Cost and blast radius control in AWS
Topic: Cloud aws core
Summary
Limit cost overruns and blast radius with billing alerts, quotas, and organizational boundaries. Use billing alarms, service quotas, and separate accounts or OUs for prod vs non-prod. Use this when designing a multi-account setup or when you need to prevent runaway cost or impact.
Intent: How-to
Quick answer
- Billing: enable Cost Explorer and set billing alarms (e.g. estimated charge above a threshold). Use budgets to alert on or restrict spend per account or per tag. Send notifications to email or an SNS topic so you can react before the bill grows.
- Blast radius: separate prod and non-prod (different accounts or VPCs); use IAM and SCPs to restrict what can be created (e.g. no large instance types in dev). Use quotas to cap concurrent resources (e.g. the EC2 instance limit per region).
- Tagging: tag resources with CostCenter, Environment and Project so you can track cost by team or project. Use tag-based policies to enforce tags and deny untagged resources where appropriate.
Steps
- Billing alerts and budgets: Create a billing alarm in CloudWatch (Billing -> Alarms) on the estimated charge. Create a budget in Cost Management with an alert and an optional limit (e.g. 100% of forecast). Send notifications to email or SNS.
- Quotas and limits: Review service quotas (e.g. EC2 instances per region) and request increases only when needed. Use quotas to cap blast radius (e.g. limit the dev account to small instance types via quota or IAM).
- Separate accounts or OUs: Use separate accounts for prod and non-prod so a mistake or compromise in one does not affect the other. Use SCPs in Organizations to deny certain actions or regions in specific OUs.
- Tagging and cost allocation: Tag all resources with Environment, CostCenter and Project. Activate them as cost allocation tags in billing; enforce tags with policy or automation so cost reports are accurate.
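The billing alarm and budget from the first step, expressed as the request parameters the CloudWatch and Budgets APIs take. This is an added example, not code from the page; the account id, SNS topic ARN, e-mail address and the 200 USD thresholds are placeholders. Two details worth seeing in code: the EstimatedCharges metric is only published in us-east-1 (and only after billing alerts are enabled in the billing preferences), and it updates roughly every six hours, which drives the alarm period.

```python
"""Build the CloudWatch billing alarm and AWS Budgets requests from step 1.

Added example, not part of the original page. The account id, SNS topic ARN,
e-mail address and thresholds used in __main__ are placeholders.
"""
from __future__ import annotations

# AWS/Billing metrics exist only in us-east-1; the alarm must live there even
# if every workload runs elsewhere.
BILLING_REGION = "us-east-1"


def billing_alarm_params(alarm_name: str, threshold_usd: float, sns_topic_arn: str) -> dict:
    """Return kwargs for cloudwatch.put_metric_alarm on EstimatedCharges.

    EstimatedCharges is a month-to-date figure refreshed about every 6 hours,
    so Period=21600 with Statistic=Maximum and a single evaluation period is
    enough; one breaching datapoint means the bill is already past the line.
    """
    if threshold_usd <= 0:
        raise ValueError("threshold must be positive")
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanThreshold",
        # A brand-new account has no datapoints yet; that is not an overrun.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
        "AlarmDescription": f"Estimated month-to-date charges exceed {threshold_usd:.2f} USD",
    }


def budget_params(account_id: str, budget_name: str, limit_usd: float,
                  email: str, env_tag: str | None = None) -> dict:
    """Return kwargs for budgets.create_budget: a monthly cost budget that
    alerts at 80% of actual spend and at 100% of forecast spend.

    When env_tag is given the budget is scoped to resources whose Environment
    cost allocation tag has that value (the tag must be activated in billing
    first, otherwise the filter matches nothing).
    """
    budget = {
        "BudgetName": budget_name,
        "BudgetType": "COST",
        "TimeUnit": "MONTHLY",
        "BudgetLimit": {"Amount": f"{limit_usd:.2f}", "Unit": "USD"},
    }
    if env_tag:
        # Tag filters use the "user:<Key>$<Value>" form for customer tags.
        budget["CostFilters"] = {"TagKeyValue": [f"user:Environment${env_tag}"]}
    subscriber = {"SubscriptionType": "EMAIL", "Address": email}
    notifications = [
        {"Notification": {"NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN",
                          "Threshold": 80.0, "ThresholdType": "PERCENTAGE"},
         "Subscribers": [subscriber]},
        {"Notification": {"NotificationType": "FORECASTED", "ComparisonOperator": "GREATER_THAN",
                          "Threshold": 100.0, "ThresholdType": "PERCENTAGE"},
         "Subscribers": [subscriber]},
    ]
    return {"AccountId": account_id, "Budget": budget,
            "NotificationsWithSubscribers": notifications}


if __name__ == "__main__":
    import boto3  # imported here so the builders above work without the SDK installed

    ACCOUNT = "111122223333"  # placeholder account id
    TOPIC = f"arn:aws:sns:{BILLING_REGION}:{ACCOUNT}:billing-alerts"  # placeholder topic
    cw = boto3.client("cloudwatch", region_name=BILLING_REGION)
    cw.put_metric_alarm(**billing_alarm_params("billing-over-200-usd", 200, TOPIC))
    budgets = boto3.client("budgets", region_name=BILLING_REGION)
    budgets.create_budget(**budget_params(ACCOUNT, "dev-monthly", 200,
                                          "finops@example.com", env_tag="dev"))
```

The builders return plain dicts so they can be unit-tested and diffed against what is deployed; only the `__main__` block needs credentials and the SDK.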
Summary
Set billing alarms and budgets; use quotas and separate accounts/OUs to limit cost and blast radius. Tag resources for cost allocation and enforce tags. Use this to avoid surprise bills and to contain impact.
Prerequisites
None.
Steps
Step 1: Billing alerts and budgets
Create billing alarm and budget; send alerts to email or SNS.
Step 2: Quotas and limits
Review and use service quotas; request increases only when needed; use quotas to cap risk.
Step 3: Separate accounts or OUs
Use multiple accounts or OUs for prod vs non-prod; use SCPs to restrict actions.
Step 4: Tagging and cost allocation
Tag resources; enable cost allocation tags; enforce tagging with policy.
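Steps 2 and 3 come together in a service control policy for a non-prod OU: deny actions outside approved regions, deny large instance types, and deny launches that lack the Environment tag. The following is an added example, not the page's or AWS's own policy; the approved regions, the instance-type patterns, the shortened list of global services, and the `would_deny_run_instances` pre-flight checker are this example's assumptions. The checker models only the three condition operators the policy uses and ignores resource matching, so it is a quick sanity test of the document, not a substitute for the IAM policy simulator.

```python
"""Service control policy for a non-prod OU (steps 2 and 3), plus a small
pre-flight checker for the statements it generates.

Added example, not from the page or from AWS. Regions, instance-type
patterns and the global-service list are this example's own assumptions;
the checker models StringNotEquals, StringNotLike and Null only.
"""
import fnmatch
import json

# Global services that must keep working when everything else is region-locked.
# Assumed subset of AWS's published region-deny example; extend it for the OU.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*", "budgets:*", "ce:*",
    "cloudfront:*", "route53:*", "health:*", "kms:*", "s3:ListAllMyBuckets",
]


def build_nonprod_scp(allowed_regions, allowed_instance_patterns, required_tag="Environment"):
    """Return an SCP document (as a dict) with three explicit Deny statements."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Blast radius: nothing may be created outside the approved regions.
                "Sid": "DenyUnapprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
            },
            {   # Cost: only the listed instance families may be launched.
                "Sid": "DenyLargeInstanceTypes",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringNotLike": {"ec2:InstanceType": list(allowed_instance_patterns)}},
            },
            {   # Cost allocation: a launch without the required tag is refused.
                "Sid": "DenyUntaggedInstances",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
                "Condition": {"Null": {f"aws:RequestTag/{required_tag}": "true"}},
            },
        ],
    }


def _condition_hit(op, actual, expected):
    """Evaluate one condition key. As in IAM, the negated string operators
    match when the key is absent from the request."""
    if op == "StringNotEquals":
        return actual is None or actual not in expected
    if op == "StringNotLike":
        return actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in expected)
    if op == "Null":
        return (actual is None) == (expected == "true")
    raise NotImplementedError(f"operator {op} is not modelled here")


def would_deny_run_instances(scp, *, instance_type, region, tags):
    """Return the Sids of statements that would deny an ec2:RunInstances call
    with this instance type, region and set of request tags. Simplified:
    resource ARNs are not matched and only Deny statements are expected."""
    action = "ec2:RunInstances"
    context = {"aws:RequestedRegion": region, "ec2:InstanceType": instance_type,
               **{f"aws:RequestTag/{k}": v for k, v in tags.items()}}
    denied = []
    for stmt in scp["Statement"]:
        if "NotAction" in stmt:
            applies = not any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"])
        else:
            patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            applies = any(fnmatch.fnmatchcase(action, p) for p in patterns)
        if not applies:
            continue
        conds = [(op, k, v) for op, kv in stmt["Condition"].items() for k, v in kv.items()]
        if all(_condition_hit(op, context.get(k), v) for op, k, v in conds):
            denied.append(stmt["Sid"])
    return denied


if __name__ == "__main__":
    scp = build_nonprod_scp(["eu-west-1"], ["t3.*", "t4g.*"])
    print(json.dumps(scp, indent=2))
    print(would_deny_run_instances(scp, instance_type="p4d.24xlarge",
                                   region="us-east-1", tags={}))
```

Attach the printed document to the non-prod OU, not to the management account; SCPs never affect the management account, so prod and non-prod only gain separation when they are in different accounts under that OU structure.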
Verification
Billing alerts and budgets are set; quotas are known; prod and non-prod are separated; tags are applied and reported.
Troubleshooting
Unexpected charge — Check Cost Explorer by service and tag; identify the resource and set a budget or quota.
Cannot create resource — Check the service quota and request an increase if legitimate.
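The "unexpected charge" check above and the tagging step both reduce to the same report: spend per cost allocation tag, spend per service, the untagged spend that cannot be attributed, and the single resource driving the bill. The code below is an added example, not from the page; its column layout is a simplified, constructed stand-in for a Cost and Usage Report export and every row is made up.

```python
"""Cost attribution and tag compliance over billing line items (step 4 and
the 'unexpected charge' troubleshooting entry).

Added example, not from the page. The CSV layout is a constructed,
simplified stand-in for a Cost and Usage Report export; rows are made up.
"""
import csv
import io
from collections import defaultdict

REQUIRED_TAGS = ("Environment", "CostCenter", "Project")

# Constructed sample: resource id, service, unblended cost and the three cost
# allocation tags; an empty cell means the tag is missing on that resource.
SAMPLE_LINES = """\
resource_id,service,cost_usd,Environment,CostCenter,Project
i-0a1b2c3d,AmazonEC2,412.50,prod,CC-100,checkout
i-0ffe1234,AmazonEC2,1890.00,,,
vol-09ab,AmazonEC2,38.20,prod,CC-100,checkout
db-cluster-1,AmazonRDS,655.00,prod,CC-200,ledger
i-0dev77,AmazonEC2,21.10,dev,CC-100,checkout
"""


def load_line_items(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def cost_report(rows, required_tags=REQUIRED_TAGS):
    """Aggregate cost by CostCenter and by service, list resources missing any
    required tag (largest spend first) and name the most expensive resource."""
    by_cost_center = defaultdict(float)
    by_service = defaultdict(float)
    untagged = []
    for r in rows:
        cost = float(r["cost_usd"])
        by_service[r["service"]] += cost
        missing = [t for t in required_tags if not r.get(t)]
        if missing:
            # Spend that no team can be charged for: the gap tag enforcement closes.
            untagged.append({"resource_id": r["resource_id"], "cost_usd": cost, "missing": missing})
            by_cost_center["(untagged)"] += cost
        else:
            by_cost_center[r["CostCenter"]] += cost
    top = max(rows, key=lambda r: float(r["cost_usd"]))
    return {
        "by_cost_center": {k: round(v, 2) for k, v in by_cost_center.items()},
        "by_service": {k: round(v, 2) for k, v in by_service.items()},
        "untagged": sorted(untagged, key=lambda u: -u["cost_usd"]),
        "top_resource": (top["resource_id"], float(top["cost_usd"])),
    }


if __name__ == "__main__":
    report = cost_report(load_line_items(SAMPLE_LINES))
    for section in ("by_cost_center", "by_service"):
        print(section)
        for key, total in sorted(report[section].items(), key=lambda kv: -kv[1]):
            print(f"  {key:<12} {total:>10.2f} USD")
    print("untagged:", [(u["resource_id"], u["cost_usd"]) for u in report["untagged"]])
    print("top resource:", report["top_resource"])
```

In the constructed sample the largest line item is also the one with no tags, which is the usual shape of a surprise bill: the resource nobody owns is the one nobody was watching, and the report points straight at it.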