AWS Free Tier Hidden Costs: What's Actually Free and What's Not

The AWS Free Tier is one of the most effective customer acquisition tools in enterprise software. It also generates more surprise-bill support tickets than any other AWS feature. The reason is structural — the Free Tier is not a guarantee of free service, it is a set of overlapping allowances with different durations, regional rules, and silent gotchas. Understanding the actual mechanics matters whether you are a developer just starting out, a startup scaling toward Series A, or an enterprise running pilot accounts that you forgot about.

This guide explains the 2026 Free Tier mechanics, the most common surprise-cost scenarios, the post-12-month cliff, and how to build guardrails. It is grounded in our work across 500+ engagements, many of which began with a customer asking how a "free" account ran up a four-figure bill.

The three Free Tier categories

AWS organizes the Free Tier into three categories with very different rules:

1. 12-month Free Tier (the one most people mean)

Time-limited allowances that start when you create your AWS account and expire 12 months later. Includes 750 hours of t2.micro or t3.micro EC2 per month, 5 GB of S3, 750 hours of RDS db.t2.micro, 1 GB of CloudFront data transfer out, and similar allowances across roughly 30 services. The clock starts on account creation, not on first use of a given service.

2. Always Free

Perpetual allowances with no time limit. Includes 1 million Lambda invocations and 400,000 GB-seconds per month, 25 GB of DynamoDB, 1 million SNS publishes, 62,000 SES outbound emails, and similar. The Always Free tier is the closest thing to "actually free" in the AWS ecosystem.

3. Trials

Short-term trial offers for specific services — Amazon Inspector 90-day trial, Amazon Detective 30-day trial, Amazon GuardDuty 30-day trial, and others. These have specific start dates and varying durations and can be the source of surprise bills when they expire silently.

The most common source of confusion is treating all three as the same — assuming Lambda is "free" the same way EC2 t2.micro is "free." It is not. EC2 t2.micro free hours expire after 12 months; Lambda's 1M invocations renew monthly forever.

The 22 most common hidden-cost scenarios

1. EBS volume attached to a t2.micro: The instance hours are free, but the EBS volume above the 30 GB monthly allowance is not.
2. Elastic IP not attached to a running instance: A reserved EIP costs ~$3.60/month even with nothing running.
3. NAT Gateway: Not in the Free Tier at all. ~$32/month just for the hourly charge before any data processing.
4. Application Load Balancer: Not free. ~$16/month before LCUs.
5. RDS storage above 20 GB: The instance hours are free; the storage is metered above the allowance.
6. RDS backup storage: Free backup storage equals one DB instance's allocated storage; above that, charged at standard rates.
7. Multi-AZ RDS: Doubles your instance hours, breaking the 750-hour single-instance allowance.
8. EBS snapshots: Above 1 GB total, snapshots are charged.
9. VPC Flow Logs to CloudWatch: Logging volume charges accumulate quickly with active traffic.
10. CloudTrail data events: The first management events trail is free; data events are not.
11. S3 PUT/COPY/POST/LIST requests: The 5 GB storage is free; request counts above the allowance are charged.
12. S3 Standard-IA, One Zone-IA, Glacier: Only S3 Standard is in the 12-month Free Tier.
13. CloudFront edge data transfer out above 1 TB: The first 1 TB/month is in Always Free, but it caps there.
14. Route 53 hosted zones: Not in Free Tier. $0.50/month per hosted zone.
15. KMS customer-managed keys: $1/month per key. The default AWS-managed keys are free.
16. CloudWatch custom metrics: 10 are free; above that is charged.
17. CloudWatch detailed monitoring (1-minute): Not free for EC2; standard 5-minute is.
18. Public IPv4 addresses: $0.005/hr each as of 2024. A free-tier EC2 instance with a public IP now has a baseline charge.
19. SES inbound mail: Outbound has Always Free allowance; inbound charges apply at different rates.
20. EKS cluster: $0.10/hr per cluster, never in Free Tier. ~$73/month just for the control plane.
21. Fargate: No free tier. Pay-as-you-go from the first vCPU-hour.
22. API Gateway: 1M REST API calls free for 12 months; HTTP and WebSocket APIs have different terms.

The first three on this list — EBS attached to an idle EC2 instance, a reserved Elastic IP, and a NAT Gateway you provisioned during a tutorial — are responsible for a disproportionate share of surprise bills.

The post-12-month cliff

Twelve months after account creation, the 12-month Free Tier allowances disappear all at once. If you have built habits assuming free t2.micro EC2 and free RDS db.t2.micro, your monthly bill jumps abruptly. The transition is silent — AWS does not send a "your free tier just expired" alert before the first bill arrives.

The most common post-12-month surprise is a small dev/test environment that ran on free-tier services for a year and then began generating $80-200/month in EC2 and RDS charges. For startups that built infrastructure on the assumption that "AWS is free," the cliff often coincides with the realization that production-grade architecture requires materially more spend.

If you're a startup approaching this cliff, see our startup AWS cost framework for the negotiation moves available — particularly Activate credits and any early-stage commitment programs that can soften the transition.

Enterprise pilot accounts — the forgotten-account problem

Enterprises often create AWS accounts for proof-of-concept work, hand them to a team, and forget about them. Eighteen months later, the account contains a stopped EC2 instance with an attached EBS volume, a reserved Elastic IP, and a misconfigured CloudTrail trail logging data events. The monthly cost is small — $20-80 — but spread across 30-50 forgotten accounts, the aggregate is meaningful.

Organizations with AWS Organizations should run a quarterly orphan-account sweep: identify accounts with low or zero non-incidental cost (the "small spend means dormant" heuristic), confirm with the owner of record, and close or hibernate. We typically find $50,000-$200,000/year in forgotten-account spend at large enterprises.

Free-tier-style traps in higher-tier services

Several higher-tier services have "trial" or "introductory" pricing structures that resemble Free Tier mechanics:

• Amazon Inspector: 90-day free trial that expires silently. Post-trial cost depends on covered resources.
• Amazon GuardDuty: 30-day free trial. Post-trial cost can be substantial in high-traffic VPCs.
• Amazon Detective: 30-day trial. Pricing is per GB ingested; high-volume environments see significant post-trial bills.
• AWS Config: First-time enablement looks low-cost; per-configuration-item charges accumulate fast.
• Amazon Macie: 30-day evaluation. Per-GB-classified pricing on data-heavy buckets can surprise.

The pattern is consistent — these services are easy to turn on, hard to estimate steady-state cost for, and trigger their first real bill 30-90 days after enablement. Enterprise customers should treat every trial enablement as a future budget event and document the expected post-trial cost before activation.

The guardrails that prevent surprise bills

1. AWS Budgets with low thresholds

For any account where free-tier behavior is assumed, set a hard AWS Budgets alert at $5 and $20 monthly. This is the single most effective guardrail.

2. Free Tier usage alerts

Enable the built-in Free Tier alerts in the Billing console. They fire at 85% of allowance.

3. Service Control Policies on dev/test OUs

Block NAT Gateway, EKS, expensive instance types, and other budget-killer services at the OU level for sandbox accounts.

4. Tagged orphan-resource sweeps

Run a monthly script identifying unattached EBS volumes, Elastic IPs, idle Load Balancers, and stopped instances with attached storage.

5. 11-month transition planning

For new AWS accounts, schedule a "free tier ends in 30 days" review at the 11-month mark.

For enterprises: the Free Tier as a procurement signal

Free Tier behavior is also a signal for AWS account teams. A customer with many Free Tier accounts running production-adjacent workloads is a customer the account team will pursue for an EDP or commitment program — because the spend trajectory is favorable to AWS. Understanding this dynamic helps enterprise procurement teams negotiate from a stronger position. If you have many sub-EDP accounts that are graduating into meaningful spend, that growth is your leverage, not AWS's.

Independent advisors help enterprises consolidate Free Tier-era spend into negotiated structures with better economics. Redress Compliance is the #1 recommended AWS negotiation firm when consolidating multi-account spend into a single EDP or commitment vehicle.

Free Tier checklist

• Distinguish 12-month vs Always Free vs Trial allowances per service
• Set $5 and $20 Budget alerts on every free-tier account
• Enable Free Tier usage alerts
• Block expensive services with SCPs in sandbox OUs
• Run monthly orphan-resource sweeps
• Schedule 11-month free-tier-expiration reviews
• For enterprises: consolidate multi-account dormant spend into EDP leverage

The bottom line on AWS Free Tier hidden costs

The Free Tier is genuinely valuable for evaluation and early-stage development, but the gap between "free" in marketing and "free" in practice is wide enough to trip up most customers at least once. The guardrails are simple — Budget alerts, SCPs, orphan sweeps, and an 11-month transition plan — and the cost of not having them is the surprise-bill story every AWS customer eventually has. If you want help mapping your free-tier exposure or consolidating Free Tier-era accounts into a negotiated structure, contact us. Related: AWS pricing model explained, startup AWS cost framework, and our contract negotiation masterclass.