AWS Cost Anomaly Detection: Catch Spend Spikes Early
A cost spike caught on day 2 costs you two days. The same spike found on next month's invoice costs you thirty. AWS Cost Anomaly Detection is a free, machine-learning feature of AWS Cost Management that closes that gap — it learns your normal spend pattern per service/account and alerts you when reality diverges. It's one of the highest-leverage things you can switch on, and most teams haven't.
Set up a monitor (5 minutes)
In the console: Billing and Cost Management → Cost Anomaly Detection. Create a monitor — the thing being watched. The most useful types:
- AWS services — monitors every service separately (recommended default; catches a spike in one service even if the total looks normal).
- Linked account — one signal per member account, ideal in an Organization.
- Cost category / cost allocation tag — watch a team, product or environment you've tagged.
Then attach an alert subscription: who gets told, how often (individual alerts, or a daily/weekly summary), and the threshold that triggers it. From the CLI:
# 1) a monitor that watches each AWS service
aws ce create-anomaly-monitor --anomaly-monitor \
'{"MonitorName":"svc-monitor","MonitorType":"DIMENSIONAL","MonitorDimension":"SERVICE"}'
# 2) alert me when an anomaly's impact is over $100
aws ce create-anomaly-subscription --anomaly-subscription \
'{"SubscriptionName":"cost-alerts","Frequency":"DAILY",
"MonitorArnList":["<monitor-arn>"],
"Subscribers":[{"Type":"EMAIL","Address":"finops@example.com"}],
"ThresholdExpression":{"Dimensions":{"Key":"ANOMALY_TOTAL_IMPACT_ABSOLUTE",
"Values":["100"],"MatchOptions":["GREATER_THAN_OR_EQUAL"]}}}'
# review what it has found
aws ce get-anomalies --date-interval StartDate=2026-06-01,EndDate=2026-06-30
Pick a threshold you can explain
The fastest way to make anomaly alerts useless is to make them noisy. Set a threshold that maps to "worth a human looking" — an absolute dollar impact (e.g. ≥ $100) and/or a percentage deviation (e.g. ≥ 40%). Use a daily summary for most teams and reserve individual immediate alerts for large monitors. The goal is one credible alert you act on, not ten you mute.
Read the root-cause hints
Each detected anomaly comes with AWS's best guess at the driver — the service, linked account, Region and usage type involved, plus the expected vs. actual spend and total impact. That usually points you straight at the cause without spelunking through Cost Explorer.
The usual suspects behind a spike
- Data transfer / egress — a new cross-Region or internet path, a chatty NAT gateway, a CDN misconfiguration.
- A forgotten environment — a load test or dev stack left running, a big instance launched "just to try".
- Storage & requests — an S3 request surge, a runaway logging pipeline, snapshot sprawl.
- A runaway job — an unbounded batch run or an AI/Bedrock workload looping on expensive tokens.
- A commitment expiry — an RI or Savings Plan lapsed and usage fell back to on-demand. (Easy to miss; it looks like a "spike" but it's a coverage gap.)
It's reactive — pair it with two proactive habits
Anomaly detection tells you after something jumps. Wrap it with:
- AWS Budgets for hard ceilings and forecasted-overspend alerts — your guardrail with a number on it.
- A monthly cost review for the slow creep anomaly detection won't flag — a 5% month-on-month rise never trips an alert but compounds into a big number over a year.
Get the anomaly view in your assessment too. The CloudFinOpsKit AWS Tool includes a Trends & Forecast band: run it monthly and it tracks your spend and savings over time, flags any month that moved more than 20% versus the prior month, and forecasts next month — and its governance module checks whether you actually have budgets and anomaly alerting configured. Read-only, alongside 70+ Well-Architected cost checks.
FAQ
Does it cost anything?
No — Cost Anomaly Detection is free; you only pay for the AWS usage it watches.
How fast are alerts?
Typically within ~24 hours, limited by AWS billing-data latency. For instant ceilings, add AWS Budgets.
Where do alerts go?
Email or an Amazon SNS topic (so you can fan out to Slack, PagerDuty, a Lambda, etc.).
Related reading: the AWS cost optimization checklist for 2026 · Savings Plans vs Reserved Instances · Amazon Bedrock cost optimization