Cl⛅d Security Lab: Securing Your AWS Free Tier Account — Setting Billing Preference and Alert || AWS for Beginners-Series III

8 min readMay 14, 2023

INTRODUCTION

Setting up a billing account in AWS can help secure your AWS environment by providing increased visibility and control over your account usage and costs. Let’s evaluate a few ways in which setting up a billing account can help improve our AWS security.

Increased visibility and control: Setting up a billing account gives you greater visibility and control over your AWS usage and costs. This allows you to monitor your account activity and identify any unusual or unauthorized usage, which can help you detect and prevent security threats.
Access control: With a billing account, you can control who has access to your billing information and who is authorized to make changes or updates to your account. This helps to prevent unauthorized access and ensures that only authorized users are able to make changes to your account.
Cost monitoring and alerts: By setting up a billing account, you can monitor your AWS costs and receive alerts if there are any unexpected or unusual charges. This helps you detect and prevent potential security breaches, such as unauthorized usage or misuse of resources.
Resource optimization: By monitoring your AWS costs and usage, you can identify opportunities to optimize your resources and reduce costs. This can help minimize your attack surface and improve your overall security posture.
Compliance and audibility: Setting up a billing account can help you meet regulatory and compliance requirements by providing an audit trail of your account activity and usage. This can help you demonstrate compliance with security standards and best practices.

Disclaimer

The AWS Management Console is subject to updates and changes over time. The information provided in this lab write-up is based on the console’s state at the time of writing and may not reflect the current user interface or functionality. It is recommended to refer to the official AWS documentation for the most up-to-date instructions when using the AWS Management Console

In a few steps, I’ll demonstrate how to set up your billing preferences, alerts, budget, and account aliases on the AWS Management Console. Let’s dive in 🚀 . . .

📍 On your AWS Management Console, search for “Billing” to navigate to the Billing Dashboard.

📍 On the Billing Dashboard, navigate to the left-hand side under Preference and select “Billing Preferences”

📍 On Billing Preferences, Enable “invoices delivery preferences” and “Alert preferences”.

IAM User and Role Access to Billing Information

IAM User and Role Access to Billing Information refers to the permissions that can be granted to an IAM user or role to access and manage billing information in your cloud account. This includes the ability to view and download billing reports, modify payment methods, and manage account settings.

By assigning appropriate permissions to IAM users and roles, you can ensure that only authorized individuals or services can access and manage your billing information, reducing the risk of unauthorized access and potential billing issues.

📍 Navigate to the Top right of your Account Name e.g (00000@ 00000–000) and click on “Account”

📍 On your Account Page, scroll down to “IAM User and Role Access to Billing Information” Session and click “Edit”.

How AWS Billing Alarm Works

The AWS Billing Alarm is a feature that enables you to monitor your AWS usage and receive alerts when your costs exceed a certain threshold that you define. This feature helps you manage your AWS costs and avoid unexpected bills.

Difference between AWS Billing Alarm and AWS budget

AWS Billing Alarm and AWS Budgets are both services offered by Amazon Web Services (AWS) to help users monitor their AWS costs and usage.

AWS Billing Alarm is a feature that allows users to set up alarms that trigger when their AWS costs exceed a certain threshold. These alarms can be configured to send notifications via email or SMS or to perform automated actions like stopping an instance or sending a message to an SNS topic.

AWS Budgets, on the other hand, is a service that helps users track their AWS usage and costs against a set budget. Users can set up budgets for specific AWS accounts, services, or usage types, and receive notifications when their spending approaches or exceeds the budgeted amount. AWS Budgets also provides reports and dashboards to help users monitor their spending and identify trends over time.

In summary, while both AWS Billing Alarm and AWS Budgets are designed to help users monitor their AWS costs, Billing Alarm is focused on providing real-time alerts when costs exceed a set threshold, while AWS Budgets is focused on providing budgeting and forecasting tools to help users plan and manage their AWS spending over time.

Budgets is more powerful and flexible. You can use Budgets the same as Billing Alarms, but you can do a lot more.
Billing alarms are ‘per account’ only, and monthly only, based on overall AWS Spend. Alarms happen when you breach the set threshold amount.
Budgets on the other hand can be set to warn based on forecasted spend for a month, quarter or year, and can be tracked against different dimensions, such as a group of linked accounts, specific tags or services.

How do I set a billing alarm on my AWS free tier? Read More Guide

📍 Navigate to CloudWatch

📍 From your CloudWatch Dashboard, select Alarms from the navigation on the left side, then click Create Alarm.

NB: You get 10 free alarms and 1,000 free e-mail notifications each month as part of the AWS Free Tier

📍 Leave the default settings

📍 For Threshold value $1.00. This will enable you to receive notifications when your monthly charges approach the Free Tier limits.

Once DONE, Click Next

📍 On the Configure Actions page, select “Create SNS topic”. If you do not have an existing SNS topic, this will enable you to receive a notification when the alarm has been triggered. Also, provide an email address.

Once done, click “Create Topic” then click Next.

📍 Under Add name and description, provide a unique name for the alarm and a description (optional), then click Next.

📍 Under Preview and Create, review the configurations and selections. You can edit any of the sections by clicking the Edit button for that corresponding section. Once you have confirmed the sections, click Create Alarm.

📍 Once the alarm is created, check the email you added for notification and confirm the subscription, then go back to your console and refresh.

Cleaning up

To avoid incurring future charges, delete the resources you created in this walkthrough.

Delete the Amazon CloudWatch Billing Alarm
Delete the SNS topic: Amazon SNS pricing

You might be thinking, "Why should I delete the Amazon CloudWatch Billing Alarm and SNS topic since I am using the AWS free tier?

You might be charged for the use of SNS if you set up a CloudWatch billing alarm to send notifications to an SNS topic.

Amazon SNS pricing is based on the number of requests you make, the number of notifications you deliver, and any additional features you use, such as message filtering or mobile push notifications.

However, the cost of using SNS for billing alarms is generally very low, since the number of notifications and requests is typically small. If you’re using the AWS Free Tier, you should be able to set up a CloudWatch billing alarm and receive SNS notifications without exceeding the Free Tier limits.

It’s a good idea to review your AWS billing and usage regularly to ensure that you’re aware of any charges you may incur, and to optimize your resource usage and cost management.

AWS CloudWatch provides 10 free alarms per month as part of the free tier. After that, users are charged for the number of alarms created and managed per month.

How do I set a budget alarm for AWS free tier Account?

Navigate to the billing dashboard. On the left-hand side menu, under “Cost Management” select “Budgets”.

📍 Click on “Create Budget”

📍 Select “Use a template (simplified)” and “Zero spend budget”

📍 Provide any “Budget name” of your choice and Add Email recipients of your choice.

Once DONE, Click “Create Budget”

Creating AWS Account Alias

To sign in to an AWS account as an IAM user, you must have an account alias or an account ID for the AWS account. An example is shown below. It is difficult to remember the 12-digit number. Hence, it is important to create an account alias that your IAM user can recall.

To change your account ID:

Navigate to the Identity and Access Management (IAM) dashboard. Find the account ID on the right-hand side and click Create or Change under the AWS account alias. Provide a unique name for the account alias. Save your changes and distribute the new alias to your users.