Billing alarms for anomaly detection
It is advisable to configure Billing Alarms to identify potential attacks related to bitcoin mining or botnet instance deployments, and other unusual activity in your account. The alarm should not be about the billing of security services only, but mainly from the computer services such as EC2, ECS, EKS, Lambda, or on the total invoice.
Alarms should reach an actively monitored email account (distribution list with 2+ recipients), SMS or instant messaging.
You can also use AWS Cost Anomaly Detection to detect anomalies using Machine Learning without the need to establish thresholds, configuring alerts and making root cause analysis about costs.
Risk Mitigation
- Detects adversaries early based on the billing that their resources consume, for example, if adversaries do Cryptomining or launch resources to join into a botnet.
Guidance for assessments
- Are billing alarms configured for the Total bill or the bill of the compute services ?
- Alarms get to the security team or only to FinOps team ?
- Are alarms getting to more than one person on the security team ?
Pricing
https://aws.amazon.com/sns/pricing
https://aws.amazon.com/cloudwatch/pricing
AWS Cost Anomaly Detection is a free service.