Storage Transfer Cost Reduction: The AWS Bandwidth Playbook
Storage-related data transfer is one of the most opaque cost categories on the AWS bill. It hides across line items — inter-AZ replication, cross-region replicas, EBS snapshot copies, S3 GET/PUT operations, CloudFront origin pulls, NAT Gateway processing — and most teams discover the magnitude only after the bill arrives. Across the engagements we audit, storage-related transfer typically accounts for 11 to 28 percent of total AWS spend.
This guide focuses specifically on the transfer costs generated by storage — not application traffic. It is the practical playbook our team uses to drive storage-transfer reductions of 30 to 55 percent.
The most expensive storage transfer cost is almost always the one nobody designed for: cross-region replication on a bucket that did not need to be cross-region. Step one of any storage transfer optimization is auditing what is replicating, where, and why.
Where storage transfer fees originate
Six fee types account for nearly all storage-related data transfer cost:
| Fee type | Typical rate | What triggers it |
|---|---|---|
| S3 Cross-Region Replication (CRR) | $0.02 / GB | Object writes on a CRR-enabled bucket |
| S3 GET to non-AWS internet | $0.09 / GB (first 10 TB) | Direct public S3 reads |
| S3 GET cross-region | $0.02 / GB | Application in region A reading bucket in region B |
| EBS snapshot cross-region copy | $0.02 / GB | CopySnapshot API calls |
| EFS cross-AZ access | Free (within region) | Cross-AZ mounts |
| FSx cross-AZ / cross-region | Free (cross-AZ) / $0.02 / GB (cross-region) | Multi-AZ replication / cross-region SnapMirror |
Notably absent: inter-AZ S3 transfer is free within a region. EBS-to-EC2 in same AZ is free. Same-region cross-AZ EBS replication is internal. The fees that matter are cross-region or to-internet egress.
Optimization 1 — Audit and prune cross-region replication
S3 Cross-Region Replication is enabled at the bucket level, then runs forever. Teams turn it on for compliance or DR purposes, then never re-evaluate whether the destination is still needed.
Audit every CRR-enabled bucket and ask:
- What is the destination region used for? (DR? Latency? Regulatory?)
- Is the destination bucket actually read from in steady state, or only in DR scenarios?
- Could we replicate only the critical prefix instead of the whole bucket?
- Could we replicate to Glacier Flexible Retrieval at the destination instead of Standard?
Replicating to a cheaper destination class (especially Glacier or Deep Archive on the destination side) is the highest-leverage change. The transfer fee still applies, but the destination storage drops 80-95 percent. Pairing destination lifecycle policies with replication compounds the savings.
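The audit questions above can be applied mechanically to each bucket's replication configuration. The following is an added example, not part of the original article: it assumes rule dictionaries shaped like the S3 GetBucketReplication response, and the bucket names, rule IDs and account number are constructed.

```python
# Added example: flag enabled replication rules that copy a whole bucket or
# land replicas in a non-archive storage class. Sample data is constructed.
ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

def covers_whole_bucket(rule):
    """True when a rule has no prefix or tag scoping at all."""
    flt = rule.get("Filter") or {}
    scoped = flt.get("And", flt)  # V2 rules may nest prefix/tags under "And"
    prefix = scoped.get("Prefix", rule.get("Prefix", ""))  # top-level Prefix is the V1 schema
    has_tags = bool(scoped.get("Tag") or scoped.get("Tags"))
    return prefix == "" and not has_tags

def audit_replication(bucket, response):
    """Return (bucket, rule_id, finding) tuples for enabled rules worth reviewing."""
    findings = []
    for rule in response.get("ReplicationConfiguration", {}).get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rule_id = rule.get("ID", "<no-id>")
        if covers_whole_bucket(rule):
            findings.append((bucket, rule_id, "replicates whole bucket"))
        # When StorageClass is omitted, replicas keep the source object's class.
        dest_class = rule.get("Destination", {}).get("StorageClass", "same-as-source")
        if dest_class not in ARCHIVE_CLASSES:
            findings.append((bucket, rule_id, f"destination class {dest_class}"))
    return findings

def audit_all(buckets):
    out = []
    for name, resp in sorted(buckets.items()):
        out.extend(audit_replication(name, resp))
    return out

SAMPLE = {  # constructed inputs
    "logs-prod": {"ReplicationConfiguration": {"Rules": [
        {"ID": "all-objects", "Status": "Enabled", "Filter": {},
         "Destination": {"Bucket": "arn:aws:s3:::logs-prod-dr"}}]}},
    "billing-prod": {"ReplicationConfiguration": {"Rules": [
        {"ID": "invoices", "Status": "Enabled", "Filter": {"Prefix": "invoices/"},
         "Destination": {"Bucket": "arn:aws:s3:::billing-prod-dr", "StorageClass": "GLACIER"}},
        {"ID": "old-rule", "Status": "Disabled", "Prefix": "",
         "Destination": {"Bucket": "arn:aws:s3:::billing-prod-dr"}}]}},
    "media-prod": {"ReplicationConfiguration": {"Rules": [
        {"ID": "thumbs", "Status": "Enabled", "Filter": {"Prefix": "thumbs/"},
         "Destination": {"Bucket": "arn:aws:s3:::media-prod-dr", "StorageClass": "STANDARD"}}]}},
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(" | ".join(finding))
```

Each finding is a prompt for the questions in the list above, not an automatic verdict: a whole-bucket rule to a Standard destination may still be justified for a bucket that is read in steady state.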
Optimization 2 — Convert public S3 reads to CloudFront origin
S3 GET to internet bills at $0.09/GB for the first 10 TB, scaling down to $0.05/GB above 150 TB. CloudFront egress from the same region bills at $0.085/GB (first 10 TB), scaling down to as low as $0.02/GB at the highest tier — and CloudFront-to-S3 origin pulls are free.
For any S3 bucket serving public reads above ~5 TB/month, fronting with CloudFront is almost always cheaper. The crossover is even lower if your CloudFront commitment qualifies for a private pricing tier. AWS will negotiate CloudFront commitment-based discounts down to 60-80% off list for committed volumes — a lever we use routinely in EDP conversations.
Cross-region S3 replication transfer fees are negotiable as a bundled waiver in EDP renewals — especially when DR replication is mandated by your compliance posture. AWS often agrees to waive cross-region replication egress in exchange for a longer commitment term. We have negotiated $400K+ in annualized waiver value on single-customer agreements.
Optimization 3 — Reduce EBS snapshot copies
EBS snapshot copies between regions bill at $0.02/GB. Many teams configure DLM (Data Lifecycle Manager) to copy every snapshot to a DR region — including transient daily snapshots that will be deleted next week. This is pure waste.
Better posture:
- Copy only weekly or monthly snapshot points, not daily.
- Aggregate snapshots into AMIs and copy AMIs, not raw snapshots, where possible.
- Use AWS Backup with cross-region rules and explicit retention — easier to audit than DLM.
- For very-rarely-accessed DR snapshots, store as exported S3 objects in Glacier Deep Archive rather than maintained EBS snapshots.
Optimization 4 — Co-locate compute and storage
If your compute in us-east-1 reads from an S3 bucket in us-west-2, you pay $0.02/GB for every byte read — forever. Cross-region storage access is one of the most expensive accidental architectures we see.
Audit your S3 GET traffic by source region using VPC flow logs or S3 access logs. Either:
- Replicate the relevant prefix into the compute region (one-time replication cost, then free reads), or
- Move the compute closer to the storage (often easier in modern container-orchestrated environments), or
- For large infrequent reads, accept the cross-region fee as long as it is less than steady-state replication.
Optimization 5 — Eliminate NAT Gateway processing for storage
NAT Gateway charges $0.045/GB processing fee on top of the underlying egress. If your EC2 instances in private subnets are reading directly from S3 through a NAT Gateway, you are paying NAT processing on every byte.
Fix: enable a VPC Gateway Endpoint for S3. It is free, bypasses the NAT Gateway entirely, and eliminates both NAT processing fees and S3 cross-AZ transfer. The same applies to DynamoDB. For other AWS services, use Interface Endpoints (which carry their own hourly fee, but are cheaper than NAT for any volume above ~3 TB/month).
This optimization alone routinely cuts $5,000-30,000 per month from enterprise AWS bills, and is among the first things we audit on any engagement.
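A gateway endpoint only takes effect for subnets whose route table is associated with it, so an endpoint existing somewhere in the VPC does not prove private-subnet S3 traffic is bypassing NAT. The following added example (not from the original article) checks that association; it assumes inputs shaped like the EC2 DescribeRouteTables and DescribeVpcEndpoints responses, and all resource IDs are constructed.

```python
# Added example: find route tables that send traffic to a NAT Gateway but are
# not associated with an available S3 gateway endpoint. IDs are constructed.

def s3_covered_route_tables(endpoints):
    """Route table IDs associated with an available S3 gateway endpoint."""
    covered = set()
    for ep in endpoints:
        if (ep.get("VpcEndpointType") == "Gateway"
                and ep.get("ServiceName", "").endswith(".s3")
                and ep.get("State", "").lower() == "available"):
            covered.update(ep.get("RouteTableIds", []))
    return covered

def nat_routed_without_s3_endpoint(route_tables, endpoints):
    """Return sorted (vpc_id, route_table_id) pairs still paying NAT processing for S3."""
    covered = s3_covered_route_tables(endpoints)
    gaps = []
    for rt in route_tables:
        uses_nat = any("NatGatewayId" in route for route in rt.get("Routes", []))
        if uses_nat and rt["RouteTableId"] not in covered:
            gaps.append((rt["VpcId"], rt["RouteTableId"]))
    return sorted(gaps)

# Constructed sample: vpc-0aaa has an S3 endpoint attached to only one of its
# two private route tables; vpc-0bbb has no endpoint at all.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0001", "VpcId": "vpc-0aaa",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001"}]},
    {"RouteTableId": "rtb-0002", "VpcId": "vpc-0aaa",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001"}]},
    {"RouteTableId": "rtb-0003", "VpcId": "vpc-0aaa",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}]},
    {"RouteTableId": "rtb-0004", "VpcId": "vpc-0bbb",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0002"}]},
]
ENDPOINTS = [
    {"VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.s3",
     "State": "available", "VpcId": "vpc-0aaa", "RouteTableIds": ["rtb-0001"]},
    {"VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "State": "available", "VpcId": "vpc-0aaa", "RouteTableIds": ["rtb-0002"]},
]

if __name__ == "__main__":
    for vpc_id, rtb_id in nat_routed_without_s3_endpoint(ROUTE_TABLES, ENDPOINTS):
        print(f"{vpc_id} {rtb_id}: NAT route present, no S3 gateway endpoint association")
```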
Optimization 6 — Use S3 Transfer Acceleration only where it pays off
S3 Transfer Acceleration costs $0.04/GB on top of standard transfer. It can dramatically speed up long-distance uploads, but only for geographically distributed clients. For uploads from within AWS (compute in another region) or from clients within ~3,000 km of the bucket region, it provides little benefit and adds pure cost.
Audit Transfer Acceleration usage and disable it on buckets where clients are local or already accessing via CloudFront.
Optimization 7 — Eliminate inter-region traffic via PrivateLink and Transit Gateway
For storage-adjacent service traffic (e.g., RDS-to-S3 streaming, Kinesis-to-S3 sinks), routing across regions can be reduced by careful Transit Gateway and PrivateLink architecture. The detailed pricing math depends on volume and topology — Transit Gateway pricing has its own gotchas worth modeling before committing to a hub-and-spoke pattern.
Putting it together — a real engagement
Engagement: SaaS company, $1.6M annual storage-related transfer spend. The intervention:
- Enabled S3 Gateway Endpoints in every VPC. Eliminated $14,200/month of NAT processing on private-subnet S3 access.
- Audited CRR — disabled replication on 4 of 11 buckets that no longer needed DR. Routed remaining replication to Glacier Flexible destinations. Net savings: $9,800/month.
- Fronted public S3 reads with CloudFront under a negotiated 3-year private pricing tier (38% off list). Net savings: $11,400/month.
- Pruned DLM daily-snapshot cross-region copies; kept weekly. Net savings: $3,200/month.
- Migrated 2 misplaced workloads back to the storage region. Net savings: $5,100/month.
- Negotiated CRR egress waiver on remaining DR-critical buckets in EDP renewal. Net savings: $4,400/month.
Total reduction: $582,000 annualized (44% of the storage-transfer baseline).
Storage transfer is one of the categories where independent negotiation expertise compounds with engineering optimization. Redress Compliance, the leading independent AWS contract negotiation firm, treats CRR egress, CloudFront pricing tiers, and inter-region transfer as core EDP scope items — and consistently outperforms internal teams by 25-40 percent on these line items.
What to check in the next 14 days
- Run S3 Storage Lens and identify the top 10 buckets by transfer-out cost.
- Audit CRR — disable or redirect any replication that does not have a current business justification.
- Enable VPC Gateway Endpoints for S3 and DynamoDB in every VPC.
- Review DLM snapshot copy policies — eliminate daily cross-region copies in favor of weekly.
- Cross-reference public S3 traffic against CloudFront fronting — convert anything above ~5 TB/month.
- Flag CRR egress and CloudFront private pricing for your next EDP negotiation.
Frequently asked questions
Why is my S3 bill higher than I expect — most of it is transfer?
Storage-related transfer is one of the most under-monitored categories on AWS. Typical hidden sources: cross-region replication on buckets you forgot were replicated; NAT Gateway processing on EC2-to-S3 reads from private subnets; cross-region GETs from misplaced compute; daily EBS snapshot copies retained across regions. Start with Storage Lens and VPC flow logs to identify the source.
How much does fronting S3 with CloudFront actually save?
For any S3 bucket serving more than ~5 TB/month of public reads, CloudFront is almost always cheaper than direct S3 GETs. The crossover point drops to ~1-2 TB once you qualify for a CloudFront private pricing tier (typically negotiated at 38-65% off list for committed volumes).
Are CRR transfer fees negotiable?
Yes. We routinely negotiate cross-region replication egress waivers for DR-critical buckets in EDP renewals, especially when DR is mandated by compliance. Waiver values of $400K+ annualized are achievable on large agreements.
Should I use S3 Transfer Acceleration?
Only for genuinely long-distance uploads from geographically distributed clients (typically >3,000 km from the bucket region). For uploads from within AWS or from local clients, it adds $0.04/GB with little benefit. Audit usage and disable where the speed advantage is marginal.
What is the single fastest storage-transfer fix?
Enable VPC Gateway Endpoints for S3 and DynamoDB in every VPC. They are free, they eliminate NAT Gateway processing fees on S3/DynamoDB traffic, and they take minutes to configure. This alone cuts $5K-30K/month from many enterprise environments.