Cloud Cost Clinic

Every new CloudWatch log group defaults to "Never expire." So most accounts are one forgotten incident away from a permanent storage line. What retention default would you actually set for a small AWS account? - different per environment (short dev, longer prod) - same everywhere

For a while it was reactive: a spike would tip us off, then we'd run scripts across each env to catch anything in "available" state plus snapshots whose source volume was already gone, and clean from there. Works, but the charges already landed by then, and snapshots are the sneaky half since they're incremental and an AMI can pin one in place. That gap is why we're building continuous scanning into Cloud Cost Clinic, so the leftovers get caught as they accumulate instead of after the bill spikes.

AWS shipped the FinOps Agent, and it's genuinely useful: it watches Cost Anomaly Detection, traces a spike through CloudTrail, and names who caused it. The catch for small teams: it's reactive, and it assumes you already turned that cost stack on. What it does and doesn't: https://t.co/Z5XJ6NqgS6

Common AWS cost mistake: Turning on debug logging during an incident and never turning it off. The incident ends. The logs keep flowing. New log groups default to "Never expire," so the storage line only ever goes up. Safer check: sort log groups by stored bytes, then by incoming bytes. The first list shows old retention decisions. The second shows the noisy producers still adding to it.

the gateway endpoints for S3/DynamoDB are underrated since they're free. one thing worth doing before re-architecting: pull NATGateway-Bytes in Cost Explorer to check how much is data processing vs the flat hourly charge. sometimes the hourly baseline is the bigger line and endpoints won't touch that part

free tier catching people out is so common. honestly the thing that saves you isn't more credits, it's a $1 budget alert set on day one so a forgotten resource can't quietly run all month. for actual credits, AWS Activate or the GitHub Student pack are the legit routes if you qualify

CloudWatch Logs bills you twice: once to ingest, then every month to store. The useful split in Cost Explorer: DataProcessing-Bytes = ingestion (today's noise) TimedStorage-ByteHrs = storage (every "Never expire" decision you ever made) Quick review: - log groups with no retention set - biggest stored bytes - highest IncomingBytes this week - which of those are dev/staging

EBS snapshots bill on stored changed blocks, so the cost creeps as chains grow. Before deleting one, four checks: 1. AMI reference? Deregister-before-delete order matters. 2. AWS Backup or DLM policy managing it? 3. Restore expectation - is this someone's rollback path? 4. Approved next action written down? Age tells you where to look. The references tell you what is safe.