Cost Anomaly Detection Findings

Risk Level: Medium (should be achieved)

Rule ID: CostExplorer-002

Check for any spend anomaly identified by Amazon Cost Anomaly Detection within your AWS cloud account and analyze and determine the root cause of the anomaly, such as account, service, region, or usage type that is driving the cost increase. Anomaly Detection is a new feature within AWS Cost Explorer that uses custom-built machine learning (ML) models to continuously monitor your AWS cloud cost and usage to detect unusual spends.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity solution.

Cost
optimisation

Amazon Cost Anomaly Detection helps detect irregular AWS spend outside regular usage patterns. Through Cost Anomaly Detection findings, you can quickly identify the root cause of cost and usage spikes. This helps you save time in investigating anomalous spend and allows you to better understand your AWS cost drivers based on seasonally-aware patterns (e.g. weekly).

Audit

To check your AWS account for Cost Anomaly Detection findings, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Cost Management console at https://console.aws.amazon.com/cost-management/home.

03 In the navigation panel, under AWS Cost Management, choose Anomaly Detection to access the list of anomaly detection cost monitors available in your AWS account. If there are no monitors listed on the Anomaly Detection page, follow the steps outlined in the Cost Anomaly Detection Monitor in Use conformity rule to create Cost Anomaly Detection monitors. If one or more Cost Anomaly Detection monitors are listed in the Cost monitors section, click on the name of the cost monitor that you want to examine, to access the cost anomalies detected by the selected monitor.

04 On the selected monitor overview page, check the Anomalies detected section for the list of AWS cost anomalies (findings) detected in the last 90 days. If one or more cost anomalies are listed in the Anomalies detected section, there are one or more Amazon Cost Anomaly Detection findings that need to be analyzed and solved within your AWS account.

05 Repeat step no. 3 and 4 for each Cost Anomaly Detection monitor available in your AWS cloud account.

Using AWS CLI

01 Run get-anomaly-monitors command (OSX/Linux/UNIX) with custom query filters to retrieve the Amazon Resource Name (ARN) of each cost anomaly monitor created for your AWS account:

aws ce get-anomaly-monitors
    --query 'AnomalyMonitors[*].MonitorArn'

02 If the get-anomaly-monitors command output returns an empty array (i.e. []), there are no cost anomaly monitors currently available within your AWS account, therefore you can follow the steps outlined in the Cost Anomaly Detection Monitor in Use conformity rule to create Cost Anomaly Detection monitors. Otherwise, the command output should return the requested monitor ARN(s):

[
"arn:aws:ce::123456789012:anomalymonitor/aaaabbbb-cccc-aaaa-bbbb-aaaabbbbcccc",
"arn:aws:ce::123456789012:anomalymonitor/aabbccdd-abcd-abcd-abcd-aabbccddaabb"
]

03 Run get-anomalies command (OSX/Linux/UNIX) using the ARN of the Cost Anomaly Detection monitor that you want to examine as identifier parameter to retrieve the IDs of the cost anomalies detected within your account, during the time period specified by the --date-interval command parameter:

aws ce get-anomalies
    --monitor-arn arn:aws:ce::123456789012:anomalymonitor/aaaabbbb-cccc-aaaa-bbbb-aaaabbbbcccc
    --date-interval StartDate="2020-08-21",EndDate="2020-11-21"
    --query 'Anomalies[*].AnomalyId'

04 The command output should return the IDs of the cost anomalies detected by the selected monitor, or an empty array (i.e. []) if there are no cost anomalies found:

[
    "abcdabcd-1234-1234-1234-abcdabcdabcd",
    "abcd1234-abcd-1234-abcd-1234abcd1234"
]

If the array returned by the get-anomalies command output contains the ID of one or more cost anomalies (findings), as shown in the example above, there are one or more Amazon Cost Anomaly Detection findings that need to be analyzed and resolved within your AWS account.

05 Repeat step no. 3 and 4 for each Cost Anomaly Detection monitor created in your AWS cloud account.

Remediation / Resolution

To access, analyze and solve the Amazon Cost Anomaly Detection findings detected within your AWS cloud account, perform the following operations:

Note: As example, this section demonstrates how to analyze an AWS cost anomaly detected in your AWS account because the S3 STANDARD storage usage is much higher than expected due to incomplete multipart uploads in one of your Amazon S3 buckets. To solve the issue that caused the cost anomaly, an S3 bucket lifecycle rule is created and configured to automatically abort any incomplete multipart uploads older than a specified age.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Cost Management console at https://console.aws.amazon.com/cost-management/home.

03 In the navigation panel, under AWS Cost Management, choose Anomaly Detection to access the list of anomaly detection cost monitors available in your AWS account.

04 In the Cost monitors section, click on the name of the cost monitor that you want to access.

05 Choose the cost anomaly that you want to examine by clicking on the anomaly detection date, listed in the Anomalies detected section.

06 On the selected cost anomaly page, in the Anomaly details section, examine the cost anomaly finding by analyzing its details:

Summary – a succinct description of the selected cost anomaly which includes the detection date, the number of potential root causes, and the estimated cost impact.
Potential root cause #<n> – the root cause of the anomaly which indicates the name of the AWS service, the AWS Account ID, the AWS region, and the usage type that is driving that unusual spend increase. There may be multiple root causes occurring at once. In these cases, Amazon Cost Anomaly Detection service will provide the most prevalent two root causes.
Additional details – additional information provided by AWS for the detected anomaly such as the date of occurrence, the duration, and the name and type of the monitor that detected the cost anomaly.

07 Based on the information returned at the previous step you can analyze the selected cost anomaly finding and solve the root issue that caused the cost anomaly. In this case, the root issue that caused the AWS cost anomaly can be fixed by implementing an Amazon S3 bucket lifecycle policy rule that automatically removes any incomplete multipart uploads older than one day. An S3 lifecycle rule is used to define the actions that Amazon S3 can take during an object's lifetime such as transitioning objects to another storage class, archiving them, or deleting them after a specified period of time. To create and configure the lifecycle policy rule for the required Amazon S3 bucket, perform the following actions:

Navigate to Amazon S3 console at https://console.aws.amazon.com/s3.
Click on the name (link) of the S3 bucket that you want to reconfigure.
Select the Management tab, choose Lifecycle rules panel, and click on Create lifecycle rule to initiate the rule setup.
On the Create lifecycle rule configuration page, perform the following:
- For Lifecycle rule name, provide a unique name for the new lifecycle rule.
- For Choose a rule scope, choose This rule applies to all objects in the bucket to apply the new lifecycle rule to all the objects within the selected S3 bucket. Select I acknowledge that this rule will apply to all objects in the bucket checkbox for confirmation.
- Under Lifecycle rule actions, choose Delete expired delete markers or incomplete multipart uploads to remove all incomplete multipart uploads from the selected Amazon S3 bucket.
- Under Delete expired delete markers or incomplete multipart uploads, select Delete incomplete multipart uploads configuration checkbox. In the Number of days box, enter the number of days after which the incomplete multipart uploads are permanently deleted.
- Click Create to deploy the new Amazon S3 bucket lifecycle policy rule.

08 (Optional) As you evaluate your cost anomalies, you have the ability to submit feedback on each anomaly. This not only helps you keep track of which anomalies have you already evaluated, but also helps Amazon Cost Anomaly Detection improve to be more tailored to your assessments and preferences. To provide feedback, return to the selected cost anomaly page, choose Submit assessment, select the appropriate assessment, and choose Submit.

09 Repeat steps no. 5 – 8 for each cost anomaly finding detected by the selected cost monitor.

10 Repeat steps no. 4 – 9 for each Cost Anomaly Detection monitor available in your AWS cloud account.

Using AWS CLI

01 Run get-anomalies command (OSX/Linux/UNIX) using the ARN of the Cost Anomaly Detection monitor that you want to examine as identifier parameter to describe each cost anomaly finding detected within your AWS account, during the time period specified by the --date-interval command parameter:

aws ce get-anomalies
    --monitor-arn arn:aws:ce::123456789012:anomalymonitor/aaaabbbb-cccc-aaaa-bbbb-aaaabbbbcccc
    --date-interval StartDate="2020-08-21",EndDate="2020-11-21"

02 The command output should return all the cost anomaly findings detected in your AWS cloud account. Each anomaly includes information for the date of occurrence, duration, financial impact, and root cause (if this data is available):

{
    "Anomalies": [
        {
            "Impact": {
                "TotalImpact": 85.07,
                "MaxImpact": 85.07
            },
            "AnomalyId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
            "MonitorArn": "arn:aws:ce::123456789012:anomalymonitor/aaaabbbb-cccc-aaaa-bbbb-aaaabbbbcccc",
            "AnomalyEndDate": "2020-11-18T00:00:00Z",
            "DimensionValue": "Amazon Simple Storage Service",
            "RootCauses": [
                {
                    "Region": "ap-southeast-2",
                    "UsageType": "APS2-TimedStorage-ByteHrs",
                    "LinkedAccount": "123456789012",
                    "Service": "Amazon Simple Storage Service"
                }
            ],
            "AnomalyStartDate": "2020-11-18T00:00:00Z",
            "AnomalyScore": {
                "CurrentScore": 0.91,
                "MaxScore": 0.91
            }
        },
        {
            "Impact": {
                "TotalImpact": 14.38,
                "MaxImpact": 14.38
            },
            "AnomalyId": "abcd1234-abcd-1234-abcd-1234abcd1234",
            "MonitorArn": "arn:aws:ce::123456789012:anomalymonitor/aaaabbbb-cccc-aaaa-bbbb-aaaabbbbcccc",
            "AnomalyEndDate": "2020-11-16T00:00:00Z",
            "DimensionValue": "Amazon Simple Email Service",
            "RootCauses": [
                {
                    "Service": "Amazon Simple Email Service"
                }
            ],
            "AnomalyStartDate": "2020-11-16T00:00:00Z",
            "AnomalyScore": {
                "CurrentScore": 0.15,
                "MaxScore": 0.15
            }
        }
    ]
}

03 For the get-anomalies command output returned at the previous step, examine each cost anomaly finding by analyzing its properties:

"Impact" – the estimated financial impact in USD.
"AnomalyEndDate" – the date of anomaly occurrence.
"DimensionValue" – the dimension for the cost anomaly.
"RootCauses" – the list of identified root causes for the anomaly. This includes the name of the AWS service, the AWS Account ID, the AWS region, and the usage type (e.g. "APS2-TimedStorage-ByteHrs") that is driving that unusual spend increase. There may be multiple root causes occurring at once. In these cases, Amazon Cost Anomaly Detection will list the most prevalent two root causes.
"AnomalyStartDate" – the first day the cost anomaly is detected.
"AnomalyScore" – the latest and maximum score for the anomaly.

04 Based on the information returned at the previous step choose to analyze one cost anomaly finding and solve the root issue that caused that anomaly. In this case, the root problem that caused the AWS cost anomaly can be mitigated by implementing an Amazon S3 bucket lifecycle policy rule that automatically removes any incomplete multipart uploads older than a specified age. To create the lifecycle policy rule for the required Amazon S3 bucket, run put-bucket-lifecycle-configuration command (OSX/Linux/UNIX). The following command request example creates an Amazon S3 lifecycle policy rule that deletes incomplete multipart uploads older than one day (the command does not produce an output):

aws s3api put-bucket-lifecycle-configuration
    --bucket cc-webapp-analytics
    --lifecycle-configuration '{
    "Rules": [
        {
            "Filter": {},
            "Status": "Enabled",
            "AbortIncompleteMultipartUpload": {
                "DaysAfterInitiation": 1
            },
            "Expiration": {
                "ExpiredObjectDeleteMarker": false
            },
            "ID": "cc-delete-incomplete-multipart-uploads"
        }
    ]
}'

05 Repeat steps no. 1 – 4 for each cost anomaly finding detected by the selected cost monitor.

06 Repeat steps no. 1 – 5 for each Cost Anomaly Detection monitor available within your AWS cloud account.

References

AWS Command Line Interface (CLI) Documentation
ce
get-anomaly-monitors
get-anomalies
s3api
put-bucket-lifecycle-configuration

Publication date Nov 24, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Cost Anomaly Detection Findings

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CostExplorer rules