Here's a real story: a developer's account was normally at $100/month. In two days it jumped to $4,000. He went to Reddit for help. The
top upvoted comment? Read the shared responsibility model.
Not exactly helpful.
These stories are everywhere - Reddit, Hacker News, Twitter. $14K bills. $120K bills. And the thing is, every single one of them was
preventable.
Here are the 5 mistakes and how to fix them.
Mistake 1: No Billing Alerts
AWS won't stop you from spending. If you don't set up alerts, you'll find out about a cost spike when your credit card statement
arrives.
Three fixes:
- Create a zero-spend budget. Go to Billing → Budgets → Create Budget. You'll get notified the moment anything is charged.
- Activate Cost Anomaly Detection. It's free. Detects unusual spending patterns and emails you automatically.
- Send alerts where you actually read them. Route to Slack, Teams, or Discord. Nobody checks billing emails.
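To make the first two fixes concrete, here is an added example (my code, not from the original post) that shows what a zero-spend budget actually checks and what a spend anomaly detector does, run offline against constructed daily cost figures. The budget request follows the shape of the AWS Budgets CreateBudget API (the keyword arguments boto3's `create_budget` takes); the anomaly detector is a deliberately simple stand-in for Cost Anomaly Detection, not AWS's algorithm. The account id, email address and cost series are placeholders I made up.

```python
"""Added example: zero-spend budget semantics and a simple spend anomaly check."""
from statistics import median


def zero_spend_budget(account_id: str, email: str) -> dict:
    """Request body for Budgets CreateBudget: a $1 nominal monthly limit whose
    ACTUAL-spend notification fires as soon as more than one cent is charged.
    account_id and email are caller-supplied placeholders."""
    return {
        "AccountId": account_id,
        "Budget": {
            "BudgetName": "zero-spend",
            "BudgetType": "COST",
            "TimeUnit": "MONTHLY",
            # The limit itself is nominal; the notification threshold does the work.
            "BudgetLimit": {"Amount": "1", "Unit": "USD"},
        },
        "NotificationsWithSubscribers": [
            {
                "Notification": {
                    "NotificationType": "ACTUAL",
                    "ComparisonOperator": "GREATER_THAN",
                    "ThresholdType": "ABSOLUTE_VALUE",
                    "Threshold": 0.01,
                },
                "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
            }
        ],
    }


def budget_fires(spec: dict, actual_spend_usd: float) -> bool:
    """Evaluate the ACTUAL / ABSOLUTE_VALUE notifications in a budget spec:
    True when month-to-date spend has crossed a notification threshold."""
    for item in spec["NotificationsWithSubscribers"]:
        n = item["Notification"]
        if n["NotificationType"] != "ACTUAL" or n["ThresholdType"] != "ABSOLUTE_VALUE":
            continue
        if n["ComparisonOperator"] == "GREATER_THAN" and actual_spend_usd > n["Threshold"]:
            return True
    return False


def detect_spend_anomalies(daily_costs, window=7, ratio=2.0, min_delta_usd=10.0):
    """Simplified anomaly check (not AWS's algorithm): flag a day whose cost is
    at least `ratio` times the median of the previous `window` days AND at least
    `min_delta_usd` above it. The absolute floor keeps a $0.30 -> $0.70 blip
    from paging anyone; the ratio keeps a real jump from hiding in noise.
    Returns (day, cost, baseline) for every flagged day."""
    flagged = []
    for i in range(window, len(daily_costs)):
        day, cost = daily_costs[i]
        baseline = median(c for _, c in daily_costs[i - window:i])
        if cost >= baseline * ratio and cost - baseline >= min_delta_usd:
            flagged.append((day, cost, baseline))
    return flagged


# Constructed sample: ten quiet days (~$100/month) then two days of runaway spend.
SAMPLE_DAILY_COSTS = [(f"2024-06-{d:02d}", 3.20 if d % 2 else 3.40) for d in range(1, 11)]
SAMPLE_DAILY_COSTS += [("2024-06-11", 130.00), ("2024-06-12", 140.00)]


if __name__ == "__main__":
    spec = zero_spend_budget("123456789012", "billing-alerts@example.com")
    print("budget fires at $0.02:", budget_fires(spec, 0.02))
    for day, cost, baseline in detect_spend_anomalies(SAMPLE_DAILY_COSTS):
        print(f"{day}: ${cost:.2f} vs baseline ${baseline:.2f}")
```

The budget is the cheap, dumb tripwire: it only knows "something was charged". The anomaly check is what catches the $100-a-month account that turns into $130 a day; note that the second spike day is still flagged because one bad day does not move a median baseline.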
Mistake 2: Using the Root User
The root user can do literally everything. Close the account, change billing, create backdoors. One developer had a 20-character
password, no MFA. Still got hacked. Attackers spun up Bitcoin mining rigs in a hidden region.
Four fixes:
- Enable MFA on root. Use a hardware key if possible.
- Create an admin IAM user. Use this for daily work. Never touch root again.
- Lock root away. Only CTO/founders. Use a distribution email list.
- CloudTrail alerts for root logins. Get immediate alerts via EventBridge → SNS → Slack.
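The fourth fix is only as good as the event pattern in the EventBridge rule. The following added example (my code, not from the original post) shows the pattern for a root console login plus a broader variant that fires on any root activity, and checks both offline against constructed CloudTrail records in the shape EventBridge delivers them. The matcher implements just the subset of EventBridge pattern semantics these rules need: every key in the pattern must exist in the event, nested objects recurse, and a leaf list means "any of these exact values". The event ids, user names and region are made up.

```python
"""Added example: EventBridge patterns for root activity, checked offline."""

# Pattern for the EventBridge rule. Console sign-in events are global-service
# events, so this rule has to live in us-east-1 to ever see one.
ROOT_CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "userIdentity": {"type": ["Root"]},
        "eventName": ["ConsoleLogin"],
    },
}

# Broader variant: any sign-in or API call made as root. Root should be doing
# nothing day to day, so every hit is worth a look.
ANY_ROOT_ACTIVITY_PATTERN = {
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge pattern matching: dict keys recurse, leaf lists
    are OR-ed exact values, and a key missing from the event never matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def alerts(events, pattern: dict) -> list:
    """Return a short description of every event the pattern would route to SNS."""
    out = []
    for e in events:
        if matches(pattern, e):
            d = e["detail"]
            out.append(f"{e['id']} {d['userIdentity']['type']} {d['eventName']} {d.get('awsRegion', '-')}")
    return out


# Constructed sample events (ids and names are placeholders).
SAMPLE_EVENTS = [
    {"id": "evt-1", "source": "aws.signin",
     "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
                "userIdentity": {"type": "Root"},
                "responseElements": {"ConsoleLogin": "Success"}}},
    {"id": "evt-2", "source": "aws.signin",
     "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "responseElements": {"ConsoleLogin": "Success"}}},
    {"id": "evt-3", "source": "aws.ec2",
     "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "RunInstances", "awsRegion": "ap-south-1",
                "userIdentity": {"type": "Root"}}},
]


if __name__ == "__main__":
    print("console-login rule:", alerts(SAMPLE_EVENTS, ROOT_CONSOLE_LOGIN_PATTERN))
    print("any-root rule:     ", alerts(SAMPLE_EVENTS, ANY_ROOT_ACTIVITY_PATTERN))
```

The login-only pattern catches evt-1 and ignores the IAM user. The broader pattern also catches evt-3, root launching instances in a region nobody uses, which is exactly the "hidden region" story above. Both patterns are plain JSON, so they drop straight into an EventBridge rule whose target is the SNS topic feeding Slack.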
Mistake 3: Single AWS Account
Dev and prod in one account? A developer runs a load test, hits the Lambda concurrency limit, and production goes down too. AWS doesn't
know about your "environments." The account is the boundary.
The fix: Create an AWS Organization with two accounts. One prod, one dev. Your blast radius drops dramatically.
Mistake 4: No Tagging
The most boring mistake on the list. Also the one I see every single time. Without tags, you know costs are going up but not
why. Which project? Which team? You're guessing.
Two steps:
- Activate cost allocation tags. Free. Go to Billing → Cost Allocation Tags.
- Tag your resources. Minimum two tags: project and owner.
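Activating the tags is one click; the work is finding what isn't tagged. Here is an added example (my code, not from the original post) that runs a tag-compliance check over constructed output in the shape the Resource Groups Tagging API returns from GetResources (a list of ResourceARN plus Tags as Key/Value pairs) and then shows what cost attribution by project looks like once the tags exist. The ARNs, account id, names and cost figures are placeholders.

```python
"""Added example: tag-compliance check and cost attribution by project."""
from collections import defaultdict

REQUIRED_TAGS = ("project", "owner")

# Constructed sample in the ResourceTagMappingList shape; values are placeholders.
SAMPLE_RESOURCES = [
    {"ResourceARN": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0aaa",
     "Tags": [{"Key": "project", "Value": "billing-api"},
              {"Key": "owner", "Value": "alice"}]},
    {"ResourceARN": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0bbb",
     "Tags": [{"Key": "Project", "Value": "billing-api"}]},   # wrong case, no owner
    {"ResourceARN": "arn:aws:s3:::loadtest-artifacts", "Tags": []},
    {"ResourceARN": "arn:aws:lambda:eu-west-1:123456789012:function:ingest",
     "Tags": [{"Key": "project", "Value": "ingest"},
              {"Key": "owner", "Value": "bob"}]},
]

# Constructed month-to-date cost per resource (in practice this comes from
# Cost Explorer once the tag keys are activated for cost allocation).
SAMPLE_COSTS_USD = {
    "arn:aws:ec2:eu-west-1:123456789012:instance/i-0aaa": 42.50,
    "arn:aws:ec2:eu-west-1:123456789012:instance/i-0bbb": 38.00,
    "arn:aws:s3:::loadtest-artifacts": 910.00,
    "arn:aws:lambda:eu-west-1:123456789012:function:ingest": 3.25,
}


def tags_of(resource: dict) -> dict:
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def missing_tags(resource: dict, required=REQUIRED_TAGS) -> list:
    """Tag keys are case-sensitive in AWS: 'Project' does not satisfy 'project'."""
    have = tags_of(resource)
    return [k for k in required if k not in have]


def compliance_report(resources, required=REQUIRED_TAGS) -> dict:
    """Map each non-compliant ARN to the list of tag keys it lacks."""
    return {r["ResourceARN"]: gaps
            for r in resources if (gaps := missing_tags(r, required))}


def cost_by_project(resources, costs_usd: dict) -> dict:
    """Sum cost per project tag. Anything without one lands in 'untagged',
    which is the 'costs are going up but not why' bucket made visible."""
    totals = defaultdict(float)
    for r in resources:
        totals[tags_of(r).get("project", "untagged")] += costs_usd.get(r["ResourceARN"], 0.0)
    return dict(totals)


if __name__ == "__main__":
    for arn, gaps in compliance_report(SAMPLE_RESOURCES).items():
        print(f"MISSING {', '.join(gaps):14s} {arn}")
    for project, total in sorted(cost_by_project(SAMPLE_RESOURCES, SAMPLE_COSTS_USD).items()):
        print(f"{project:12s} ${total:8.2f}")
```

Two things worth noticing in the output: the instance tagged `Project` counts as untagged because tag keys are case-sensitive, so agree on lowercase keys before anyone starts tagging; and the biggest line item in the sample is the untagged S3 bucket, which is precisely the kind of spend you cannot explain without this check.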
Mistake 5: No Infrastructure as Code
If you're clicking resources together in the console, stop. ClickOps works for you once. It doesn't work for a second environment, a new
developer, or a rollback.
Pick one tool and commit to it. Terraform, CDK, Pulumi, SST. The worst IaC tool is still better than ClickOps.
And this ties everything together: billing alerts, CloudTrail rules, multi-account setup, tagging - all of it can be defined in code.
Fix all five and your account is ahead of 90% of the ones out there. Start with number one. It takes a couple of minutes.