AWS Cost Anomaly Detection FAQs
General
What is AWS Cost Anomaly Detection (CAD) and how does it work?
AWS Cost Anomaly Detection (CAD) helps you detect and receive alerts on abnormal or sudden spend increases in your AWS account. This is possible by using machine learning to understand your spend patterns and trigger alerts when they seem abnormal.
Learn more about CAD from the product page and the user guide. To learn more about programmatic capabilities, read the AWS Cost Explorer API documentation.
How can I customize monitors to evaluate for anomalies?
CAD allows you to segment your spend by different dimensions (AWS Services, Linked Accounts, Cost Allocation Tags, and Cost Categories), to detect more granular anomalies and customize alerting preferences.
How many monitors can be attached to each alert subscription?
CAD allows you to create up to one AWS Service Monitor and 500 custom monitors (Linked Accounts, Cost Allocation Tags, Cost Categories). You can attach up to the maximum of all 501 monitors to an alert subscription.
How many recipients can be attached to each alert subscription?
For each alert subscription, you can have up to 10 email recipients or 1 SNS topic.
How does the alerting threshold work?
The alerting threshold is used to determine when an alert is sent for an anomaly. It does not impact the anomaly detection algorithms in any way. If an anomaly’s total cost impact meets or exceeds the alerting threshold on a subscription, an alert will be sent for the anomaly to the customer. If an anomaly’s total cost impact is below the alerting threshold, it will still be available on the console, but no alert will be sent.
How does a linked account monitor work?
A linked account monitor can track up to 10 different linked accounts. A linked account monitor tracks spending aggregated across all of the designated linked accounts. For example, if a linked account monitor tracks Account A and Account B, and then Account A’s usage spikes while Account B’s usage dips by the same amount, there will be no anomaly detected because it is a net neutral change.
What is the difference between a linked account monitor in a payer account, and a services monitor in a linked account?
A linked account monitor in a payer account will monitor the spend of all services, in total, for that linked account. A services monitor in a linked account will monitor the individual spend for each service for that linked account. For example, if there is a spike in S3 spending, but a dip in EC2 spending of the same amount (net neutral change), the linked account monitor in the payer account will not detect this because it is monitoring the total account spend across all services. However, the services monitor in the linked account would detect the S3 spike since it is monitoring each service spend individually.
If I create a monitor in a linked account and in a payer account, will I have the same anomaly show up twice?
Anomalies are only detected in the account that created the monitor. It's possible the same usage spike can show up in two different monitors in two different accounts. This would result in two anomalies - one anomaly showing in each account.
What is a root cause?
A root cause is our best estimate to the largest contributing factor to an anomaly’s total cost impact. The root cause does not explain the total anomaly impact, but only the impact from the largest contributing factor.
Why do I have an empty or incomplete root cause?
We are not always able to identify a single large contributing factor for each anomaly. In the event that there is no clear root cause for the anomaly, we recommend you use AWS Cost Explorer to view all of the contributing factors.
Why is the root cause impact very small compared to the total cost impact of the anomaly?
For the anomalies detected, we report up to two root causes. This is our best estimate of the largest contributing factors to the anomaly. Since we use machine learning models to select a maximum of two possible root causes, sometimes there are multiple, small contributors to the total impact, so the root cause explains only a small portion of it.
How often does CAD run?
CAD runs approximately three times a day after your billing data is processed.
What is the delay between anomalous usage and when the anomaly gets detected?
Anomaly detection relies on the data from Cost Explorer which has a latency of up to 24 hours. Therefore, it can take up to 24 hours to detect an anomaly after the anomalous usage happens.
What is the delay between creating a monitor and when it can first detect an anomaly?
If you have created a new monitor, it can take 24 hours to start detecting new anomalies.
How much historical data is required for a monitor to detect anomalies?
Any monitor requires at least 10 days of historical usage data for anomalies to be detected. For example, for a services monitor, anomalies for the spending on a new service will not be detected until there are 10 days of spend data.
Default configuration of Cost Anomaly Detection for new Cost Explorer users
What does the default configuration of CAD look like?
Starting March 27, 2023, all new Cost Explorer customer with a Payer or Regular account will benefit from an automatic configuration of CAD. The default configuration of CAD will help customers monitor and be alerted about unintended spend before it turns into billing surprises. The initial setup will include an AWS Services monitor and a daily email alert subscription. The AWS Services monitor will detect any cost anomalies across a customer’s deployed AWS services. Customers are encouraged and empowered to take advantage of additional (custom) monitor and alert configurations for their specific needs and organizational structure.
Why are you automatically enabling CAD for all new Cost Explorer customers?
The default configuration of CAD offers Payer and Regular accounts the benefit of having anomalous spend detection across all deployed AWS services with no effort or cost. If an anomaly is detected, a daily summary email with the top 10 anomalies ordered by their impact will be sent. The email will contain links that allow a customer to drill down and understand underlying drivers in the CAD console or API. Based on this information a customer can, if needed, take any necessary action to deal with the unintended spend.
If I am already an existing Cost Explorer user that does not have CAD, how can I get this service?
If you're an existing Cost Explorer user, you can access CAD through the AWS Cost Management Console. To start monitoring for anomalies you will need to create a cost monitor either in the CAD console or via the API. Similarly, to be alerted about anomalies, you will need to set up an alert subscription in the console or via the API.
What if I do not want CAD enabled on my account?
If you decide that you want to opt-out after being onboarded to the service, you can simply delete any monitor and alert subscriptions on your account in the console or via API. Deleting the monitor will stop processing of your data by the anomaly detection service and you will stop receiving alerts. Previously detected anomalies will still be available after monitor deletion.
How does the default setting of CAD relate to/work with other AWS services?
CAD integrates with Cost Explorer and is only available to customers that have Cost Explorer enabled. After a customer is onboarded to CAD, they will start receiving notification for any cost anomalies related to their deployed AWS services. In addition, customers can click the “View in Cost Explorer” button in the CAD console to further explore any anomaly using the Cost Explorer interface.
What if I do want to monitor for anomalies, but not receive daily email alerts?
You can configure or delete your alert subscription at any time in the CAD console or via the API. As long as you have a cost monitor, CAD will continue to monitor and report on any anomalies in the detection history and via the get Anomalies action in the API.
What if I only want CAD, but not Cost Explorer?
CAD integrates with the Cost Explorer service and requires customers to have it enabled. Today there is no way to enable CAD without Cost Explorer.
Why does the initial configuration only include an AWS Service Monitor and not any other type of monitor?
CAD allows customers to set up four different types of monitors: 1/ AWS service monitor to track spend across all deployed services, 2/ Linked account monitor(s) to track spend of individual, or group of, linked accounts, 3/ Cost category monitor(s) to track spend of different cost categories values, and 4/ Cost allocation tag monitor(s) to track spend of individual tag key-value pairs. An AWS service monitor will be applicable to all customers since it tracks and detects anomalies across any service they deploy. The other three are custom to each customer and it is difficult for us to predict what would be the right selection of linked accounts, cost categories, and cost allocation tags to monitor.
Why does the initial configuration set up a daily email alert, and not an immediate or weekly alert?
CAD offers customers three different options for alerts: 1/ Immediate alert via SNS channels, 2/ Daily summary via email, and 3/ Weekly summary via email. We believe daily email alerts is the best option and cadence for new customers. Weekly may be too delayed to provide sufficient value as a standalone alert; many customers and immediate alerts require an SNS channel that we do not have for accounts by default. After CAD is turned on, customers can change their alert preference at any time.
What email address will be used in the alert subscription?
We will use the root email associated with the AWS Payer or Regular account. Customers can access the CAD console and API to update what email(s) the want to use for their alert subscription(s).
What threshold will be used in the default configuration to determine which anomalies should generate alerts?
The default CAD configuration will generate alerts for all anomalies that will both exceed 40% of what is identified by the CAD ML model as expected spend as well as a minimal USD amount (a fixed amount threshold) of $100. The chosen percentage and fixed amount thresholds aim at producing valuable cost anomaly alerts across customer segments without overwhelming customers with alerts on potentially insignificant amounts. Customers can modify and refine these default thresholds at any time.
Which customer accounts will be eligible for CAD by default?
Payer and Regular accounts that enable Cost Explorer will be eligible. We will not include Linked, internal, and suspended accounts.
Are there any eligible new CE customers for whom we won’t enable CAD by default?
The auto configuration is available for new Cost Explorer customers who are payer or regular standalone account owners.
How will account changes (e.g., changing from Payer to Linked) impact a customer’s account?
If an account type changes (e.g., from Payer to Linked) after CAD has been enabled, the CAD monitor on the account will stop working. This is a known limitation and we are looking at ways to improve the customer experience for this scenario. The current workaround for this scenario requires the customers to recreate the monitor.
Will CAD be enabled for customers in both IAD and the China (ZHY) regions?
Yes, CAD will be enabled for customers in all Commercial Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD.