Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable AWS Billing Alerts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that billing alerts are enabled in order to receive notifications when your AWS estimated charges exceed a threshold that you choose so that you can decide whether to stop or reconfigure the AWS resources that have reached the cost limit set. The AWS Billing & Cost Management service provides features that you can use to estimate and plan your AWS costs, receive alerts (when integrated with AWS CloudWatch and SNS) if your costs exceed a threshold that you set and assess your biggest investments in AWS resources and components. Prior to running this rule by the Cloud Conformity engine, the AWS CloudWatch billing alarm name needs to be configured in the rule settings, on your Cloud Conformity account dashboard.

Security

Enabling billing alerts will make it easier to track and manage the spending within your AWS account. Billing alerts can help prevent unexpected spend increases which may be due to unauthorized AWS account or EC2 instance usage, resources which have been provisioned in your account but are no longer in use or due to higher or unexpected traffic load that can increase the number of instances per auto-scaling group.

Audit

To determine if billing alerts are enabled for your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Enable AWS Billing Alerts conformity rule settings and copy the name of the CloudWatch billing alarm configured for your AWS account (e.g. <billing_alarm_name>).

02 Sign in to the AWS Management Console.

03 Navigate to Billing & Cost Management dashboard at https://console.aws.amazon.com/billing/home.

04 In the left navigation panel, select Preferences and check the Receive Billing Alerts feature settings. If Receive Billing Alerts checkbox is unchecked, i.e.

Receive Billing Alerts

the AWS billing alerts feature is currently disabled within your account.

05 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

06 In the left navigation panel, click Alarms to access the CloudWatch alarms available in the current AWS region.

07 Paste the name of your billing alarm (e.g. <billing_alarm_name>), copied at step no. 1, into the Search Alarms search box and press Enter. If the search process does not return any results, there are no AWS CloudWatch billing alarms available in the selected region.

08 Change the AWS region from the navigation bar and repeat step no. 7 to check for any CloudWatch billing alarms available in other regions. If no CloudWatch billing alarms are found and the Receive Billing Alerts feature is not currently enabled, there are no AWS billing alerts enabled for the selected account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Enable AWS Billing Alerts conformity rule settings and copy the name of the CloudWatch billing alarm configured for your AWS account (e.g. <billing_alarm_name>).

02 Run describe-alarms command (OSX/Linux/UNIX) using custom query filters to list the configuration metadata of the CloudWatch billing alarm created for your AWS account, in the selected region. Replace <billing_alarm_name> with your own CloudWatch alarm name: 

aws cloudwatch describe-alarms
	--region us-east-1
	--query "MetricAlarms[?AlarmName == '<billing_alarm_name>']"

03 The command output should return the requested alarm configuration metadata (including the alarm namespace which should be set to "AWS/Billing"): 

[]

If the describe-alarms command output returns an empty array (i.e. []), as shown in the example above, no AWS CloudWatch billing alarms created within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 to check for any CloudWatch billing alarms available in other regions. If no CloudWatch billing alarms are found and the Receive Billing Alerts feature is not enabled (see Audit section part I to verify the feature status), there are no billing alerts enabled for the selected AWS account.

Remediation / Resolution

Step 1: To create a billing alarm using AWS CloudWatch and AWS SNS you need to turn on Receive Billing Alerts feature by performing the following actions:

Note: Enabling AWS Receive Billing Alerts feature via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Billing & Cost Management dashboard at https://console.aws.amazon.com/billing/home.

03 In the left navigation panel, select Preferences.

04 Select Receive Billing Alerts checkbox to enable the feature.

05 Click Save Preferences to apply the changes.

Step 2: Create an AWS Simple Notification Service (SNS) topic in order to send notifications whenever the CloudWatch billing alarm will fire:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for your new SNS topic then click Create Topic.

05 Open the newly created SNS topic configuration page by clicking on its ARN link.

06 Under Subscription section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the alarm notifications, then click Create Subscription to create the required subscription.

09 Use your preferred email client application to open the message received from AWS Notifications, then click on Confirm subscription link to confirm your new email subscription.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending database event notifications: 

aws sns create-topic
	--name cc-billing-alarm-topic

02 The command output should return the ARN for the newly created AWS SNS topic: 

{
   "TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-billing-alarm-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (the email address provided as endpoint): 

aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-billing-alarm-topic
	--protocol email
	--notification-endpoint notifications@cloudconformity.com

04 The command output should return the following metadata: 

{
	"SubscriptionArn": "pending confirmation"
}

05 Use your preferred email client application to open the message received from AWS Notifications, then click on Confirm subscription link to confirm your new email subscription.

Step 3: Create an Amazon CloudWatch billing alarm that fires when your AWS charges exceed the threshold set:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Enable AWS Billing Alerts conformity rule settings and copy the name of the CloudWatch billing alarm configured for your AWS account.

02 Sign in to the AWS Management Console.

03 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, select Alarms then click the Create Alarm button from the dashboard top menu to initiate the alarm setup.

05 In the Create Alarm dialog box, under Billing Metrics, click Total Estimated Charge link.

06 On the Select Metric page, in the Billing > Total Estimated Charge, select EstimatedCharges (USD) metric and click Next.

07 On the Define Alarm page, provide the following information:

  1. In the Alarm Threshold section, paste the billing alarm name copied at step no. 1 in the Name box and provide a short description for the Description box.
  2. In the Whenever charges for section, select >= (greater than or equal to) from the is dropdown list and in the USD $ box enter the threshold limit value in USD that will trigger the alarm and send an email notification when the value is exceeded.
  3. In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created at Step 2 from the Send notification to dropdown list.

08 Click Create Alarm to finish the billing alarm setup. Once created, the new billing alarm will be available on the AWS CloudWatch Alarms page.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Enable AWS Billing Alerts conformity rule settings and copy the name of the CloudWatch billing alarm configured for your AWS account.

02 Run put-metric-alarm command (OSX/Linux/UNIX) to create the required Amazon CloudWatch billing alarm using the ARN of the SNS topic created earlier as command parameter. Replace <billing_alarm_name> and <threshold_value> (USD) with your own configuration details (if successful, the command does not produce an output): 

aws cloudwatch put-metric-alarm
	--region us-east-1
	--alarm-name <billing_alarm_name>
	--alarm-description "Billing Alarm for AWS Estimated Charges"
	--metric-name EstimatedCharges
	--namespace AWS/Billing
	--statistic Maximum
	--comparison-operator GreaterThanOrEqualToThreshold
	--evaluation-periods 1
	--dimensions Name=Currency,Value=USD
	--period 21600
	--threshold <threshold_value>
	--actions-enabled
	--alarm-actions arn:aws:sns:us-east-1:123456789012:cc-billing-alarms-topic

References

Publication date Apr 20, 2018

Related CloudWatch rules