Building on AWS is powerful, but its pricing model is notoriously complex—and the bill rarely tells the full story. It’s not just about how much you spend, but what’s running, who owns it, and how it’s configured. To truly manage AWS cost, you need visibility into the resources behind the numbers.
This guide is your field manual for taming costs. We'll break down what makes up your bill, decode pricing models, and pinpoint the common gotchas that drain your budget, giving you practical advice to navigate the maze.
What makes up your AWS bill?
An AWS bill can feel overwhelming, but most of your spending will likely fall into a few key categories. Let's break them down:
Compute
This is the engine of your application, the workhorse doing the actual processing. It's also often the biggest chunk of your bill.
EC2 (Elastic Compute Cloud): The OG of AWS services. You're essentially renting virtual servers. Your cost is a function of the instance type (e.g., general-purpose t3, compute-optimized c5), the instance size (.micro to .24xlarge), the region you run it in (Ohio is not the same price as Northern Virginia), and the pricing model you choose.
Lambda: Serverless functions. You're not paying for a server to sit idle; you're paying for execution. Cost is determined by the duration of each execution (measured in milliseconds), the number of requests, and the amount of memory allocated to the function. A single function is cheap, but a high-volume API backend processing millions of requests can add up surprisingly fast.
Containers (ECS & EKS): Whether you're running Docker containers with ECS or Kubernetes with EKS, your cost model depends on the launch type. With the EC2 launch type, you're paying for the underlying EC2 instances that form your cluster. With Fargate, the serverless option, you pay for the vCPU and memory resources your containerized application requests, billed per second from the moment the image is pulled until the task terminates.
Storage
AWS charges you for every bit of storage that lives in its cloud.
S3 (Simple Storage Service): The internet's hard drive. The primary cost is for the volume of data stored (per GB/month). But the gotcha is the storage tier. S3 Standard is for frequently accessed data. Infrequent Access (IA) and Glacier tiers are progressively cheaper to store but more expensive to retrieve. Every GET, PUT, and LIST request also has a small cost, which can become significant for applications with chatty access patterns.
EBS (Elastic Block Store): These are the network-attached hard drives for your EC2 instances. You pay for the provisioned size (in GB/month), regardless of whether you use it all. The type of volume also matters. General Purpose SSDs (gp2/gp3) offer a balance of price and performance, while Provisioned IOPS SSDs (io1/io2) guarantee performance for a much higher price, ideal for I/O-intensive databases.
Snapshots and backups: Taking snapshots of your EBS volumes or RDS databases is a best practice, but those snapshots are stored in S3 and cost money. It's easy to forget about them and accumulate years of snapshots for long-dead instances, creating a slow, costly data creep.
Networking
Moving data around is not free. This is one of the most opaque and surprising parts of an AWS bill.
Data transfer: This is the big one. Data transfer into AWS from the internet is generally free. Data transfer out to the internet is where they get you. There are also charges for transferring data between availability zones (AZs) and between regions. A chatty microservices architecture with services spread across AZs for high availability can rack up thousands in data transfer costs if it’s not designed carefully.
Load balancers (ALB & NLB): You pay an hourly rate for each load balancer you run, plus a charge based on Load Balancer Capacity Units (LCUs), which is a complex metric based on new connections, active connections, and bandwidth processed.
NAT gateways: A managed NAT gateway is a lifesaver for allowing private instances to access the internet for tasks such as patching. It's also a notorious cost driver. You pay an hourly fee plus a per-GB charge for all data processed through it. A single NAT gateway handling a few terabytes of traffic can easily cost hundreds or thousands of dollars a month.
Monitoring & logging
You need visibility, but that visibility comes at a price.
CloudWatch: The native monitoring service. You pay for custom metrics, the volume of logs ingested into CloudWatch Logs, and the duration of log retention. Storing verbose debug logs from a fleet of a hundred instances for 90 days might seem like a good idea during an outage, but it's a recipe for a five-figure logging bill. You also pay for dashboards and alarms.
AWS pricing models explained
Choosing the right pricing model for your workload is the single biggest lever you can pull to achieve significant cloud cost savings.
On-Demand: This is the default setting. There is no long-term commitment, and you pay for compute or database capacity as long as you use it, usually by the hour or second. It's the most flexible but also the most expensive.
When to use it: Best for unpredictable or low-volume workloads, dev/test environments, and applications with spiky traffic
Reserved Instances (RIs): The old guard of AWS discounts. You commit to a specific instance type (e.g., m5.large) in a specific region for a 1- or 3-year period. In exchange, you get a significant discount (up to 72%). The downside is the inflexibility, though Convertible RIs offer a path to change instance families.
When to use it: Good for stable, long-lived services with predictable usage, like a core production database
Savings Plans: The modern, more flexible successor to RIs. Rather than committing to a specific instance type, you commit to a certain amount of compute spend (e.g., $10/hour) for a 1- or 3-year term. It's the best of both worlds: the discounts of RIs with much more flexibility.
When to use it: When you need a flexible tradeoff between savings and coverage, ideal for most modern, dynamic environments
Spot Instances: The holy grail of cheap compute, with a catch. Spot Instances are spare EC2 capacity that AWS offers at massive discounts (up to 90%). The catch is that AWS can reclaim that capacity with just a two-minute warning.
When to use it: Great for fault-tolerant, interruptible jobs like batch processing, data analysis, or CI/CD pipelines
Free Tier: AWS's way of getting you hooked. For the first 12 months, you get a certain number of popular services for free. There's also an "always free" tier for some services like Lambda.
When to use it: Useful for experimentation, proofs-of-concept, and very low-traffic applications, but be careful—it's easy to accidentally exceed the limits
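The "savings versus coverage" tradeoff in the Savings Plans bullet can be made concrete. The following added example (not code from the original article) sizes an hourly commitment against a constructed 24-hour on-demand spend profile, using AWS's published rule that usage up to the commitment is billed at the discounted rate and anything beyond it at on-demand price; the profile and the 30% discount are assumptions for illustration.

```python
def hourly_cost(on_demand_spend, commit, discount):
    """One hour's bill: the flat commitment plus any usage that overflowed it at on-demand price."""
    covered = commit / (1.0 - discount)  # on-demand-equivalent dollars the commitment buys
    return commit + max(0.0, on_demand_spend - covered)

def plan_cost(profile, commit, discount):
    """Total bill for an hourly on-demand spend profile under a given commitment."""
    return sum(hourly_cost(h, commit, discount) for h in profile)

def best_commitment(profile, discount, step=0.5):
    """Scan commitments from 0 up to the discounted peak and return
    (commit, total_cost, coverage), coverage being the share of on-demand
    spend that fell under the commitment. Over-committing buys coverage
    that costs more than it saves, which this search makes visible."""
    best_commit, best_total = 0.0, plan_cost(profile, 0.0, discount)
    c = step
    while c <= max(profile) * (1.0 - discount) + 1e-9:
        total = plan_cost(profile, c, discount)
        if total < best_total - 1e-9:
            best_commit, best_total = c, total
        c += step
    covered = sum(min(h, best_commit / (1.0 - discount)) for h in profile)
    return best_commit, round(best_total, 2), round(covered / sum(profile), 3)

# Constructed 24-hour profile: $20/h base load with a business-hours bump to $50/h,
# and an assumed 30% Savings Plan discount (real rates vary by term and family).
PROFILE = [20.0] * 8 + [50.0] * 10 + [20.0] * 6
DISCOUNT = 0.30

if __name__ == "__main__":
    print("on-demand only:", plan_cost(PROFILE, 0.0, DISCOUNT))
    print("best commitment:", best_commitment(PROFILE, DISCOUNT))
    print("commit to peak:", plan_cost(PROFILE, 35.0, DISCOUNT))
```

On this profile the cheapest plan commits only to the base load (about 62% coverage), while committing enough to cover the peak costs more than staying on-demand.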
Common AWS cost drivers (and surprises)
So, where does the money actually go? It's often not in the obvious places, but in hidden forms of cloud waste:
Overprovisioned resources: The classic mistake. You provision an m5.2xlarge because you're worried about performance, but the application only ever uses 10% of the CPU. You're paying for capacity you don't need. This applies to EC2, RDS, EBS, and more.
Idle resources: That EC2 instance a developer spun up for a proof-of-concept three months ago and forgot about. The unattached EBS volume from a terminated instance. The idle load balancer from a decommissioned application. They're all sitting there, burning cash and contributing to cloud waste.
Logging & metrics overload: Storing high-resolution custom metrics or verbose debug logs for extended periods is a silent killer. A misconfigured agent can send terabytes of data to CloudWatch Logs, resulting in a shocking bill.
Cross-AZ data transfer: This is something that often gets overlooked in microservice architectures. If your services are constantly chatting with each other across different Availability Zones, that data transfer cost will bite you. It's only $0.01/GB, but it adds up with a vengeance.
NAT gateway black holes: As mentioned before, a poorly configured route that sends all your S3 traffic through a NAT gateway instead of a gateway endpoint can cost you thousands.
Untagged resources: This is less a direct cost and more a blocker to optimization. If you don't know who owns a resource or what project it belongs to, you can't ask if it's still needed. And you can't attribute costs back to the teams that incur them. The end result? A culture of zero accountability.
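Two of the drivers above (idle unattached EBS volumes and S3 traffic routed through a NAT gateway) can be detected from configuration alone. The added example below is not code from the original article: it runs the checks over constructed dicts shaped like boto3's describe_volumes, describe_route_tables and describe_vpc_endpoints responses, so it runs offline; all ids and the region are made up.

```python
def unattached_volumes(volumes):
    """'available' means no instance is attached, yet the GB/month charge still accrues."""
    return sorted(v["VolumeId"] for v in volumes
                  if v["State"] == "available" and not v.get("Attachments"))

def nat_without_s3_endpoint(route_tables, endpoints, region):
    """Route tables whose default route targets a NAT gateway while their VPC has no
    S3 gateway endpoint: S3 traffic from those subnets is metered through the NAT."""
    s3_service = f"com.amazonaws.{region}.s3"
    covered = {e["VpcId"] for e in endpoints
               if e["VpcEndpointType"] == "Gateway" and e["ServiceName"] == s3_service}
    flagged = []
    for rt in route_tables:
        default_via_nat = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                              and "NatGatewayId" in r for r in rt["Routes"])
        if default_via_nat and rt["VpcId"] not in covered:
            flagged.append(rt["RouteTableId"])
    return sorted(flagged)

# Constructed sample data; every id below is made up for illustration.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "in-use", "Size": 100,
     "Attachments": [{"InstanceId": "i-0aaa"}]},
    {"VolumeId": "vol-0bbb", "State": "available", "Size": 500, "Attachments": []},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0priv1", "VpcId": "vpc-0one",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0one"}]},
    {"RouteTableId": "rtb-0priv2", "VpcId": "vpc-0two",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0two"}]},
    {"RouteTableId": "rtb-0pub", "VpcId": "vpc-0two",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0two"}]},
]
ENDPOINTS = [{"VpcEndpointId": "vpce-0two", "VpcId": "vpc-0two",
              "ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway"}]

def audit(volumes=VOLUMES, route_tables=ROUTE_TABLES, endpoints=ENDPOINTS, region="us-east-1"):
    """Bundle both findings so they can be reported or fed to a ticketing workflow."""
    return {"unattached_volumes": unattached_volumes(volumes),
            "nat_without_s3_endpoint": nat_without_s3_endpoint(route_tables, endpoints, region)}

if __name__ == "__main__":
    print(audit())
```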
Who owns AWS cost?
In most organizations, AWS cost ownership is spread across three primary roles:
Platform teams, who care about performance and efficiency
Finance or FinOps, who care about budget and forecasting
Developers, who need awareness of the cost of the resources they deploy
The most effective teams adopt a shared-responsibility model that connects raw cost data from the bill to the technical reality of the infrastructure, giving each stakeholder the context to act confidently.
This is where a subtle but crucial shift in perspective comes in: The most optimized organizations use tools that tie together cost, configuration, and ownership. When a developer can see not just that a service is expensive but why it's expensive (it's overprovisioned, it's talking across AZs, it's untagged) and who owns it, they are empowered to fix it.
Tools for understanding and managing AWS cost
You can't manage what you can't measure. Thankfully, there are tools to help you with your cloud cost optimization efforts.
AWS native tools
AWS provides a suite of free tools that are a great starting point, but keep in mind that they often require significant effort to yield deep insights:
AWS Cost Explorer is the main dashboard for visualizing your spend. It's great for identifying high-level trends ("Our EC2 spend went up 20% last month") but struggles to explain the "why" behind the trend.
Cost and Usage Reports (CURs) are massive CSV files delivered to an S3 bucket that contain the most granular, raw data about your usage. It's the source of truth, but it's far too detailed for a human to parse directly.
AWS Budgets is a simple service that allows you to set usage budgets on your services and be alerted when those thresholds are exceeded. In other words, it’s your essential early warning system.
Trusted Advisor checks your AWS account and services against AWS best practices, including cost-optimization checks, so you can act on what it flags.
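The CUR is the raw data that the untagged-resource problem shows up in. As an added example (not code from the original article), the function below aggregates a handful of constructed CUR rows by owner tag and lists the resources that nobody owns; the column names follow the report's own naming convention (lineItem/UnblendedCost, lineItem/ResourceId, resourceTags/user:owner), but the rows, account id and costs are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed CUR excerpt (a real report has hundreds of columns; only a few are kept).
CUR_SAMPLE = """lineItem/UsageAccountId,lineItem/ProductCode,lineItem/ResourceId,lineItem/UnblendedCost,resourceTags/user:owner
111122223333,AmazonEC2,i-0aaa,12.50,payments
111122223333,AmazonEC2,vol-0bbb,40.00,
111122223333,AmazonEC2,nat-0one,95.30,
111122223333,AWSLambda,arn:aws:lambda:us-east-1:111122223333:function:ingest,3.20,data-platform
111122223333,AmazonCloudWatch,,210.00,
"""

def cost_by_owner(cur_csv):
    """Return ({owner: cost}, [untagged resource ids]). Rows with no owner tag are
    pooled under 'UNTAGGED', which is the pile no team will volunteer to clean up."""
    totals = defaultdict(float)
    untagged = []
    for row in csv.DictReader(io.StringIO(cur_csv)):
        owner = row["resourceTags/user:owner"].strip() or "UNTAGGED"
        totals[owner] += float(row["lineItem/UnblendedCost"])
        if owner == "UNTAGGED" and row["lineItem/ResourceId"]:
            untagged.append(row["lineItem/ResourceId"])
    return {k: round(v, 2) for k, v in totals.items()}, untagged

def untagged_share(cur_csv):
    """Fraction of spend that cannot be attributed to anyone; a good budget alarm metric."""
    totals, _ = cost_by_owner(cur_csv)
    return round(totals.get("UNTAGGED", 0.0) / sum(totals.values()), 3)

if __name__ == "__main__":
    print(cost_by_owner(CUR_SAMPLE))
    print("untagged share:", untagged_share(CUR_SAMPLE))
```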
Engineering-centric platforms
While the native tools are a good start, they often fall short in complex environments. And as we’ve seen, they tell you what you spent but not always why. This has led to the rise of engineering-centric platforms for cloud spend management that provide deeper context. The landscape includes:
Kubecost: For teams running on Kubernetes, Kubecost offers granular, K8s-specific, workload-level cost visibility, helping you understand spend right down to the container level.
Harness, Vantage, and CloudZero: These platforms excel at mapping cloud costs back to business contexts, like specific teams, products, or features, making it easier to attribute spend and manage budgets.
Wiz: Going a step further, Wiz connects cost data with the rest of your cloud reality. It surfaces cost insights directly alongside cloud posture, identity, and ownership context. Simply put, it’s a game-changer: Instead of just seeing a costly idle resource, you see the costly idle resource, know it has a public IP and admin permissions, and can identify the developer who owns it—all in one place. This holistic view is what enables engineering teams to not just see costs but to take smart, secure, and swift action to optimize them.
Conclusion
Mastering AWS cost is an ongoing discipline, not a one-time project. It's a journey of understanding spend drivers, hunting down cloud waste, and fostering a culture where every engineer thinks about cost. In the modern cloud, cost optimization is a core architectural pillar, just as critical as performance and security.