By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Disable AWS Cost Explorer permissions

0

I enabled Cost Explorer and my costs have gone way up. Billing shows that 152,000 requests were made in January, which translates to $1.52 but it's 75% of my total charges for that month.

Documentation says that "You can't disable Cost Explorer after you enable it.". I contacted AWS support and tried to follow their first suggestion of deleting all Cost Explorer reports, but the user interface does not allow deleting the core Cost Explorer reports.

After realizing that, their suggestion was to remove from all users the permission to use Cost Explorer API:

It can't be disabled but charges will stop if they stop using Cost Explorer API. Cost Explorer API is not something that can be disabled, in order to stop being charged, you just have to stop using Cost Explorer API to query cost data and block ALL IAM users from using it. Cost Explorer API is only charged if a user (Root/IAM/Role) uses Cost Explorer API to query cost data.

The issue is that I don't know how to do that. I believe it's some kind of "hidden"/internal service account that is doing all these requests automatically, as I didn't even open Cost Explorer Dashboard last month. If it's the root account, does IAM allow limiting its permissions? I looked at the Roles listed in IAM and none of them seem to have ce:* permissions. Has anyone tried to somehow disable Cost Explorer?

  • Jason_S
    2 years ago

    Can you please provide an update on whether the question has been resolved? thanks.

Topics
Cloud Financial ManagementSecurity, Identity, & Compliance
Tags
AWS Cost ExplorerAWS Cost and Usage ReportAWS Identity and Access Management
Language
English
Diogo Kollross
asked 2 years ago2700 views
3 Answers
3

First of all I have to point out your statement is very misleading. If you ONLY turned on cost explorer, AWS will NEVER charge you even 1c. It is completely free service by default, if you only used the UI. That said, $1.52 is not a jump that justifies "way up", while I totally understand it's 75% of your current AWS spending.

Secondly, if you see 152k requests but are charged only $1.52, it is unlikely to be API charges. Because the API charge is $0.01 per request. That said, if you are sure, it must be either you, someone in your team or a 3rd party application that you authorized, that are making the request. AWS internal services will not making request on your behalf. You can search in CloudTrail for the CostExplorer API call to identify caller.

Lastly, based on your pricing it made me suspect you enabled Hourly and Resource Level Data Option. Again, that option is NEVER enabled by default, you must specifically Op-in. It cost $0.01 per 1,000 UsageRecords-month. That matched the bill you received. To disable, you go to Cost Explorer Console, go to Preferences (try this link), and uncheck the "Hourly and Resource Level Data" checkbox, then click the "Save preferences" button.

Jason_S
answered 2 years ago
0

Hi! Good question. Keep in mind that for ce permissions, a policy attached that allows

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

such as the AWS Managed AdministratorAccess policy also may allow for roles and users to run CE reports.

You can also use the Policy Simulator to check for access to CE: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

There are 2 possible ways that CE charges:

  1. Cost Explorer API (0.01 per request)
  2. Cost Explorer Hourly and Resource level granularity ($0.01 per 1,000 UsageRecords month).

You can block access to CE by denying CE and applying that policy onto your users/roles such as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ce:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
jsonc
answered 2 years ago
0

Hi, very good question

I would suggest you to look for any IAM policy with action as "ce:*". Once you find a policy, you could try disabling/remove it and see

For Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
profile picture
Sri
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content