First of all, I have to point out that your statement is very misleading. If you ONLY turned on Cost Explorer, AWS will NEVER charge you even 1c. It is a completely free service by default, if you only used the UI. That said, $1.52 is not a jump that justifies "way up", while I totally understand it's 75% of your current AWS spending.
Secondly, if you see 152k requests but are charged only $1.52, it is unlikely to be API charges, because the API charge is $0.01 per request. That said, if you are sure, it must be either you, someone in your team or a 3rd party application that you authorized that is making the requests. AWS internal services will not make requests on your behalf. You can search in CloudTrail for the CostExplorer API call to identify the caller.
Lastly, your pricing made me suspect you enabled the Hourly and Resource Level Data option. Again, that option is NEVER enabled by default; you must specifically opt in. It costs $0.01 per 1,000 UsageRecords-month. That matched the bill you received. To disable it, go to the Cost Explorer console, go to Preferences (try this link), uncheck the "Hourly and Resource Level Data" checkbox, then click the "Save preferences" button.
Hi! Good question. Keep in mind that for ce permissions, a policy attached that allows
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
such as the AWS Managed AdministratorAccess policy also may allow for roles and users to run CE reports.
You can also use the Policy Simulator to check for access to CE: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
There are 2 possible ways that CE charges:
- Cost Explorer API (0.01 per request)
- Cost Explorer Hourly and Resource level granularity ($0.01 per 1,000 UsageRecords month).
You can block access to CE by denying CE and applying that policy onto your users/roles such as:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ce:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Hi, very good question.
I would suggest you look for any IAM policy with the action "ce:*". Once you find a policy, you could try disabling/removing it and see
For example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
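An added example (not part of the answers above and not AWS code): a static check over IAM policy documents that reports which ones grant Cost Explorer actions, covering the explicit "ce:*" case as well as broad wildcard grants like the administrator policy mentioned earlier. The policy names and documents are constructed samples, and the check ignores Condition blocks, Deny statements in other policies, and SCPs.

```python
import re

# Real Cost Explorer API actions used as probes (each API request is billable).
PROBE_ACTIONS = ("ce:GetCostAndUsage", "ce:GetCostForecast")

def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def statement_allows_ce(stmt):
    """Probe actions granted by one statement (Condition is not evaluated)."""
    if stmt.get("Effect") != "Allow":
        return []
    if "NotAction" in stmt:  # Allow + NotAction grants everything NOT listed
        excluded = _as_list(stmt["NotAction"])
        return [a for a in PROBE_ACTIONS
                if not any(_matches(p, a) for p in excluded)]
    patterns = _as_list(stmt.get("Action"))
    return [a for a in PROBE_ACTIONS if any(_matches(p, a) for p in patterns)]

def find_ce_grants(policies):
    """Map policy name -> sorted probe actions that some Allow statement grants."""
    findings = {}
    for name, doc in policies.items():
        granted = set()
        for stmt in _as_list(doc.get("Statement")):
            granted.update(statement_allows_ce(stmt))
        if granted:
            findings[name] = sorted(granted)
    return findings

# Constructed sample policies; the names are hypothetical.
SAMPLE_POLICIES = {
    "admin-like": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ce-full": {"Statement": [{"Effect": "Allow", "Action": ["ce:*"], "Resource": ["*"]}]},
    "forecast-only": {"Statement": {"Effect": "Allow", "Action": "ce:getcostforecast", "Resource": "*"}},
    "s3-readonly": {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "deny-ce": {"Statement": [{"Effect": "Deny", "Action": ["ce:*"], "Resource": ["*"]}]},
    "all-but-iam": {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, actions in find_ce_grants(SAMPLE_POLICIES).items():
        print(f"{name}: {', '.join(actions)}")
```

To run it against a real account, feed it the default-version documents of the policies attached to your users and roles instead of the samples.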
Can you please provide an update on whether the question has been resolved? Thanks.