Cost governance · Azure & AWS · July 2026

Why Did My Cloud Bill Suddenly Increase? A Step-by-Step Investigation Playbook

By the CloudFinOpsKit team — we investigate these for a living. 9 min read.

A cloud bill that jumped overnight is a scavenger hunt with a deadline: money is leaving while you look for it. The instinct is to panic-scroll the invoice, but a bill is organized for accounting, not for diagnosis. This is the investigation we run every time — five steps, in order, using only the native Azure and AWS tools. It takes the spike from "the bill is up and I don't know why" to a named resource, a root cause, and a fix, usually in under half an hour. At the end: how to make sure the next one pages you on day one instead of surprising you on the invoice.

Step 1 — Confirm the increase is real (2 minutes)

Before you chase anything, rule out the three false alarms that account for a surprising share of "my bill spiked" reports:

If the increase survives all three — it's real usage, on settled days, not a one-time charge — proceed.

Step 2 — Isolate the service and the day it started

This is the step that collapses the search space. You want two facts: which service moved and which day it started. Everything after is drill-down.

On AWS — Cost Explorer → set Granularity: Daily, Group by: Service, and a date range covering ~30 days before the spike. Filter Charge type: Usage. You're looking for the service whose daily bars change shape — a step up, a spike, or a steadily climbing staircase. Sort by the delta over the window, not the total.

On Azure — Cost Management → Cost analysis → Daily view, Group by: Service name, scope set to the subscription (or management group if you're not sure which subscription). Same read: which service's daily line changed, and on what date.

The shape of the change is your first clue to the cause, before you even know the resource:

ShapeWhat it usually means
One-day spike then back to normalA runaway job, a load test, a bulk data transfer, a one-off backup or migration.
Step up that stays highA deployment, a scale-out that never scaled back, a tier/SKU change, a new always-on resource.
Steady climb over weeksCreep: log/storage growth, snapshot sprawl, an autoscaler with no ceiling. The class native anomaly tools miss.
New line from ~$0A newly enabled service, an accidental Region — or, if nobody owns it, possibly compromised credentials.

Step 3 — Drill to the resource (or usage type)

Now filter to the one service that moved and change the grouping to find the specific meter and resource.

AWS: keep the filter on that service, then Group by: Usage Type to see which meter jumped (e.g. DataTransfer-Out-Bytes, NatGateway-Bytes, BoxUsage:g5.xlarge). For resource-level detail, enable Group by: Resource — note it's opt-in and only covers the last 14 days, so turn it on early. Cost allocation tags let you group by team or environment if the resource alone isn't enough.

Azure: filter to the service, then Group by: Meter or Resource. For the offenders that hide inside a resource group, group by Resource group name first, then drill in. Azure Resource Graph is faster than the portal when you already suspect a resource type — one query returns every disk, public IP, or NAT gateway with its SKU.

By the end of this step you should be able to name it: "NAT gateway data-processing in eu-west-1 went from $4/day to $210/day starting the 3rd." That sentence is the whole investigation — the rest is explaining and fixing it.

Step 4 — Identify the cause: the usual suspects

Cost spikes are not infinitely varied. Match your finding to this shortlist and you've almost certainly found it:

SymptomLikely causeCheck / fix
Data-transfer / egress meter jumpedNew cross-AZ, cross-Region, or internet-egress path; a chatty new deployment; data exfiltrationTrace what changed in networking/deploys on that date; look for a new endpoint or replication.
Compute (VM/EC2/GPU) stepped upScale-out that didn't scale back; a bigger SKU; a forgotten dev/test or load environment; autoscaler with no maxCheck autoscale history and recent deploys; set/verify a max; shut down non-prod out of hours.
Storage or snapshot cost climbingLog/retention change, snapshot or backup sprawl, orphaned disks/volumes piling upSee orphaned disks (Azure) and unattached EBS (AWS); fix retention.
Log Analytics / CloudWatch spend upA new verbose log source, debug logging left on, or a retention bumpFind the high-ingest table/log group; cap retention; turn off debug.
AI / token spend jumpedPrompt loop or retry storm, a switch to a pricier model, output bloat, or an idle PTU commitmentToken spend needs its own detectors — see detecting AI cost anomalies.
Brand-new spend nobody ownsAccidental Region, unapproved service — or compromised credentials mining cryptoIf no legitimate owner: treat as a security incident — rotate keys, sweep all Regions, involve security.

Security first when spend appears from nowhere. A sudden burst of compute — especially GPU instances, or any spend in a Region you never use — with no owner is the classic signature of leaked access keys. Don't just delete the resources: rotate the exposed credentials, check every Region (attackers spread across them), and loop in security before you clean up the cost. A deleted crypto-miner with live keys comes straight back.

Step 5 — Stop the bleed, then prevent the next one

Fix the immediate cause — delete the orphan, scale back the deployment, cap the retention, rotate the key. Then close the loop so the same class of spike can't run silently for a full billing cycle again:

Skip the scavenger hunt next time. The CloudFinOpsKit Azure Tool and AWS Tool ship Cost Anomaly Watch: run it daily, and it isolates the service, the day, the resource, the projected monthly impact, and a plausible-cause hint for you — then pushes High-severity anomalies to Teams or Slack. It's steps 1–4 of this playbook, automated and auditable, on both clouds. Read-only, one-time from $40.

FAQ

Why did my Azure or AWS bill suddenly go up?

Almost always one of: a new or scaled-up resource left running, a data-transfer/egress blow-out, a storage or log-retention change, a forgotten test job, an expired credit or free tier, a commitment purchase (not usage), or compromised credentials. Isolate the single service and the day it started in Cost Explorer or Cost Management, then drill to the resource — the cause is usually obvious once you know which meter moved.

How do I find which service caused the spike?

Open the daily cost view grouped by service (AWS Cost Explorer or Azure Cost analysis), filter to Usage charges, and sort by the change over the spike window rather than the total. A service that doubled off a small base often matters more than your biggest steady line. Then group that service by usage type or meter to pinpoint the exact driver.

Could a bill spike be a security incident?

Yes — brand-new compute spend with no owner, especially GPU usage or spend in an unused Region, is a common signature of leaked keys mining crypto. If a spike is a new spend source nobody claims, treat it as a security incident first: rotate keys, sweep all Regions, involve security, then clean up the cost.

How do I stop this from happening again?

Enable the native anomaly alerts on both clouds, set a forecasted-budget alert, add a layer that catches gradual creep and new spend sources the native tools miss, and run a 10-minute monthly review of daily cost by service. Detection plus a habit is what turns a monthly surprise into a same-day fix.

Related reading: cross-cloud cost anomaly detection · Azure cost anomaly detection · AWS Cost Anomaly Detection · detecting AI cost anomalies · forecasting Azure spend