Introduction to AWS Security

[LAB] Create a billing alert to avoid surprise bills

Christophe January 30, 2023

Lab Details 👨‍🔬

  • Length of time: < 10 minutes
  • Cost: $0.00
  • Difficulty: Easy

Scenario 🧪

Before you complete any of our labs in this course, we highly recommend that you spend a few minutes going through this lab because it will teach you how to configure billing monitoring and alerting to notify you if your AWS bill ever exceeds what you expect to pay.

Some of our labs are free, while others can cost some amount of money. This will be clearly noted in each lab before you start so that there are no surprises and you can choose to skip the labs that cost money if you want.

With that said, sometimes, resources can continue to cost you money if you forget to turn them off or delete them, in which case you could end up with a surprise bill. These are the scary stories you’ve heard about on social media in regards to the cloud. This lab is designed specifically to help prevent that.

For example, if you are OK with spending up to $5.00 on labs for this course, you could set an alert that notifies you when you reach $5.00, or when you get close to it (say $4.00). That way, you can investigate and see if something was left running before you exceed $5.00. This is just an example number, and you can select whatever dollar value you’re comfortable with.

Let’s get started by following the steps below.

Enable Budgets (new and best way)

AWS has made it easier than ever to enable budgets that will notify you if your costs either exceed your set budget, or are estimated to exceed your budget.

You can create different kinds of budgets, like:

  • Zero spend budget – create a budget that notifies you once your spending exceeds $0.01
  • Monthly cost budget – create a budget that notifies if you exceed or are forecasted to exceed the budget amount, each month

There are a couple of other options but those are the two I would recommend for this course.

To enable, search for and click on “Budgets.”

You’ll then be able to select what kind of budget you want, and how you want to configure it:

These are my recommended settings, but if you don’t want to spend any money at all you would select a different option, or if you are OK with spending more than $30, you can increase the “Enter your budgeted amount ($)” value.

Then click on “Create budget” and you’re good to go!

Enable billing alerts (old and supplemental way)

This is how we used to create budget alarms before Budgets were an available feature in AWS. Feel free to still go through these steps if you’d like to learn about CloudWatch billing alerts — but this is optional.

  1. Log into your AWS account
  2. Pull up the billing dashboard (you can search for “billing”)
  3. Click on Billing Preferences in the left-bar menu
  4. Enable “Receive CloudWatch billing alerts”
  5. Save changes

Creating an alarm

  1. Search for the service “CloudWatch” and click on it
  2. Make sure your region is set to “N. Virginia” (billing metrics are stored in this region, so this is necessary)
  3. Click on “All alarms” in the left-bar menu
  4. Click on “Create alarm”
  5. Click on “Select metric”
  6. You should see a “Billing” option under “Metrics” but if you don’t, you can search for it in the search bar below “Metrics”
  7. Select “Total Estimated Charge”
  8. Select the row with the metric name “EstimatedCharges” and then click on “Select metric” in the bottom right
  9. Choose “Maximum” for the “Statistic” option if it’s not already
  10. You can keep the “Period” at “6 hours”
  11. For the “Threshold type” under “Conditions” you will want to select “Static”
  12. For the “Whenever EstimatedCharges is…” option, you can select whatever you’d like between Greater and Greater/Equal
    1. If you want to get notified when charges reach or exceed $5.00, then you would select “Greater/Equal”
    2. If you want to get notified when charges exceed $5.00, then you would select “Greater”
  13. Set your dollar value in the “than…” input box
  14. Expand the “Additional configuration” and make sure that you see:
    1. “Datapoints to alarm” “1 out of 1”
    2. “Missing data treatment” set to “Treat missing data as missing”
  15. Click on “Next”
  16. Under notification, make sure it’s set to “In alarm” and “Create new topic” for the SNS topic
  17. You can leave the default topic name if you’d like, then add your preferred email to receive the notification (you can add multiple emails)
  18. Click on “Create Topic”
  19. You should receive an email shortly after from “AWS Notification – Subscription Confirmation” → you will need to click on “Confirm subscription” which is their way of preventing spam.
    1. You should see a page that says “Subscription confirmed!”
    2. (If you don’t have the email yet, wait a few minutes and check you didn’t misspell the email or check your spam folder)
  20. Back to the AWS console, you can click on “Next”
  21. You can now name it something like “Billing threshold alarm” and you don’t have to put in a description
  22. Review your settings to make sure they look right, then “Create alarm”

Screenshot captions:

  • Step 2: Make sure you’re in US East region for this to work
  • Step 6: Billing Metric
  • Step 7: Look for “Total Estimated Charge” -> Select it -> Click on “Select Metric”

You will now see your brand-new alarm. Initially, it will say that the state is “insufficient data” but give it a minute or two, and it will change to “OK.” If you don’t see it after a couple of minutes, you can refresh the page.

Now that you have a billing alert, you will get notified based on the dollar value you set and on whether you selected “Greater” or “Greater/Equal.”
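The same alarm can be created through the API instead of the console. The following is an added example, not part of the original lab: it maps the console choices above onto boto3 `put_metric_alarm` parameters. The function names, the `billing-alerts` topic name and the sample ARN are assumptions; `create_billing_alarm` needs boto3, AWS credentials, and “Receive CloudWatch billing alerts” already enabled.

```python
"""Added example: the lab's console alarm settings as CloudWatch API parameters."""

BILLING_REGION = "us-east-1"  # N. Virginia: billing metrics are stored in this region


def billing_alarm_params(threshold_usd, topic_arn, inclusive=True,
                         name="Billing threshold alarm"):
    """Build put_metric_alarm arguments that mirror the console steps."""
    if threshold_usd <= 0:
        raise ValueError("threshold must be a positive dollar amount")
    return {
        "AlarmName": name,
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        # "Total Estimated Charge": only the Currency dimension, no per-service split
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 6 * 60 * 60,       # "6 hours", expressed in seconds
        "EvaluationPeriods": 1,
        "DatapointsToAlarm": 1,      # "1 out of 1"
        "TreatMissingData": "missing",
        # "Greater/Equal" fires at the threshold, "Greater" only above it
        "ComparisonOperator": ("GreaterThanOrEqualToThreshold" if inclusive
                               else "GreaterThanThreshold"),
        "Threshold": float(threshold_usd),
        "AlarmActions": [topic_arn],  # notify when the state is "In alarm"
    }


def create_billing_alarm(email, threshold_usd, inclusive=True,
                         topic_name="billing-alerts"):  # topic name is an assumption
    """Create the SNS topic, e-mail subscription and alarm in us-east-1."""
    import boto3  # imported lazily so the parameter builder works without it

    sns = boto3.client("sns", region_name=BILLING_REGION)
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    # The recipient must still click "Confirm subscription" in the e-mail.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    cloudwatch = boto3.client("cloudwatch", region_name=BILLING_REGION)
    cloudwatch.put_metric_alarm(
        **billing_alarm_params(threshold_usd, topic_arn, inclusive))
    return topic_arn


if __name__ == "__main__":
    import json
    # Constructed placeholder ARN; this only prints the request, it does not call AWS.
    sample_arn = "arn:aws:sns:us-east-1:111122223333:billing-alerts"
    print(json.dumps(billing_alarm_params(5.00, sample_arn), indent=2))
```

Calling `create_billing_alarm("you@example.com", 5.00)` with your own address and dollar value performs the topic, subscription and alarm steps in one go.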

Reviewing your costs

Of course, you don’t have to wait for an alarm to come through to check on how much you’re spending in AWS. You can go back to the Billing dashboard and you will see a summary on the main dashboard. It will show you:

  • Current month’s total forecast
  • Current MTD (Month-to-date) balance
  • Prior month for the same period with trend

You can also see additional breakdowns further down on this page, or in the “Cost explorer.” Feel free to check that out if you’re interested, but otherwise, let’s complete this lab!

If you have any issues with this lab, please comment below and we’ll take a look!

Responses

  1. Hello, I am stuck at step 6, search for bill indicates:
    Your search – billing – did not match any metrics.
    Tips:
    Tags such as EC2 instance name tags are not supported in metric search.
    Make sure that all words are spelled correctly.
    Try different keywords.
    Try fewer keywords.

    1. It can sometimes take a few minutes for metrics to show up after having created them, so that might be why. If you check again now and still don’t see it, try to go back through the steps from the start, and let me know if the issue persists!

  2. Will this be the same as setting up AWS Cost Management on your account? Because I still can’t get through step 6.

    1. I just double checked and it looks like AWS changed the user interface a little bit for enabling billing alerts. I’ve updated the steps above with a screenshot to show what needs to be enabled. Make sure you pull up the “Billing” dashboard, then click on “Billing Preferences” and then enable “Receive CloudWatch billing alerts.” Also make sure you are in the us-east-1 N. Virginia region. As long as you do that, you should see the Billing metric. This is something everyone has access to in AWS so we need to make sure this works for you!