AWS Cloud Operations & Migrations Blog

Cost optimization with nOps and CloudTrail

This post is co-authored by JT Giri, CEO and Founder at nOps, and Tomo Sakatoku, Principal Partner Solutions Architect at AWS

Cost optimization is always critical to everyone. Customers make lots of effort to make sure their AWS Platform operates cost-effectively. AWS provides tools to help customers optimize and visualize costs. AWS Cost Explorer provides an easy-to-use interface to visualize, understand, and manage your costs and usage over time. AWS Cost and Usage Report provides a comprehensive set of cost and usage data, including metadata about service usage, pricing, and reservations.

AWS CloudTrail is also an excellent service to help optimize AWS. AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. You can complement cost and usage data by enabling CloudTrail Insights to detect unusual activity in the logs with just a few clicks. CloudTrail Insights analyzes historical API calls, identifies usage patterns, and generates Insight events for unusual activity. We recommend enabling CloudTrail/CloudTrail Insights in your AWS account to detect unusual activities proactively. For more information, see Announcing CloudTrail Insights: Identify and Respond to Unusual API Activity.

About nOps and how nOps helps cost optimization

nOps is an Advanced Technology Partner in the AWS Partner Network that provides a cloud management platform for AWS. The platform offers instant visibility into changes in your AWS infrastructure. It enables change management, continuous cost and resource optimization, painless compliance and security audits, workflow automation, and automation of AWS Well-Architected Framework Reviews. Customers like to use nOps as it provides lots of insights. Uber ATG is one of their customers and nOps helped reduce AWS cost 15% in 30 days. Below is a quote from Uber.

“nOps allows me to operationalize costs and get them in front of the engineers directly, saving 15% in the first month of implementation. In addition to providing reports for leadership and budget processes, nOps helps our efficiency team enact behavioral changes for R&D engineers typically used to throwing money at challenging problems. We are even able to denote user and team charges in multi-tenant Kubernetes clusters used by a variety of teams in our organization. 

The nOps product team is super responsive and awesome to partner with, even providing us with engagement numbers to track the tool’s usage in our organization. Awesome tool.”

– Nick Cobb from Uber ATG (Note: In early 2021, Uber ATG was acquired by Aurora, an autonomous vehicle company.)

In this post, JT Giri, CEO and Founder of nOps and Tomo Sakatoku, AWS Principal Partner Solutions Architect, describe how nOps and CloudTrail can help you visualize and optimize your AWS costs.

Analyzing cost increase anomalies with nOps

You may have identified a spike or cost increase and tried to figure out why it happened. In the following use case, we analyze a three-month growth in the spend rate for AWS services in an AWS account; nOps calls this the 3MRC (three-month recurring cost) metric. After identifying the source of the cost increase, we correlate the changes with CloudTrail to find the root cause of the cost increase. We use Amazon Virtual Private Cloud (Amazon VPC) as an example.

Although there’s no additional charge to use Amazon VPC, you pay the standard usage rates for instances, VPN endpoints, and other Amazon Elastic Compute Cloud (Amazon EC2) features. There are charges for operation type, including the following:

  • ClientVpnEndpoint
  • ClientVpnRoute
  • ClientVpnTargetNetworkAssociation
  • ClientVpnAuthorizationRule
  • TransitGateway
  • TransitGatewayAttachment
  • TransitGatewayRoute
  • TransitGatewayRouteTable
  • TransitGatewayRouteTableAssociation
  • TransitGatewayRouteTablePropagation
  • VPCEndpoint
  • VPCGatewayAttachment
  • VPCPeeringConnection

In AWS Cost Explorer, the charges for Amazon VPC appear under Amazon EC2. So if you see a cost increase for Amazon EC2 in the AWS Management Console, it can be challenging to correlate that increase with the cost increase in Amazon VPC.

With nOps and AWS Cost and Usage Report, you can filter the cost by Amazon VPC. In nOps, you can sort services by the highest spend increase rate. Figure 1 shows that the net 3MRC of Amazon VPC grew 186 percent!

In the nOps dashboard, you can filter your costs by fastest-growing services and by spend to immediately spot similar anomalies for other usage types, like network traffic, IOPS cost, or many other dimensions.

Figure 1: Net 3MRC growth for Amazon VPC

Digging deeper into net 3MRC analysis

Continuing with the Amazon VPC use case, if you want to quickly find where the Amazon VPC net 3MRC increase came from, you can use the following CloudTrail metrics related to Amazon VPC costs:

  • “AWS::EC2::ClientVpnEndpoint”,
  • “AWS::EC2::ClientVpnRoute”,
  • “AWS::EC2::ClientVpnTargetNetworkAssociation”,
  • “AWS::EC2::ClientVpnAuthorizationRule”,
  • “AWS::EC2::TransitGateway”,
  • “AWS::EC2::TransitGatewayAttachment”,
  • “AWS::EC2::TransitGatewayRoute”,
  • “AWS::EC2::TransitGatewayRouteTable”,
  • “AWS::EC2::TransitGatewayRouteTableAssociation”,
  • “AWS::EC2::TransitGatewayRouteTablePropagation”,
  • “AWS::EC2::VPCEndpoint”,
  • “AWS::EC2::VPCGatewayAttachment”,
  • “AWS::EC2::VPCPeeringConnection”,

In this use case, the cost increase came from the VPN client and VPC transit gateway. In nOps, you can quickly correlate these increases with related CloudTrail events. nOps built a data lake and stored CloudTrail logs in our analytics platform using Elasticsearch to correlate those events and analyze the impact of the cost.

On the Config History tab, you can see event names, accounts (in this example, dev), event times, user names, and resources. nOps used CloudTrail events logs to tie these events to the cost impact. By using CloudTrail, nOps can show you when the events occurred  and who took the actions.

Figure 2: Config History tab

Tracking the net 3MRC growth rate in nOps and correlating those events with CloudTrail helps you quickly determine the root cause of cost increases. Although they often have a valid reason, cost increases are sometimes due to an automation script or misconfiguration. Your goal should be to find these scenarios as quickly as possible and take appropriate action to limit unexpected charge increases.


The net 3MRC growth rate is a key metric that you can use to identify AWS Cloud cost-savings opportunities. To gain continuous visibility into the source of recurring charges and its growth, you can use the nOps cloud management platform to perform a net 3MRC analysis. When you look at the growth rate of your usage, it’s remarkable how quickly you can identify opportunities to reduce costs and take measures (such as buying Reserved Instances or Spot Instances, right-sizing AWS resources, or tagging). Enabling services such as AWS Budget or similar functionality within nOps provides reactive measures to enrich the experience.

For more information about AWS Cost Explorer and AWS Cost and Usage Report, see the AWS Billing and Cost Management User Guide. If you have any questions or other feedback, post them on AWS Cost Explorer service forum or AWS Cost and Usage Reporting service forum(Make sure you are signed in).

Are you interested in trying out a root cost analysis of the net MRC growth rate using your AWS data? You can get started with a free 14-day trial of nOps (or, if you’re already a user, sign in to nOps).


About the Authors

JT Giri, CEO and Founder, nOps

JT has been migrating rapid-growth companies to AWS since Amazon EC2 was in beta in 2006. His teams have performed more than 350 DevOps AWS implementations and 200 AWS Well-Architected Reviews. He founded nOps, an AWS Advanced Technology Partner, and previously cofounded nClouds, an AWS Premier Consulting Partner.

Tomo Sakatoku

Tomo Sakatoku is a Principal Partner Solutions Architect at Amazon Web Services in Seattle. Tomo is passionate about working with AWS customers to solve challenging problems, also loves to unplug and enjoys playing tennis, traveling with his family.