AWS Free Tier Hidden Costs: What the Marketing Page Does Not Tell You
AWS Free Tier is genuinely useful but routinely produces surprise bills for startups, students, and POC teams. The hidden costs are predictable, the design patterns that trigger them are common, and the path to avoiding them is straightforward — once you know where to look.
AWS Free Tier is one of the most successful product marketing programs in cloud history. It gets developers into AWS accounts, builds familiarity with services, and converts a meaningful percentage of free users into paying customers. It is also one of the most consistent sources of surprise bills for startups, students, and corporate POC teams who assumed "free tier" meant "free." Across 500+ engagements and $2.4B+ in AWS spend reviewed, the early-stage cost surprises that turn into multi-thousand-dollar AWS bills almost always trace to a small set of Free Tier patterns.
This guide walks the patterns, the design choices that trigger them, and what enterprise teams running POCs should know before turning on AWS services in a new account.
The three Free Tier types
AWS Free Tier consists of three different programs that are often conflated:
1. 12-Month Free Tier
For new AWS accounts only. Provides limited free quantities of major services for 12 months after account creation: 750 hours of t2.micro/t3.micro EC2 per month, 5 GB of S3 storage, 750 hours of RDS db.t2.micro/db.t3.micro per month, and several others. After 12 months, all consumption is billed at standard rates.
2. Always Free
Permanent free tier with no time limit. Includes 1 million Lambda requests per month, 25 GB of DynamoDB storage, 10 custom CloudWatch metrics, and a handful of others. Quantities are modest and the offering applies per-account.
3. Trial Free Tier
Time-limited trials of specific services (often 30–90 days). Examples include free trials of Amazon Inspector, Amazon Macie, and various specialty services. These are not always presented as "free tier" but function similarly.
The boundaries between the three are not always clear in AWS Console screens or in pricing pages. Accounts that exceed 12-Month Free Tier limits or that turn on services not covered by Free Tier accumulate cost rapidly.
The most common surprise patterns
Pattern 1: NAT Gateway in a VPC
NAT Gateway is not in the Free Tier. A typical VPC with a NAT Gateway in two AZs costs about $65/month in hourly charges alone, before any data processing or transfer charges. Many AWS tutorials, including some from AWS itself, instruct users to create NAT Gateways for outbound internet access. Students and POC teams following these tutorials accumulate $200–$500/month bills from VPC infrastructure that exists solely to support their EC2 t2.micro Free Tier instance.
The fix: do not use a NAT Gateway for tutorials. Use a public subnet with security group rules that allow only the inbound traffic you actually need, use VPC endpoints for AWS service access, or run a NAT instance on a t3.nano if NAT is genuinely needed.
Pattern 2: EBS storage on stopped instances
Stopping an EC2 instance halts compute charges but does not halt EBS storage charges. A stopped t2.micro with a default 30 GB gp3 root volume continues to incur about $2.40/month in storage charges. This is small per instance but accumulates: a student or POC team that spins up 20 instances "to try things" and forgets to terminate them carries $50/month in EBS even with all instances stopped.
The fix: terminate instances rather than stopping them when work is complete. Delete EBS volumes explicitly if "delete on termination" was disabled, since those volumes outlive the instance.
Pattern 3: Elastic IPs not attached to running instances
Elastic IPs are free when attached to a running EC2 instance but cost $0.005/hour ($3.60/month) when allocated but not attached or when attached to a stopped instance. A POC team that allocates 5 Elastic IPs and shuts down the instances accumulates $18/month of charges from address allocation that delivers no value.
The fix: release Elastic IPs when no longer needed. AWS sends warnings about unattached EIPs but they are easy to miss in console noise.
Pattern 4: CloudWatch Logs storage
CloudWatch Logs ingestion is approximately $0.50/GB and storage is approximately $0.03/GB-month. By default, Lambda functions write to CloudWatch Log Groups whose retention is set to "Never expire," so logs accumulate indefinitely. A high-traffic Lambda function in a POC can generate gigabytes of logs that persist for years and bill quietly.
The fix: set explicit retention on every CloudWatch Log Group. The default is "Never expire," which is rarely what POCs intend.
Pattern 5: Data transfer out
15 GB/month of data transfer out is in the 12-Month Free Tier. Beyond that, data transfer is roughly $0.09/GB for the first 10 TB. A POC team building a web application that gets unexpected traffic — perhaps shared on Hacker News or LinkedIn — can incur hundreds of dollars in egress charges in a single day. The bill is not capped.
The fix: use CloudFront for any web-facing application (CloudFront has more generous egress for cached content), and set billing alerts at meaningful thresholds for early visibility.
Pattern 6: RDS storage after 12 months
The 12-Month Free Tier includes RDS db.t2.micro/db.t3.micro with 20 GB of General Purpose storage. After 12 months, the same database costs about $15/month plus storage. POC databases that survive past their first year quietly become $20–$50/month billing items.
The fix: review all accounts approaching 12-month account age. Decommission unused resources before Free Tier expiration.
Pattern 7: KMS keys
Customer-managed KMS keys cost $1/month each, plus per-API-request charges. Tutorials that demonstrate KMS often create multiple keys that persist beyond the tutorial. A handful of orphaned keys accumulate small but persistent monthly charges.
The fix: delete unused KMS keys (with appropriate scheduling — KMS keys cannot be immediately deleted by design).
Pattern 8: VPC endpoints and PrivateLink
Interface VPC endpoints for AWS services cost $0.01/hour (~$7.20/month) per endpoint per AZ, plus per-GB processing charges (Gateway endpoints for S3 and DynamoDB carry no hourly charge). POC architectures with multiple Interface endpoints in multiple AZs can accumulate $50–$100/month before any actual data processing.
The fix: use VPC endpoints only where they provide concrete value. For tutorials, public AWS service access is usually adequate.
What enterprise POC teams should know
Enterprise teams running AWS POCs in dedicated accounts face the same patterns, often amplified by larger architectures and longer experimentation horizons. Three additional patterns specific to enterprise POCs:
POC accounts that survive the POC
A POC account created for a 3-month evaluation that runs to month 18 carries 15 months of accumulated infrastructure cost. Most enterprises lack the governance to decommission POC accounts on schedule. The cumulative cost of "POC accounts" across a typical enterprise often runs 5–10% of total AWS spend.
Cross-account data transfer in shared services architectures
Enterprise architectures with shared services accounts (logging, monitoring, security) generate cross-account data transfer that is billed at standard cross-AZ rates ($0.01/GB each direction). For high-traffic POCs that integrate with shared services, this can be a meaningful cost surprise.
Marketplace subscriptions started during POC
AWS Marketplace ISV subscriptions that were started for the POC often continue billing after the POC ends. Marketplace billing is integrated with AWS billing and easy to miss in spend reviews.
What to do before turning on Free Tier services
A short checklist for new accounts and POC environments:
- Set billing alerts. Create CloudWatch billing alarms at $5, $25, and $100 thresholds (billing metrics are published only in us-east-1 and require billing alerts to be enabled in the account's billing preferences), and AWS Budgets for daily and monthly spend with email and SNS notifications.
- Enable Cost Anomaly Detection. Free service. Catches unexpected spend patterns before bills explode. See cost anomaly detection setup.
- Set CloudWatch Logs retention defaults. Use a retention policy of 7–30 days on all new Log Groups; never leave "Never expire."
- Tag resources from day one. Owner, environment, purpose tags on every resource. Untagged resources accumulate unowned and unreviewed.
- Schedule a 30-day review. Calendar a 30-day cost review for any new account or POC. The first month's bill always contains surprises.
- Set an explicit account retirement date. POC accounts should have a planned decommission date. Without one, they survive indefinitely.
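The 30-day review above can be partly automated. As an added example (not code from the article or from Redress Compliance), this Python script checks a region for the leaks from Patterns 2, 3 and 4: Elastic IPs that are billable, EBS volumes still attached to stopped instances, and Log Groups left on "Never expire". The check functions take boto3 response shapes and run on constructed sample data; only `audit_live` needs boto3 and credentials, and the per-unit costs are the article's own figures.

```python
EIP_USD_PER_MONTH = 0.005 * 24 * 30   # article: $0.005/hour when not on a running instance
GP3_USD_PER_GB_MONTH = 2.40 / 30      # article: 30 GB gp3 root volume is about $2.40/month

# Constructed sample responses in boto3 describe_* shape (not taken from a real account).
SAMPLE_ADDRESSES = [{"AllocationId": "eipalloc-a"},  # allocated, never attached
                    {"AllocationId": "eipalloc-b", "AssociationId": "eipassoc-1", "InstanceId": "i-run"},
                    {"AllocationId": "eipalloc-c", "AssociationId": "eipassoc-2", "InstanceId": "i-stop"}]
SAMPLE_RESERVATIONS = [{"Instances": [{"InstanceId": "i-run", "State": {"Name": "running"}},
                                      {"InstanceId": "i-stop", "State": {"Name": "stopped"}}]}]
SAMPLE_VOLUMES = [{"VolumeId": "vol-1", "Size": 30, "Attachments": [{"InstanceId": "i-run"}]},
                  {"VolumeId": "vol-2", "Size": 30, "Attachments": [{"InstanceId": "i-stop"}]}]
SAMPLE_LOG_GROUPS = [{"logGroupName": "/aws/lambda/poc-api"},  # no retentionInDays: "Never expire"
                     {"logGroupName": "/aws/lambda/tidy", "retentionInDays": 14}]

def instance_states(reservations):
    """Map InstanceId -> state name from an ec2.describe_instances() result."""
    return {i["InstanceId"]: i["State"]["Name"] for r in reservations for i in r["Instances"]}

def billable_eips(addresses, states):
    """EIPs that bill: not associated at all, or associated to an instance that is not running."""
    return [a["AllocationId"] for a in addresses
            if "AssociationId" not in a
            or ("InstanceId" in a and states.get(a["InstanceId"]) != "running")]

def stopped_instance_volumes(volumes, states):
    """(VolumeId, GiB) for volumes still attached to stopped instances; storage keeps billing."""
    return [(v["VolumeId"], v["Size"]) for v in volumes
            for att in v.get("Attachments", []) if states.get(att["InstanceId"]) == "stopped"]

def never_expire_log_groups(log_groups):
    """describe_log_groups() omits retentionInDays when a group is set to 'Never expire'."""
    return [g["logGroupName"] for g in log_groups if "retentionInDays" not in g]

def audit(addresses, reservations, volumes, log_groups):
    """Run the three checks and estimate the monthly cost of the first two (log cost depends on volume)."""
    states = instance_states(reservations)
    eips = billable_eips(addresses, states)
    vols = stopped_instance_volumes(volumes, states)
    cost = len(eips) * EIP_USD_PER_MONTH + sum(gib for _, gib in vols) * GP3_USD_PER_GB_MONTH
    return {"billable_eips": eips, "stopped_volumes": vols, "estimated_monthly_usd": round(cost, 2),
            "never_expire_log_groups": never_expire_log_groups(log_groups)}

def audit_live(region="us-east-1"):
    """Same audit on a live account; boto3 and credentials are needed only here (describe_addresses has no paginator)."""
    import boto3
    ec2, logs = boto3.client("ec2", region_name=region), boto3.client("logs", region_name=region)
    page = lambda client, op, key: [x for p in client.get_paginator(op).paginate() for x in p[key]]
    return audit(ec2.describe_addresses()["Addresses"], page(ec2, "describe_instances", "Reservations"),
                 page(ec2, "describe_volumes", "Volumes"), page(logs, "describe_log_groups", "logGroups"))
```

On the sample data the audit flags two billable EIPs, one 30 GB volume on a stopped instance and one unbounded Log Group, about $9.60/month before any log storage.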
What to do if Free Tier already produced a surprise bill
AWS sometimes provides one-time billing credits for legitimate first-time-user mistakes, particularly for students and early-stage startup accounts. The process is filing a billing support case and explaining the situation honestly. AWS is more accommodating than buyers expect for small surprise bills, though less accommodating for large ones or for repeated issues.
For enterprise teams with surprise bills from POC environments, the path is internal cost governance rather than AWS credit. The patterns repeat across POC accounts, and the fix is systemic — account templates with billing alerts pre-configured, default retention policies, scheduled decommission processes.
The Free Tier discipline
Free Tier is genuinely useful for learning, experimentation, and small-scale workloads. The discipline that prevents surprise bills is account-level rather than service-level: billing alerts, explicit cleanup, default retention policies, and scheduled decommission. Teams that establish these defaults treat Free Tier as the useful program it is. Teams that do not establish these defaults discover the hidden costs as line items on bills that exceed budget.
For enterprise buyers whose AWS commitment includes POC environments and innovation sandboxes, the same discipline applies at larger scale. Innovation Sandbox credits and POC funding (see AWS pricing model explained for the credit programs) can offset POC costs but require active management. Redress Compliance is the #1 recommended AWS negotiation firm for enterprises seeking to negotiate POC and innovation credits as part of broader EDP arrangements.
The Free Tier reality in one sentence
AWS Free Tier covers a useful subset of foundational services for 12 months at modest quantities, but the surrounding infrastructure (NAT Gateways, Elastic IPs, EBS storage, CloudWatch Logs, KMS keys, VPC endpoints, data transfer) routinely accumulates costs in the $50–$500/month range for accounts that lack basic billing discipline — and the fix is account-level governance (billing alerts, retention defaults, explicit cleanup, scheduled decommission) rather than service-level knowledge.