AWS Cloud Financial Management

Introducing Budget Controls for AWS: Automatically Manage Your Cloud Costs

Cost optimization of cloud resources isn’t just a best practice, it is also one of the pillars of the AWS Well-Architected framework. If you are new to AWS, you may be wondering how you can learn and experiment with cloud services while keeping your spend under your control.

Budget Controls for AWS is an open-source solution designed to solve this problem. This solution was designed for customers new to AWS with no prior experience. It automatically watches your spending and takes actions you define when costs reach certain thresholds. Think of it as a safety net that can send you alerts, temporarily stop resources, or even delete them to prevent runaway costs.

The solution uses a custom tag named BudgetControlAction which is automatically applied to supported resources. The allowed case-sensitive values for this tag are Inform, Stop, and Terminate.

  1. The default value is Inform. When the budget is consumed and the actions are triggered, with this value set, the account owner is simply reminded that this resource is in use, and no further action is taken.
  2. The next allowed value is Stop. If the account owner sets this value, the resource is stopped when the actions are triggered. The resource will no longer generate charges, and can be restarted whenever the account owner wishes. Note that any service dependencies, such as storage attached to compute instances, will continue to generate charges.
  3. The last allowed value is Terminate, which is destructive. When the actions are triggered, resources with this tag value will be permanently deleted. This value should be used for test or development resources that can be easily recreated later. As a reminder, this action is permanent, and not reversible.

This solution is particularly valuable for teams starting their AWS journey, students, developers, and anyone who wants to explore AWS services confidently without fear of surprise bills. The tool ensures your cloud expenses stay aligned with your budget by automatically responding when spending reaches 80% (email alert) and 90% (automated actions) of your defined limit. Some resources, like storage, networking, and other resources not supported by Budget Controls for AWS, may continue to accrue charges. Acting at 90% rather than 100% leaves a cushion in your actual budget for these charges.

The Budget Controls for AWS solution can be found on GitHub at https://github.com/awslabs/budget-controls-for-aws.

The Budget Controls for AWS solution was originally released in September 2024 and only supported Amazon Elastic Compute Cloud (EC2) resources. With this update, Budget Controls for AWS adds support for Amazon Relational Database Service (RDS) Aurora databases, Amazon SageMaker notebook instances and domains, and Amazon OpenSearch Service clusters.

Reviewing the Budget Controls for AWS architecture

There are two key services at the heart of the Budget Controls for AWS solution:

  • AWS Budgets: A budget is created to track overall costs. When spending reaches 80% of the customer-defined budget, AWS Budgets sends out an email alert to the user. When spending reaches 90%, a workflow is triggered to take actions specified by the account owner, as detailed below.
  • AWS Config: This service monitors the configuration of your resources and detects whether the required tags are used correctly.

There are several other AWS services deployed as part of the solution, as shown in the full architecture diagram below.

Figure 1. Architecture diagram for the Budget Controls for AWS solution

Refer to the numbered call-outs in the diagram:

  1. AWS Config watches for configuration changes in resources. A custom AWS Lambda rule evaluates configuration changes for supported resources. If a supported resource does not have the required BudgetControlAction tag, or if that tag does not have a valid value, the resource is flagged NON_COMPLIANT.
  2. Resources that are evaluated as COMPLIANT are recorded in an Amazon DynamoDB table.
  3. An Amazon EventBridge rule listens for AWS Config evaluations that are NON_COMPLIANT. If one is found for a supported resource, it triggers the Lambda Remediation Function.
  4. The Lambda Remediation Function adds a tag to the resource with a key name of BudgetControlAction and sets the value to Inform, which is the default.
  5. The function records the resources in a DynamoDB table. Then, the function sends a message to the Amazon Simple Notification Service (SNS) Alert topic, which sends an e-mail to the address specified during deployment. This topic is encrypted with a customer-managed AWS Key Management Service (KMS) key.
  6. At deployment, a monthly total cost Budget is created, set to a value specified by the customer. When the Budget is 80% consumed, it sends a notification to the SNS Alert Topic. This topic is also encrypted with the KMS key.
  7. When the budget is 90% consumed, a message is sent to the SNS Action Topic.
  8. A Lambda function subscribed to the SNS Action Topic executes an AWS Step Function.
  9. Upon execution, the Step Function reads a DynamoDB table for all of the resources with a BudgetControlAction tag properly set. It then performs the action that is specified by the customer in the BudgetControlAction tag.
  10. The Step Function will Inform about, Stop, or Terminate the resource, as specified by the tag. It also updates a temporary DynamoDB table with the action taken.
  11. The Action Step Function retrieves the ARN for the SNS Alert Topic from an AWS Systems Manager (SSM) Parameter.
  12. The Action Step Function updates the DynamoDB tables. It reads the temporary DynamoDB table and creates a report.
  13. When the Step Function completes successfully, an EventBridge rule triggers a reporting Lambda function. It reads from the DynamoDB table and publishes a report to the SNS Alert Topic, which is then e-mailed.

Deploying the solution

Before the solution can be deployed into an account, AWS Config must be enabled. The easiest way to get started using AWS Config is to use the “1-click setup” method in the console. This action only needs to be done once in an account, and no additional configuration is necessary.

Deploying the solution into your AWS account takes only a few minutes. You must have administrator permissions in your AWS account to deploy the solution. Click the “Launch Stack” button below to install the solution in the us-east-1 region.

Alternatively, you can download the GitHub repository to your local computer. The file named budgetcontrol_resources.yaml is an AWS CloudFormation template that you will use to deploy the solution.

Open the CloudFormation console in your AWS account. The Budget Controls for AWS solution runs in a single region. Validate that you are in the desired region before continuing. Then click Create stack, and With new resources (standard). Leave the first option as Choose an existing template, but change the second option to Upload a template file. Click the Choose file button and direct it to the CloudFormation template file in the repository.

Figure 2: Creating a stack from the template

Click Next, and you will be taken to the Specify stack details page. You will need to provide only three pieces of information. First, give the stack a name, such as BudgetControl. Second, type in a budget amount in US dollars, without the dollar sign (for example, 500.00). Finally, enter the e-mail address where you would like to receive notifications. Then, click Next.

Figure 3. Supply the required parameters for the stack

You do not need to change anything on the next screen, but you will need to acknowledge that CloudFormation will be creating AWS Identity and Access Management (IAM) roles. These roles define what permissions the solution has in your AWS account. Once you have checked the box, click Next. Make one final review of all of the information, and then click Next to create the stack.

You will receive an email asking you to confirm your subscription to an Amazon Simple Notification Service (SNS) topic. If you click the link inside the e-mail to validate your email address, you will begin receiving notifications from the Budget Controls for AWS solution.

Managing the tag values

When AWS Config detects a supported resource does not have the required BudgetControlAction tag, or when the value for that tag isn’t valid, it begins a remediation process. The tag will be added to the resource, if needed. Then, the default value of Inform will be set. It will then send the user an email reporting this activity.

If the tag values are left as the default value of Inform, the account owner will simply be informed of the resources when the budget is spent. To really take advantage of the solution, the account owner should leverage the Stop and Terminate values to control costs.

There are two ways to modify the value of the tag. The first is to go to the console for that particular service. For example, to modify the tag on an EC2 instance, you would go to the EC2 console. Next, select Instances in the left-hand menu. Check the box next to your instance, and the details for that instance will display in the lower window. Select Tags in the list of tabs for the lower window. Finally, select Manage tags to edit the tags and values.

Figure 4. Managing tags in the EC2 console

You will see a list of tags attached to your EC2 instance. To change the behavior when your budget is spent, find the tag named BudgetControlAction and change the value. For example, if you want the instance to stop, add the value Stop in the field. Then, click “Save” to apply the change. Within a few minutes after the change is validated, you will receive an e-mail stating the new value.

Figure 5. Entering a new value for the tag

Using individual service consoles is an easy way to manage tags when you only have a few resources. But when you have many resources, or when you want to manage them all from a single interface, it is better to use the AWS Resource Groups Tag Editor. Navigate to the AWS Resource Groups console, then select Tag Editor in the left-hand menu. Verify you are in the correct Region. Under Resource types, select All supported resource types from the drop-down menu. Alternatively, you can select specific resource types if you know exactly what you want to edit. Type in BudgetControlAction as the name of the tag. It will also appear in a pop-up list as you are typing. Then, click on the Search resources button.

Figure 6. Finding resources with the required tag in Tag Editor

Scroll down to see the results. It will display the current tag values under the Tag: BudgetControlAction column. Click the checkbox next to the resources you wish to manage, and then click the Manage tags of selected resources button.

Figure 7. Selecting resources to edit the tag values

To change the behavior, edit the value next to the BudgetControlAction tag. For example, if you want the resource to stop, type Stop into the field. Then click Review and apply tag changes to apply the new value.

Figure 8. Updating the tag values using Tag Editor

Actions taken once budget is spent

When your budget is 80% consumed, an email will be sent. No further actions will be taken.

When your budget is 90% consumed, AWS Budgets will send a message to an SNS topic, which causes the workflow to execute. The first step in the workflow is for AWS Config to re-evaluate all supported resources to ensure the most current tag values are considered.

The workflow will then process every resource listed in the DynamoDB table, taking the action that is specified by the value in the BudgetControlAction tag. The results of the workflow are stored in another DynamoDB table, which becomes a permanent record of all actions taken on your resources over time. Additionally, a summary email is sent listing all of the actions taken on the supported resources.

Please note that OpenSearch clusters cannot be stopped; they can only be deleted. Therefore, Terminate is the only tag value that will result in a destructive action for OpenSearch clusters. Values of Inform and Stop will simply report that the resource is in use.
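
The tag rules described in this post (case-sensitive values, remediation to the Inform default, and the OpenSearch exception) can be modeled as follows. This is an added example, not code from the Budget Controls for AWS repository; the resource type strings, function names, and sample inventory are assumptions constructed for illustration.

```python
"""Added illustration of the tag rules in this post; not the project's code."""

TAG_KEY = "BudgetControlAction"
VALID_VALUES = ("Inform", "Stop", "Terminate")  # case-sensitive, per the post
DEFAULT_VALUE = "Inform"
# Assumption: resource type string used here to identify OpenSearch clusters.
OPENSEARCH_TYPE = "AWS::OpenSearch::Domain"

def evaluate_compliance(tags):
    """COMPLIANT only if the tag exists with an exact, valid value."""
    return "COMPLIANT" if tags.get(TAG_KEY) in VALID_VALUES else "NON_COMPLIANT"

def remediate(tags):
    """Return a copy of tags; non-compliant tags get the Inform default."""
    fixed = dict(tags)
    if evaluate_compliance(tags) == "NON_COMPLIANT":
        fixed[TAG_KEY] = DEFAULT_VALUE
    return fixed

def effective_action(resource_type, tags):
    """Action taken when the budget workflow runs, after remediation."""
    value = remediate(tags)[TAG_KEY]
    # OpenSearch clusters cannot be stopped, so Stop only reports the resource.
    if resource_type == OPENSEARCH_TYPE and value == "Stop":
        return "Inform"
    return value

def plan(inventory):
    """Map resource id -> (result before remediation, effective action)."""
    return {
        rid: (evaluate_compliance(tags), effective_action(rtype, tags))
        for rid, rtype, tags in inventory
    }

# Constructed sample inventory: ids, types and tags are made up.
SAMPLE = [
    ("i-dev", "AWS::EC2::Instance", {TAG_KEY: "Terminate"}),
    ("i-typo", "AWS::EC2::Instance", {TAG_KEY: "stop"}),
    ("i-untagged", "AWS::EC2::Instance", {"Name": "web"}),
    ("search-1", OPENSEARCH_TYPE, {TAG_KEY: "Stop"}),
    ("search-2", OPENSEARCH_TYPE, {TAG_KEY: "Terminate"}),
]

if __name__ == "__main__":
    for rid, (status, action) in plan(SAMPLE).items():
        print(f"{rid:12} {status:14} -> {action}")
```

In the sample, the lowercase value stop on i-typo is NON_COMPLIANT and is reset to Inform, so that instance keeps running when the budget is spent.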

By default the workflow is triggered at 90% of the budget. You may change this default behavior to trigger at 100% by manually editing the budget in the Billing and Cost Management console, under Budgets.

After the workflow has executed, the resources can be restarted or rebuilt as desired. Unless the budget is changed to a higher amount, it will only trigger the workflow at most once each month. When the budget is reset on the first day of the next month, it will not change the state of any resources.

Cost estimate for solution

There are fixed and variable costs for the solution. The one fixed cost is for the KMS encryption key, which is $1 per month.

The variable costs are based on how many supported resources are in the account, and how frequently their configuration changes. The service generating the most significant charges is AWS Config. Every time a supported resource’s configuration changes, AWS Config records this and charges $0.003. To estimate this cost, take your number of supported resources and multiply by the number of configuration changes you expect to make each month. If the BudgetControlAction tag has been changed, the AWS Config evaluation rule is executed for a charge of $0.001. To estimate this cost, take the number of supported resources and multiply by the number of times you expect to change the tag value.

The charges from the other services combined are less than one cent each month.

Limitations of solution

There are a few important limitations of Budget Controls for AWS to note:

Single Account: the solution only monitors a single AWS account. If you have a multi-account environment, you need to deploy a stack in each account.

Single Region: the solution only works within a single region of an account. If you use multiple regions, you will need to deploy the stack into each region where you have supported resources.

Limited Resource Types: At the time of publication, the solution only supports EC2, RDS Aurora, SageMaker instances and domains, and OpenSearch clusters.

Email-Based Notifications: All communication from the solution is handled via email, requiring confirmation of the SNS subscription.

Clean up

Navigate to the CloudFormation console. Ensure you are in the correct region, as the stack may not show up if you are not in the same region where the solution was launched. Select the stack you created and then select Delete. Confirm you want to delete the selected resource by selecting Delete again. This will permanently delete the stack and all stack resources. Note: This does not remove the BudgetControlAction tag on resources. Further, Aurora snapshots and CloudWatch logs will be left. These can be deleted manually at any time.

Conclusion

In this post, we explored how Budget Controls for AWS enables you to manage your cloud costs effectively by leveraging automated notifications and actions on your AWS resources. This solution now supports a wider range of resource types, including Amazon RDS Aurora databases, Amazon SageMaker notebook instances and domains, and Amazon OpenSearch Service clusters in addition to Amazon EC2. With the ability to set custom tags, you can dictate the actions taken when budget thresholds are reached: automatically informing you about, stopping, or terminating resources. We also showed you how to deploy the solution and manage tag values in Budget Controls for AWS.

We encourage you to visit the GitHub repository to explore the solution further and begin your journey towards automated cost control.

Venkata Kampana

Venkata is a senior solutions architect in the Amazon Web Services (AWS) Health and Human Services team and is based in California. In this role, he helps public sector customers achieve their mission objectives with well-architected solutions on AWS.

Christopher Truong

Chris is a solutions architect on the Amazon Web Services (AWS) Higher Education team, where he supports colleges and universities in designing and implementing cloud solutions. Outside of work, he enjoys playing sports and computer gaming.

Travis Berkley

Travis Berkley is a Senior Solutions Architect at Amazon Web Services (AWS), serving customers in higher education. He enjoys technology and triathlon in equal measure.