I'd love it if at a glance I could see all of the AWS resources that I am using that cost me money, across all the regions.
Right now I feel like I would have to poke into every menu option in every region across the entire set of AWS services to find out exactly what I'm using.
The cynic in me wonders if this is not a priority for AWS because they make so much money from forgotten and hard to find resources that are being used and paid for but essentially lost in the interface.
When I saw the new product name I thought "maybe this is it!"
The billing API tells you about resources that have charged you, whereas I think the parent comment is talking about resources that are either “active” in some sense where they will charge you at some point in the future for the usage you’re accruing (but where this usage isn’t metered in a way visible to the billing API until it “commits” somehow); or, worse, resources which are “exposed” in some sense where they could charge you if they received a request, but happen to not have received any yet. (These resources are very easy to lose track of.)
Another way to think of this question is “what is my current exploitable attack surface, against the ‘attack’ of causing AWS to charge me lots of money?”
This isn't really true. Billing opacity scares off small clients (it's one of the biggest reasons that, as a consultant, my clients leaned away from AWS) and can make larger clients consider diversification or divestiture.
I had a key compromise. They spun up resources across the world. I had to go on a safari to hunt and kill all the things they created in each region. I would’ve loved to of had a single view to see all the resources running across all regions. That would’ve been super helpful.
This is one thing that GCP has done so brilliantly right - the projects structure. From an organisation point of view, this is the most seamless way of managing billing+access , instead of mucking about ARN crap.
It's puzzling that AWS has still not been able to roll this out. What's so hard ? roll out projects and put all existing customers in a default project.
This looks like a public facing version of a tool that AWS uses internally, which is great. Super easy tool to setup and govern AWS accounts, and also access the accounts to which you have access. I always wondered why they didn't sell it to their customers but I guess now they will!
AWS is pushing Organizations/Accounts as something like GCP's Projects and it mostly works, cross account iam works pretty good, so does many other services but sadly this is not reflected in the support subscriptions.
You want help with a problem in your staging account? pay for support, fair enough. You want help with your production? oh sorry, you have to pay again.
Business support has pricing that drops as a percentage as your spend goes up, like Enterprise, but does not allow you aggregate across accounts like enterprise.
It's only 10% for the first $10K. 7% for the portion up to $80K, 5% for the portion up to $250K, and 3% beyond that. (Enterprise has the same kind of %age ranges but cutoffs of $150K/$500K/$1M and the bottom range doesn't really matter because the hard minimum is $15K/mo.)
You do have that option at the Enterprise level (and since there is no cost curve at the Basic or Developer level, it would be meaningless there, so Business is the only level that lacks the option but would make it meaningful.)
This is like most other AWS products that end up being an automated bunch of scripts that wire up functionality for you rather than being a full-fledged product.
GCP organizations, folders, projects, and IAM system is far better than anything in AWS or Azure.
I find this aspect of aws annoying - it can be hard to cleanup after these products - they litter service accounts and templates everywhere. I tried gcp very early on and struggled to get IAM granularity but perhaps it has improved
As of now, GCP has some updated (more fine-grained) permissions, custom roles and has cleaned up how service accounts are created and used by GCP services. Using orgs/projects to cascade the correct permissions is now much easier.
AWS IAM can still give you more advanced rules but is just hard to manage, especially across lots of accounts.
I'll try GCP out again. Their App Engine runtimes also look to have been updated. I use AWS Fargate and like letting someone else worry about some of the nuts and bolts.
> You want help with a problem in your staging account? pay for support, fair enough. You want help with your production? oh sorry, you have to pay again.
That's not how it works for us. We have numerous accounts, all under the same support plan. We just let our rep know we have these accounts, and they add our existing support plan to it. After all, we are one client.
Edit: Occurred to me I should point out that we have Enterprise support.
Sorry but I've never felt that Amazon is completely operating in good faith with regards to allowing users to manage their costs. The proof of that is the fact that they still don't have a page where you can see the price of an ec2 instance alongside its stats. I've been wanting to see that for ten years and they still haven't added it.
Pricing is definitely a hard topic, and we can do more to make it easier. However, with regards to your second comment, are you looking for something more than this page [1]
I love that AWS is starting to care more about providing these services. For context, we have basically been building this for 2 years in our company internally to provide hundreds of “compliant by default” accounts. Every company seems to do it themselves.
What I personally find very frustrating is the lack of being able to migrate any existing organisations into this. I’d love to get rid of some of our account provisioning but this would basically mean starting over with a brand-new AWS Organization which is impossible for us.
It still is quite a hassle to manage many accounts (and resources you need in them) so I hope this service will sooner or later help us with this.
PS: if anyone is over at re:Inforce and wants to talk about anything AWS Orgs & accounts, feel free to mail me (profile)!
I also worked on a team that built something similar, and I've seen it done in other companies. With services like this, and others like Transit Gateway, it's getting a lot easier to manage multiple accounts and VPCs. I haven't tried AWS Control Tower yet, but I am hoping it gives easy visibility into all the accounts in one place. With Amazon accounts, once you assume a role into an account, you can't see other accounts without switching back into them.
This is one area where I think GCP got it right. By using organizations and projects within one account instead of having parent and child accounts, it's quite a bit easier to see what's going on. And a parent account has a very different role from child accounts, so it makes sense to treat them as separate things.
> You tried to use an account that is a member of an organization in AWS Organizations. To set up your AWS Control Tower landing zone, use an account that is not a member of an organization.
Looks like it’s only feasible if you’re starting from scratch.
Thank you AWS. In the meantime, if you could offer me just one basic setting that users have been asking for years (hard limit on your spending), it would be even better.
(Assuming no malicious intent from AWS) One of the reasons this is probably hard is probably because a lot of services didn't start out with having resource constraints.
So now if you support something like a "hard-billing-cap", every single service in AWS has to support it. That's a huge stone to move - it could even be in the works today.
There's also no good way for most services to support it since storing data costs money and presumably you don't want AWS to wipe your data when you hit your spending cap.
How would hard limits work? Do all your ec2 instances shut down? Do your s3 buckets and their data get deleted? Do you snapshots and EBS volumes get deleted? There's no way to pause these things since they still costs AWS money.
You don’t let people start up the service if it will exceed a cost quota. For ec2 that should be easy since the cost ticks at a constant rate and can be extrapolated in advance, but yeah other usage based services like s3 and network traffic that won’t work.
>but yeah other usage based services like s3 and network traffic that won’t work.
I think this is the major problem. It's conceptually easy to say 'Yeah no more spinning up ec2 instances' or whatever, but the only way to deal with hitting that cap for things like network traffic or storage services is just turning off network access or deleting the files. I can't imagine many businesses are going to go for "hey if you set a cap and you exceed it we fix it by deleting your stuff and taking down network availability." - that's going to be a total nonstarter in so many situations! But that's what would be required to actually set a spending cap on an account.
That sort of decision really needs to be made by a human as it's happening - is the spike in usage legitimate? Is it your customers driving the demand? Is it unwanted traffic? Is it an autoscaling group gone wrong? etc. etc. etc.
My suggestion is setting up CW billing alarms at several thresholds, to try and stay ahead of this before it reaches that point, with paging on the highest threshold where it's about at the point where you'd consider turning things off. Then you should hopefully be able to take care of unexpected expenses before they're problematic, but also ready to engage someone to make the tough decisions instead of just automatically taking yourself down.
Not really, that thread is asking for a limit on S3 traffic serving (ie: bandwidth used). That doesn't cap the account spend nor does it delete data (and you will continue to be charged for data storage, requests, etc.).
The thread has a limited and reasonable request which is totally separate from account spend limits.
> For ec2 that should be easy since the cost ticks at a constant rate and can be extrapolated in advance,
Only if you don't use auto-scaling of any kind and you can already set up budgets which will alert you if your usage is expected to go above some thresholds.
50 comments
[ 5.4 ms ] story [ 114 ms ] threadRight now I feel like I would have to poke into every menu option in every region across the entire set of AWS services to find out exactly what I'm using.
The cynic in me wonders if this is not a priority for AWS because they make so much money from forgotten and hard to find resources that are being used and paid for but essentially lost in the interface.
When I saw the new product name I thought "maybe this is it!"
Another way to think of this question is “what is my current exploitable attack surface, against the ‘attack’ of causing AWS to charge me lots of money?”
Don't see any missing functionality but our use case may not be complex enough.
https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/fi...
Regions and tags are optional, which will show you everything.
And several others.
This is one thing that GCP has done so brilliantly right - the projects structure. From an organisation point of view, this is the most seamless way of managing billing+access , instead of mucking about ARN crap.
It's puzzling that AWS has still not been able to roll this out. What's so hard ? roll out projects and put all existing customers in a default project.
It only works regionally, but it's better than nothing.
You want help with a problem in your staging account? pay for support, fair enough. You want help with your production? oh sorry, you have to pay again.
In a sense this is a good thing since support is percentage based and you may want a higher level for support for production than staging.
It's only 10% for the first $10K. 7% for the portion up to $80K, 5% for the portion up to $250K, and 3% beyond that. (Enterprise has the same kind of %age ranges but cutoffs of $150K/$500K/$1M and the bottom range doesn't really matter because the hard minimum is $15K/mo.)
GCP organizations, folders, projects, and IAM system is far better than anything in AWS or Azure.
AWS IAM can still give you more advanced rules but is just hard to manage, especially across lots of accounts.
That's not how it works for us. We have numerous accounts, all under the same support plan. We just let our rep know we have these accounts, and they add our existing support plan to it. After all, we are one client.
Edit: Occurred to me I should point out that we have Enterprise support.
Pricing is definitely a hard topic, and we can do more to make it easier. However, with regards to your second comment, are you looking for something more than this page [1]
[1] https://aws.amazon.com/ec2/pricing/on-demand/
It provides both pricing and product information, so you can build your own dashboard/tooling if you want to.
What I personally find very frustrating is the lack of being able to migrate any existing organisations into this. I’d love to get rid of some of our account provisioning but this would basically mean starting over with a brand-new AWS Organization which is impossible for us.
It still is quite a hassle to manage many accounts (and resources you need in them) so I hope this service will sooner or later help us with this.
PS: if anyone is over at re:Inforce and wants to talk about anything AWS Orgs & accounts, feel free to mail me (profile)!
This is one area where I think GCP got it right. By using organizations and projects within one account instead of having parent and child accounts, it's quite a bit easier to see what's going on. And a parent account has a very different role from child accounts, so it makes sense to treat them as separate things.
> You tried to use an account that is a member of an organization in AWS Organizations. To set up your AWS Control Tower landing zone, use an account that is not a member of an organization.
Looks like it’s only feasible if you’re starting from scratch.
So now if you support something like a "hard-billing-cap", every single service in AWS has to support it. That's a huge stone to move - it could even be in the works today.
I think this is the major problem. It's conceptually easy to say 'Yeah no more spinning up ec2 instances' or whatever, but the only way to deal with hitting that cap for things like network traffic or storage services is just turning off network access or deleting the files. I can't imagine many businesses are going to go for "hey if you set a cap and you exceed it we fix it by deleting your stuff and taking down network availability." - that's going to be a total nonstarter in so many situations! But that's what would be required to actually set a spending cap on an account.
That sort of decision really needs to be made by a human as it's happening - is the spike in usage legitimate? Is it your customers driving the demand? Is it unwanted traffic? Is it an autoscaling group gone wrong? etc. etc. etc.
My suggestion is setting up CW billing alarms at several thresholds, to try and stay ahead of this before it reaches that point, with paging on the highest threshold where it's about at the point where you'd consider turning things off. Then you should hopefully be able to take care of unexpected expenses before they're problematic, but also ready to engage someone to make the tough decisions instead of just automatically taking yourself down.
Nevertheless, that's exactly what people have been asking for several years. See this thread for example (and many others): https://forums.aws.amazon.com/thread.jspa?threadID=58127&sta...
The thread has a limited and reasonable request which is totally separate from account spend limits.
Only if you don't use auto-scaling of any kind and you can already set up budgets which will alert you if your usage is expected to go above some thresholds.