Back
AWS Cost Optimization, AWS,
May 4, 2026

AWS Cost Anomaly Detection: How to Set It Up and Actually Use It (2026)

Anastasiia Kuten
Anastasiia Kuten Marketing & Partnerships Department Manager
May 4, 2026
AWS Cost Anomaly Detection
AWS partner dedicated to startups

AWS partner dedicated to startups

  • 2000+ Clients
  • 5+ Years of Experience
  • $10M+ saved on AWS

Most teams find out about AWS bill shock the same way: an email from finance on the 5th of the month asking why last month’s invoice doubled. By then the damage is done, the money is spent, and someone is spending three days digging through CloudTrail to figure out what happened.

AWS Cost Anomaly Detection fixes this. It is a free service from AWS that uses machine learning to watch your spending and alert you within 24 hours when something looks wrong. Setup takes about 10 minutes. Most teams turn it on once and forget it exists, missing 80% of what makes it useful.

This guide covers the actual setup, the monitor types you should pick, the thresholds that work, and how to wire alerts into Slack so your team sees them in real time, not buried in someone’s inbox.

What Is AWS Cost Anomaly Detection?

AWS Cost Anomaly Detection (often shortened to CAD) is a feature inside AWS Cost Management that uses machine learning to identify unusual spending patterns in your AWS account.

It does three things:

  1. Learns your normal spending pattern over time, including weekly and monthly cycles
  2. Watches your actual spending against that baseline three times a day
  3. Alerts you when something deviates significantly, with a root cause analysis showing which service, account, region, or usage type drove the spike

The key word is pattern. Cost Anomaly Detection is not a static budget. A static budget alerts you when you cross a fixed dollar amount. CAD alerts you when your spending behavior changes, even if you are still under your overall budget.

Example: your EC2 costs always jump on Mondays when batch jobs run. CAD knows this and does not alert. But if your S3 costs triple at 2am on a Saturday because someone misconfigured a backup job, CAD catches it the same day.

Why You Should Set It Up Today

Three reasons.

  1. It is free. AWS does not charge for the service, the monitors, or the alerts. There is no reason not to have it on.
  2. The cost of not having it is huge. Common scenarios that CAD catches: a runaway Lambda function that loops forever, a forgotten p4d.24xlarge GPU instance left running over a weekend, a misconfigured CloudFront origin causing massive data transfer charges, or an autoscaling group that scales up and never scales back down. Any one of these can cost thousands per day. Without CAD, you find out 30 days later.
  3. It takes 10 minutes. The setup is straightforward and the defaults work for most teams.

How AWS Cost Anomaly Detection Works

The pipeline behind the scenes:

  1. Data collection: CAD pulls from your billing data and Cost Explorer history, including historical resource usage across all monitored services
  2. Baseline learning: the ML model studies your past spending to understand what normal looks like, including daily, weekly, and seasonal patterns
  3. Real-time monitoring: the service runs three times a day, comparing actual spend to predicted spend
  4. Anomaly identification: when actual spend deviates beyond the dynamic threshold, it flags an anomaly
  5. Root cause analysis: CAD identifies up to 10 contributing factors, ranked by dollar impact, broken down by service, account, region, or usage type
  6. Alert dispatch: alerts are sent via email, SNS, or chat (Slack, Microsoft Teams, Amazon Chime)

Detection happens within 24 hours of the anomaly occurring. New monitors take about 24 hours to start working. New AWS service subscriptions need 10 days of historical usage before CAD can detect anomalies on them.

The Four Monitor Types: Which Should You Use?

CAD lets you create different monitors for different views into your spending. You can have one AWS service monitor and up to 500 custom monitors per account.

1. AWS Services Monitor

Watches every AWS service in your account automatically. It picks up new services as you adopt them. No manual configuration needed.

Use this if: you are just getting started, you have a single account, or you do not need to segment by team or environment. Almost everyone should have this monitor enabled.

2. Linked Accounts Monitor

Watches a specific member account or a group of up to 10 linked accounts within an AWS Organization.

Use this if: you have multiple AWS accounts (one per environment, team, or product) and you want separate alerts for each. This is the right choice for any company using AWS Organizations.

3. Cost Allocation Tags Monitor

Watches spending grouped by a specific cost allocation tag, like Environment, Team, or Project.

Use this if: your accounts are shared across teams and you tag resources to track ownership. Requires that you have already set up cost allocation tags in Billing.

4. Cost Categories Monitor

Watches spending grouped by AWS Cost Categories (custom logical groupings of costs you define).

Use this if: you have built out Cost Categories for chargeback or showback. Niche but powerful for FinOps teams that have invested in cost allocation infrastructure.

Recommendation for most teams: start with the AWS Services monitor (catches everything) plus a Linked Accounts monitor if you have multiple accounts. Add tag-based monitors later as your tagging discipline improves.

Step by Step: Setting Up AWS Cost Anomaly Detection

Step 1: Enable AWS Cost Explorer

Cost Anomaly Detection is a feature inside Cost Explorer. If you have not already enabled Cost Explorer in your account, do that first.

  1. Sign in to the AWS Console with your management account
  2. Open the Billing and Cost Management console
  3. Click Cost Explorer in the left sidebar
  4. Click Launch Cost Explorer

Cost Explorer is also free. Enabling it kicks off the historical data backfill, which CAD needs to learn your spending patterns.

Step 2: Create Your First Monitor

Now create the AWS Services monitor that watches everything in your account.

  1. In the Billing and Cost Management console, click Cost Anomaly Detection in the left sidebar
  2. Click Get started or Create monitor
  3. For monitor type, select AWS services
  4. Give it a clear name like AccountWideServiceMonitor
  5. Click Next

Step 3: Configure Your Alert Subscription

Monitors detect anomalies. Subscriptions tell you about them. You need both.

  1. Choose Create a new subscription
  2. Give the subscription a name like FinanceTeamAlerts
  3. Set the alert frequency:
    • Individual alerts: get notified for every anomaly that exceeds your threshold (recommended for active monitoring)
    • Daily summary: one email per day grouping all anomalies (good for low-traffic accounts)
    • Weekly summary: one email per week (only for accounts with very stable spending)
  4. Set the threshold (more on this below)
  5. Add recipients (up to 10 email addresses, or one SNS topic)
  6. Click Create subscription

Step 4: Set the Right Threshold

This is where most teams get it wrong. Too low and you get alert fatigue. Too high and you miss real problems.

The threshold is a dollar amount that determines whether you get notified. Anomalies below the threshold are still detected and visible in the console, but you do not get an alert.

A practical rule: start at 2 to 5% of your monthly AWS spend.

  • $1,000/month bill: threshold $20 to $50
  • $10,000/month bill: threshold $200 to $500
  • $100,000/month bill: threshold $2,000 to $5,000

If you are getting too many alerts after a week, raise the threshold. If you are not catching real problems, lower it. Adjust quarterly or after major infrastructure changes.

For startups with AWS Activate credits, set the threshold as a percentage of your remaining credit balance, not your total spend. Burning through credits unexpectedly is a different kind of disaster than overpaying on a normal month.

Wiring Alerts Into Slack (or Microsoft Teams)

Email alerts get ignored. Slack alerts get acted on. Setting this up takes about 5 extra minutes.

The Architecture

Cost Anomaly Detection sends alerts to an Amazon SNS topic, which forwards them to AWS Chatbot (recently rebranded as Amazon Q Developer in chat applications), which posts them in your Slack channel.

Step by Step

  1. Create an SNS topic:aws sns create-topic --name cost-anomaly-alerts
  2. Add the AWS service permission so Cost Anomaly Detection can publish to it. In the SNS console, edit the topic’s access policy and allow costalerts.amazonaws.com to publish.
  3. In Slack, install the AWS Chatbot app and authorize it for your workspace
  4. In the AWS Chatbot console, configure a new Slack client and select your workspace
  5. Add a Slack channel configuration: pick the channel where alerts should land, and subscribe it to the SNS topic you created
  6. Back in Cost Anomaly Detection, edit your alert subscription and add the SNS topic as a recipient

The same flow works for Microsoft Teams (use the AWS Chatbot Teams integration) and Amazon Chime.

Channel Routing for Larger Teams

If you have multiple teams or environments, route alerts to specific channels:

  • #finops-alerts for general account-wide anomalies
  • #genai-costs for Bedrock and SageMaker monitors
  • #incidents for high-impact alerts (threshold above $1,000)

Create separate alert subscriptions for each, with different thresholds and SNS topics.

What to Do When You Get an Alert

An alert tells you something happened. The next 30 minutes determine whether it costs you $50 or $50,000.

The Investigation Checklist

  1. Click the anomalyDetailsLink in the alert. It takes you straight to the Cost Anomaly Detection console with the anomaly pre-filtered.
  2. Read the root cause analysis. CAD shows you up to 10 contributing factors with dollar attribution. Focus on the top 1 or 2.
  3. Check the time window. Did the spike start at a specific hour? That often points directly to a deployment, a cron job, or a misconfigured alarm.
  4. Open Cost Explorer with the same filters. Look at the trend over 7 days to confirm it is anomalous and not a new baseline.
  5. Check CloudTrail for changes. Filter to the time window of the anomaly and look for resource creation events.
  6. If it is real, fix it. Stop the runaway resource, roll back the deployment, or fix the configuration that caused it.
  7. Submit feedback. The CAD console has a “Was this helpful?” button. Use it. The ML model gets better when you tell it whether the alert was real.

Common Anomalies and What They Usually Mean

After running CAD for a year, you start to recognize patterns. The most common alerts and their typical causes:

Sudden EC2 spike usually means an autoscaling group scaled up and did not scale back down, a manually launched instance got forgotten, or a deployment changed instance types to something larger.

S3 spike usually means a misconfigured backup, a versioning explosion (lots of object versions piling up), or an unexpected data transfer pattern (someone synced a huge dataset out to the internet).

Lambda spike usually means a function is in an infinite loop, a downstream service is failing and Lambda is retrying constantly, or someone deployed a function with a much higher memory or timeout setting.

CloudFront or data transfer spike usually means a DDoS attack, a viral piece of content, or a misconfigured origin causing cache misses.

RDS spike usually means a new read replica was added, the instance was upsized, or storage auto-scaled up because a query was writing huge amounts of data.

Bedrock or SageMaker spike usually means a new model with higher token costs, a developer experimenting without rate limits, or a runaway agent making thousands of API calls.

Cost Anomaly Detection vs AWS Budgets: Which Do You Need?

Both, actually. They solve different problems.

AWS Budgets uses static thresholds. You define a fixed dollar limit, and Budgets alerts you when you cross it. Budgets are good for hard limits (“alert me when this account exceeds $5,000 this month”) and forecasting (“alert me when forecasted spend exceeds $10,000”).

Cost Anomaly Detection uses dynamic thresholds. It catches unusual patterns regardless of total spend. CAD is good for catching the things you would not have predicted.

Budgets catch the slow leaks. CAD catches the sudden spikes. You need both.

A typical setup:

  • Budgets for hard monthly limits per account or environment
  • Budgets with forecasted alerts to predict month-end overages
  • Cost Anomaly Detection for any spending pattern that deviates from normal

Limits and What CAD Cannot Do

Cost Anomaly Detection is powerful but it is not a complete FinOps solution. It does not:

  • Prevent overspending. CAD detects, it does not block. You still need budgets, IAM policies, and Service Control Policies to actually stop runaway resources.
  • Track unit economics. CAD does not show you cost per customer, cost per feature, or cost per team without significant additional setup.
  • Replace cost allocation tools. If you need detailed chargeback or showback reports, you still need Cost and Usage Reports plus a tool like AWS Cost and Usage Dashboards or a third-party FinOps platform.
  • Eliminate false positives. Tuning is required, especially for workloads with high natural variance.
  • Detect anomalies in real time. Detection has a 24-hour delay. For real-time alerting, use AWS Budgets with sub-daily evaluation or third-party tooling.

Best Practices for Production Use

Once your monitors are running, these habits separate teams that get value from CAD from teams that just get alert fatigue.

Start broad, then segment. Begin with the AWS Services monitor covering your whole account. After 2 to 4 weeks, add specific monitors for your highest-spending services or accounts.

Tag aggressively. The more cost allocation tags you have, the more useful tag-based monitors become. Implement Environment, Project, Owner, and CostCenter tags as a minimum.

Make alerts someone’s responsibility. Alerts that nobody owns get ignored. Assign one person on the platform team to triage CAD alerts within 24 hours. Rotate the responsibility weekly.

Submit feedback every time. The thumbs up or down button in the CAD console feeds back into the ML model. Teams that submit feedback consistently get better detection accuracy within a month.

Review thresholds quarterly. As your spend grows, your thresholds should grow with it. A $50 threshold made sense at $1,000/month; it is alert spam at $50,000/month.

Combine with Trusted Advisor. Trusted Advisor catches structural waste (idle instances, underutilized resources). CAD catches sudden changes. Together they cover most cost issues.

Frequently Asked Questions

Is AWS Cost Anomaly Detection free?
Yes, completely. The service, the monitors, and the alerts are all free. The only related service that may charge you is SNS, which costs fractions of a cent per notification.

How long until it starts catching anomalies?
24 hours minimum after creating a monitor. Accuracy improves over the first 2 to 4 weeks as the model learns your patterns. New AWS services need 10 days of historical data before CAD can monitor them.

Can I use it across multiple AWS accounts?
Yes. With AWS Organizations, the management account can create monitors that watch individual member accounts or all member accounts together.

How many monitors can I create?
One AWS Services monitor plus up to 500 custom monitors (linked accounts, cost allocation tags, or cost categories) per account. You can attach all of them to a single alert subscription.

Can I exclude certain services or accounts?
Not directly. The workaround is to create focused monitors for the services or accounts you do care about, instead of a single account-wide monitor.

Does it detect anomalies in real time?
No. Detection runs three times per day with up to a 24-hour delay. For true real-time alerts, use AWS Budgets with sub-daily evaluation periods.

What happens if I delete a monitor?
Historical anomalies detected by that monitor stay accessible in the console, but no new anomalies will be detected for the dimensions it covered.

Can it work with bill source accounts that use Billing Transfer?
No. Cost Anomaly Detection is not available for bill source accounts using billing transfer.

Summary

AWS Cost Anomaly Detection is the single highest-leverage 10 minutes you can spend on AWS cost management. It is free, it works automatically, and it catches the spikes that static budgets miss.

The setup checklist:

  1. Enable Cost Explorer if you have not already
  2. Create the AWS Services monitor for full account coverage
  3. Add a Linked Accounts monitor if you have multiple accounts
  4. Create an alert subscription with a threshold at 2 to 5% of monthly spend
  5. Wire it into Slack via SNS and AWS Chatbot
  6. Assign someone to triage alerts within 24 hours
  7. Review thresholds quarterly

Most teams that adopt this find at least one real cost issue in the first month. The rest of the time it is quiet, which is exactly what you want from a watchdog.

Share this article:
Need Help with AWS Cost Optimization?
Cloudvisor helps companies build cost-aware AWS architectures from day one and clean up spending issues in mature accounts. Whether you want help setting up a full FinOps practice, reviewing your current cost structure, or just figuring out where your money is going, our team of certified AWS experts can help.
Book a free consultation

Other news and articles

Explore more
What Is Amazon Bedrock AgentCore? The 2026 Guide for AWS Teams
AWSMay 1, 2026
What Is Amazon Bedrock AgentCore? The 2026 Guide for AWS Teams
Sovereignty as a Service: The AWS European Sovereign Cloud is Live
AWS ServicesApril 22, 2026
Sovereignty as a Service: The AWS European Sovereign Cloud is Live
AWS RDS Cost Optimization: Hidden Savings Most Teams Miss (2026)
AWSApril 20, 2026
AWS RDS Cost Optimization: Hidden Savings Most Teams Miss (2026)
Explore more