I've noticed a huge spike in our VPC flow log costs one day, and I'm trying to pinpoint what caused it. I understand this might involve looking at the ingestion to a CloudWatch log group, different log groups, and the day it occurred. However, since CloudWatch API calls are not available in Cost and Usage Reports, I'm a bit at a loss. Any advice on how to investigate this?
3 Answers
To track down unexpected charges, I recommend checking out this article from the re:Post Knowledge Center: http://go.aws/resources-unexpected-charges. It provides some great insights. If you can't find what triggered the spike, don't hesitate to get in touch with the Billing & Accounts team for a deeper analysis: http://go.aws/support-center.
One way to start is by checking CloudTrail for any VPC changes around the day of the spike. Look for new instances, auto-scaling group adjustments, or changes in flow log configurations. You might find that a single resource was responsible for a lot of connections, or there could be a misconfigured security group causing rejection traffic. Additionally, using Cost Explorer filtered for CloudWatch Logs can give you a view of which log group experienced the biggest cost increase. Hope this helps!
If someone set up a new flow log, that action should be logged in CloudTrail. If you've noticed a lot of new flows, make sure to dig into the data within the logs to find clues.

Thanks for the info! I know which log group caused the spike but I'm still unclear on what specifically triggered it.
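Once the log group is known, the next step the answers point to is the record data itself. The following is an added example, not part of any post above: it assumes the flow log uses the default (version 2) record format and that the records for the spike day have been exported from the log group as text lines; the sample records and ENI IDs are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic); ENI IDs are hypothetical.
SAMPLE = """\
2 123456789012 eni-0aaa 10.0.1.5 10.0.2.9 44321 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 203.0.113.7 10.0.1.20 51000 22 6 1 40 1700000005 1700000065 REJECT OK
2 123456789012 eni-0bbb 203.0.113.7 10.0.1.20 51001 23 6 1 40 1700000006 1700000066 REJECT OK
2 123456789012 eni-0bbb 203.0.113.7 10.0.1.20 51002 3389 6 1 40 1700000007 1700000067 REJECT OK
2 123456789012 eni-0bbb 198.51.100.4 10.0.1.20 40000 443 6 5 2000 1700000008 1700000068 ACCEPT OK
2 123456789012 eni-0ccc - - - - - - - 1700000000 1700000060 - NODATA
"""

def summarize(lines):
    """Aggregate records per (UTC day, ENI): volume, REJECTs, source addresses."""
    stats = defaultdict(lambda: {"records": 0, "line_bytes": 0,
                                 "rejects": 0, "sources": Counter()})
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom-format or truncated line: skip rather than misparse
        rec = dict(zip(FIELDS, parts))
        day = datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc).date().isoformat()
        s = stats[(day, rec["interface_id"])]
        # Every record is an ingested log event, NODATA/SKIPDATA rows included.
        s["records"] += 1
        s["line_bytes"] += len(line)
        if rec["log_status"] == "OK":
            s["sources"][rec["srcaddr"]] += 1
            s["rejects"] += rec["action"] == "REJECT"
    return stats

def rank(lines):
    """Rows sorted by record count, the figure that drives log ingestion volume."""
    rows = []
    for (day, eni), s in summarize(lines).items():
        top = s["sources"].most_common(1)
        rows.append({"day": day, "eni": eni, "records": s["records"],
                     "line_bytes": s["line_bytes"], "rejects": s["rejects"],
                     "top_source": top[0] if top else None})
    return sorted(rows, key=lambda r: r["records"], reverse=True)

if __name__ == "__main__":
    for row in rank(SAMPLE.splitlines()):
        print(row)
```

An interface with a high record count, a high share of REJECTs and one dominant source address is the pattern to compare against the CloudTrail events for the same day.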