Unchecked cross-regional traffic, mismanaged S3 storage classes, and orphaned resources like NAT gateways silently inflate AWS bills—here’s how to find and fix them.

Diagnosis: Where the Money Bleeds

1. Cross-regional data transfer

   • Data moving between regions (e.g., us-east-1 to eu-west-1) costs ~$0.12/GB.
   • Common culprits: application logs, backups, or CI/CD pipelines pulling/pushing across regions.
   • Check with: AWS Cost Explorer > Usage Type: DataTransfer-InterRegion.

2. S3 storage class misuse

   • Defaulting to Standard for infrequently accessed data.
   • Use Intelligent-Tiering or Standard-IA for files accessed <12 times/year.
   • Audit with: AWS S3 Storage Lens > Storage Class Distribution.

3. Orphaned NAT gateways

   • $0.75/hour per gateway, often left running after resources are decommissioned.
   • Identify with: AWS CLI: aws ec2 describe-nat-gateways --filters "Name=state,Values=available"

Repair Workflow

1. Run a quarterly resource sweep

   • Use AWS Config + CloudWatch Events to flag resources unused for >30 days.
   • Example:

     aws config get-resource-configuration-history --resource-types "AWS::EC2::NatGateway" --start-time "2026-03-01"  
     

2. Enforce S3 lifecycle policies

   • Apply rules to transition objects to cheaper tiers after 30 days:

     {  
       "Rules": [  
         {  
           "ID": "transition-to-ia",  
           "Status": "Enabled",  
           "Transitions": [  
             {  
               "Days": 30,  
               "StorageClass": "STANDARD_IA"  
             }  
           ]  
         }  
       ]  
     }  
     

3. Kill cross-region traffic

   • Use CloudFront or regional CDNs to cache data.
   • Restrict S3 bucket access to specific regions via bucket policies:

     {  
       "Effect": "Deny",  
       "Principal": "*",  
       "Action": "s3:*",  
       "Resource": ["arn:aws:s3:::example-bucket/*"],  
       "Condition": {  
         "StringNotLike": {  
           "aws:region": ["us-east-1", "eu-west-1"]  
         }  
       }  
     }  
     

Prevention

• Tagging strategy: Enforce Owner, Environment, and Project tags at launch.
• Automated alerts: Set CloudWatch alarms for NAT gateway hours > 720/month.
• Cost anomaly detection: Use AWS Cost Anomaly Detection Service (charges apply).

Tooling

• AWS-native:
  • Cost Explorer + Cost Categories
  • S3 Lifecycle Manager
  • AWS Config Rules (e.g., s3-bucket-public-read-prohibited)
• Third-party:
  • CloudHealth by VMware (granular cost breakdowns)
  • Datadog (monitoring + cost correlation)

Tradeoffs

• Automated cleanup risks: Aggressive deletion policies may remove production resources if tags are missing or stale.
  • Mitigation: Use dry-run mode first, notify owners via Slack/email before deletion.
• S3 Intelligent-Tiering costs: Monitor retrieval requests—if frequent, Standard-IA may be cheaper.

Troubleshooting

• NAT gateway still billing after deletion:
  • Check for Elastic IPs attached (aws ec2 describe-addresses).
• S3 lifecycle policy not applying:
  • Verify bucket versioning is enabled (required for transitions).
• Cross-region traffic hidden in VPC peering:
  • Use VPC Flow Logs to identify traffic between peered VPCs in different regions.

Fix these leaks now—they’re the low-hanging fruit that’ll save 20-40% on your 2026 AWS bill.

Source thread: Best AWS cost optimization mistakes to fix in 2026?