AWS Cloud Financial Management

Identifying security risks using AWS Cost and Usage Report data

Your AWS bill reveals more than spend patterns; it can identify security issues. The AWS Cost and Usage Report (CUR) contains detailed usage data across your AWS Organization, enabling you to find cost optimization opportunities, allocate costs, and uncover potential security risks. In this post you’ll learn how you can use the AWS CUR to identify potential security issues in your environment. We share examples of potential risks, and the markers in the CUR data that can be used to identify if they are present in your accounts.

To follow this blog post, you’ll need to have access to the primary billing account (or a delegated administrator account) in your AWS Organization, have Cost and Usage Report 2.0 with Data Exports configured, and have access to Amazon Athena too query your data.

For each security risk, we provide details on why it’s an issue, how to detect it, and a SQL query you can run against your CUR data in Athena in the console to identify potential problems in your AWS environment. We have used placeholder for your CUR table name and date filter using ${table} and ${date-filter}, see how to find these with the CUR Query Library. Also speak to your security teams with any questions or findings to consider your company’s architecture.

Risk 1: Unencrypted Amazon CloudFront traffic

What is the issue? Amazon CloudFront supports both encrypted (HTTPS) and unencrypted (HTTP) web traffic. When configured to support HTTP, data travels unprotected between users and your CloudFront distribution. Anyone intercepting this traffic can read or modify the data.

Many compliance frameworks (PCI DSS, HIPAA, GDPR) require encryption for data in transit. Unencrypted traffic can lead to compliance violations, data breaches, and loss of customer trust.

Detection Method: The CUR captures CloudFront usage patterns through specific usage type codes that distinguish between HTTP and HTTPS traffic. HTTP usage traffic generates charges like region-Out-Bytes-HTTP-Static, or region-Out-Bytes-HTTP-Dynamic, while secure traffic shows region-Out-Bytes-HTTPS-Static and region-Out-Bytes-HTTPS-Dynamic. These HTTP charges could indicate potential policy violations requiring investigation.

The query below can be used to identify unencrypted traffic on your CloudFront distribution:

SELECT
    line_item_resource_id,
    line_item_usage_type,
    product['region']                    AS region,
    billing_period,
    SUM(line_item_usage_amount)          AS total_usage_amount,
    SUM(line_item_unblended_cost)        AS total_cost
FROM ${table}
WHERE product['product_name'] = 'Amazon CloudFront'
  AND (
        line_item_usage_type LIKE '%HTTP-Static%'
     OR line_item_usage_type LIKE '%HTTP-Dynamic%'
     OR line_item_usage_type LIKE '%HTTP-Proxy%'
      )
  AND line_item_usage_type    NOT LIKE '%HTTPS%'
  AND line_item_unblended_cost > 0
  AND billing_period           = ${date-filter}
GROUP BY
    1, 2, 3, 4
ORDER BY
    total_cost DESC;

Results from this query indicate CloudFront distributions actively serving unencrypted traffic. Use the line_item_resource_id to locate the distribution in the CloudFront console and update the Viewer Protocol Policy to ‘Redirect HTTP to HTTPS’ or ‘HTTPS Only’.

Risk 2: Unauthorized Region Usage

What is the issue? Organizations typically operate AWS resources in specific approved regions based on data residency requirements, compliance regulations, or business policies. When resources appear in unauthorized regions, it may indicate compromised credentials or employees circumventing established policies and should be investigated.

Detection Method: The CUR captures regional information through the product[‘region’] field for each line item and identifies data transfer codes following the pattern source-destination-usage (for example USE1-TimedStorage-ByteHrs). By filtering for regions outside your approved list, you can identify unexpected resource usage. Note that some AWS services like AWS CloudTrail operate globally or across multiple regions by design and should be excluded from this analysis.

The query below identifies charges in regions outside your approved list. Before running the query, update the NOT IN clause to include all your organization’s approved regions (e.g., ‘us-east-1’, ‘us-west-2’, ‘eu-west-1’, ‘global’).

SELECT
    CASE
        WHEN (bill_billing_entity = 'AWS Marketplace'
              AND line_item_line_item_type NOT LIKE '%Discount%')
            THEN product['product_name']
        WHEN (product['product_name'] = '')
            THEN line_item_product_code
        ELSE product['product_name']
    END AS product_name,
    CASE product['region']
        WHEN NULL     THEN 'Global'
        WHEN ''       THEN 'Global'
        WHEN 'global' THEN 'Global'
        ELSE product['region']
    END AS product_region,
    line_item_availability_zone,
    SUM(line_item_unblended_cost) AS sum_line_item_unblended_cost
FROM ${table}
WHERE billing_period = ${date-filter}
  AND line_item_line_item_type IN ('DiscountedUsage', 'Usage', 'SavingsPlanCoveredUsage')
  AND product['region'] NOT IN ('us-east-1', 'global')  -- update with approved region list
GROUP BY
    1,
    line_item_product_code,
    line_item_availability_zone,
    product['region']
HAVING
    SUM(line_item_unblended_cost) > 0
ORDER BY
    product_region,
    sum_line_item_unblended_cost DESC;

Results from this query show resources operating in unauthorized regions. Review the product_name and product_region columns to identify which services are running where. Investigate high-cost items first, as they may indicate crypto mining or other malicious activity. Cross-reference findings with CloudTrail logs to identify who created these resources and whether the activity was authorized.

Risk 3: Unprotected DDoS Attack Surface on Amazon CloudFront and Route 53

What is the issue? Amazon CloudFront and Amazon Route 53 are often the front door to your workloads, handling DNS resolution and content delivery at scale. That visibility makes them targets for volumetric DDoS attacks. Without proactive DDoS protections such as AWS Shield Advanced, organizations lack dedicated DDoS protection layers, real-time attack notifications, and access to the AWS DDoS Response Team (DRT). This gap can result in service outages, degraded performance during attacks, and potential financial losses from downtime.

Detection Method: The CUR reveals this security gap through absence rather than presence. By calculating CloudFront and Route 53 spend and checking whether any Shield Advanced charges exist in the same billing period, you can identify exposed infrastructure. If CloudFront or Route 53 costs appear without corresponding Shield Advanced spend, these distributions lack dedicated DDoS protection.

The query below flags CloudFront/Route 53 spend without corresponding Shield Advanced coverage:

WITH cloudfront_route53_spend AS (
    SELECT
        billing_period,
        SUM(line_item_unblended_cost) AS exposed_spend
    FROM ${table}
    WHERE product['product_name'] IN ('Amazon CloudFront', 'Amazon Route 53')
      AND line_item_unblended_cost > 0
      AND billing_period = ${date-filter}
    GROUP BY 1
),
shield_spend AS (
    SELECT
        billing_period,
        SUM(line_item_unblended_cost) AS shield_cost
    FROM ${table}
    WHERE product['product_name']   = 'AWS Shield'
      AND line_item_unblended_cost > 0
      AND billing_period            = ${date-filter}
    GROUP BY 1
)
SELECT
    c.billing_period,
    c.exposed_spend                  AS cloudfront_route53_spend,
    COALESCE(s.shield_cost, 0)       AS shield_advanced_spend,
    CASE
        WHEN COALESCE(s.shield_cost, 0) = 0
            THEN 'No Shield Advanced - DDoS Protection Gap'
        ELSE 'Shield Advanced Active'
    END AS ddos_risk_status
FROM cloudfront_route53_spend c
LEFT JOIN shield_spend        s
       ON c.billing_period = s.billing_period
ORDER BY c.exposed_spend DESC;

Results showing “No Shield Advanced – DDoS Protection Gap” indicate CloudFront or Route 53 distributions operating without DDoS protection. Review the exposed_spend to identify unprotected infrastructure and resources across your AWS environment. Evaluate the cost-benefit based on your risk tolerance and the potential impact of DDoS attacks on your operations. Consider enabling AWS Shield Advanced for critical distributions, especially those handling sensitive data or business-critical applications.

Risk 4: Outdated software with Extended Support

What is the issue? Extended support charges indicate systems running outdated software versions with known security weaknesses. When organizations continue operating legacy software versions beyond their standard support lifecycle, not only are they paying premium fees (100-600% cost increases), but these outdated versions may also contain unpatched vulnerabilities that attackers can exploit. Year 3+ extended support highlights critical exposure that may require immediate remediation, depending on the criticality of the resource under extended support. The financial impact of extended support should also serve as a clear signal to prioritize upgrades.

Detection Method: The CUR captures extended support charges through the line_item_usage_type field containing “ExtendedSupport” patterns. These charges appear as distinct line items in your billing data, making them easy to identify. By filtering for Usage line items with ExtendedSupport in the usage type, you can pinpoint exactly which workloads or resources are running vulnerable, outdated versions. The cost magnitude also indicates severity—higher extended support costs typically correlate with older versions requiring more urgent attention. The query below identifies systems incurring extended support charges:

SELECT
    line_item_line_item_type,
    line_item_resource_id,
    line_item_usage_account_id,
    product['product_code']          AS product_code,
    line_item_operation,
    line_item_line_item_description,
    line_item_usage_type,
    billing_period,
    SUM(line_item_usage_amount)      AS sum_line_item_usage_amount,
    SUM(line_item_unblended_cost)    AS sum_line_item_unblended_cost
FROM ${table}
WHERE billing_period           = ${date-filter}
  AND line_item_line_item_type = 'Usage'
  AND line_item_usage_type LIKE '%ExtendedSupport%'
GROUP BY
    1, 2, 3, 4, 5, 6, 7, 8
ORDER BY
    sum_line_item_unblended_cost DESC
LIMIT 100;

Results showing extended support charges indicate outdated, vulnerable software requiring immediate attention. Review the line_item_line_item_description to identify specific resources or workloads. Prioritize upgrades based on cost impact and support tier – for example, longer term (3yr +) extended support may represent critical exposure, and can help drive migration plans.

Risk 5: Abnormal Data Transfer Costs

What is the issue? Spikes in data transfer charges can indicate security problems. When attackers compromise your AWS environment, they often attempt to steal (exfiltrate) large amounts of data or use your resources to communicate with external command-and-control servers. These activities generate unusual data transfer patterns that appear as cost anomalies in your billing data.

Detection Method: The CUR captures detailed data transfer information through the lineItem/UsageType field, which identifies different types of data movement including outbound internet traffic (DataTransfer-Out-Bytes), inter-region transfers (AWS-Out-Bytes), and cross-availability zone traffic (DataTransfer-Regional-Bytes). By analyzing these patterns over time and comparing them to your baseline usage, you can identify suspicious spikes that warrant investigation.

The query below identifies data transfer costs and patterns that may indicate security issues:

SELECT
    line_item_usage_account_id,
    line_item_resource_id,
    product['region'] as region,
    line_item_usage_type,
    product_product_family,
    line_item_operation,
    product_from_location,
    product_to_location,
    pricing_unit,
    DATE_FORMAT(line_item_usage_start_date, '%Y-%m-%d') AS usage_date,
    ROUND(SUM(line_item_usage_amount), 2)              AS total_gb,
    ROUND(SUM(line_item_unblended_cost), 2)            AS total_cost
FROM ${table}
WHERE product_product_family   = 'Data Transfer'
  AND line_item_line_item_type = 'Usage'
  AND (
        line_item_usage_type LIKE '%DataTransfer-Out-Bytes%'
     OR line_item_usage_type LIKE '%DataTransfer-Regional-Bytes%'
     OR line_item_usage_type LIKE '%AWS-Out-Bytes%'
      )
  AND billing_period = ${date-filter}
GROUP BY
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10
ORDER BY
    total_cost DESC,
    total_gb   DESC;

These results showing significant cost increases or unusual transfer patterns should be investigated. It is not as simple as some of the others to see potential risk so make sure to work with your dev teams on this data. Key fields to review include:

  • line_item_resource_id: Identifies the specific AWS resource (EC2 instance, S3 bucket, etc.) generating the data transfer
  • total_gb: Volume of data transferred—sudden increases warrant investigation
  • total_cost: Financial impact of the transfer activity
  • product_from_location and product_to_location: Source and destination regions

Cross-reference the line_item_resource_id with your known resources to identify any unauthorized or compromised instances. For deeper investigation, correlate these findings with VPC Flow Logs and CloudTrail to identify the specific network connections and API activities associated with the data transfer spike.

Additional proactive security measures

So far, we’ve covered some example queries that can be used to analyze your CUR, however there are also some proactive measures using AWS Services that you can use to detect security issues:

  • AWS Budgets identify sudden spend spikes indicating unauthorized resource provisioning. Set separate budgets for compute-intensive services commonly targeted for malicious activities.
  • AWS Cost Anomaly Detection uses machine learning to identify unusual spend patterns automatically, running three times daily with 24-hour detection windows.
  • Amazon GuardDuty correlates behavioral analysis with cost patterns, specifically detecting cryptocurrency mining and other types of analysis through suspicious system calls combined with compute cost spikes.
  • AWS Security Hub centralizes cost-based findings with traditional security alerts, reducing investigation time through unified visibility. Correlate budget alerts with GuardDuty findings and Amazon Inspector vulnerability assessments for comprehensive threat detection.

Take Action Today

Start with these steps:

  1. Enable AWS Cost and Usage Reports (CUR) with hourly granularity and resource-level data
  2. Configure Amazon Athena to query CUR data using the SQL queries provided
  3. Set up Budgets and Anomaly Detection with aggressive thresholds
  4. Run queries to find the risks mentioned in this post
  5. Integrate findings with AWS Security Hub for centralized security management

Cost-based security monitoring complements traditional tools by detecting threats through financial footprints. The convergence of economic incentives and security requirements creates natural pressure for better architecture. When security issues generate visible costs, organizations are motivated to fix them while gaining measurable security indicators.
Security and FinOps leaders should collaborate to establish cost-based monitoring as standard practice. The queries in this post offer immediate implementation opportunities, while integration with AWS security services ensures compatibility with established operations. Transform your AWS billing data from a financial reporting tool into a security intelligence platform. The time to act is now.

TAGS:
Steph Gooch

Steph Gooch

Steph is a Sr. Optimization Solutions Architect Advocate. She is a subject matter expert in guiding customers through ways to optimize their current and future AWS spend. she enables customers to organize and interpret billing and usage data, identify actionable insights from that data, and develop sustainable strategies to embed cost into their culture. In her previous career, she managed the FinOps team for one of the Big four.

Mark Keating

Mark Keating

Mark is a Principal Security Solutions Architect based out of the U.K. who works with Global Healthcare & Life Sciences and Automotive customers to solve their security and compliance challenges and help them reduce risk. He has over 20 years of experience working with technology, within in operations, solution, and enterprise architecture roles.