
Billing Alarm

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CW-001

Set up a CloudWatch billing alarm to receive alerts when your AWS estimated charges exceed a threshold that you choose so you can decide whether to stop or reconfigure the AWS components that have reached the cost limit set. These alerts are triggered by AWS CloudWatch and sent to you using the AWS Simple Notification Service (SNS).

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see the Conformity compliance standards documentation.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling AWS CloudWatch billing alarms makes it easier to track and manage spending within your AWS account. From a security standpoint, an unexpected jump in estimated charges is often the first visible symptom of compromised credentials or misused resources (for example, leaked access keys being used to launch instances), so a billing alarm also serves as an inexpensive detective control.

Note: You can specify a custom name for the alarm using the rule configuration settings available in the Cloud Conformity dashboard. Otherwise, the default name used for this rule is "BillingAlarm".


Audit

To determine if AWS billing alerts are enabled within your account, perform the following:

Note: Verifying the AWS billing alerts feature status via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Billing and Cost Management dashboard at https://console.aws.amazon.com/billing/home.

03 In the left navigation panel, select Preferences and check the Receive Billing Alerts status. If the feature is disabled, i.e. its checkbox is unchecked, AWS billing alerts are currently disabled in your account. In order to create CloudWatch billing alarms to track resource costs you must enable this feature first (see the 'Remediation/Resolution' section).

Remediation / Resolution

Step 1: To create a billing alarm using AWS CloudWatch and AWS SNS you must turn on Billing Alerts by performing the following actions

Note: Enabling AWS Billing Alerts feature status via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Billing and Cost Management dashboard at https://console.aws.amazon.com/billing/home.

03 In the left navigation panel, select Preferences.

04 Select Receive Billing Alerts checkbox.

05 Click Save Preferences to apply the changes.

Step 2: Create a Simple Notification Service (SNS) topic in order to send notifications whenever the CloudWatch billing alarm fires

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name (optional) for the topic and click Create Topic.

05 Select the newly created SNS topic by clicking on its ARN name:


06 Under Subscription section, click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 Enter the email address where to receive the billing alarm notifications and click Create Subscription.

09 Use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending notifications:

aws sns create-topic \
		--name MySNSTopic

02 The command output should return the new SNS topic ARN (Amazon Resource Name):

{
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:MySNSTopic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe the notification endpoint (in this case an email address) to the topic. For the email protocol the command returns "pending confirmation" as the subscription ARN, and SNS sends a confirmation message to that address:

aws sns subscribe \
		--topic-arn arn:aws:sns:us-east-1:123456789012:MySNSTopic \
		--protocol email \
		--notification-endpoint admin@domain.com

04 Either click the confirmation link in that message, or run confirm-subscription command (OSX/Linux/UNIX) with the token carried by that link to confirm the subscription. On success the command returns the subscription ARN; until the subscription is confirmed the alarm will fire but no email is delivered:

aws sns confirm-subscription \
		--topic-arn arn:aws:sns:us-east-1:123456789012:MySNSTopic \
		--token 4535392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da717322

Step 3: Create an AWS CloudWatch billing alarm that fires when your AWS charges exceed the threshold set

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, select Alarms then click the Create Alarm button from the dashboard top menu to initiate the alarm setup.

04 In the Create Alarm dialog box, under Billing Metrics, click By Service link.

05 On the Select Metric page, under Billing > By Service section, select an AWS service that you want to monitor for estimated charges (e.g. AmazonEC2) and click Next.

06 On the Define Alarm page, provide the following information:

  1. In the Alarm Threshold section, enter a unique name and a short description for the billing alarm using the Name and Description fields.
  2. In the Whenever charges for section, select >= (greater than or equal to) from the is dropdown list and in the USD $ box enter the threshold limit value in USD that will trigger the alarm and send an email when this is exceeded.
  3. In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created at Step 2 from the Send notification to dropdown list.

07 Click Create Alarm to finish the billing alarm setup. Once created, the billing alarm will be available on the CloudWatch Alarms page.

Using AWS CLI

01 Run put-metric-alarm command (OSX/Linux/UNIX) to create the required CloudWatch billing alarm using the AWS SNS topic ARN as command parameter (if successful, the command does not return an output). The alarm must be created in us-east-1, because AWS publishes the AWS/Billing metrics in that region only. The ServiceName dimension restricts the alarm to one service (AmazonEC2 here, matching the console steps above); omit it to alarm on the account's total estimated charges:

aws cloudwatch put-metric-alarm \
		--region us-east-1 \
		--alarm-name BillingAlarm \
		--alarm-description "Billing Alarm for EC2 Monthly Estimated Charges" \
		--metric-name EstimatedCharges \
		--namespace AWS/Billing \
		--statistic Maximum \
		--comparison-operator GreaterThanOrEqualToThreshold \
		--evaluation-periods 1 \
		--dimensions Name=ServiceName,Value=AmazonEC2 Name=Currency,Value=USD \
		--period 21600 \
		--threshold 120 \
		--actions-enabled \
		--alarm-actions arn:aws:sns:us-east-1:123456789012:MySNSTopic
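As an added example that is not part of the Conformity page or its tooling, the following Python script expresses the Step 3 alarm settings as boto3 parameters, creates the alarm when called with credentials, and audits the output of `aws cloudwatch describe-alarms --region us-east-1 --output json` for a compliant billing alarm (the alarm itself can be verified from the CLI even though the Receive Billing Alerts preference cannot). The topic ARN, account ID, alarm names and the embedded describe-alarms document are constructed placeholders, not values from the page.

```python
"""Build, create and audit a CloudWatch billing alarm (added example, not the
Conformity page's own code). ARNs, names and the sample document are constructed."""
import json
import sys

# AWS publishes AWS/Billing metrics only in us-east-1, so the alarm must live there.
BILLING_REGION = "us-east-1"


def alarm_params(alarm_name, topic_arn, threshold_usd, service_name=None):
    """The Step 3 put-metric-alarm settings as boto3 put_metric_alarm kwargs.
    service_name="AmazonEC2" alarms on one service (the console "By Service" path);
    service_name=None alarms on the account's total estimated charges."""
    dimensions = [{"Name": "Currency", "Value": "USD"}]
    if service_name:
        dimensions.insert(0, {"Name": "ServiceName", "Value": service_name})
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": "Estimated charges >= %s USD" % threshold_usd,
        "MetricName": "EstimatedCharges",
        "Namespace": "AWS/Billing",
        "Statistic": "Maximum",
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "EvaluationPeriods": 1,
        "Period": 21600,  # billing data is published roughly every six hours
        "Threshold": float(threshold_usd),
        "Dimensions": dimensions,
        "ActionsEnabled": True,
        "AlarmActions": [topic_arn],
    }


def create_billing_alarm(alarm_name, topic_arn, threshold_usd, service_name=None):
    """Create the alarm with boto3 (needs AWS credentials; not exercised offline)."""
    import boto3  # imported here so the offline audit below needs no boto3

    cloudwatch = boto3.client("cloudwatch", region_name=BILLING_REGION)
    cloudwatch.put_metric_alarm(
        **alarm_params(alarm_name, topic_arn, threshold_usd, service_name))


def audit_billing_alarms(describe_alarms_output, region=BILLING_REGION):
    """Check parsed `aws cloudwatch describe-alarms` JSON and return
    {"compliant": [alarm names that pass], "findings": [human-readable problems]}."""
    compliant, findings = [], []
    for alarm in describe_alarms_output.get("MetricAlarms", []):
        if (alarm.get("Namespace") != "AWS/Billing"
                or alarm.get("MetricName") != "EstimatedCharges"):
            continue  # not a billing alarm
        problems = []
        # Region is the fourth field of arn:aws:cloudwatch:REGION:ACCOUNT:alarm:NAME
        if alarm.get("AlarmArn", "").split(":")[3:4] != [region]:
            problems.append("not in %s, the only region with AWS/Billing data" % region)
        if alarm.get("ComparisonOperator") not in (
                "GreaterThanOrEqualToThreshold", "GreaterThanThreshold"):
            problems.append("comparison operator does not fire on rising charges")
        if not alarm.get("Threshold", 0) > 0:
            problems.append("threshold is not a positive USD amount")
        if not alarm.get("ActionsEnabled"):
            problems.append("alarm actions are disabled")
        if not any(a.startswith("arn:aws:sns:") for a in alarm.get("AlarmActions", [])):
            problems.append("no SNS topic in AlarmActions, so nobody is notified")
        dims = {d["Name"]: d["Value"] for d in alarm.get("Dimensions", [])}
        if dims.get("Currency") != "USD":
            problems.append("missing Currency=USD dimension")
        if problems:
            findings.append("%s: %s" % (alarm["AlarmName"], "; ".join(problems)))
        else:
            compliant.append(alarm["AlarmName"])
    if not compliant:
        findings.append("no compliant billing alarm found in %s" % region)
    return {"compliant": compliant, "findings": findings}


def _sample(name, arn_region="us-east-1", **overrides):
    """One constructed describe-alarms entry; placeholders account/topic ARNs."""
    alarm = alarm_params(name, "arn:aws:sns:us-east-1:123456789012:MySNSTopic",
                         120, "AmazonEC2")
    alarm["AlarmArn"] = "arn:aws:cloudwatch:%s:123456789012:alarm:%s" % (arn_region, name)
    alarm.update(overrides)
    return alarm


# Constructed sample: one good alarm, one with notifications off, one in the wrong
# region, and an unrelated EC2 alarm that the audit must ignore.
SAMPLE_DESCRIBE_ALARMS = {"MetricAlarms": [
    _sample("BillingAlarm"),
    _sample("BillingAlarm-NoTopic", ActionsEnabled=False, AlarmActions=[]),
    _sample("BillingAlarm-EU", arn_region="eu-west-1"),
    {"AlarmName": "CPUHigh", "Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
     "AlarmArn": "arn:aws:cloudwatch:us-east-1:123456789012:alarm:CPUHigh"},
]}

if __name__ == "__main__":
    # Usage: aws cloudwatch describe-alarms --region us-east-1 --output json | python audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_ALARMS
    report = audit_billing_alarms(data)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["compliant"] else 1)
```

Piped real describe-alarms output, the script exits non-zero when no alarm in us-east-1 passes every check, which makes it usable as a CI or scheduled compliance gate; run without stdin it audits the constructed sample, where only BillingAlarm passes and the other two billing alarms are reported with the reason they fail.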


Publication date Aug 16, 2016