yourself according to your business needs. That's how AWS is built: it gives you the tools; you need to use those tools in a way that best suits your business.

Brittaniebrittany answered 12/2, 2016 at 2:25 Comment(2)
Yes, I understand. The cap is not good for production setup. But we need to have a cap for other environments so that someone who got a backdoor will not eat the budget overnight (by running high power compute) and halt the project. Thank you for confirming that this is the least we can do. - Mask
Is there a good alternative service that provides a cap? - Steelmaker
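
One way to build the trigger mentioned in the answer above, as an added example that is not part of the original thread and is not AWS-provided code: a Lambda handler subscribed to the SNS topic that a billing alarm in a non-production account publishes to. The `KeepRunning` tag name and the stop-or-terminate policy are assumptions made for illustration.

```python
import json

PROTECT_TAG = "KeepRunning"  # hypothetical tag name: instances carrying it are left alone


def alarm_fired(event):
    """True if any SNS record carries a CloudWatch alarm that moved to ALARM."""
    for record in event.get("Records", []):
        try:
            message = json.loads(record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError):
            continue  # not an SNS-wrapped alarm notification
        if isinstance(message, dict) and message.get("NewStateValue") == "ALARM":
            return True
    return False


def plan_shutdown(ec2):
    """Split running, unprotected instances into (to_stop, to_terminate).

    One-time Spot instances cannot be stopped, so Spot instances are terminated.
    """
    to_stop, to_terminate = [], []
    kwargs = {"Filters": [{"Name": "instance-state-name", "Values": ["running"]}]}
    while True:  # follow NextToken so a large fleet is not cut off at one page
        page = ec2.describe_instances(**kwargs)
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                if PROTECT_TAG in {t["Key"] for t in inst.get("Tags", [])}:
                    continue
                bucket = to_terminate if inst.get("InstanceLifecycle") == "spot" else to_stop
                bucket.append(inst["InstanceId"])
        if not page.get("NextToken"):
            return to_stop, to_terminate
        kwargs["NextToken"] = page["NextToken"]


def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` can be injected for offline testing."""
    if not alarm_fired(event):
        return {"stopped": [], "terminated": []}
    if ec2 is None:
        import boto3  # present in the Lambda runtime; covers the function's region only
        ec2 = boto3.client("ec2")
    to_stop, to_terminate = plan_shutdown(ec2)
    if to_stop:
        ec2.stop_instances(InstanceIds=to_stop)
    if to_terminate:
        ec2.terminate_instances(InstanceIds=to_terminate)
    return {"stopped": to_stop, "terminated": to_terminate}
```

The handler only acts in the region its client points at, so instances launched in other regions need one client per region. Instances launched by a persistent Spot request come back unless the request itself is cancelled as well.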
2

You can definitely set up Billing Alerts to receive a notification when this kind of thing happens:

http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/monitor-charges.html

Also take a look at:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/checklistforunwantedcharges.html

Crystallize answered 11/2, 2016 at 23:38 Comment(2)
These are all about monitoring and getting alerted. The trouble is that we will be informed only when the incident has happened. Is there something like a script or code that will look for the bills and take real action and not just alert? - Mask
Not that Amazon provides. Your best bet is to write your own to do exactly what you want. - Westering
0

Although AWS does not support a cap on billing, it does support caps on services, including a cap on the number of EC2 instances - see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html. By default, new accounts are capped at 20 EC2 instances, but this limit can be changed.

Pourpoint answered 15/9, 2016 at 22:41 Comment(0)
0

AWS allows you to run SCPs or IAM policies using AWS Budgets that can shut down EC2s or RDS - see https://docs.aws.amazon.com/cost-management/latest/userguide/billing-example-policies.html#example-budgets-applySCP

Milagrosmilam answered 26/2, 2024 at 10:56 Comment(0)
