Account_billing
Chapter 2: AWS Account Management & Billing
Mastering AWS Account Structure and Cost Management
2.1 Overview
Understanding AWS account management and billing is crucial for DevOps engineers to maintain control over resources, security, and costs.
```
AWS Account Hierarchy

                +------------------------+
                |   Management Account   |
                |    (Payer Account)     |
                |                        |
                | - Consolidated Billing |
                | - AWS Organizations    |
                | - Cost Explorer        |
                +-----------+------------+
                            |
        +-------------------+-------------------+
        |                   |                   |
        v                   v                   v
+---------------+   +---------------+   +---------------+
| Member Account|   | Member Account|   | Member Account|
|     (Dev)     |   |    (Test)     |   |    (Prod)     |
+---------------+   +---------------+   +---------------+
        |                   |                   |
        v                   v                   v
+---------------+   +---------------+   +---------------+
|    OU-Dev     |   |    OU-Test    |   |    OU-Prod    |
|  (Dev Team)   |   |  (Test Team)  |   |  (Prod Team)  |
+---------------+   +---------------+   +---------------+
```
2.2 AWS Account Types
Account Types Comparison

| Account Type | Purpose | Features |
|---|---|---|
| Standard | Individual/Small teams | Full AWS access, basic support |
| Organization | Enterprise | Consolidated billing, SCPs |
| GovCloud | US Government | FedRAMP compliance |
| China | China operations | Isolated infrastructure |

```
Account Type Architecture

Standard Account            Organization Account
+----------------+          +------------------------+
|                |          |   Management Account   |
|  Single User   |          |                        |
|  Single Bill   |          |  +------------------+  |
|  Basic IAM     |          |  | Member Account 1 |  |
|                |          |  +------------------+  |
+----------------+          |  +------------------+  |
                            |  | Member Account 2 |  |
                            |  +------------------+  |
                            |  +------------------+  |
                            |  | Member Account N |  |
                            |  +------------------+  |
                            +------------------------+
```
2.3 AWS Organizations
Organization Structure
```
AWS Organizations Hierarchy

                +------------------------+
                |          Root          |
                |  (Organization Root)   |
                +-----------+------------+
                            |
        +-------------------+-------------------+
        |                                       |
        v                                       v
+---------------+                       +---------------+
|  OU-Security  |                       | OU-Workloads  |
|               |                       |               |
| +-----------+ |                       | +-----------+ |
| | Security  | |                       | |  OU-Dev   | |
| | Account   | |                       | +-----------+ |
| +-----------+ |                       | +-----------+ |
| +-----------+ |                       | |  OU-Test  | |
| | Audit     | |                       | +-----------+ |
| | Account   | |                       | +-----------+ |
| +-----------+ |                       | |  OU-Prod  | |
|               |                       | +-----------+ |
+---------------+                       +---------------+

Key Concepts:
- Root: Top-level container
- OU (Organizational Unit): Group accounts
- SCP (Service Control Policy): Permission boundaries
- Member Accounts: Individual AWS accounts
```
Service Control Policies (SCPs)
```
SCP Inheritance Model

                    +------------------------+
                    |        Root SCP        |
                    |   (Full AWS Access)    |
                    +-----------+------------+
                                |
                     Inherited down the tree
                                |
            +-------------------+-------------------+
            |                                       |
            v                                       v
+------------------------+              +------------------------+
|   OU-Production SCP    |              |   OU-Development SCP   |
|                        |              |                        |
| ALLOW: EC2, RDS, S3    |              | ALLOW: EC2, Lambda     |
| DENY: IAM Delete       |              | DENY: RDS, Redshift    |
|                        |              |                        |
+------------------------+              +------------------------+
            |                                       |
            v                                       v
+------------------------+              +------------------------+
|      Prod Account      |              |      Dev Account       |
|   Effective Policy:    |              |   Effective Policy:    |
|   Root SCP + OU SCP    |              |   Root SCP + OU SCP    |
+------------------------+              +------------------------+
```
SCP Example: Deny Specific Regions
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "route53:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```
SCP Example: Prevent Leaving Organization
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```
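How the inheritance diagram and the region-restriction SCP above combine, as an added example (not code from the original chapter or from AWS): a minimal evaluator that models only `Action`/`NotAction` wildcards and the `StringNotEquals` condition on `aws:RequestedRegion`. The OU policies are constructed from the diagram's ALLOW/DENY labels, and `evaluate`, `PROD_PATH` and `DEV_PATH` are hypothetical names.

```python
import fnmatch

# Policies constructed from this chapter's diagram labels and region SCP.
# "Resource": "*" is omitted for brevity; a real SCP statement requires it.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
REGION_GUARD = {"Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "route53:*", "support:*"],
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]}},
}]}
OU_PROD = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "rds:*", "s3:*"]},
    {"Effect": "Deny", "Action": "iam:Delete*"},
]}
OU_DEV = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "lambda:*"]},
    {"Effect": "Deny", "Action": ["rds:*", "redshift:*"]},
]}

# Each path lists the SCPs attached at every level from root to account.
ROOT = ("Root", [FULL_ACCESS, REGION_GUARD])
PROD_PATH = [ROOT, ("OU-Production", [OU_PROD]), ("Prod Account", [FULL_ACCESS])]
DEV_PATH = [ROOT, ("OU-Development", [OU_DEV]), ("Dev Account", [FULL_ACCESS])]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _applies(stmt, action, region):
    """True when the statement matches the action and its condition holds."""
    key = "NotAction" if "NotAction" in stmt else "Action"
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
              for p in _as_list(stmt[key]))
    if key == "NotAction":
        hit = not hit
    # Only StringNotEquals on aws:RequestedRegion is modelled here.
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    approved = _as_list(cond.get("aws:RequestedRegion", []))
    return hit and region not in approved


def _statements(policies, effect):
    return [s for p in policies for s in p["Statement"] if s["Effect"] == effect]


def evaluate(path, action, region):
    """Return (allowed, reason). SCPs only bound what IAM may later grant."""
    for level, policies in path:          # an explicit Deny anywhere wins
        if any(_applies(s, action, region) for s in _statements(policies, "Deny")):
            return False, f"explicit Deny at {level}"
    for level, policies in path:          # every level must also Allow
        if not any(_applies(s, action, region) for s in _statements(policies, "Allow")):
            return False, f"no Allow at {level}"
    return True, "allowed by every level"


if __name__ == "__main__":
    for path, action, region in [
        (PROD_PATH, "ec2:RunInstances", "us-east-1"),
        (PROD_PATH, "ec2:RunInstances", "ap-south-1"),
        (PROD_PATH, "iam:CreateUser", "ap-south-1"),
        (DEV_PATH, "rds:CreateDBInstance", "us-east-1"),
    ]:
        print(path[-1][0], action, region, evaluate(path, action, region))
```

The `iam:CreateUser` case shows that the `NotAction` exemption in the region SCP only skips the Deny; it does not grant anything the OU's allow list omits.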
2.4 Consolidated Billing
```
Consolidated Billing Flow

Individual Billing (Without Organization)
+------------------------+
| Account A: $500/month  |
| Account B: $300/month  |
| Account C: $200/month  |
+------------------------+
Total: $1000/month (separate bills)

============================================================

Consolidated Billing (With Organization)
+------------------------+
| Management Account     |
| (Payer Account)        |
|                        |
| Account A: $500        |
| Account B: $300        |
| Account C: $200        |
|                        |
| Combined: $1000        |
| Volume Discount: -$50  |
| Final Bill: $950       |
+------------------------+

Benefits:
- Volume pricing discounts
- Single bill for all accounts
- Reserved Instance sharing
- Savings Plans sharing
```
Volume Tiered Pricing Example
```
S3 Pricing Tiers (Example)

  Storage Tier     Price per GB
+----------------+-------------------+
| First 50 TB    | $0.023 per GB     |
| Next 450 TB    | $0.022 per GB     |
| Over 500 TB    | $0.021 per GB     |
+----------------+-------------------+

Example: 600 TB storage

Without Consolidation:
  Account A (200 TB): 50×0.023 + 150×0.022 = $4.35
  Account B (200 TB): 50×0.023 + 150×0.022 = $4.35
  Account C (200 TB): 50×0.023 + 150×0.022 = $4.35
  Total: $13.05

With Consolidation:
  Combined (600 TB):
  50×0.023 + 450×0.022 + 100×0.021 = $13.20
  (Better rate for over 500TB)
```
2.5 AWS Cost Management Tools
Cost Explorer
```
AWS Cost Explorer Dashboard

[Chart: Cost Over Time, Jan to May]

+--------------------------+  +--------------------------+
| Top Services by Cost     |  | Top Accounts by Cost     |
|                          |  |                          |
| EC2             $2,500   |  | Prod Account    $3,000   |
| RDS             $1,200   |  | Dev Account     $1,500   |
| S3              $800     |  | Test Account    $500     |
| Lambda          $300     |  |                          |
+--------------------------+  +--------------------------+

Features:
- View costs by service, account, region
- Forecast future costs
- Create custom reports
- Set up anomaly detection
```
AWS Budgets
```
AWS Budgets Configuration

Budget Types:

1. Cost Budget
   Budget Name: Monthly EC2 Budget
   Budget Amount: $5,000
   Alert Thresholds:
   - 70% ($3,500)  -> Email to team
   - 90% ($4,500)  -> Email + SNS to Slack
   - 100% ($5,000) -> Email + SNS + Auto Action

2. Usage Budget
   Budget Name: S3 Storage Budget
   Budget Amount: 10 TB
   Alert Thresholds:
   - 80% (8 TB)   -> Email
   - 100% (10 TB) -> Email + Auto Action

3. RI/Savings Plans Budget
   Budget Name: RI Utilization
   Target: 80% utilization
   Alert: Below 70% utilization
```
Budget Actions
```json
{
  "ActionThreshold": {
    "ActionThresholdType": "PERCENTAGE",
    "ActionThresholdValue": 100
  },
  "ActionType": "APPLY_IAM_POLICY",
  "BudgetName": "Monthly-EC2-Budget",
  "Definition": {
    "IamActionDefinition": {
      "PolicyArn": "arn:aws:iam::aws:policy/AWSDenyAllEC2Actions",
      "Roles": ["EC2LaunchRole"],
      "Users": ["dev-user"]
    }
  },
  "ExecutionRoleArn": "arn:aws:iam::123456789012:role/BudgetActionRole",
  "ApprovalModel": "AUTOMATIC"
}
```
2.6 Cost Optimization Strategies
Strategy 1: Right-Sizing
```
Right-Sizing Analysis

Under-utilized Instance Detection

+------------------------+
| Instance: i-12345      |
| Type: m5.xlarge        |
| Cost: $140/month       |
|                        |
| CPU Utilization: 15%   |  <-- Under-utilized!
| Memory: 30%            |
| Network: 5%            |
+------------------------+

Recommendation:
+------------------------+
| Downsize to:           |
| m5.large               |
| Cost: $70/month        |
| Savings: $70/month     |
+------------------------+

Tools:
- AWS Cost Explorer (Right-sizing recommendations)
- AWS Compute Optimizer
- CloudWatch Metrics
```
Strategy 2: Reserved Instances & Savings Plans
```
Pricing Models Comparison

On-Demand Pricing (Baseline)
  m5.xlarge (Linux)
  $0.192/hour = $140.16/month = $1,681.92/year

Reserved Instance (1 Year, All Upfront)
  m5.xlarge (Linux)
  $1,008/year = $84/month = $0.115/hour
  Savings: 40%

Reserved Instance (3 Year, All Upfront)
  m5.xlarge (Linux)
  $2,016/3-years = $56/month = $0.077/hour
  Savings: 60%

Savings Plans (Compute)
  Commit $100/hour for 1 year
  Applies to: EC2, Fargate, Lambda
  Savings: Up to 72%
```
RI vs Savings Plans Decision Tree
```
Choose Your Savings Model

                 Start: Need Savings?
                           |
                           v
                +---------------------+
                |     Predictable     |
                |      Workload?      |
                +----------+----------+
                           |
              +------------+------------+
              |                         |
              v                         v
            (Yes)                      (No)
              |                         |
              v                         v
     +------------------+    +---------------------+
     | Single Service   |    | Use On-Demand       |
     | (EC2 only)?      |    | with Auto Scaling   |
     +--------+---------+    +---------------------+
              |
     +--------+---------+
     |                  |
     v                  v
   (Yes)               (No)
     |                  |
     v                  v
 +--------+      +-------------+
 |Reserved|      |  Savings    |
 |Instance|      |  Plans      |
 +--------+      +-------------+
     |                  |
     v                  v
+---------+      +-------------+
|Up to 72%|      | Up to 66%   |
|savings  |      | (flexible)  |
+---------+      +-------------+
```
Strategy 3: Spot Instances
```
Spot Instance Usage Patterns

Spot Instance Pool
  Region: us-east-1
  Instance Type: m5.xlarge

  On-Demand Price: $0.192/hour
  Spot Price: $0.038/hour (80% off!)

  Interruption Rate: <5% (varies)

Best Use Cases:
  - Batch processing jobs
  - CI/CD pipelines
  - Data analysis
  - Image/video processing
  - Distributed computing

NOT Recommended For:
  - Databases (critical)
  - Production web servers
  - Stateful applications
  - Long-running jobs without checkpointing
```
Spot Fleet Configuration
```json
{
  "SpotFleetRequestConfig": {
    "IamFleetRole": "arn:aws:iam::123456789012:role/spot-fleet-role",
    "AllocationStrategy": "diversified",
    "TargetCapacity": 10,
    "SpotPrice": "0.10",
    "LaunchSpecifications": [
      {
        "ImageId": "ami-12345678",
        "InstanceType": "m5.xlarge",
        "KeyName": "my-key-pair",
        "SubnetId": "subnet-12345678"
      },
      {
        "ImageId": "ami-12345678",
        "InstanceType": "m5.2xlarge",
        "KeyName": "my-key-pair",
        "SubnetId": "subnet-12345678"
      }
    ]
  }
}
```
2.7 Cost Allocation Tags
```
Cost Allocation Tags Strategy

Tag Structure:

Key: Environment
Values:
  - production
  - staging
  - development

Key: Project
Values:
  - project-alpha
  - project-beta
  - project-gamma

Key: CostCenter
Values:
  - cc-1001
  - cc-1002
  - cc-1003

Key: Owner
Values:
  - team-backend
  - team-frontend
  - team-devops

Cost Report by Tags:
| Environment | Project       | Cost   | % of Total |
|-------------|---------------|--------|------------|
| production  | project-alpha | $5,000 | 50%        |
| staging     | project-alpha | $1,000 | 10%        |
| development | project-beta  | $2,000 | 20%        |
| production  | project-beta  | $2,000 | 20%        |
```
Tagging Best Practices
```bash
# AWS CLI - Tag Resources
aws ec2 create-tags \
  --resources i-1234567890abcdef0 \
  --tags Key=Environment,Value=production Key=Project,Value=alpha Key=Owner,Value=team-backend

# AWS CLI - Activate Cost Allocation Tags
# (run in the management/payer account; this marks the tag key as active for billing reports)
aws ce update-cost-allocation-tags-status \
  --cost-allocation-tags-status TagKey=Environment,Status=Active

# List all tags for a resource
aws ec2 describe-tags \
  --filters "Name=resource-id,Values=i-1234567890abcdef0"
```
2.8 Billing Alarms & Alerts
```
CloudWatch Billing Alarm Setup

Step 1: Enable Billing Metrics
  Go to Billing Console -> Billing Preferences
  Enable: "Receive Billing Alerts"

Step 2: Create CloudWatch Alarm
  Namespace: AWS/Billing
  Metric: EstimatedCharges
  Currency: USD
  Statistic: Maximum
  Period: 6 hours

Step 3: Set Threshold
  Threshold: $100
  Comparison: GreaterThanThreshold
  Evaluation Periods: 1

Step 4: Configure Notification
  SNS Topic: billing-alerts
  Subscribers:
  - finance@company.com
  - devops@company.com
  - Slack webhook
```
CloudWatch Billing Alarm (Terraform)
```hcl
# AWS/Billing metrics are published only in us-east-1, so the provider used
# for these resources must target that region.

# SNS Topic for billing alerts
resource "aws_sns_topic" "billing_alerts" {
  name = "billing-alerts"
}

# Email subscriptions stay pending until the recipient confirms them
resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.billing_alerts.arn
  protocol  = "email"
  endpoint  = "devops@company.com"
}

# CloudWatch billing alarm
resource "aws_cloudwatch_metric_alarm" "billing" {
  alarm_name          = "billing-threshold-100"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "EstimatedCharges"
  namespace           = "AWS/Billing"
  period              = 21600 # 6 hours
  statistic           = "Maximum"
  threshold           = 100
  alarm_description   = "Billing exceeds $100"
  alarm_actions       = [aws_sns_topic.billing_alerts.arn]

  dimensions = {
    Currency = "USD"
  }
}
```
2.9 AWS Cost Anomaly Detection
```
Cost Anomaly Detection Flow

Normal Pattern:
  [Chart: daily cost, Mon to Fri]

Anomaly Detected:
  [Chart: daily cost, Mon to Sat, with a spike marked "ANOMALY!"]

Alert Flow:
  1. Anomaly detected by ML model
  2. Alert sent to SNS topic
  3. Notification to email/Slack
  4. Investigation triggered
  5. Root cause identified
  6. Remediation applied
```
2.10 Practical Commands
AWS CLI - Billing & Cost Management
```bash
# Get current month's cost
# (the End date is exclusive, so use the first day of the following month)
aws ce get-cost-and-usage \
  --time-period Start=2026-02-01,End=2026-03-01 \
  --granularity MONTHLY \
  --metrics BlendedCost

# Get cost by service
aws ce get-cost-and-usage \
  --time-period Start=2026-02-01,End=2026-03-01 \
  --granularity MONTHLY \
  --metrics BlendedCost \
  --group-by Type=DIMENSION,Key=SERVICE

# Get cost forecast
aws ce get-cost-forecast \
  --time-period Start=2026-03-01,End=2026-04-01 \
  --metric BLENDED_COST \
  --granularity MONTHLY

# List budgets
aws budgets describe-budgets --account-id 123456789012

# List cost allocation tags
aws ce list-cost-allocation-tags

# Get reservation coverage
aws ce get-reservation-coverage \
  --time-period Start=2026-02-01,End=2026-03-01 \
  --granularity MONTHLY
```
Python/boto3 Example
```python
import boto3
from datetime import datetime, timedelta

# Initialize Cost Explorer client
ce = boto3.client('ce')

# Get cost for last 30 days (the End date is exclusive)
end_date = datetime.now().strftime('%Y-%m-%d')
start_date = (datetime.now() - timedelta(days=30)).strftime('%Y-%m-%d')

params = {
    'TimePeriod': {'Start': start_date, 'End': end_date},
    'Granularity': 'DAILY',
    'Metrics': ['BlendedCost'],
    'GroupBy': [{'Type': 'DIMENSION', 'Key': 'SERVICE'}],
}

# Follow NextPageToken so grouped daily results are not silently truncated
results = []
while True:
    response = ce.get_cost_and_usage(**params)
    results.extend(response['ResultsByTime'])
    token = response.get('NextPageToken')
    if not token:
        break
    params['NextPageToken'] = token

# Print costs by service
for result in results:
    print(f"\nDate: {result['TimePeriod']['Start']}")
    for group in result['Groups']:
        service = group['Keys'][0]
        cost = group['Metrics']['BlendedCost']['Amount']
        print(f"  {service}: ${float(cost):.2f}")
```
2.11 Best Practices Summary
```
Cost Management Best Practices

1. Use AWS Organizations for consolidated billing
   Management Account -> Member Accounts
   (Volume discounts, single bill)

2. Implement tagging strategy from day one
   Required tags: Environment, Project, Owner
   Enable cost allocation tags

3. Set up budgets and alerts
   Monthly budget per environment
   Alert at 70%, 90%, 100%

4. Regular cost reviews
   Weekly: Review anomalies
   Monthly: Review top costs
   Quarterly: Review commitments

5. Use Savings Plans/Reserved Instances
   For stable workloads: RI (up to 72% off)
   For flexible workloads: Savings Plans
```
2.12 Exam Tips
- Consolidated Billing: Combines usage across accounts for volume discounts
- SCPs: Use to set permission boundaries, not grant permissions
- Reserved Instances: Best for steady-state workloads with 1-3 year commitment
- Savings Plans: More flexible than RIs, apply across EC2, Lambda, Fargate
- Spot Instances: Up to 90% discount, but can be interrupted
- Cost Allocation Tags: Must be activated to appear in billing reports
- Budget Actions: Can automatically restrict resources when budget exceeded
Next Chapter
Chapter 3: AWS Identity and Access Management (IAM)
Last Updated: February 2026