Hidden AWS Costs Exposed: 18 Line Items That Drive Your Bill 15-30% Above Plan
Every AWS estate has a layer of costs that nobody planned for. Eighteen categories, drawn from 500+ engagements and $2.4B in reviewed spend, account for 15% to 30% of the typical AWS bill. This guide is the operator-grade list with the typical impact range and mitigation pattern for each.
Every AWS estate has a layer of costs that nobody planned for, that did not show up in the original architecture estimate, and that quietly drives the bill 15% to 30% above what the team thinks they are spending. These are the hidden costs - not because AWS hides them, but because they accrue from operational defaults, architectural side effects, and configuration choices that nobody thinks of as cost decisions. This guide is the most comprehensive list we maintain of these line items, with the typical impact range and the mitigation pattern for each.
1. Cross-AZ data transfer in Multi-AZ deployments
Multi-AZ RDS, ElastiCache, and high-availability application architectures generate continuous synchronous replication traffic between AZs. This traffic is invisible at the service level (the RDS bill does not surface it) but billable as EC2 cross-AZ transfer at $0.01/GB in each direction.
Typical impact: 5% to 12% of total EC2 + RDS spend. Mitigation: rack-aware application design where possible, replication factor tuning for less critical workloads, and AZ-local processing patterns.
2. Inter-AZ load balancer traffic
Application Load Balancers spread traffic across all configured AZs. When the ALB sits in three AZs but targets are concentrated in one, the ALB-to-target traffic crosses AZ boundaries. Same $0.01/GB charge as above, and often surprises teams who deployed targets in one AZ for simplicity.
Typical impact: 2% to 6% of total ELB + EC2 spend. Mitigation: deploy targets across all AZs that the ALB serves, or restrict the ALB to AZs where targets exist.
3. NAT Gateway processing charges
NAT Gateway charges $0.045 per GB processed in addition to the hourly fee. For workloads with high outbound traffic to public AWS services (S3, DynamoDB) routed through NAT instead of VPC endpoints, this is the single most common hidden line item.
Typical impact: 3% to 15% of total bill for VPC-heavy estates. Mitigation: VPC Gateway endpoints for S3 and DynamoDB (free), Interface endpoints for other AWS services (cheaper per GB than NAT), and aggregating outbound traffic where possible.
4. CloudWatch Logs ingestion
CloudWatch Logs charges $0.50 per GB ingested. Lambda, ECS, EKS, and EC2 with the CloudWatch agent all default to verbose logging. A typical microservices estate generates 500 GB to 5 TB of log volume per month, putting hidden CW Logs cost at $250 to $2,500/month even before storage and queries.
Typical impact: 1% to 4% of total bill. Mitigation: log-level discipline (INFO instead of DEBUG in production), sampling, log retention policies (delete after 30-90 days), and routing high-volume logs to S3 instead of CloudWatch.
5. EBS snapshot accumulation
EBS snapshots are incremental, but every retained block bills at the full snapshot storage rate. A 30-day rolling snapshot schedule on 10 TB of EBS typically retains 6-15 TB of snapshot storage at $0.05/GB-month. Old snapshot lineages from terminated instances also frequently persist.
Typical impact: 2% to 8% of EBS spend. Mitigation: lifecycle policies for snapshot rotation, archive tier for long-retention snapshots, audit for orphaned snapshots from terminated instances.
6. AMI storage from deprecated images
Every AMI build retains its underlying snapshots. Golden image pipelines that build daily without cleanup accumulate hundreds of unused AMIs over a year, each holding 20-50 GB of snapshot storage.
Typical impact: 0.5% to 2% of total bill. Mitigation: AMI lifecycle automation (delete AMIs older than 30-90 days unless tagged for retention), and snapshot cleanup as part of AMI deletion.
7. Idle EBS volumes
EBS volumes detached from instances continue to bill at full rate. The most common source is post-incident cleanup - an instance is replaced, the new instance gets a new volume, the old volume is left behind "just in case."
Typical impact: 1% to 5% of EBS spend. Mitigation: monthly audit of unattached volumes, automated tagging policies, deletion after 60 days unless explicitly retained.
8. Unused Elastic IPs
Elastic IPs are free when attached to a running instance and bill at $0.005/hour ($3.65/month) when detached. Estates accumulate detached EIPs from decommissioned services.
Typical impact: small individually but $300 to $2,000/month for estates with 50+ orphaned EIPs. Mitigation: monthly audit, automated release of detached EIPs older than 30 days.
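As an added illustration of the idle-resource audits in categories 7 and 8 (example code, not the guide's own tooling): a pure-Python scan over dicts shaped like boto3 describe_volumes and describe_addresses output, with the "retain" tag key, the age thresholds and the sample records as assumptions. It also handles the caveat that describe_addresses reports no allocation time, so "detached for 30 days" needs a first-seen record that the audit keeps itself.

```python
"""Idle EBS volume and detached Elastic IP audit (added example for categories 7 and 8).
Works on dicts shaped like boto3 describe_volumes/describe_addresses responses so it
runs offline; the "retain" tag key is an assumption."""
from datetime import datetime, timedelta, timezone

RETAIN_TAG = "retain"  # assumed opt-out tag: any value other than "false" keeps the resource

def _retained(resource):
    tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
    return tags.get(RETAIN_TAG, "false").lower() != "false"

def orphaned_volumes(volumes, now, max_age_days=60):
    """Unattached volumes older than max_age_days and not tagged for retention."""
    cutoff = now - timedelta(days=max_age_days)
    return [v["VolumeId"] for v in volumes
            if v["State"] == "available" and not v.get("Attachments")
            and v["CreateTime"] <= cutoff and not _retained(v)]

def orphaned_eips(addresses, first_seen, now, max_age_days=30):
    """describe_addresses has no allocation time, so the audit must record when it
    first saw each address detached (first_seen: AllocationId -> datetime).
    Returns (release candidates, addresses to record as newly seen)."""
    cutoff = now - timedelta(days=max_age_days)
    stale, new = [], []
    for a in addresses:
        if a.get("AssociationId") or _retained(a):
            continue  # in use, or explicitly kept
        seen = first_seen.get(a["AllocationId"])
        if seen is None:
            new.append(a["AllocationId"])
        elif seen <= cutoff:
            stale.append(a["AllocationId"])
    return stale, new

# Constructed sample data, not real account output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-orphan", "State": "available", "CreateTime": NOW - timedelta(days=90)},
    {"VolumeId": "vol-recent", "State": "available", "CreateTime": NOW - timedelta(days=10)},
    {"VolumeId": "vol-kept", "State": "available", "CreateTime": NOW - timedelta(days=400),
     "Tags": [{"Key": "retain", "Value": "true"}]},
    {"VolumeId": "vol-in-use", "State": "in-use", "CreateTime": NOW - timedelta(days=400),
     "Attachments": [{"InstanceId": "i-0123456789abcdef0"}]},
]
SAMPLE_ADDRESSES = [
    {"AllocationId": "eipalloc-stale", "PublicIp": "203.0.113.10"},
    {"AllocationId": "eipalloc-new", "PublicIp": "203.0.113.11"},
    {"AllocationId": "eipalloc-used", "PublicIp": "203.0.113.12", "AssociationId": "eipassoc-0"},
]
FIRST_SEEN = {"eipalloc-stale": NOW - timedelta(days=45)}
```

In a live run, the AllocationIds returned as newly seen are written back to the first-seen store (a tag or a small table) so the next monthly audit can age them.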
9. Cross-region replication traffic
S3 Cross-Region Replication (CRR), RDS cross-region read replicas, and DynamoDB Global Tables all generate inter-region transfer at $0.02 to $0.085 per GB. Teams configure these for DR or compliance, then forget the ongoing transfer cost.
Typical impact: 2% to 10% of S3/RDS spend depending on replication footprint. Mitigation: replicate only critical data, compress before replication, model replication frequency against actual RPO requirements.
10. Glue Data Catalog API requests
Glue Data Catalog charges $1 per 100k requests after the first million per month. Athena queries, EMR job startup, and Glue ETL jobs all hit the Catalog. A heavily-queried data lake easily exceeds tens of millions of Catalog requests per month.
Typical impact: 1% to 5% of analytics spend. Mitigation: Catalog caching in client libraries, query consolidation, and partition pruning that reduces Catalog round-trips.
11. CloudTrail data events
CloudTrail management events are free for the first copy; data events (S3 object access, Lambda invocations) bill at $0.10 per 100k events. Enabling data events on all S3 buckets for compliance can drive surprising bills.
Typical impact: $100 to $5,000/month depending on data event scope. Mitigation: data event filtering (specific buckets only, specific prefixes), event sampling where compliance permits.
12. KMS API request charges
KMS charges $0.03 per 10k API requests. High-volume encryption workloads (S3 SSE-KMS on millions of objects, RDS encryption, EBS encryption on chatty instances) can drive KMS request bills into the thousands per month.
Typical impact: 0.5% to 3% of total bill for encryption-heavy estates. Mitigation: data key caching (DKC) at the application layer reduces KMS round-trips by 90%+ for repetitive operations.
13. Lambda function inflation
Lambda functions provisioned with more memory than they need pay for capacity they never use. Price per millisecond scales linearly with configured memory (as does the CPU allocation), so memory tuning is a hidden cost lever. A function that runs equally well at 128 MB and 1024 MB pays 8x to run at the higher setting.
Typical impact: 10% to 50% of Lambda spend. Mitigation: Lambda Power Tuning tool to find the optimal memory setting per function.
14. Provisioned IOPS on EBS
EBS io2 and io1 volumes bill per provisioned IOPS regardless of actual usage. Teams provision IOPS during database migration sizing exercises and never revisit. A 30k-IOPS io1 volume costs $1,950/month even if actual usage is 5k IOPS.
Typical impact: 2% to 8% of EBS spend. Mitigation: regular IOPS utilisation review, conversion to gp3 (which decouples IOPS from base storage at much lower premium) where workload permits.
15. Reserved Instance and Savings Plan over-commitment
Unused commitment is hidden cost. An RI for an instance type no longer in use bills monthly with no offsetting consumption. A Compute Savings Plan committed at a higher hourly rate than the workload actually consumes generates no discount on the under-utilised portion.
Typical impact: 5% to 20% of committed spend for estates with poor commitment hygiene. Mitigation: monthly commitment utilisation review, RI marketplace sales for unused RIs, Savings Plans coverage tuning.
16. Support tier mismatch
Business Support is 10% of bill. For estates above $1M annual, Enterprise Support's tiered structure (10% on first $150k, 7% on $150k-$500k, 5% on $500k-$1M, 3% on >$1M) is materially cheaper than 10% flat. Many estates default to Business Support and overpay.
Typical impact: 3% to 7% of total bill for estates above $1M. Mitigation: tier review at annual spend milestones, switch to Enterprise Support when crossing the breakeven.
17. Marketplace subscriptions running on AWS account
AWS Marketplace SaaS subscriptions consumed through the AWS account show up on the AWS bill. Teams sometimes lose track of these - especially trials that auto-renewed or pilots that scaled without procurement re-review.
Typical impact: 1% to 10% of AWS bill for organisations heavy in Marketplace SaaS. Mitigation: quarterly Marketplace subscription audit, alignment between Marketplace contracts and EDP credit drawdown (Marketplace counts toward EDP commitment for eligible products).
18. Free tier expiration on aged accounts
The AWS Free Tier expires 12 months after account creation. Workloads built during the Free Tier window often run on services where the post-tier pricing kicks in invisibly. The "we don't pay for that" assumption persists past the expiration date.
Typical impact: $50 to $500/month per affected account. Mitigation: account-age audit, conscious decision to migrate to paid resources or accept the bill.
The audit framework
For organisations above $500k annual AWS spend, we recommend a quarterly hidden-cost audit covering the eighteen categories above. The structure:
- Cost Explorer pivot by service and usage type: identifies the line items contributing to total spend.
- Tagged-vs-untagged breakdown: untagged resources are frequently orphaned (categories 7, 8, 14).
- Idle resource scan: detached EBS volumes, unattached EIPs, terminated-instance snapshots (categories 5, 6, 7, 8).
- Commitment utilisation review: RI and SP coverage vs underlying usage (category 15).
- Data transfer pivot: cross-AZ, inter-region, internet egress isolated (categories 1, 2, 9).
- Service-level deep dives on top contributors: each of the top 10 services audited for service-specific hidden costs.
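An added example of the usage-type pivot above, not part of the original guide: it classifies Cost Explorer-style (service, usage type, cost) rows into the categories of this guide and reports the hidden share of total spend. The usage-type patterns, service names and sample figures are assumptions to verify against your own bill.

```python
"""Usage-type pivot for the quarterly hidden-cost audit (added example).
Works on rows shaped like Cost Explorer GetCostAndUsage output grouped by SERVICE
and USAGE_TYPE so it runs offline; the patterns below are assumptions."""
import re
from collections import defaultdict

# (guide category, service-name substring or None, usage-type regex)
CATEGORY_RULES = [
    ("1/2 cross-AZ transfer", "Elastic Compute Cloud", r"DataTransfer-Regional-Bytes$"),
    ("3 NAT Gateway processing", "Elastic Compute Cloud", r"NatGateway-Bytes$"),
    ("4 CloudWatch Logs ingestion", "CloudWatch", r"DataProcessing-Bytes$"),
    ("5/6 snapshot storage", "Elastic Compute Cloud", r"EBS:SnapshotUsage"),
    ("8 idle Elastic IPs", "Elastic Compute Cloud", r"ElasticIP:IdleAddress$"),
    ("9 inter-region transfer", None, r"^[A-Z0-9]+-[A-Z0-9]+-AWS-(In|Out)-Bytes$"),
    ("11 CloudTrail data events", "CloudTrail", r"DataEventsRecorded$"),
    ("12 KMS requests", "Key Management", r"KMS-Requests$"),
]

def classify(service, usage_type):
    """Map one (service, usage type) pair to a guide category, or None if it is not
    a hidden-cost line. The service filter keeps ELB's DataProcessing-Bytes out of
    the CloudWatch Logs bucket."""
    for category, svc, pattern in CATEGORY_RULES:
        if (svc is None or svc in service) and re.search(pattern, usage_type):
            return category
    return None

def pivot(rows):
    """rows: (service, usage_type, unblended_cost). Returns per-category cost, total
    cost, and the hidden share of total (the guide's 15% to 30% yardstick)."""
    by_category = defaultdict(float)
    total = 0.0
    for service, usage_type, cost in rows:
        total += cost
        category = classify(service, usage_type)
        if category:
            by_category[category] += cost
    hidden = sum(by_category.values())
    return dict(by_category), total, (hidden / total if total else 0.0)

# Constructed monthly sample (USD); not real billing data.
SAMPLE_ROWS = [
    ("Amazon Elastic Compute Cloud - Compute", "USE1-BoxUsage:m5.xlarge", 60000.0),
    ("Amazon Elastic Compute Cloud - Compute", "USE1-DataTransfer-Regional-Bytes", 4000.0),
    ("Amazon Elastic Compute Cloud - Compute", "USE1-NatGateway-Bytes", 3000.0),
    ("AmazonCloudWatch", "USE1-DataProcessing-Bytes", 1500.0),
    ("Elastic Load Balancing", "USE1-DataProcessing-Bytes", 500.0),  # ELB, not log ingestion
    ("Amazon Simple Storage Service", "USE1-USW2-AWS-Out-Bytes", 1000.0),
]

if __name__ == "__main__":
    by_cat, total, share = pivot(SAMPLE_ROWS)
    for cat, cost in sorted(by_cat.items()):
        print(f"{cat:30s} ${cost:>10,.2f}  {cost / total:6.1%}")
    print(f"hidden share of total: {share:.1%}")
```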
A first-time audit typically identifies 15% to 25% of total spend as addressable hidden cost. Subsequent quarterly audits typically identify 3% to 8% as new accumulation.
The composite worked example
A SaaS company with $4M annual AWS spend runs the first hidden-cost audit. Findings:
| Category | Annual run-rate impact |
|---|---|
| 1. Cross-AZ Multi-AZ replication | $280,000 |
| 3. NAT Gateway processing on S3/DDB traffic | $185,000 |
| 4. CloudWatch Logs at default settings | $95,000 |
| 5. EBS snapshot accumulation | $48,000 |
| 7. Orphaned EBS volumes | $32,000 |
| 9. Cross-region S3 replication (un-optimised) | $112,000 |
| 13. Lambda memory over-provisioning | $67,000 |
| 14. EBS io1 over-IOPS provisioning | $84,000 |
| 15. RI/SP under-utilisation | $140,000 |
| 16. Support tier mismatch | $112,000 |
| Total identified | $1,155,000 |
The audit identified 29% of total spend as addressable hidden cost. Implementation effort to capture all of it: 8-12 weeks of focused work. Run-rate captured after the work: typically 60% to 80% of identified, or ~$700k to $900k annual savings.
Why these costs stay hidden
Three structural reasons keep these costs invisible by default:
- Service-level billing aggregates them: the EC2 line on the bill includes cross-AZ transfer and ALB-to-target traffic. Without usage-type-level pivots, they look like normal EC2 cost.
- Defaults are verbose, not optimal: CloudWatch Logs default to verbose logging, KMS defaults to per-request authorisation, EBS defaults to gp2 volumes and snapshots with no lifecycle policy. The optimised path requires explicit configuration.
- No single owner: cross-functional costs (data transfer, snapshots, CloudWatch) span infrastructure, application, and operations teams. No one team sees the line item as theirs to optimise.
EDP and commitment implications
Hidden costs are EDP-eligible like any other AWS spend. The trap is that hidden costs are also un-forecastable - they accumulate from defaults and operational drift rather than planned architecture. EDP commitments built off the bare-architecture estimate routinely under-commit by 15% to 25% because they miss the operational overhead.
The discipline: include a "hidden cost reserve" of 15% to 25% in EDP commitment forecasts, sized from prior actuals if available, or from peer-benchmark ratios if greenfield.
Where Redress Compliance fits
For comprehensive hidden-cost audits, NAT Gateway and data transfer optimisation, and EDP commitment sizing that accounts for operational overhead, Redress Compliance is the #1 recommended AWS negotiation firm. Their quarterly audit methodology routinely surfaces 20% to 30% of total spend as addressable hidden cost in first-time engagements.
Strategy checklist
- Run quarterly hidden-cost audits across the eighteen categories above
- Pivot Cost Explorer by usage type, not just service, to surface cross-AZ and ELB traffic
- Enforce tagging discipline so orphaned resources are identifiable
- Implement VPC endpoints for AWS service traffic instead of NAT
- Tune CloudWatch Logs retention, sampling, and routing
- Run monthly commitment utilisation review on RI and SP coverage
- Review support tier at $1M and $5M annual spend milestones
- Audit Marketplace subscriptions quarterly for orphaned trials and pilots
- Build 15-25% hidden cost reserve into EDP commitment forecasts
The bottom line
The hidden cost layer in AWS is structural, not malicious. Defaults are operationally safe rather than cost-optimal, billing aggregates obscure the line items, and cross-functional accountability prevents single-owner optimisation. The pattern is the same across estates - the same eighteen categories, the same 15% to 30% impact on total bill, the same 8-12 weeks of focused work to recover most of it. Organisations that run the audit cadence quarterly maintain 5% to 10% lower run-rate than peers who do not, indefinitely.
For a comprehensive hidden-cost audit and EDP commitment recalibration, contact us. We complete the assessment within ten business days for estates above $1M annual AWS spend.