Cloud Cost Optimization
Checklist

Pull your compute metrics from CloudWatch / Azure Monitor / Cloud Monitoring. Any instance running below 20% average CPU for two weeks is a downsizing candidate. A single m5.xlarge → m5.large saves ~$70/month. Filter by "CPU utilization < 0.20" and sort by cost descending — focus on the top 10.

If dev instances run 24/7 but your team works 8 hrs/day, you're paying for 16 hrs of idle time daily. AWS Instance Scheduler, Azure Auto-shutdown, or a simple cron → Lambda can cut non-production compute cost by 50–65%. Set: off at 8 PM, on at 7 AM weekdays; off all weekend.

A stopped EC2 doesn't charge for compute, but the attached EBS volumes keep billing at ~$0.10/GB/month. Filter instances by state "stopped" with stop date older than 30 days. Snapshot and terminate the ones nobody has touched. Check for gp2 volumes you can upgrade to gp3 (20% cheaper, faster I/O) while you're there.

If any instance type has run at 70%+ utilization for the past 60 days, it's a Savings Plan candidate. Compute Savings Plans give 66% discount vs. on-demand with flexibility across instance families. Do not buy RIs for oversized instances — right-size first, then commit. 1-year no-upfront pays back in month 1.

AWS Graviton3 (m7g, c7g) costs 10–20% less than equivalent x86 instances and often delivers better performance. Most modern language runtimes (Python, Go, Node, JVM) work without code changes. Check your AMI, dependencies, and container images for ARM compatibility — migration is usually a config change, not a rewrite.

S3 Standard: $0.023/GB/month. S3 Glacier Instant Retrieval: $0.004/GB/month — 83% cheaper with the same millisecond access. Rule of thumb: any object not accessed in 90 days should move to Glacier IR. Objects not accessed in 180+ days → Glacier Flexible. Enable S3 Intelligent-Tiering for buckets with unknown access patterns — it auto-optimizes at no retrieval cost.

Filter EC2 → Volumes by state "available" (not attached to any instance). These are billing with no workload behind them. Before deleting, take a final snapshot if uncertain. Then audit snapshots: anything older than 90 days not referenced by an AMI or backup policy is safe to delete. Use AWS Backup or DLM to enforce automatic snapshot lifecycle going forward.

RDS Multi-AZ doubles your database instance cost for automatic failover — a feature dev and staging don't need. A db.m5.large Multi-AZ runs ~$140/month; Single-AZ is ~$70. If you have 3 non-prod environments each running Multi-AZ, that's $210/month wasted. Check your RDS instances: filter by environment tag and toggle off Multi-AZ for anything that isn't production.

RDS Enhanced Monitoring shows CPU, memory, connections, and I/O. If your database is using <30% CPU and fewer than 20% of its max_connections, it's oversized. RDS Performance Insights (free tier for 7-day retention) gives you per-query load data. Common find: a db.r5.2xlarge that's actually bottlenecked on a single slow query, not hardware — query optimization, not bigger iron, is the fix.

Cross-AZ transfer is invisible until your bill arrives. In Cost Explorer, filter by "Usage Type Group: Data Transfer" and look for "EC2-Other: Data Transfer - Region to Region" and "InterZone" entries. Tightly coupled services (app server → database, app → cache) should be in the same AZ. ECS services and target groups can be AZ-pinned. This is often a $200–2,000/month silent line item in mid-size setups.

Every byte your private subnet resources send to S3 or DynamoDB through a NAT Gateway costs $0.045/GB. Gateway-type VPC endpoints for S3 and DynamoDB are free — traffic routes directly through AWS's backbone. If you process 10TB/month through NAT to S3, that's $450/month you can eliminate with a 10-minute config change. Create the endpoint, add it to your route tables, done.

AWS charges $0.005/hr (~$3.65/month) for each Elastic IP not associated with a running instance. EC2 → Elastic IPs → filter "Not Associated" and release them. For load balancers: ELB charges $0.008/hr per ALB (~$5.84/month) plus LCU fees, even with zero traffic. Check LB CloudWatch metrics — any ALB with near-zero request count and no active targets is a candidate for deletion.

CloudWatch Logs charges $0.50/GB ingested and $0.03/GB/month for storage. Log groups default to "Never Expire," meaning they accumulate forever. Go to CloudWatch → Log Groups → sort by "Stored bytes." Set 30-day retention for most application logs; 90 days for audit/compliance; 7 days for debug logs. This alone commonly removes $50–300/month in silent storage cost from mature accounts.

AWS Cost Anomaly Detection uses ML to detect unusual spend — no configuration beyond setting a threshold and an SNS email. Enable it in Cost Explorer → Anomaly Detection → Create Monitor. Add a monitor for each linked account and one for specific services (EC2, RDS, Lambda). Set alert threshold at $50 and daily impact at 20%. This is the fastest free win in cost observability.

Cost Explorer is only useful if resources are tagged. Minimum useful tag set: Environment (prod/staging/dev), Team, Service, Owner. Enable AWS Tag Policies through Organizations to prevent untagged resources from being created. Use Cost Allocation Tags (activate in Billing) to split costs by tag. Untagged spend typically represents 20–40% of most accounts — invisible to any chargeback or rightsizing analysis.

AWS Budgets: $0.02/day per budget (first two budgets free). Create one budget per team or environment using cost allocation tags. Set actions at 80% (notify) and 100% (notify + optionally restrict IAM). Azure Cost Management and GCP Budget Alerts offer the same. Teams that see their own spend data cut costs faster than those that don't — this is as much behavioral governance as it is technical.

The AWS console is limited for cost analysis — CUR gives you every line item at resource-ID level, hourly or daily, with usage type, pricing type, reservation details, and tags. Set up CUR export to S3 + Athena integration (one-click in Cost Explorer → Data Exports). This enables SQL queries like "show me top 20 resources by cost this month" that the console can't do. Critical once your bill exceeds $5k/month.

Lambda charges per invocation + GB-second. A function set to 15-minute max timeout that's erroring and retrying asynchronously can silently run up thousands of dollars overnight. In CloudWatch → Lambda → Errors and Throttles, look for functions with error rate >5% and high concurrent executions. Set max retry attempts to 1 or 2 for async invocations. Review Dead Letter Queues — if they're filling up, something upstream is flooding your function.

DynamoDB provisioned mode charges for what you reserve, not what you use. If your table is consuming 10% of provisioned RCUs/WCUs, you're paying for 90% of idle capacity. In DynamoDB → Metrics → Consumed vs. Provisioned, look for tables where consumed is consistently below 30% of provisioned. Switch them to on-demand pricing if traffic is unpredictable, or adjust provisioned capacity to match the P95 of actual usage.

AWS Marketplace charges appear on your AWS bill and are easy to forget. Go to Billing → AWS Marketplace → Subscriptions and export the list. Look for active subscriptions where the software is no longer deployed or was replaced. Also audit your accounts' SaaS tooling tied to cloud usage (monitoring, logging, security) — after a migration or tool swap, old subscriptions often run for 6–12 months with nobody noticing. Cancel with one click in the Marketplace console.