Reading an AWS bill: the 8 line items most teams miss
EBS snapshots, NAT data processing, S3 LIST, CloudWatch ingest, KMS, AZ-to-AZ traffic, Public IPv4, AWS Config — the line items that quietly add 20-40% to every AWS invoice.
Every AWS bill has a top-level breakdown by service. EC2 is at the top, and the conversation usually starts and ends there. But if you actually open the Cost & Usage Report and group by usage type, you find a long tail of line items that account for 20-40% of the bill — and most teams have never seen them.
Here are the eight I check first on any AWS account I haven't audited before. Numbers are 2026 list prices for us-east-1.
1. EBS Snapshots ($0.05/GB-month)
EBS snapshot pricing is incremental — only the changed blocks are stored — but the headline pricing page makes this look cheaper than it is. Most teams enable AWS Backup or DLM, set "retain for 30 days", and forget about it. A fleet of 50 production volumes at 200 GB each, with daily snapshots and 30-day retention, can easily accumulate 1-2 TB of snapshot data. That's $50-100/month of pure storage with zero query value.
Worse: snapshot storage is billed in the source region, but cross-region snapshots double the cost and add transfer charges. Audit the EBS:SnapshotUsage line monthly.
2. NAT Gateway data processing ($0.045/GB)
The hourly NAT charge ($0.045/hour, $33/month per AZ) is the visible cost. The data processing charge is the silent one. Every byte that egresses through NAT — including OS package downloads, ECR image pulls, S3 traffic that wasn't routed through a Gateway endpoint — costs $0.045/GB on top of the egress.
I have seen single workloads quietly add $2,000/month here because a containerised app was pulling 100 GB images to fresh nodes during autoscale. The fix is usually free: add a VPC Gateway endpoint for S3 and DynamoDB, and Interface endpoints for SSM, ECR, and Secrets Manager. Then watch the line go to zero.
3. S3 LIST and PUT requests
S3 storage at $0.023/GB-month is fine. S3 LIST at $0.005 per 1,000 requests is fine. But applications that scan buckets — Athena, Glue, custom analytics, half of all CI/CD pipelines — generate millions of LIST calls per day.
One Datadog customer of mine was at $2,000/month in S3 LIST alone, all from a custom log-shipping daemon that re-enumerated the bucket every 30 seconds to find new files. S3 Event Notifications + SQS would have cost $5/month.
4. CloudWatch Logs ingestion ($0.50/GB)
CloudWatch Logs ingest at $0.50/GB is the highest-margin line item on any AWS bill. A Kubernetes cluster of 50 nodes, with default log levels and no filtering, can easily ingest 100-200 GB/day. That's $1,500-3,000/month before you've queried a single log line.
Storage is separate at $0.03/GB-month. Query is separate again ($0.005/GB scanned via Insights). And data egress for log replication to a SIEM is yet another line. The fix: ship logs directly to S3 via Kinesis Firehose ($0.029/GB), then use Athena to query.
5. KMS API requests ($0.03 per 10,000 requests)
Customer Managed KMS keys cost $1/month each. Cheap. But every EBS volume mount, every S3 object decryption, and every Secrets Manager fetch is a KMS API call. At $0.03 per 10,000 requests it sounds trivial. A 500-pod Kubernetes cluster fetching secrets every 30 seconds from Secrets Manager makes about 1.4 million calls/day, or $130/month. Fix: cache secrets at the pod level with a sidecar.
6. AZ-to-AZ traffic ($0.01/GB each way)
Inter-AZ traffic is $0.01/GB each direction. A chatty Kubernetes service mesh with pods spread across 3 AZs can rack up $500-1,500/month here. The visibility is poor — it shows up under DataTransfer-Regional-Bytes, not under EC2 or EKS.
The fix is topology-aware routing: keep traffic in-AZ where possible. Istio, Linkerd, and native Kubernetes topology.kubernetes.io/zone awareness all handle this. Or use a lighter cloud like Hetzner where there is no inter-AZ billing.
7. Public IPv4 addresses ($0.005/hour, ~$3.65/month each)
AWS introduced this charge in February 2024. Every public IPv4 address — attached or unattached, EIP or auto-assigned — costs $0.005/hour. For a fleet of 100 internet-facing EC2 instances, that's $365/month of IP address cost that didn't exist two years ago. Audit unused Elastic IPs and switch to IPv6 + dual-stack where the application supports it.
8. AWS Config recorders
AWS Config charges $0.003 per configuration item recorded. Sounds fine until you realise every change to every resource — every Auto Scaling Group resize, every EBS volume attachment — counts. In an active account this is easily $200-500/month, and most teams enabled it once for compliance and never tuned it.
Quick audit checklist
Open Cost Explorer, group by Usage Type, filter to the last 30 days, and scroll. The top 20 usage types are almost never just EC2 and S3. If you want a sanity check on whether your bill is "reasonable" for the compute footprint you have, build a baseline with the cloudprice catalogue and the TCO calculator. Then anything on the bill above 1.3x the catalogue total is the long tail above.
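The same group-by-usage-type pass can be run offline over a Cost & Usage Report CSV export. The script below is an added example, not part of the original article: it sums the eight line items above and reports their share of the bill. The sample rows are constructed, and every usage-type pattern other than EBS:SnapshotUsage and DataTransfer-Regional-Bytes is an assumption about naming that should be checked against your own report.

```python
import csv
import io
from collections import defaultdict

# (category, product code or None, substring of lineItem/UsageType). Patterns other
# than EBS:SnapshotUsage and DataTransfer-Regional-Bytes are assumptions to verify.
LONG_TAIL = [
    ("EBS snapshots", None, "EBS:SnapshotUsage"),
    ("NAT data processing", None, "NatGateway-Bytes"),
    ("S3 LIST/PUT requests", "AmazonS3", "Requests-Tier1"),
    ("CloudWatch Logs ingest", "AmazonCloudWatch", "DataProcessing-Bytes"),
    ("KMS requests", None, "KMS-Requests"),
    ("AZ-to-AZ traffic", None, "DataTransfer-Regional-Bytes"),
    ("Public IPv4", None, "PublicIPv4"),
    ("AWS Config", None, "ConfigurationItemRecorded"),
]

# Constructed sample rows (not real billing data) using CUR column names.
SAMPLE_CUR = """\
lineItem/ProductCode,lineItem/UsageType,lineItem/UnblendedCost
AmazonEC2,BoxUsage:m5.xlarge,4910.00
AmazonEC2,EBS:SnapshotUsage,90.00
AmazonEC2,NatGateway-Bytes,540.00
AmazonS3,Requests-Tier1,120.00
AmazonCloudWatch,DataProcessing-Bytes,900.00
awskms,us-east-1-KMS-Requests,130.00
AmazonEC2,DataTransfer-Regional-Bytes,260.00
AmazonVPC,PublicIPv4:InUseAddress,365.00
AWSConfig,ConfigurationItemRecorded,185.00
AWSELB,DataProcessing-Bytes,100.00
"""

def long_tail_report(cur_csv):
    by_category, total = defaultdict(float), 0.0
    for row in csv.DictReader(io.StringIO(cur_csv)):
        cost = float(row["lineItem/UnblendedCost"])
        total += cost
        usage, code = row["lineItem/UsageType"], row["lineItem/ProductCode"]
        for name, product, pattern in LONG_TAIL:
            if pattern in usage and product in (None, code):
                by_category[name] += cost
                break  # count each row in at most one category
    tail = sum(by_category.values())
    ranked = sorted(by_category.items(), key=lambda kv: -kv[1])
    share = tail / total if total else 0.0
    return {"total": total, "tail": tail, "share": share, "ranked": ranked}

if __name__ == "__main__":
    print(long_tail_report(SAMPLE_CUR))
```

The product-code filter keeps the load balancer's DataProcessing-Bytes row out of the CloudWatch Logs total, which a match on usage type alone would miscount.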
Further reading: AWS Cost and Usage Reports docs and the FinOps Framework on showback and chargeback.