This chapter covers AWS Budgets and Cost Anomaly Detection, two critical cost management services for the SOA-C02 exam. These tools help you monitor, alert, and control AWS spending proactively. Expect 2-3 exam questions on budget creation, alerting thresholds, anomaly detection configuration, and integration with AWS Organizations and Cost Explorer. Mastering these topics is essential for the Cost domain (Objective 6.1) and for real-world SysOps responsibilities.
Imagine you run a company with 50 department managers who each have their own project budgets. You need to track spending across all departments, receive alerts when any department is about to overspend, and detect unusual spending patterns that might indicate waste or fraud. AWS Budgets is like a centralized finance dashboard that you configure with specific budget amounts for each department (e.g., Marketing: $5,000/month, Engineering: $10,000/month). You set up alerts at 80% and 90% of each budget, so you get an email or Slack notification when spending hits those thresholds. Cost Anomaly Detection is like an AI-powered auditor that continuously learns each department's normal spending patterns—like Marketing typically spending $4,000/month with occasional spikes to $5,000 during product launches. If Marketing suddenly spends $8,000 in a day with no explanation, the anomaly detector flags that as suspicious and sends you an alert with the likely root cause (e.g., a new EC2 instance type was launched). You can then investigate and take action, such as adjusting budgets or stopping runaway spending. Just as you wouldn't wait for a quarterly financial report to catch overspending, AWS Budgets and Cost Anomaly Detection give you real-time visibility and proactive alerts to keep your cloud costs under control.
What Are AWS Budgets and Cost Anomaly Detection?
AWS Budgets allow you to set custom budgets to track your cost and usage, and receive alerts when you exceed (or are forecasted to exceed) your budget thresholds. Cost Anomaly Detection is an ML-based service that continuously monitors your cost and usage patterns to detect unusual spending and identify root causes.
Why They Exist
Cloud costs can easily spiral out of control without proper monitoring. Traditional cost management relies on post-hoc analysis via Cost Explorer, but budgets provide proactive alerts. Anomaly detection adds intelligence to detect unexpected spikes that may indicate misconfigurations, security issues, or inefficiencies.
How AWS Budgets Work Internally
AWS Budgets operates on a periodic evaluation cycle. When you create a budget, you define:
- Budget type: Cost, Usage, Reservation, or Savings Plans
- Period: Daily, Monthly, Quarterly, or Annually
- Budget amount: A fixed amount or a monthly rolling amount
- Filters: By service, linked account, tag, region, etc.
AWS evaluates the budget against actual cost and usage data from the AWS Cost and Usage Report (CUR). The evaluation happens multiple times per day (approximately every 8 hours) for actual costs, and once per day for forecasted costs.
Alerting Mechanism
You can set up to 5 alert thresholds per budget (e.g., 50%, 80%, 90%, 100%, and 120% of budgeted amount). Each alert can trigger an SNS topic, which can send email, SMS, or integrate with other services like AWS Chatbot or Lambda. You can also set alerts for forecasted spend (i.e., when the projected monthly spend exceeds a percentage of the budget).
Cost Anomaly Detection
Cost Anomaly Detection uses ML models to establish a baseline of your normal spending patterns. The service analyzes historical cost and usage data (at least 14 days of history required) and creates a model that accounts for seasonality (e.g., higher costs on weekdays, monthly spikes). When new cost data deviates from the expected range, it generates an anomaly alert.
Key components:
- Monitor: Defines the scope of analysis (e.g., all costs, specific accounts, services, or tags)
- Anomaly threshold: The sensitivity level (low, medium, high) that determines how far from baseline is considered anomalous
- Root cause analysis: The service provides a list of potential root causes (e.g., a specific EC2 instance type, a new service usage)
Default Values and Limits
Maximum number of budgets per account: 20,000 (soft limit, can be increased)
Maximum number of alert subscribers per budget: 10 email addresses or one SNS topic
Budget evaluation frequency: Every 8 hours for actuals, daily for forecasts
Anomaly detection needs at least 14 days of historical data to establish baseline
Anomaly detection monitors are regional but can be configured to cover all regions
Configuration Steps
Creating a Budget via Console:
1. Go to AWS Budgets in the Billing and Cost Management console
2. Choose budget type: Cost, Usage, Reservation, or Savings Plans
3. Set budget details: name, amount, period, and start date
4. Add filters (optional) to narrow scope
5. Set alert thresholds and notification preferences
6. Review and create
Creating a Budget via AWS CLI:
aws budgets create-budget \
  --account-id 123456789012 \
  --budget file://budget.json
Example budget.json:
{
  "BudgetName": "Monthly-EC2-Cost",
  "BudgetLimit": {
    "Amount": "5000",
    "Unit": "USD"
  },
  "CostFilters": {
    "Service": ["AmazonEC2"]
  },
  "CostTypes": {
    "IncludeTax": true,
    "IncludeSubscription": true,
    "UseBlended": false
  },
  "TimeUnit": "MONTHLY",
  "TimePeriod": {
    "Start": "2023-01-01T00:00:00Z",
    "End": "2023-12-31T23:59:59Z"
  },
  "BudgetType": "COST"
}
Creating a Budget Alert (Notification) via CLI:
aws budgets create-notification \
  --account-id 123456789012 \
  --budget-name Monthly-EC2-Cost \
  --notification file://notification.json \
  --subscribers file://subscribers.json
Example notification.json:
{
  "NotificationType": "ACTUAL",
  "ComparisonOperator": "GREATER_THAN",
  "Threshold": 80,
  "ThresholdType": "PERCENTAGE"
}
Cost Anomaly Detection Configuration
Creating a Monitor:
1. In the Cost Anomaly Detection console, click "Create monitor"
2. Choose monitor type: "Cost Monitor" or "Usage Monitor"
3. Define scope: all spend, specific accounts, services, or tags
4. Set anomaly threshold: Low (more alerts, may be noisy), Medium (balanced), High (fewer alerts, only significant anomalies)
5. Add alert subscriptions (SNS topic or email)
6. Review and create
CLI creation is not directly supported; use Console or SDK.
Integration with Related Technologies
AWS Organizations: Budgets can be applied at the organization level to track consolidated spending and delegate budget management to member accounts.
Cost Explorer: Provides historical data that budgets use for forecasting.
AWS Config: Can monitor budget configuration changes for compliance.
AWS Lambda: Can automate responses to budget alerts (e.g., stop EC2 instances when budget exceeded).
AWS Chatbot: Receive budget alerts in Slack or Chime channels.
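One way to wire the Lambda response mentioned in the list above, as an added example rather than code from the original page: an SNS-triggered handler that stops only instances carrying an opt-in tag and ignores messages from any other topic. The topic ARN, the `stop-on-budget-alert` tag, the `BUDGET_TOPIC_ARN` and `DRY_RUN` environment variables and the sample event are assumptions made for illustration.

```python
import os

# Assumptions (not from the page): topic ARN and opt-in tag are placeholders.
EXPECTED_TOPIC = os.environ.get(
    "BUDGET_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:budget-alerts")
OPT_IN_TAG = ("stop-on-budget-alert", "true")  # hypothetical tag key/value

# Constructed SNS event; the message body is deliberately not parsed.
SAMPLE_EVENT = {"Records": [{"EventSource": "aws:sns", "Sns": {
    "TopicArn": EXPECTED_TOPIC, "Subject": "constructed subject",
    "Message": "constructed body"}}]}


def stoppable_instances(ec2):
    """IDs of running instances that carry the opt-in tag."""
    pages = ec2.get_paginator("describe_instances").paginate(Filters=[
        {"Name": f"tag:{OPT_IN_TAG[0]}", "Values": [OPT_IN_TAG[1]]},
        {"Name": "instance-state-name", "Values": ["running"]}])
    return [i["InstanceId"] for page in pages
            for r in page["Reservations"] for i in r["Instances"]]


def respond(event, ec2, dry_run=True):
    """Stop opted-in instances, but only for messages from the budget topic."""
    topics = [r["Sns"]["TopicArn"] for r in event.get("Records", [])
              if r.get("EventSource") == "aws:sns"]
    # A direct invoke, or a message from any other topic, changes nothing.
    if not topics or any(t != EXPECTED_TOPIC for t in topics):
        return {"action": "ignored", "instances": []}
    ids = stoppable_instances(ec2)
    if ids and not dry_run:
        ec2.stop_instances(InstanceIds=ids)
    return {"action": "dry-run" if dry_run else "stopped", "instances": ids}


def handler(event, context):
    """Lambda entry point. The role needs only ec2:DescribeInstances and
    ec2:StopInstances; dry-run stays on unless DRY_RUN is set to "false"."""
    import boto3  # available in the Lambda Python runtime
    dry_run = os.environ.get("DRY_RUN", "true").lower() != "false"
    return respond(event, boto3.client("ec2"), dry_run)
```

Keeping the stop list tag-driven means production workloads are untouched unless someone has explicitly opted them in.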
Verification Commands
List all budgets:
aws budgets describe-budgets --account-id 123456789012
Describe a specific budget:
aws budgets describe-budget --account-id 123456789012 --budget-name Monthly-EC2-Cost
List notifications for a budget:
aws budgets describe-notifications-for-budget --account-id 123456789012 --budget-name Monthly-EC2-Cost
List anomaly detection monitors (using Cost Explorer API):
aws ce get-anomaly-monitors
Get anomaly alerts:
aws ce get-anomalies --date-interval StartDate=2023-01-01,EndDate=2023-01-31
Define Budget Scope and Type
Begin by determining what you want to track. Choose between cost budget, usage budget, reservation budget, or Savings Plans budget. Cost budget tracks actual or forecasted spending in USD. Usage budget tracks usage in units (e.g., GB, hours). Reservation and Savings Plans budgets track utilization and coverage. Also decide the time period: daily, monthly, quarterly, or annually. Monthly is most common. You can optionally apply filters to narrow scope to specific services, linked accounts, tags, or regions. For example, you might create a monthly cost budget of $10,000 for the entire account, and a separate $2,000 budget for the 'production' tag.
Set Budget Amount and Time Period
Specify the budget amount as a numeric value in USD (for cost) or in units (for usage). The time period defines the start and end dates for the budget. For recurring budgets (e.g., monthly), you set a start date and the budget resets each period. For fixed budgets (e.g., one-time project), you set both start and end. AWS recommends using a monthly period for most scenarios. You can also set a 'monthly rolling budget' that adjusts each month based on previous spending.
Configure Alert Thresholds and Notifications
For each budget, you can define up to 5 alert thresholds. Each threshold has a percentage (e.g., 50%, 80%, 90%, 100%, 120%) and a notification type (ACTUAL or FORECASTED). ACTUAL triggers when real costs hit the threshold. FORECASTED triggers when the projected end-of-period cost hits the threshold. You must also specify one or more subscribers: up to 10 email addresses or an SNS topic. The SNS topic can fan out to Lambda, SMS, or other endpoints. It's a best practice to set alerts at 80% and 100% for both actual and forecasted.
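The threshold rules described above can be checked before anything is created. This added example (not part of the original page) lints a set of notifications in the notification.json shape against the limits this page quotes and shows which alerts fire for a given actual and forecast spend; the subscriber list and its SNS topic ARN are constructed placeholders.

```python
# Added example. The two limits below are the ones this page quotes.
MAX_THRESHOLDS = 5   # alert thresholds per budget
MAX_EMAILS = 10      # email subscribers; the alternative is one SNS topic

BUDGET = {"BudgetName": "Monthly-EC2-Cost",
          "BudgetLimit": {"Amount": "5000", "Unit": "USD"}}

def notification(kind, pct):
    """Build one entry in the same shape as notification.json."""
    return {"NotificationType": kind, "ComparisonOperator": "GREATER_THAN",
            "Threshold": pct, "ThresholdType": "PERCENTAGE"}

# 80% and 100%, for both actual and forecasted spend.
NOTIFICATIONS = [notification(k, p)
                 for k in ("ACTUAL", "FORECASTED") for p in (80, 100)]

# Constructed subscriber list; the topic ARN is a placeholder.
SUBSCRIBERS = [{"SubscriptionType": "SNS",
                "Address": "arn:aws:sns:us-east-1:123456789012:budget-alerts"}]

def lint(notifications, subscribers):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    if len(notifications) > MAX_THRESHOLDS:
        problems.append(f"{len(notifications)} thresholds exceeds {MAX_THRESHOLDS}")
    emails = [s for s in subscribers if s["SubscriptionType"] == "EMAIL"]
    topics = [s for s in subscribers if s["SubscriptionType"] == "SNS"]
    if len(emails) > MAX_EMAILS:
        problems.append(f"{len(emails)} email subscribers exceeds {MAX_EMAILS}")
    if len(topics) > 1:
        problems.append("more than one SNS topic")
    if not subscribers:
        problems.append("no subscribers: the alert would notify nobody")
    if not any(n["NotificationType"] == "FORECASTED" for n in notifications):
        problems.append("no FORECASTED alert: overspend is reported only after it happens")
    return problems

def firing(budget, notifications, actual, forecast):
    """(type, threshold) of each alert triggered; models GREATER_THAN only."""
    limit = float(budget["BudgetLimit"]["Amount"])
    fired = []
    for n in notifications:
        spend = actual if n["NotificationType"] == "ACTUAL" else forecast
        trigger = n["Threshold"]
        if n["ThresholdType"] == "PERCENTAGE":
            trigger = limit * n["Threshold"] / 100
        if spend > trigger:
            fired.append((n["NotificationType"], n["Threshold"]))
    return fired

if __name__ == "__main__":
    print(lint(NOTIFICATIONS, SUBSCRIBERS))
    print(firing(BUDGET, NOTIFICATIONS, actual=4100, forecast=5300))
```

With 4,100 USD spent and 5,300 USD forecast, both forecasted alerts fire while the actual 100% alert is still silent.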
Create Cost Anomaly Detection Monitor
Navigate to Cost Anomaly Detection in the Billing console. Click 'Create monitor'. Choose a name and scope: can be all spend, specific accounts, services, or tag values. The ML model needs at least 14 days of historical data to establish a baseline. Set the anomaly threshold: Low (sensitive, more alerts), Medium (balanced), High (less sensitive). The threshold determines the standard deviation from the baseline considered anomalous. You can also set alert preferences: email or SNS. The monitor will continuously evaluate new cost data and send alerts when anomalies are detected.
Monitor and Respond to Alerts
When a budget alert fires, you receive an email or SNS notification. For anomaly alerts, the notification includes root cause analysis (e.g., 'Unusual spend in EC2: m5.large instances in us-east-1'). You can then investigate using Cost Explorer or AWS Console to drill down. Common responses: adjust budget amounts, modify resource configurations, or automate remediation via Lambda (e.g., stop non-critical instances). For anomaly alerts, you can also suppress false positives by adjusting the threshold or adding a filter. Regularly review budget reports in the console to track trends and adjust budgets as needed.
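For the investigation step, an added example (not from the original page) that triages the JSON returned by `aws ce get-anomalies`: it keeps high-impact anomalies and any anomaly whose root cause sits in a region outside an expected set, since spend in an unused region deserves a look however small it is. The sample response, the region allow-list and the 50 USD cutoff are constructed assumptions.

```python
import json

# Assumption: the regions this organisation deploys to (placeholder set).
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}

# Constructed sample in the shape of a get-anomalies response; all values are made up.
SAMPLE = json.loads("""
{"Anomalies": [
  {"AnomalyId": "example-1", "AnomalyStartDate": "2023-01-14",
   "Impact": {"MaxImpact": 120.0, "TotalImpact": 310.5},
   "RootCauses": [{"Service": "Amazon Elastic Compute Cloud - Compute",
                   "Region": "us-east-1", "LinkedAccount": "123456789012",
                   "UsageType": "BoxUsage:m5.large"}]},
  {"AnomalyId": "example-2", "AnomalyStartDate": "2023-01-20",
   "Impact": {"MaxImpact": 18.0, "TotalImpact": 18.0},
   "RootCauses": [{"Service": "Amazon Elastic Compute Cloud - Compute",
                   "Region": "ap-southeast-2", "LinkedAccount": "123456789012",
                   "UsageType": "APS2-BoxUsage:p3.8xlarge"}]},
  {"AnomalyId": "example-3", "AnomalyStartDate": "2023-01-22",
   "Impact": {"MaxImpact": 4.2, "TotalImpact": 4.2}, "RootCauses": []}
]}
""")


def triage(response, min_impact=50.0, expected_regions=EXPECTED_REGIONS):
    """Return anomalies worth reviewing, highest total impact first."""
    findings = []
    for a in response.get("Anomalies", []):
        impact = a.get("Impact", {}).get("TotalImpact", 0.0)
        causes = a.get("RootCauses") or []
        reasons = ["impact"] if impact >= min_impact else []
        # Spend in a region nobody deploys to is kept regardless of size.
        odd = sorted({c["Region"] for c in causes
                      if c.get("Region") and c["Region"] not in expected_regions})
        reasons += [f"unexpected-region:{r}" for r in odd]
        if reasons:
            findings.append({
                "id": a["AnomalyId"], "start": a.get("AnomalyStartDate"),
                "impact": impact, "reasons": reasons,
                "where": [(c.get("LinkedAccount"), c.get("Region"),
                           c.get("Service"), c.get("UsageType")) for c in causes]})
    return sorted(findings, key=lambda f: f["impact"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["id"], f["impact"], f["reasons"], f["where"])
```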
Scenario 1: Startup Controlling Cloud Costs
A fast-growing startup uses AWS for its SaaS platform. The CTO sets a monthly cost budget of $50,000 for the entire AWS account, with alerts at 80% and 100%. They also create separate budgets for each major service: EC2 ($20,000), RDS ($10,000), and Lambda ($5,000). The alerts are sent to a Slack channel via AWS Chatbot. One month, the EC2 budget alert fires at 80% on the 15th. The team investigates and finds a developer accidentally launched a fleet of GPU instances for a test that was left running. They stop the instances and adjust the budget. Without budgets, they might have discovered the overspend only at month-end. They also use Cost Anomaly Detection with a medium threshold to catch unusual spikes, such as a sudden increase in data transfer costs due to a DDoS attack. The anomaly monitor sends an alert, and the team quickly mitigates by enabling AWS Shield Advanced. In production, they manage 50+ budgets across multiple accounts via AWS Organizations, with budget reports automated via Lambda that posts to a weekly Slack digest.
SOA-C02 Exam Focus for AWS Budgets and Cost Anomaly Detection
This topic falls under Domain 6: Cost Management, Objective 6.1: Implement and manage cost control measures. Expect 2-3 questions that test your ability to configure budgets and anomaly detection, interpret alerts, and integrate with other services.
Common Wrong Answers:
1. Using Cost Explorer instead of Budgets for proactive alerts. Candidates often think Cost Explorer provides alerts, but it is a reporting tool only. Budgets provide proactive notifications.
2. Setting budget alerts only on actual spend, ignoring forecasted alerts. The exam tests that forecasted alerts are critical to prevent overspending before it happens.
3. Thinking anomaly detection works without historical data. Many assume it works immediately, but it requires at least 14 days of data to establish a baseline.
4. Confusing anomaly detection monitors with budgets. They are separate services; budgets track against a fixed threshold, anomaly detection uses ML for pattern deviations.
Specific Numbers and Values:
- Maximum 5 alert thresholds per budget.
- Maximum 10 email subscribers per budget (or one SNS topic).
- Budget evaluation frequency: every 8 hours for actuals, daily for forecasts.
- Anomaly detection needs 14 days minimum historical data.
- Anomaly threshold levels: Low, Medium, High.
- Budget types: Cost, Usage, Reservation, Savings Plans.
- Time units: DAILY, MONTHLY, QUARTERLY, ANNUALLY.
Edge Cases:
- Budgets can be created for individual accounts or for the entire organization via AWS Organizations.
- Budgets can include or exclude taxes, support charges, and discounts.
- Anomaly detection can be scoped to specific tags or accounts, but not to specific budget amounts.
- If you delete a budget, associated alerts are also deleted.
Eliminating Wrong Answers: Always look for the key differentiator: proactive vs. reactive. If a question asks for a way to be alerted before hitting a cost limit, the answer is Budgets with forecasted alerts. If the question mentions unusual spending patterns, it's Anomaly Detection. If it mentions historical reporting, it's Cost Explorer.
AWS Budgets allow up to 5 alert thresholds per budget, with actual and forecasted options.
Budget alerts can be sent to up to 10 email addresses or one SNS topic per budget.
Cost Anomaly Detection requires at least 14 days of historical data to establish a baseline.
Anomaly detection monitors have three sensitivity levels: Low (most alerts), Medium, High (least alerts).
Budgets are evaluated every 8 hours for actual costs and daily for forecasts.
Both services integrate with SNS for notifications and can trigger Lambda for automated remediation.
Budgets can be applied at the AWS Organization level to manage consolidated spend.
Cost Anomaly Detection provides root cause analysis in alert notifications.
These come up on the exam all the time. Here's how to tell them apart.
AWS Budgets
Tracks spending against a fixed dollar or usage threshold.
Provides proactive alerts when actual or forecasted spend exceeds set percentages.
Can be scoped to service, account, tag, region, or cost category.
Alerts are based on predefined thresholds (e.g., 80%, 100%).
Best for enforcing cost limits and preventing budget overruns.
Cost Anomaly Detection
Uses ML to detect unusual spending patterns without a fixed threshold.
Provides root cause analysis for anomalies (e.g., specific instance type).
Can be scoped to all spend, specific accounts, services, or tags.
Alerts are based on deviation from historical baseline (sensitivity setting).
Best for catching unexpected spikes, potential waste, or security incidents.
Mistake
AWS Budgets can automatically stop resources when budget is exceeded.
Correct
Budgets only send alerts; they do not take automated actions. However, you can integrate with Lambda via SNS to trigger custom actions like stopping instances.
Mistake
Cost Anomaly Detection works immediately after enabling.
Correct
It requires at least 14 days of historical cost data to establish a baseline before it can detect anomalies.
Mistake
You can set a budget for a specific resource ARN.
Correct
Budgets cannot be scoped to individual resource ARNs; they can only be filtered by service, linked account, tag, region, or cost category.
Mistake
Anomaly detection alerts are sent via email by default.
Correct
You must configure an SNS topic or email subscription; there is no default notification. You set up alert preferences during monitor creation.
Mistake
Budget alerts are evaluated in real-time.
Correct
Actual cost data is updated every 8 hours, so alerts may have a delay. Forecasted alerts are updated once per day.
When creating a budget alert, set the NotificationType to 'FORECASTED' instead of 'ACTUAL'. The threshold percentage will compare against the projected end-of-period spend. For example, a forecasted alert at 100% means you'll be alerted when the forecast predicts you'll hit the budget limit by the end of the month.
Yes, you can use AWS Chatbot to route SNS notifications to Slack or Chime. Create an SNS topic for your budget alert, then configure a Chatbot client that subscribes to that topic and posts messages to your Slack channel.
Nothing automatic. AWS Budgets only sends alerts; they do not block or throttle resource usage. To take action, you can set up a Lambda function triggered by the SNS topic to stop instances, modify permissions, or notify administrators.
The service continuously monitors cost and usage data as it becomes available in the Cost and Usage Report (CUR). New data is typically available within 8-12 hours. Anomaly evaluations occur shortly after new data is ingested.
Yes, you can create budgets in the management account that apply to the entire organization, or you can create budgets in individual member accounts (if they have the necessary permissions). Budgets in the management account can be filtered by linked account to track per-account spend.
Budgets track against a fixed dollar amount and alert when you exceed a percentage of that amount. Cost Anomaly Detection uses ML to detect unusual patterns without a preset threshold, and provides root cause analysis. Use budgets for cost control, anomaly detection for unexpected spikes.
You can raise the anomaly threshold (e.g., from Low to Medium) to reduce the number of alerts. Alternatively, you can add filters to exclude certain accounts, services, or tags that are known to have variable spending.