General

AWS Cost Anomaly Detection (CAD) helps you detect and receive alerts on abnormal or sudden spend increases in your AWS account. This is possible by using machine learning to understand your spend patterns and trigger alerts when they seem abnormal.

Learn more about CAD from the product page and the user guide. To learn more about programmatic capabilities, read the AWS Cost Explorer API documentation.

CAD allows you to segment your spend by different dimensions (AWS Services, Linked Accounts, Cost Allocation Tags, and Cost Categories), to detect more granular anomalies and customize alerting preferences.

CAD allows you to create up to one AWS Service Monitor and 500 custom monitors (Linked Accounts, Cost Allocation Tags, Cost Categories). You can attach up to the maximum of all 501 monitors to an alert subscription.

For each alert subscription, you can have up to 10 email recipients or 1 SNS topic.

The alerting threshold is used to determine when an alert is sent for an anomaly. It does not impact the anomaly detection algorithms in any way. If an anomaly’s total cost impact meets or exceeds the alerting threshold on a subscription, an alert will be sent for the anomaly to the customer. If an anomaly’s total cost impact is below the alerting threshold, it will still be available on the console, but no alert will be sent.

A linked account monitor can track up to 10 different linked accounts. A linked account monitor tracks spending aggregated across all of the designated linked accounts. For example, if a linked account monitor tracks Account A and Account B, and then Account A’s usage spikes while Account B’s usage dips by the same amount, there will be no anomaly detected because it is a net neutral change.

A linked account monitor in a payer account will monitor the spend of all services, in total, for that linked account. A services monitor in a linked account will monitor the individual spend for each service for that linked account. For example, if there is a spike in S3 spending, but a dip in EC2 spending of the same amount (net neutral change), the linked account monitor in the payer account will not detect this because it is monitoring the total account spend across all services. However, the services monitor in the linked account would detect the S3 spike since it is monitoring each service spend individually. 

Anomalies are only detected in the account that created the monitor. It's possible the same usage spike can show up in two different monitors in two different accounts. This would result in two anomalies - one anomaly showing in each account.

A root cause is our best estimate to the largest contributing factor to an anomaly’s total cost impact. The root cause does not explain the total anomaly impact, but only the impact from the largest contributing factor.

We identify up to 10 contributing factors for each anomaly. However, some anomalies result from complex interactions of multiple small changes, making it difficult to isolate significant root causes. For example, numerous minor cost increases across various services could trigger an anomaly without any single factor standing out. In such cases, or when identified root causes do not fully explain the anomaly, we recommend using AWS Cost Explorer for a more comprehensive analysis of all contributing factors.

Some anomalies result from numerous small changes rather than a few large ones. For example, a $1,000 anomaly might comprise 20 different increases of around $50 each across various contributors. In such cases, even the total of the up to 10 root causes we identify could account for only a small percentage of the overall anomaly. For instance, 20 root causes contributing $50 each would total $1,000, but each individual root cause would only explain 5% of the anomaly. When this occurs, examining all identified root causes collectively provides a more complete picture of the distributed nature of the cost increase, though some minor contributors may not be captured within the top 10.

CAD runs approximately three times a day after your billing data is processed.

Anomaly detection relies on the data from Cost Explorer which has a latency of up to 24 hours. Therefore, it can take up to 24 hours to detect an anomaly after the anomalous usage happens.

If you have created a new monitor, it can take 24 hours to start detecting new anomalies.

Any monitor requires at least 10 days of historical usage data for anomalies to be detected. For example, for a services monitor, anomalies for the spending on a new service will not be detected until there are 10 days of spend data. 

When Cost Anomaly Detection detects an anomaly, it identifies the most significant contributors to your cost increase, considering factors like AWS service, account, region, and usage type. We provide up to 10 root causes, with estimated dollar attributions to the overall anomaly impact. These attributions are approximations designed to help you identify areas for investigation. We recommend using this information to guide your investigation, focusing on the root causes you find most significant. This approach will help you efficiently address the most important factors contributing to your cost anomalies.

The sum of individual root causes impacts can be lower or higher than the total anomaly impact for two reasons:

  1. Higher sum: The anomaly impact represents a net change in cost, including both increases and decreases. Root cause analysis shows only the increases, which may exceed the net change in cost.
  2. Lower sum: An anomaly can result from many small factors. We display only the most significant increases to help focus your investigation.

Default configuration of Cost Anomaly Detection for new Cost Explorer users

Starting March 27, 2023, all new Cost Explorer customer with a Payer or Regular account will benefit from an automatic configuration of CAD. The default configuration of CAD will help customers monitor and be alerted about unintended spend before it turns into billing surprises. The initial setup will include an AWS Services monitor and a daily email alert subscription. The AWS Services monitor will detect any cost anomalies across a customer’s deployed AWS services. Customers are encouraged and empowered to take advantage of additional (custom) monitor and alert configurations for their specific needs and organizational structure.

The default configuration of CAD offers Payer and Regular accounts the benefit of having anomalous spend detection across all deployed AWS services with no effort or cost. If an anomaly is detected, a daily summary email with the top 10 anomalies ordered by their impact will be sent. The email will contain links that allow a customer to drill down and understand underlying drivers in the CAD console or API. Based on this information a customer can, if needed, take any necessary action to deal with the unintended spend.

If you're an existing Cost Explorer user, you can access CAD through the AWS Cost Management Console. To start monitoring for anomalies you will need to create a cost monitor either in the CAD console or via the API. Similarly, to be alerted about anomalies, you will need to set up an alert subscription in the console or via the API.

If you decide that you want to opt-out after being onboarded to the service, you can simply delete any monitor and alert subscriptions on your account in the console or via API. Deleting the monitor will stop processing of your data by the anomaly detection service and you will stop receiving alerts. Previously detected anomalies will still be available after monitor deletion. 

CAD integrates with Cost Explorer and is only available to customers that have Cost Explorer enabled. After a customer is onboarded to CAD, they will start receiving notification for any cost anomalies related to their deployed AWS services. In addition, customers can click the “View in Cost Explorer” button in the CAD console to further explore any anomaly using the Cost Explorer interface.

You can configure or delete your alert subscription at any time in the CAD console or via the API. As long as you have a cost monitor, CAD will continue to monitor and report on any anomalies in the detection history and via the get Anomalies action in the API.

CAD integrates with the Cost Explorer service and requires customers to have it enabled. Today there is no way to enable CAD without Cost Explorer.

CAD allows customers to set up four different types of monitors: 1/ AWS service monitor to track spend across all deployed services, 2/ Linked account monitor(s) to track spend of individual, or group of, linked accounts, 3/ Cost category monitor(s) to track spend of different cost categories values, and 4/ Cost allocation tag monitor(s) to track spend of individual tag key-value pairs. An AWS service monitor will be applicable to all customers since it tracks and detects anomalies across any service they deploy. The other three are custom to each customer and it is difficult for us to predict what would be the right selection of linked accounts, cost categories, and cost allocation tags to monitor.

CAD offers customers three different options for alerts: 1/ Immediate alert via SNS channels, 2/ Daily summary via email, and 3/ Weekly summary via email. We believe daily email alerts is the best option and cadence for new customers. Weekly may be too delayed to provide sufficient value as a standalone alert; many customers and immediate alerts require an SNS channel that we do not have for accounts by default. After CAD is turned on, customers can change their alert preference at any time.

We will use the root email associated with the AWS Payer or Regular account. Customers can access the CAD console and API to update what email(s) the want to use for their alert subscription(s).

The default CAD configuration will generate alerts for all anomalies that will both exceed 40% of what is identified by the CAD ML model as expected spend as well as a minimal USD amount (a fixed amount threshold) of $100. The chosen percentage and fixed amount thresholds aim at producing valuable cost anomaly alerts across customer segments without overwhelming customers with alerts on potentially insignificant amounts. Customers can modify and refine these default thresholds at any time.

Payer and Regular accounts that enable Cost Explorer will be eligible. We will not include Linked, internal, and suspended accounts.

The auto configuration is available for new Cost Explorer customers who are payer or regular standalone account owners.

If an account type changes (e.g., from Payer to Linked) after CAD has been enabled, the CAD monitor on the account will stop working. This is a known limitation and we are looking at ways to improve the customer experience for this scenario. The current workaround for this scenario requires the customers to recreate the monitor.

Yes, CAD will be enabled for customers in all Commercial Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD.