AWS · Cost governance · Updated June 2026

AWS Cost Anomaly Detection: Catch Spend Spikes Early


By the CloudFinOpsKit team — building the AWS tool's trends & anomaly band. 8 min read.

A cost spike caught on day 2 costs you two days. The same spike found on next month's invoice costs you thirty. AWS Cost Anomaly Detection is a free, machine-learning feature of AWS Cost Management that closes that gap — it learns your normal spend pattern per service/account and alerts you when reality diverges. It's one of the highest-leverage things you can switch on, and most teams haven't.

Set up a monitor (5 minutes)

In the console: Billing and Cost Management → Cost Anomaly Detection. Create a monitor — the thing being watched. The most useful types:

Then attach an alert subscription: who gets told, how often (individual alerts, or a daily/weekly summary), and the threshold that triggers it. From the CLI:

# 1) a monitor that watches each AWS service
aws ce create-anomaly-monitor --anomaly-monitor \
  '{"MonitorName":"svc-monitor","MonitorType":"DIMENSIONAL","MonitorDimension":"SERVICE"}'

# 2) alert me when an anomaly's impact is over $100
aws ce create-anomaly-subscription --anomaly-subscription \
  '{"SubscriptionName":"cost-alerts","Frequency":"DAILY",
    "MonitorArnList":["<monitor-arn>"],
    "Subscribers":[{"Type":"EMAIL","Address":"finops@example.com"}],
    "ThresholdExpression":{"Dimensions":{"Key":"ANOMALY_TOTAL_IMPACT_ABSOLUTE",
      "Values":["100"],"MatchOptions":["GREATER_THAN_OR_EQUAL"]}}}'

# review what it has found
aws ce get-anomalies --date-interval StartDate=2026-06-01,EndDate=2026-06-30

Pick a threshold you can explain

The fastest way to make anomaly alerts useless is to make them noisy. Set a threshold that maps to "worth a human looking" — an absolute dollar impact (e.g. ≥ $100) and/or a percentage deviation (e.g. ≥ 40%). Use a daily summary for most teams and reserve individual immediate alerts for large monitors. The goal is one credible alert you act on, not ten you mute.

Read the root-cause hints

Each detected anomaly comes with AWS's best guess at the driver — the service, linked account, Region and usage type involved, plus the expected vs. actual spend and total impact. That usually points you straight at the cause without spelunking through Cost Explorer.

The usual suspects behind a spike

It's reactive — pair it with two proactive habits

Anomaly detection tells you after something jumps. Wrap it with:

Get the anomaly view in your assessment too. The CloudFinOpsKit AWS Tool includes a Trends & Forecast band: run it monthly and it tracks your spend and savings over time, flags any month that moved more than 20% versus the prior month, and forecasts next month — and its governance module checks whether you actually have budgets and anomaly alerting configured. Read-only, alongside 70+ Well-Architected cost checks.

FAQ

Does it cost anything?

No — Cost Anomaly Detection is free; you only pay for the AWS usage it watches.

How fast are alerts?

Typically within ~24 hours, limited by AWS billing-data latency. For instant ceilings, add AWS Budgets.

Where do alerts go?

Email or an Amazon SNS topic (so you can fan out to Slack, PagerDuty, a Lambda, etc.).

Related reading: the AWS cost optimization checklist for 2026 · Savings Plans vs Reserved Instances · Amazon Bedrock cost optimization