This chapter covers AWS Budgets Actions, a powerful feature that automates responses when your AWS costs or usage exceed predefined thresholds. For the SAA-C03 exam, understanding Budgets Actions is critical for the Cost Optimized domain (Objective 4.4). Approximately 5-10% of exam questions touch on cost management tools, and Budgets Actions are a key component. You will be tested on how to configure them, what actions are available, and how they integrate with IAM, SNS, and Service Control Policies.
Jump to a section
Imagine you run a small business with a monthly budget for office supplies. You set a budget of $1,000. You also set two automatic actions: when spending reaches $800, send an email to the accountant; when it hits $1,000, automatically block any further purchases. In AWS, Budgets Actions work similarly. You define a budget (e.g., $10,000 monthly cost). Then you create an action with a threshold (e.g., 80% of budget). When actual or forecasted cost reaches that threshold, AWS triggers the action. The action can be: send a notification via SNS (like emailing the accountant) or apply an IAM policy or Service Control Policy (SCP) to restrict permissions (like blocking purchases). The mechanism is event-driven: AWS Budgets evaluates your costs periodically (usually every 6 hours for actual costs, daily for forecasts). When the threshold is breached, it executes the action. The action can target a specific IAM user/role or an entire AWS account. For example, you could set an action to apply an IAM policy that denies launching new EC2 instances when cost exceeds 90% of budget. This is analogous to the business example: the budget is the spending limit, the threshold is the trigger point, and the action is the automated response.
What Are AWS Budgets Actions?
AWS Budgets Actions allow you to define automated responses when your actual or forecasted costs exceed your budget thresholds. They are part of AWS Budgets, a cost management service that lets you set custom budgets and receive alerts. With Actions, you can automate cost control by sending notifications, applying IAM policies, or restricting permissions via Service Control Policies (SCPs).
Why They Exist
Organizations often struggle with unexpected cloud costs. Traditional budgets only send alerts, requiring manual intervention. Budgets Actions automate remediation, reducing the risk of cost overruns. They enable proactive cost governance without human latency.
How It Works Internally
AWS Budgets continuously evaluates your cost and usage data against your budget thresholds. The evaluation frequency depends on the type of budget:
Actual costs: Evaluated approximately every 6 hours.
Forecasted costs: Evaluated daily.
When a threshold is breached, the corresponding action is triggered. Actions are defined with: - Threshold: A percentage of the budget amount (e.g., 80%, 100%). - Action type: Choose from: - Apply IAM policy: Attach a customer-managed IAM policy to a user or role. - Apply SCP: Attach a service control policy to an AWS account (requires AWS Organizations). - Send SNS alert: Publish a message to an SNS topic. - Target: The IAM user/role or AWS account to apply the policy to. - Approval model: Either Immediate (action executes immediately) or Deferred (requires approval via a separate approval workflow).
Key Components, Values, Defaults, and Timers
Budget Types: Cost budget, usage budget, RI utilization coverage budget, Savings Plans coverage budget.
Threshold Types: Actual or forecasted.
Threshold Value: Must be a percentage (0-1000) of the budget amount. Common values: 50%, 80%, 100%, 150%.
Notification Settings: You can configure multiple thresholds per budget, each triggering different actions.
Action Execution: Actions are executed within minutes of threshold breach detection. There is no guaranteed execution time, but typically within 15 minutes.
IAM Policy Actions: The policy you attach must be a customer-managed policy (not AWS managed). The policy can deny or allow actions.
SCP Actions: You can attach an SCP to an entire AWS account. The SCP must be a customer-managed SCP.
SNS Alert: The SNS topic must exist in the same AWS account and region as the budget. The message includes budget details and threshold information.
Approval Workflow: For deferred actions, you must set up an SNS topic to receive approval requests. The approver must have IAM permissions to approve the action via the Budgets console or API.
Configuration and Verification
You can configure Budgets Actions via the AWS Management Console, AWS CLI, or SDK. Here is a CLI example:
aws budgets create-budget-action \
--account-id 123456789012 \
--budget-name "MonthlyCostBudget" \
--action-type APPLY_IAM_POLICY \
--action-threshold \
Threshold=80,ThresholdType=ACTUAL \
--approval-model IMMEDIATE \
--definition \
IamActionDefinition="{PolicyArn=arn:aws:iam::123456789012:policy/DenyEC2Launch,Users=[user1],Roles=[role1]}" \
--execution-role-arn arn:aws:iam::123456789012:role/BudgetsActionRoleTo verify an action, use:
aws budgets describe-budget-actions-for-budget \
--account-id 123456789012 \
--budget-name "MonthlyCostBudget"Interaction with Related Technologies
AWS Organizations: Budgets Actions can apply SCPs to member accounts. This requires the budget to be created in the management account.
IAM: The IAM policy action attaches a policy to a user or role. The policy must be customer-managed. The execution role must have permissions to attach policies.
SNS: The SNS alert action sends messages to a topic. The SNS topic must have the appropriate subscription (e.g., email, Lambda).
AWS Cost Explorer: Budget data is sourced from Cost Explorer. Accurate cost data is essential for budget accuracy.
Trap Patterns on the Exam
Wrong answer: "Budgets Actions can apply AWS managed policies." Reality: Only customer-managed policies are supported.
Wrong answer: "Actions are triggered immediately when cost exceeds threshold." Reality: There is a delay (up to 6 hours for actual costs).
Wrong answer: "You can attach an action to any budget." Reality: Actions are only available for cost budgets and usage budgets, not RI or Savings Plans coverage budgets.
Wrong answer: "SCP actions can be applied to IAM users." Reality: SCPs apply to AWS accounts, not individual users.
Define Budget and Thresholds
First, create a budget in AWS Budgets. Specify the budget amount, time period (monthly, quarterly, yearly), and scope (e.g., all costs or specific services). Then define threshold values as percentages of the budget. For example, you might set two thresholds: 80% (warning) and 100% (critical). The threshold type can be ACTUAL (current costs) or FORECASTED (predicted costs). AWS evaluates actual costs every ~6 hours and forecasted costs daily. This step is crucial because actions are tied to thresholds; without a threshold, no action can be triggered.
Create Budget Action
In the Budgets console, navigate to the budget and choose 'Create action'. Select the action type: Apply IAM policy, Apply SCP, or Send SNS alert. For IAM policy, specify the customer-managed policy ARN and the target IAM users or roles. For SCP, specify the SCP ARN and target AWS account ID. For SNS, provide the SNS topic ARN. Choose the approval model: Immediate (executes automatically) or Deferred (requires manual approval). Also specify an execution role with permissions to perform the action (e.g., to attach policies). This role must have an IAM trust policy allowing budgets to assume it.
Configure Approval Workflow (if Deferred)
If you chose Deferred approval, you must set up an SNS topic to receive approval requests. The budget action will send a message to that topic when the threshold is breached. An approver (e.g., a cloud administrator) receives the message and must approve or reject the action via the AWS Management Console or API. The approval workflow prevents unintended actions. The approver must have IAM permissions to execute budget actions. Note: The approval request includes details like budget name, threshold, and proposed action.
Action Execution and Monitoring
Once the threshold is breached and (if deferred) approved, the action executes. For IAM policy actions, the specified policy is attached to the target users/roles. For SCP actions, the SCP is attached to the target account. For SNS alerts, a message is published to the topic. The action status can be monitored in the Budgets console under 'Actions history'. You can see when the action was triggered, its status (success/failure), and any error messages. If an action fails (e.g., due to permissions), you must manually remediate.
Review and Adjust
After actions are executed, review the impact. For example, if an IAM policy denies launching EC2 instances, verify that the restriction is appropriate. You may need to adjust the budget threshold or action definition. AWS Budgets provides historical data on cost trends and action triggers. Use this to fine-tune your budgets and actions. Also, remember that actions are not reversible automatically; you must manually detach policies or remove SCPs if needed. Plan for a rollback process.
Enterprise Scenario 1: Cost Control for Development Accounts
A large enterprise uses multiple AWS accounts for development teams. They want to prevent developers from overspending on EC2 instances. They create a monthly cost budget of $5,000 per account. They set an action with a threshold of 100% of actual costs. The action applies an IAM policy that denies ec2:RunInstances and ec2:StartInstances to the developer IAM role. The approval model is Immediate. When a team exhausts their budget, new instances cannot be launched. This prevents unexpected charges. However, a common issue is that the action applies to all users in the role, including those who may need to launch instances for critical tasks. To mitigate, they set a higher threshold (e.g., 150%) for emergency approvals. They also monitor action history to detect false positives.
Scenario 2: Service Control Policy for Compliance
A financial services company uses AWS Organizations with hundreds of accounts. They need to enforce cost limits across all accounts. They create a budget in the management account with a threshold of 80% of forecasted cost. The action applies an SCP that denies ec2:RunInstances for instance types larger than t3.medium. This ensures cost control without breaking existing workloads. The SCP is attached to the entire account. A challenge is that SCPs affect all users, including administrators. To avoid lockout, they exclude the admin account from the SCP target. They also use a deferred approval model so that a central team can review the action before it applies.
Scenario 3: Automated Notifications for Finance Team
A mid-sized company wants to alert the finance team when costs exceed 80% of budget. They create a budget with an SNS alert action. The SNS topic sends an email to the finance team. They set multiple thresholds: 50% (info), 80% (warning), 100% (critical). Each threshold triggers a different SNS topic with different subscribers. This is simple to set up but requires manual action. The main pitfall is that SNS topics must be created in the same region as the budget. Also, if the budget is deleted, actions are lost. They must ensure the budget is recreated if needed.
What SAA-C03 Tests on This Topic
The exam focuses on Objective 4.4: "Implement cost control and governance mechanisms." Specifically, you need to know:
How to define Budgets Actions (thresholds, action types, targets).
The difference between Immediate and Deferred approval.
Which action types are supported (IAM policy, SCP, SNS).
Limitations: Actions only for cost/usage budgets, not RI/Savings Plans coverage budgets.
IAM policy actions require customer-managed policies.
SCP actions require AWS Organizations.
Execution role permissions.
Common Wrong Answers and Why
"Actions can be triggered in real-time." Wrong. There is a delay (up to 6 hours for actual, daily for forecasted). Candidates confuse Budgets Actions with CloudWatch alarms which can be near real-time.
"You can apply AWS managed policies." Wrong. Only customer-managed policies are allowed. Candidates often think any policy works.
"Actions can be applied to IAM groups." Wrong. Targets are users/roles (for IAM policy) or accounts (for SCP). Groups are not supported.
"Budgets Actions can stop resources." Wrong. Actions do not directly stop resources; they only apply policies. To stop resources, you need to combine with AWS Config or Lambda.
Specific Numbers and Terms
Threshold values: percentages (0-1000).
Evaluation frequency: ~6 hours actual, daily forecasted.
Action types: APPLY_IAM_POLICY, APPLY_SCP, SNS_ALERT.
Approval models: IMMEDIATE, DEFERRED.
IAM policy must be customer-managed.
SCP requires AWS Organizations.
Edge Cases
If the budget is deleted, all associated actions are also deleted.
Actions are region-specific; budgets are global but actions are tied to the budget's region.
For SCP actions, the budget must be created in the management account.
The execution role must have permissions to attach policies and must trust budgets.amazonaws.com.
How to Eliminate Wrong Answers
Use the mechanism: Understand that actions are not instant, they only apply policies (not modify resources), and they require specific permissions. If an answer implies real-time resource termination, it is wrong. If it mentions attaching an AWS managed policy, it is wrong. If it says actions can be applied to an IAM group, it is wrong.
Budgets Actions automate responses when cost/usage exceeds budget thresholds.
Three action types: Apply IAM policy, Apply SCP, Send SNS alert.
Thresholds are percentages (0-1000) of budget amount, actual or forecasted.
Actual costs evaluated ~6 hours; forecasted costs daily.
Approval models: Immediate (no approval) or Deferred (requires approval via SNS).
IAM policy actions require customer-managed policies, not AWS managed.
SCP actions require AWS Organizations and are attached to accounts.
Actions only available for cost and usage budgets, not RI/Savings Plans coverage budgets.
Execution role must trust budgets.amazonaws.com and have permissions to perform the action.
Actions are not reversible automatically; plan for manual rollback.
These come up on the exam all the time. Here's how to tell them apart.
Budgets Actions
Triggers based on cost/usage thresholds (percentage of budget).
Actions: Apply IAM policy, Apply SCP, Send SNS alert.
Evaluation frequency: ~6 hours for actual, daily for forecasted.
Requires execution role with specific permissions.
Primarily for cost governance, not real-time operations.
CloudWatch Alarms
Triggers based on any CloudWatch metric (e.g., CPU utilization).
Actions: SNS, Auto Scaling, EC2 actions (stop, terminate, reboot).
Evaluation frequency: as low as 1 minute.
No execution role needed; uses alarm actions directly.
Used for operational monitoring and auto-remediation.
Mistake
Budgets Actions can be triggered in real-time when cost exceeds threshold.
Correct
There is a delay: actual costs are evaluated approximately every 6 hours, forecasted costs daily. It is not real-time like CloudWatch alarms.
Mistake
You can use AWS managed policies with Apply IAM Policy action.
Correct
Only customer-managed policies are supported. AWS managed policies are not allowed.
Mistake
Budgets Actions can directly stop or terminate resources.
Correct
Actions only apply IAM policies, SCPs, or send SNS alerts. They cannot directly stop resources. You would need a Lambda function triggered by SNS to stop resources.
Mistake
Budgets Actions can be applied to IAM groups.
Correct
Targets for IAM policy actions are users and roles, not groups. For SCP actions, targets are AWS accounts.
Mistake
Budgets Actions work with any budget type including RI coverage.
Correct
Actions are only available for cost budgets and usage budgets. RI utilization and coverage budgets, and Savings Plans coverage budgets do not support actions.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, Budgets Actions cannot directly terminate resources. They can only apply IAM policies, SCPs, or send SNS alerts. To terminate instances, you would need to create a Lambda function subscribed to an SNS topic that is triggered by a Budgets Action. The Lambda function can then call the EC2 TerminateInstances API. This is a common pattern but not a built-in feature.
The execution role must have permissions to perform the action. For Apply IAM Policy, it needs `iam:AttachUserPolicy` and `iam:AttachRolePolicy`. For Apply SCP, it needs `organizations:AttachPolicy`. For SNS, it needs `sns:Publish`. Additionally, the role must have a trust policy that allows `budgets.amazonaws.com` to assume it.
No, Budgets Actions are only supported for cost budgets and usage budgets. RI utilization and coverage budgets, and Savings Plans coverage budgets do not support actions. You can still set up notifications for those budgets, but not automated actions.
There is no guaranteed execution time, but typically within minutes of the threshold breach detection. However, detection itself is not real-time: actual costs are evaluated every ~6 hours, and forecasted costs daily. So the total delay from the actual cost incurrence to action execution can be up to 6 hours plus a few minutes.
No, the target for an IAM policy action must be an IAM user or role. Groups are not supported. If you need to affect multiple users, you can attach the policy to a role that users assume, or create separate actions for each user.
If an action fails (e.g., due to permissions errors or missing target), the action status is marked as 'Failed' in the action history. You can view the error message in the console or via API. You must manually investigate and fix the issue, then retry the action if needed. AWS does not automatically retry failed actions.
Yes, but only for SCP actions. You can create a budget in the management account and set an SCP action that targets a member account. IAM policy actions are limited to the account where the budget is created. SNS alerts can be sent to any SNS topic, but the topic must be in the same account and region as the budget.
You've just covered AWS Budgets Actions — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?