Billing and Account Management FAQs
Q: How do I reset the AWS Identity and Access Management (AWS IAM) user password that I lost or forgot?
You can reset your password on the account sign-in page. When you reset your password, instructions are sent to the email address associated with your AWS account. You can follow the instructions in the email to reset your password.
If you’ve signed in to your account as an admin user and want to change the password of another IAM user, see Managing passwords for IAM users. If you’re the only admin user and forgot your password, contact AWS Support for assistance.
Q: How do I update the contact information associated with my AWS account, including my address and telephone number?
To update the contact information associated with your AWS account, do the following:
- Sign in to the AWS Management Console, and then open the Billing and Cost Management console.
- On the navigation bar, choose your account name, and then choose My Account.
- Under Contact Information, choose Edit.
- Enter your updated information, and then choose Update.
Note: To update your telephone number, use the format xxx-xxxxxxxx (for example, 188-88888888).
You can see the mailing address associated with your account on the PDF version of your invoice.
Q: How do I change the email address associated with my AWS account?
To change the email address associated with your AWS account, do the following:
- Sign in to the IAM console.
- Choose your account name in the navigation bar, and then choose My security credentials.
- Choose Change next to AWS account email address.
- Enter your updated email address, and then choose Change email address.
Q: How do I update the tax settings in my AWS account?
To update your VAT/Fapiao settings in your AWS account, sign in to the Tax Settings page of the Billing and Cost Management console, and update the fields that you want to change. The Tax Settings page includes information such as your tax registration address, tax registration number, bank information, and invoice mailing address.
After you update the tax settings, AWS Support will contact you as soon as possible to assist you in completing your tax setup.
For more information, watch the video How to complete Tax Setting in AWS Support Guide.
Q: When do I receive my bill?
The bill for your current month’s usage is generated between the 3rd and the 5th of the following month. If you purchase Reserved Instances with All Upfront or Partial Upfront payment options, the bill for the subscription charges is generated when your purchase is successful. The bill for the subscription charges is generated in addition to the bill for the usage charges.
Q: How do I view my bills in the console?
To view your bills, sign in to the Billing and Cost Management console, choose Bills in the navigation pane, and then choose the month that you want to view from the dropdown list.
Your bills for each month are generated between the 3rd and the 5th of the following month. To receive your monthly usage charges in your email, choose Billing preferences in the navigation pane, select Receive PDF Invoice by Email, and then choose Save preferences. You receive an email at your registered email address after the bills are generated. The email includes the payment information and usage charges for the month.
Q: How do I view my monthly billing in detail, including usage and charges?
You can set up a Detailed Billing Report (DBR) with resources and tags to manage your billing.
You can choose to receive monthly billing reports, DBRs, and monthly cost allocation reports with resources and tags. If you want to view detailed billing with resource usage, it’s a best practice to set up DBRs with tags and resources. DBRs allow you to quickly find out how resources are used. To use the cost allocation report or DBR with resources and tags, assign tags to your resources. The tags make it easier for you to classify and track costs. The billing reports aren’t charged separately. The billing reports utilize your S3 resources, and you’re charged for these resources based on standard pricing for S3.
Q: What is the last day to pay my bill?
The payment term for your monthly bills is 30 days from the billing date. To view all your unpaid or overdue payments, sign in to the Billing and Cost Management console, and then choose Orders and invoices in the navigation pane.
Q: How do I increase my Amazon Elastic Compute Cloud (Amazon EC2) vCPU limit and launch more Amazon EC2 instances as my business requirements expand?
Create a case in the AWS Support Center, and request an increase to your EC2 vCPU limit. After verifying your account, a customer service agent can assist you with your request.
Q: How do I sign up for an AWS Support plan?
When you register for an AWS account, you can sign up for a Support Plan. Or, you can create a case in the AWS Support Center, or send an email to firstname.lastname@example.org after you sign up for an account. You need to include your business needs and use case in your email.
Q: How can I change the company name of my corporate account?
When you sign up for an AWS China corporate account, you need to enter the company name for the account and submit supporting documents. After the account is created, you aren’t allowed to update the company name. You must safeguard your account's login credentials. If you have a valid use case for changing the company name of your account, create a case in the AWS Support Center and include information on the use case.
Q: How can I check the credit amount and remaining credits in my AWS account?
Credits are vouchers that can be applied to bills to help cover costs associated with the eligible services. The credits can be applied before they expire or are exhausted. To view the credits in your account, sign in to the Billing and Cost Management console, and then choose Credits in the navigation pane.
To view the billing amount covered by the credits in your account, choose Bills in the navigation pane, and then choose the month that you want to view from the drop-down menu. For more information, see AWS Promotional Credit Terms & Conditions.
Q: What is credit sharing?
Credits are shared within a consolidated billing family by default. The management account of the consolidated billing family can disable credit sharing. If you’re the management account and you want to disable credit sharing within your consolidated billing family, do the following:
- Sign in to the Billing and Cost Management console.
- Choose Billing preferences in the navigation pane.
- Select Disable credit sharing.
- Choose Save preferences.
Q: How are my credits shared within my organization if I turn credit sharing on and off several times in a month?
Your consolidated bills are calculated based on the credit sharing preference that is active on the last day of the month.
Q: How do the active credits in my AWS account apply to the consolidated bill?
Here are a few things to keep in mind if you’re joining or creating an organization with active credits on your account:
- We apply credits under an account to the organization's consolidated bill, beginning the first full billing cycle after an account joins the organization.
- Credits on a standalone account are applied to usage costs incurred by the account before joining the organization. With credit sharing on, the remaining credit balance, if any, is applied across all applicable usage incurred by member accounts from the start of the next billing cycle.
- Credits redeemed on a standalone account at any time during the month of joining the organization are applied to the usage generated by the standalone account until joining the organization.
Q: I have active credits in my AWS account, and I’ve linked my account to a management account. If I leave the organization on a certain day of the month, will my credits still be shared within the organization?
Yes. The credits will be applied to your standalone account starting the first day of the following month.
Q: I have more than one active credit in my account. What’s the order in which the credits are applied?
Credits are applied in the following order:
- Soonest expiring
- Least number of applicable products
- Oldest credit
For example, you have two credits available. Credit one is for ¥100, expires January 2021, and can be used for either Amazon S3 or Amazon EC2. Credit two is for ¥50, expires December 2021, and can be used only for Amazon EC2. You incurred two charges: ¥1000 for Amazon EC2 and ¥500 for Amazon S3. Credit one, which expires in January, is applied first to the Amazon EC2 charge, which leaves you with a ¥900 Amazon EC2 charge and a ¥500 Amazon S3 charge. Then, credit two is applied to the remaining ¥900 of Amazon EC2 usage. You need to pay ¥850 for Amazon EC2 and ¥500 for Amazon S3. All your credits are now exhausted.
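The ordering rules above, written out as an added Python example (not AWS code) that reproduces the two-credit scenario. The issue dates, the day-of-month of each expiry, and the rule that a multi-service credit is drawn against the largest eligible charge first are assumptions made for the example; the page states only the three ordering rules and the outcome.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Credit:
    name: str
    amount: int            # remaining balance in CNY
    expires: date          # expiry date
    issued: date           # used for the "oldest credit" tie-breaker
    products: frozenset    # services the credit can be applied to


def application_order(credits):
    """Sort by the three rules in order: soonest expiring, then fewest
    applicable products, then oldest credit."""
    return sorted(credits, key=lambda c: (c.expires, len(c.products), c.issued))


def apply_credits(credits, charges):
    """Return (remaining charges, remaining credit balances, audit trail).

    Assumption (not stated on the page): a credit valid for several charged
    services is drawn against the largest outstanding eligible charge first,
    which matches the worked example.
    """
    remaining = dict(charges)
    balances = {}
    trail = []
    for credit in application_order(credits):
        left = credit.amount
        eligible = sorted((s for s in remaining if s in credit.products),
                          key=lambda s: remaining[s], reverse=True)
        for service in eligible:
            if left <= 0:
                break
            used = min(left, remaining[service])
            if used > 0:
                remaining[service] -= used
                left -= used
                trail.append((credit.name, service, used))
        balances[credit.name] = left
    return remaining, balances, trail


def page_example():
    """The scenario from the text; issue dates and expiry days are constructed."""
    credits = [
        Credit("credit two", 50, date(2021, 12, 31), date(2020, 6, 1),
               frozenset({"Amazon EC2"})),
        Credit("credit one", 100, date(2021, 1, 31), date(2020, 3, 1),
               frozenset({"Amazon S3", "Amazon EC2"})),
    ]
    charges = {"Amazon EC2": 1000, "Amazon S3": 500}
    return apply_credits(credits, charges)


if __name__ == "__main__":
    remaining, balances, trail = page_example()
    for name, service, used in trail:
        print(f"{name}: ¥{used} applied to {service}")
    print("Still payable:", remaining)
```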
Q: Why am I getting high charges for Amazon Simple Storage Service (Amazon S3) Glacier?
With Amazon S3 Glacier, you’re charged for your storage and upload requests. You need to pay only according to the actual usage. There are no minimum consumption charges.
When you retrieve data from S3 Glacier, you need to pay the retrieval request charges. You can retrieve data from S3 Glacier through three different methods. Each method has a different per-GB retrieval fee and per-archive request fee (that is, requesting one archive counts as one request).
For example, in the AWS China (Ningxia) Region, the retrieval charges are as follows:
- Expedited retrievals cost ¥0.2001 per GB and ¥0.0667 per request.
- Standard retrievals cost ¥0.0667 per GB and ¥0.3732 per 1,000 requests.
- Bulk retrievals cost ¥0.0167 per GB and ¥0.1668 per 1,000 requests.
The charges are calculated as follows:
- If you use Expedited retrievals to request ten archives, each with a size of 1 GB, you pay (10 GB x ¥0.2001) + (10 x ¥0.0667) = ¥2.67.
- If you use Standard retrievals to retrieve 500 archives each with the size of 1 GB, you pay (500 GB x ¥0.0667) + (500 x ¥0.3732/1000) = ¥33.54.
- If you use Bulk retrievals to retrieve 500 archives each with a size of 1 GB, you pay (500 GB x ¥0.0167) + (500 x ¥0.1668/1000) = ¥8.43.
For more information, see Amazon S3 Glacier pricing.
Q: Why am I charged an early deletion fee in Amazon S3 Glacier / Amazon S3 Glacier Deep Archive?
Amazon S3 Glacier and Amazon S3 Glacier Deep Archive are long-term archival solutions. Archives stored in S3 Glacier and S3 Glacier Deep Archive have a minimum storage duration of 90 and 180 days, respectively. Deleting data from S3 Glacier is free if the archive being deleted is stored for three months or longer. If an archive is deleted or overwritten within the minimum storage duration, you’re charged a prorated early deletion fee. With S3 Glacier, if you’ve deleted, overwritten, or transitioned the archives to a different storage class before three months, you’re still charged for three months of storage. With S3 Glacier Deep Archive, if you’ve deleted, overwritten, or transitioned the archives to a different storage class before 180 days, you’re still charged for 180 days of storage. For more information, see Amazon S3 pricing.
Q: How much data can I restore from Amazon S3 Glacier for free each month?
You can restore up to 5% of Amazon S3 data stored in Amazon S3 Glacier for free each month. The free restore allowance is typically sufficient for your backup and archival needs. Your 5% monthly free restore allowance is calculated and metered on a daily prorated basis. For example, if on a given day, you have archived 12 TB of Amazon S3 data to Amazon S3 Glacier, you can restore up to 20.5 GB of data for free the same day (12 TB x 5% / 30 days = 20.5 GB for a 30-day month).
Q: How do I close my AWS account?
To close your AWS account, do the following:
- Sign in to the AWS Management Console as the admin user of the account or an IAM user with permissions to close the account.
- On the navigation bar, choose your account name, and then choose My Account.
- Scroll to the Close Account section.
- Read and understand the terms of closing your account.
- Select all check boxes, and then choose Close Account.
- In the confirmation box, choose Close Account.
Within a few minutes, you receive email confirmation that your account is closed successfully.
Q: Can I access my AWS account after closing it?
After you close your account, you can no longer use it to access AWS services or launch resources. You can view the past bills and resource usage information for up to 90 days after closing your account (post-closure period). You can also access the AWS Support Center during the post-closure period.
During this period, data that you haven’t deleted and services that you haven’t shut down or terminated before account closure are retained. If you reactivate your account during the post-closure period, you can access only the retained data and services. You might be charged for any AWS services that aren't shut down or terminated before you closed the account.
To reactivate your account within 90 days after closing the account, you can create a case in the AWS Support Center. After 90 days, any content that you haven’t already deleted is deleted, and AWS services that aren’t already shut down or terminated are terminated. You can't reopen your account after 90 days. Also, you can't create new AWS accounts using the email address that was associated with your account at the time of its closure.
Q: What do I need to do before closing my AWS account?
Consider the following before closing your AWS account:
- After your AWS account is closed, your designated payment method is charged for any usage fees incurred before closure. If you used any services in the month of account closure, you’ll receive the bill between the 3rd and the 5th of the following month. View your outstanding bills, and make sure that there are no overdue payments.
- If your account is the payer account of an organization, you must make sure that all member accounts are closed or removed from your organization. For more information, see Removing a member account from your organization.
- All your active resources might not be automatically shut down or terminated when you close your AWS account. It’s a best practice to check if you have any active resources and shut down or terminate them before you close your account. To see the charges against different services in your account, sign in to the AWS Billing and Cost Management console, and then choose Bills in the navigation pane. For each service, confirm the Regions where the services have incurred charges. For instructions on how to shut down, terminate, or back up a particular resource, see the AWS documentation for that service. If you need assistance to confirm whether all your active resources are shut down or terminated, create a case in the AWS Support Center.
- After you shut down or terminate the resources in your account, the data related to these resources is deleted.
- If you purchased any subscriptions with ongoing payment commitments, such as Reserved Instances, you are charged for these subscriptions until the plan term ends even after you close your account.
Q: How do I access the Internet Content Provider (ICP) Recordal website?
Q: Do I need to file for ICP Recordal if I want to host public content on AWS China (Beijing) Region or AWS China (Ningxia) Region?
Yes. In accordance with Chinese laws and regulations, if you use either AWS China Region to host a website providing non-commercial internet information services, you must undertake filing procedures for a non-commercial website (“ICP Recordal”) through the relevant government authority. You might be required to produce your ICP Recordal or ICP License, as applicable, before you host public content using one of the AWS China Regions. When you file for ICP Recordal, enter your IP address for URL and Domain.
Q: Can I use my AWS account to sign in to the ICP System?
No. You must not use your AWS account to sign in to the ICP System.
Q: Why do I need to file for the ICP Recordal separately to host public content on AWS China (Ningxia) Region or AWS China (Beijing) Region?
AWS services from AWS China (Ningxia) Region and AWS China (Beijing) Region are operated by NWCD and Sinnet, respectively. Because the Regions have different service providers, you must file for ICP Recordal with the respective service provider based on your demand.
Q: What rules should I comply with in naming my domain?
When you file for ICP Recordal, you need to be sure that the domain is registered with a Chinese domain registrar and has passed the real-name verification. The real-name verification information must be consistent with the ICP filing information.
Q: Do subdomains require ICP Recordal?
No. Currently, only the top domain requires ICP Recordal. Subdomains can be visited if the respective top domain is recorded.
Q: How long does it take to complete ICP Recordal?
Your application documents are submitted to the respective Communication Administration. The time needed to complete the ICP Recordal varies across Communication Administrations, usually from 3 to 20 working days.
Billing and Account Management Best Practices
Q: My organization uses AWS services across multiple departments. Each department performs different business functions, and I want to configure different permissions for the departments according to their business modules. For example, the finance department needs to have the permissions to view bills and manage tax settings but does not need access to other services on the AWS Management Console. How can I configure permissions for different departments?
Best Practice: Set up IAM users to manage and control access to your AWS resources.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You can use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. You can grant different permissions to different people for different resources. For example, you can allow some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, Amazon Redshift, and other AWS services. For other users, you can allow read-only access to only some S3 buckets, or permissions to use only certain EC2 instances. You can also configure in such a way that some users access only your billing information and nothing else.
You can create IAM groups according to job responsibilities, such as administrators, developers, and billing, define permissions for each group, and finally assign IAM users to each of these groups. An IAM group is a collection of IAM users. All users in an IAM group inherit the permissions assigned to that group. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. If a person changes jobs in your organization, you can remove them from the old IAM groups and add them to the appropriate new groups.
If you want to grant an IAM user or group the permissions needed to access your account’s billing information, sign in to the AWS IAM console, choose the IAM group, user, or role, choose Add permissions, select Attach existing policies directly, and then choose AWSBillingReadOnlyAccess.
Q: My organization uses AWS services across multiple technology research and development teams. How do I calculate the monthly bills for each team and consolidate the total monthly expenses across different teams?
Best Practice: Set up Detailed Billing Reports with resources and tags.
With usage reports from us, you can drill down into your cost and usage. The data in the usage report is updated more than once a day. You can filter reports based on AWS account, Region, Availability Zone, operating system, instance type, purchase options, lease, and label.
To view your detailed billing, you can enable Detailed Billing Reports (DBRs) with resources and tags. You can use an existing Amazon S3 bucket or create a new bucket to receive your DBRs. Be sure to manage access to this bucket because this bucket contains billing information.
To use an S3 bucket for receiving the Detailed Billing Report, do the following:
- Sign in to the Billing and Cost Management console.
- Choose Billing preferences.
- Expand Detailed Billing Reports [Legacy].
- Select Turn on legacy Detailed Billing Reports feature to receive ongoing reports of your AWS charges.
- Choose Configure.
- Choose an existing S3 bucket or create a new bucket, and then choose Next. Confirm the policy, and then choose Save.
Note: The default policy is applied to your bucket, and the bucket is automatically verified. The original policy of the bucket is overridden. If you want to keep the original policy of the bucket, it’s a best practice to create a new S3 bucket for receiving the billing reports.
- Choose Save preferences.
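Because configuring the report overrides the bucket's original policy, any guardrail that policy carried is lost on an existing bucket. The following added Python example (not AWS code) compares a bucket policy before and after the change, reports dropped statements, and flags any Allow principal outside an expected set. Both policy documents, the account IDs, and the bucket name are constructed placeholders; take the real replacement policy from the Confirm the policy step.

```python
import json

# Constructed sample: the policy on the bucket before the report is configured.
ORIGINAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws-cn:s3:::example-billing-bucket",
                  "arn:aws-cn:s3:::example-billing-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "FinanceRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws-cn:iam::111111111111:role/finance-readonly"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws-cn:s3:::example-billing-bucket/*"}
  ]
}
""")

# Constructed stand-in for the policy applied when the report is configured.
# 222222222222 is a placeholder for the report delivery principal.
REPLACEMENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReportDeliveryCheck", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws-cn:iam::222222222222:root"},
     "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
     "Resource": "arn:aws-cn:s3:::example-billing-bucket"},
    {"Sid": "ReportDeliveryWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws-cn:iam::222222222222:root"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws-cn:s3:::example-billing-bucket/*"}
  ]
}
""")

EXPECTED_PRINCIPALS = {"arn:aws-cn:iam::222222222222:root"}


def as_list(value):
    """Policy JSON allows a single value wherever a list is valid."""
    return value if isinstance(value, list) else [value]


def canonical(stmt):
    """Stable form of a statement so that ordering and Sid do not affect equality."""
    body = {k: v for k, v in stmt.items() if k != "Sid"}
    for key in ("Action", "NotAction", "Resource", "NotResource"):
        if key in body:
            body[key] = sorted(as_list(body[key]))
    return json.dumps(body, sort_keys=True)


def principals(stmt):
    """Flatten the Principal element into a set of strings ("*" means anyone)."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return {principal}
    found = set()
    for values in principal.values():
        found.update(as_list(values))
    return found


def review_override(before, after, expected_principals):
    """Return findings as tuples:
    ("lost-deny" | "lost-allow", sid) for statements that do not survive, and
    ("unexpected-principal", sid, principal) for Allow grants outside the set."""
    findings = []
    kept = {canonical(s) for s in as_list(after["Statement"])}
    for stmt in as_list(before["Statement"]):
        if canonical(stmt) not in kept:
            kind = "lost-deny" if stmt["Effect"] == "Deny" else "lost-allow"
            findings.append((kind, stmt.get("Sid", "<no Sid>")))
    for stmt in as_list(after["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for principal in sorted(principals(stmt) - set(expected_principals)):
            findings.append(("unexpected-principal",
                             stmt.get("Sid", "<no Sid>"), principal))
    return findings


if __name__ == "__main__":
    for finding in review_override(ORIGINAL_POLICY, REPLACEMENT_POLICY,
                                   EXPECTED_PRINCIPALS):
        print(finding)
```

A `lost-deny` finding is the one to act on first: it means a restriction such as the TLS-only rule no longer protects the billing data, which is the case for using a new, dedicated bucket.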
If you chose to receive Detailed Billing Report with resources and tags, tag your instances so that these tags can be used to report the cost and usage of the corresponding instance.
If you want to use tags in Cost allocation report or Detailed Billing Report with resources and tags, you need to activate the relevant tags in the payer account.
Here are a few things to consider when generating billing reports:
- Billing reports can be checked only in the payer account.
- The reports do not incur extra charges. However, the reports are saved in S3 buckets, and you’re charged for the storage used.
- The start time for the report can be set to the first day of the month. Note that services with tags can't retrieve billing history.
- Not all services support tags. For a list of AWS services that support tags, see the following:
  - Tagging your Amazon EC2 resources
  - Tagging Amazon RDS resources
  - Tagging your Amazon ECS resources
  - Tagging Amazon S3 Glacier resources
  - Tagging Storage Gateway resources
  - Monitoring costs with cost allocation tags
  - Tagging resources in AWS Database Migration Service
  - Tagging AWS Direct Connect resources
Q: My organization needs to monitor the increase in costs so that excessive spending can be avoided. How do I detect the increase in spending in my AWS account?
Best Practice: Use CloudWatch billing alerts to monitor the spending in your AWS account.
To manage the billing and spending more effectively, it’s a best practice to use the Amazon CloudWatch service. You can create alarms that watch metrics and then send notifications or automatically make changes to the resources you are monitoring when a threshold is breached. For example, you can create an alarm to watch your bill amount and notify you when the bill amount exceeds the threshold that you set. You can receive relevant reminders in your email and take actions accordingly.
Each CloudWatch alert triggers only one notification. When your bill amount reaches the preset threshold value, an alert notification is sent based on the notification method that you chose. It’s a best practice to set different thresholds based on your budget to receive multiple alerts. If you use resources in both the AWS China (Beijing) Region and the AWS China (Ningxia) Region, you need to set up billing alerts in both Regions. You can add multiple alert receiver email addresses when setting up the SNS topic.
To create a billing alert using CloudWatch, follow the instructions in Scenario: Monitor your estimated charges using CloudWatch.
Q: My company has several branches. All branches use AWS and have individual AWS accounts. The payment processes in these branches are complex. Can the payments for multiple accounts in my organization be combined?
Best Practice: Combine and manage multiple account costs with a Consolidated Billing Family.
Consolidated Billing is a feature that you can use to simplify payments for multiple AWS China accounts within your company. With Consolidated Billing, a single paying account can be designated to pay for all the accounts. Linked accounts can view their usage and costs, but all bills and Fapiao of the linked accounts are charged to the payer account. Consolidated Billing constitutes a payer account and a set of linked accounts. The payer account along with its linked accounts is called a consolidated family. All expenses of the linked accounts are charged to the payer account.
You don’t incur additional charges for using Consolidated Billing.
Consolidated Billing is just a billing method, rather than a feature to control accounts or plan resources. Consolidated Billing doesn’t affect account functions or the account sign-in process. Resources can’t be shared across linked accounts.
Only the payer account needs to register for Consolidated Billing. The payer account can invite existing AWS accounts to join the Consolidated Billing family. Linked accounts can accept the invitations sent by the payer account to join the Consolidated Billing family. Email invitations are sent out to linked accounts, and the linked accounts can accept or reject the request within 15 days. If the linked account accepts the invitation, it’s added to the Consolidated Billing family immediately. After the association is successful, all the expenses incurred by the linked account are charged to the payer account from the time of association unless the linked account is removed from the Consolidated Billing family.
For more information about Consolidated Billing, see AWS China Billing FAQs.
Q: How can I use Reserved Instances (RIs) with my existing On-Demand instances to save costs?
Best Practice: Use RIs to save costs.
RIs are not physical instances, but rather a billing discount applied to the use of On-Demand instances in your account. RIs provide you with a significant discount compared to On-Demand instance pricing.
The following payment options are available for purchasing RIs:
- All Upfront: You pay fully for the RI at the start of the term. You don’t incur any other costs for the remainder of the term, regardless of hours used. This option provides you with the largest discount compared to On-Demand Instance pricing.
- Partial Upfront: You pay a portion of the cost upfront and the remaining hours in the term at a discounted hourly rate, regardless of whether you use the RI.
- No Upfront: You are billed a discounted hourly rate for every hour within the term, regardless of whether you use the RI. No upfront payment is required.
The total cost of a Partial Upfront RI is less than that of a No Upfront RI. You can save the most by purchasing an All Upfront RI. You can purchase RIs for Amazon EC2, Amazon RDS, Amazon ElastiCache, Amazon Redshift, and Amazon DynamoDB. After purchasing the RIs, you can view the information about RIs in the respective console. Be sure to select the right Region using the Region Selector in the AWS Management Console.
To get the maximum benefit from your RI purchase, the RI must match the attributes, such as Region and instance type, for running On-Demand Instances on your account. If you successfully purchase an RI and you have a running instance that matches the specifications of the RI, the billing benefit is immediately applied. You don’t need to restart your instances. After the RI term expires, you no longer receive the billing benefit or capacity reservation. Your instances are billed at the On-Demand Instance rates.
You can queue your RI purchases for a specific date and time in the future. To renew your EC2 RI automatically, you can queue an RI purchase for the date and time that your existing RI expires. On the scheduled date and time, we automatically purchase the RI for you using your account's default payment method. For more information, see Queuing your purchase. It’s a best practice to track your reservations and their expiration in Cost Explorer. To view information about your reservations in Cost Explorer, sign in to Cost Explorer, choose Reservations, and then choose Overview. You can purchase new RIs based on reservation expiration information to avoid incurring unexpected charges.
Consider the following when deciding if Reserved Instances are right for you:
- RIs have long contract terms (usually, one or three years). You should purchase reservations only for an instance specification that you use over the long term.
- Partial Upfront and No Upfront RIs are billed as a lump sum each month for each hour in that month. You're billed for this amount whether you ran an instance that matched your reservation or not. Reserved Instances provide the maximum discount for instance types that you use often and for long periods of time.
- You can’t cancel or transfer an RI once purchased. The purchase of RIs should be carefully considered.
Here are a few things to keep in mind when purchasing RIs:
- If you have an EC2 RI, the RI must exactly match a running EC2 instance’s characteristics. To get the maximum benefit from your RI, a running On-Demand Instance must match the instance type, Availability Zone, platform, and tenancy of your RI exactly.
- If you purchase a Regional RI, the RI discount applies to instance usage in any Availability Zone in the specified Region.
- For the EC2 Linux platform, a Regional RI with default (shared) tenancy has instance size flexibility, which is determined by the normalization factor of the instance size. A size-flexible RI applies all or part of its pricing benefit to any instance in the same instance family, regardless of Availability Zone or size. If you don’t have a running On-Demand Instance of the same type, the pricing benefit of the RI can be applied to other On-Demand Instances in the same family. For example, suppose that your account has two Linux t2.large On-Demand Instances with default tenancy (the normalization factor for large is 4) and you purchase a Linux t2.xlarge RI with default tenancy (the normalization factor for xlarge is 8). The billing benefit of the RI can then be applied to the two Linux t2.large On-Demand Instances. Note that instance size flexibility is supported only on Amazon Linux/Unix RIs with default tenancy and Regional scope. Instance size flexibility is not supported for EC2 RIs on other platforms and G4 series instances.
- If you have an Amazon Relational Database Service (Amazon RDS) RI, the RI must exactly match the specifications of a running DB instance. Otherwise, the DB instance is billed at the On-Demand rate. The charges for a reserved DB instance cover only the instance costs. These charges don't include regular costs associated with storage, backups, and I/O. Note that the Region, DB engine, DB instance class, Offering type, and Term chosen during the purchase of RI can't be changed later.
- RDS RIs provide instance size flexibility for MySQL, MariaDB, PostgreSQL, Amazon Aurora, Oracle SE1 (BYOL), Oracle SE (BYOL), Oracle EE (BYOL), and Oracle SE2 (BYOL) database engines. With size-flexible RDS RIs, the billing benefit of your RIs is automatically applied across all DB instance class sizes. Size-flexible reserved DB instances can be matched with DB instances with the same AWS Region and database engine. Size-flexible reserved DB instances can only scale in their instance class type. For example, a db.m4.large RI can apply to a db.m4.xlarge, but not to a db.m5.large because db.m4 and db.m5 are different instance class types.
- The RI discounted rate applies to usage in both Single-AZ and Multi-AZ configurations for the same database engine and instance family. For example, if you purchase a MySQL db.m4.large Single-AZ RI, the billing benefit from this RI can be automatically applied to 50% of the usage of a MySQL db.m4.large Multi-AZ instance in the same Region.
- If you purchase an Amazon ElastiCache Reserved Node RI, the billing benefit can be applied to the On-Demand cache node with the same engine (Redis/Memcached), Region, and node type. Each hour, if the number of running cache nodes is less than or equal to the number of applicable Reserved Cache Nodes you have, all running cache nodes are charged at the Reserved Cache Node hourly rate. If the number of running cache nodes exceeds the number of applicable Reserved Cache Nodes, you are charged the On-Demand rate.
- If you have an Amazon Elasticsearch Service RI, the RI must match the Region, instance class, and instance type of the standard On-Demand Instance. Otherwise, the instance is billed at the On-Demand rate.
- If you purchase an Amazon Redshift reserved node, the node must match the instance type and Region of the On-Demand node for the billing benefit to be applied.
Q: My account is a part of the Consolidated Billing family and has several AWS resources. A few other accounts in the Consolidated Billing family have a higher monthly expenditure. How can I reduce my Consolidated Billing amount by fully utilizing the available resources?
Best Practice: Reduce the consolidated billing amount by fully utilizing the RIs.
The billing benefit from the RIs in an account is applied to the other accounts in the Consolidated Billing family if RI discount sharing is enabled for the account. By default, the RI discount sharing is enabled for all accounts in a Consolidated Billing family. The payer account can turn off RI discount sharing for any account in an organization.
The capacity reservation for an RI applies only to the account the RI is purchased on, regardless of whether the RI discount sharing is turned on or off.
Here are a few things to remember about RI discount sharing in a Consolidated Billing family:
- The account that originally purchased the RI receives the discount first. If the purchasing account doesn't have any running On-Demand Instances that match the specifications of the RI, then the discount for the RI is applied to any matching usage on another account in the organization.
- For EC2 regional RIs with size flexibility, the billing benefit from the RI applies to instances of all sizes in the same instance family (from the smallest to the largest). However, if another account in the Consolidated Billing family has unused zonal RIs that are applicable to the same Availability Zone, then the size-flexible RIs are applied to the account before the regional RIs. The Consolidated Billing family is a billing entity, and all charges are paid by the payer account. RI discount sharing in the Consolidated Billing family provides maximum utilization rate and lower costs.
Here are a few things to remember when turning off RI discount sharing for an account in a Consolidated Billing family:
- RI discounts apply only to the account that purchased the RI.
- RI discounts from other accounts in the Consolidated Billing family don't apply to the account with RI discount sharing turned off.
- The charges incurred by the account with RI sharing off are still added to the consolidated bill and paid by the payer account.
For more information, see Reserved Instances and Consolidated Billing.
Q: I am preparing some whitepapers related to account security in AWS accounts in my organization. What do I do to keep my account secure and prevent unauthorized access?
Best Practice: Protect your account from unauthorized access by securing your access keys.
To keep your account secure, you need to be aware of the security concerns with access keys and key leaks. Access keys are long-term credentials for an IAM user or the AWS account admin user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). For more information, see Signing AWS API requests. Access keys consist of two parts: an access key ID and a secret access key. Similar to a user name and password, you must use the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.
When you create access keys for the admin user, you might embed the access keys in your application and code. When this code is shared in community websites, the access keys are exposed. Exposed access keys can pose security risks to your account and could lead to excessive charges from unauthorized activity or abuse. According to the Sinnet Customer Agreement for AWS (Beijing Region) and/or Western Cloud Data Customer Agreement for AWS (Ningxia Region), you are responsible for protecting your AWS resources from unauthorized access.
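One way to catch embedded access keys before code is shared is to scan it for the two key formats. The following scanner is an added example, not part of the original FAQ; the function names and the entropy threshold are assumptions, and the sample uses the placeholder key pair from the AWS documentation, not real credentials.

```python
import math
import re
from collections import Counter

# Access key IDs are 20 characters: a 4-character prefix plus 16 uppercase
# letters or digits. AKIA marks long-term keys, ASIA temporary credentials.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# A 40-character hex string (for example a git commit hash) cannot exceed
# 4.0 bits per character, so this assumed threshold filters those out.
MIN_ENTROPY = 4.2

# Constructed sample source file using the AWS documentation placeholder keys.
SAMPLE = '''\
import boto3
# commit 3f786850e387550fdab836ed7e6dc881de23001b
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep only the first four characters so reports never leak the key."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text):
    """Return (line number, finding type, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            kind = ("long-term access key ID" if m.group(1) == "AKIA"
                    else "temporary access key ID")
            findings.append((lineno, kind, redact(m.group(0))))
        for m in SECRET_CANDIDATE.finditer(line):
            if shannon_entropy(m.group(0)) >= MIN_ENTROPY:
                findings.append((lineno, "possible secret access key",
                                 redact(m.group(0))))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

A hit on a file that has already been published means the key must be treated as exposed and deleted from the account, not only removed from the file.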
The following best practices can help you protect your access keys:
Don’t share your access keys: Don’t provide your access keys to a third party, even to help find your canonical user ID. Sharing your access keys might give someone permanent access to your account. It’s a best practice to use temporary security credentials (IAM roles) instead of access keys, and disable any AWS account admin user access keys. If you still need to use long-term access keys, you can create, modify, view, or rotate your access keys (access key IDs and secret access keys). You can have a maximum of two access keys, which allows you to rotate the active keys. When you create an access key pair, save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must delete the access key and create a new one.
Check for unauthorized access: If you notice unauthorized activity within your account that might be caused by your exposed API keys, you need to secure your account immediately. Update your account password, rotate and delete your AWS access keys (including the access keys that were not exposed and/or compromised), and check your account for unauthorized usage in the AWS China (Beijing) Region and AWS China (Ningxia) Region.
Unfortunately, deleting the access keys from the public website or disabling them is not enough to secure your account. You need to delete the exposed credentials from your AWS account by using the instructions below and take steps to prevent any new credentials from being published on public websites.
It’s strongly recommended to check your AWS account for any unauthorized AWS usage, unauthorized activity, or inappropriate IAM users and policies. To check the usage, sign in to your AWS Management Console and then view the different services to see what resources are being used. Be sure to check the running EC2 instances and IAM users, roles, and groups. You can also check the Bills page in the AWS Billing and Cost Management console to detect unexpected usage. Unauthorized activity on your account might occur in any Region. Make sure to check for resource usage in different Regions by selecting the Regions from the Region Selector in the navigation bar.
Delete unused access keys: Be sure to delete the access keys that are exposed, or unused. To delete an access key, do the following:
- Sign in to the AWS IAM console.
- Select the IAM user with the unused or exposed access key.
- Choose Security credentials.
- Choose Delete next to the access key that you want to delete.
- In the confirmation box, choose Yes.
It’s a best practice to delete IAM users with unused access keys. For information on how to delete an IAM user, see Deleting an IAM user.
Rotate the access keys: If your application uses the access key, you need to replace the exposed key. Changing access keys on a regular schedule is a well-known security practice because it reduces the period an access key is active and improves security. To replace an access key, first create a second key while the first access key is still active. At that point both keys are active. Modify your applications to use the new access key. Then, disable, but do not delete, the first access key. If you encounter problems with your application, make the first access key active again. When your application is fully functional with the first access key inactive, delete the first access key.
For more information, see Managing access keys for IAM users.
For information on best practices in managing your access keys, see Best practices for managing AWS access keys.
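The guidance above on deleting unused keys, rotating keys, and disabling admin user keys can be checked for every user at once from the IAM credential report. The following audit is an added example, not part of the original FAQ; the 90-day thresholds, function names, and sample rows are assumptions, and the CSV is trimmed to the report's access key columns.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation interval, not from the FAQ
MAX_IDLE = timedelta(days=90)     # assumed cutoff for an "unused" key
ROOT = "<root_account>"           # how the report names the account admin (root) user

# Constructed sample, trimmed to the access key columns of the credential report.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,true,2022-01-10T08:00:00+00:00,2024-05-30T02:11:00+00:00,false,N/A,N/A
deploy-bot,true,2023-02-01T09:30:00+00:00,2024-05-31T23:50:00+00:00,true,2024-05-28T10:00:00+00:00,N/A
old-report-job,true,2023-11-05T12:00:00+00:00,2023-12-01T07:00:00+00:00,false,N/A,N/A
alice,true,2024-04-20T15:00:00+00:00,2024-05-31T18:45:00+00:00,false,N/A,N/A
"""


def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A placeholder."""
    return None if value in ("", "N/A") else datetime.fromisoformat(value)


def audit_access_keys(report_csv, now):
    """Return (user, key slot, finding) tuples for keys that need action."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, active = row["user"], []
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            active.append(slot)
            if user == ROOT:
                # Admin user keys should not exist at all.
                findings.append((user, slot, "ADMIN_USER_KEY"))
                continue
            # last_rotated is when the key was created or last changed.
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            # A new key that has not been used yet counts from its creation.
            last_activity = used or rotated
            if last_activity and now - last_activity > MAX_IDLE:
                findings.append((user, slot, "UNUSED"))
            elif rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, slot, "ROTATE"))
        if len(active) == 2 and user != ROOT:
            # Both keys active: the old key was never disabled and deleted.
            findings.append((user, "1+2", "ROTATION_UNFINISHED"))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for finding in audit_access_keys(SAMPLE_REPORT, now):
        print(*finding)
```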
Q: I observe abnormal and large data traffic transmission records on my Amazon EC2 instances. How do I check for unauthorized activity in my EC2 instances and improve the security of these instances?
Best Practice: Secure your Amazon EC2 instances with security group rules.
It’s a best practice to manage access to AWS resources and APIs using identity federation, IAM users, and IAM roles. To learn more about IAM Best Practices, see Best practices for Amazon EC2.
Be sure not to open ports on your EC2 instances to all external addresses (0.0.0.0/0). Opening a port to 0.0.0.0/0 allows all IP addresses to access your interface, which allows your EC2 instances to participate in unauthorized network activities. It’s a best practice to set security group rules to allow access to instances only from known IP addresses. To learn more about Amazon EC2 security groups, see Amazon EC2 security groups for Linux instances.
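The rule above can be checked against saved output of aws ec2 describe-security-groups. The following audit is an added example, not part of the original FAQ; it goes slightly beyond the text by also flagging the IPv6 equivalent ::/0 and any source outside a list of known networks. The group IDs, addresses, and function names are constructed.

```python
import ipaddress
import json

WORLD = {"0.0.0.0/0", "::/0"}  # every IPv4 / IPv6 address

# Constructed sample in the shape returned by describe-security-groups.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example0000000a", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0example0000000b", "GroupName": "batch",
   "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []}]}
]}
""")
KNOWN_CIDRS = ["203.0.113.0/24"]  # assumed list of your own known networks


def port_label(perm):
    """Describe the protocol and port range of one ingress permission."""
    if perm.get("IpProtocol") == "-1":  # -1 means all protocols and ports
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    ports = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']}/{ports}"


def is_known(cidr, known_networks):
    """True if cidr lies entirely inside one of the known networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == k.version and net.subnet_of(k)
               for k in known_networks)


def audit_ingress(describe_output, known_cidrs):
    """Return (group ID, ports, source CIDR, verdict) for risky ingress rules.

    Rules that reference another security group carry no CIDR and are skipped.
    """
    known = [ipaddress.ip_network(c) for c in known_cidrs]
    findings = []
    for group in describe_output["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD:
                    verdict = "OPEN_TO_WORLD"
                elif not is_known(cidr, known):
                    verdict = "UNKNOWN_SOURCE"
                else:
                    continue
                findings.append((group["GroupId"], port_label(perm), cidr, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE, KNOWN_CIDRS):
        print(*finding)
```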
You need to monitor your account usage regularly to avoid unexpected charges. You can create an Amazon CloudWatch alarm to monitor your estimated charges. Creating a billing alarm helps you to easily and efficiently manage your expenses.
To learn more about creating a billing alarm, see Creating a billing alarm to monitor your estimated AWS charges.
Security is a shared responsibility between you and us. It is your responsibility to ensure that your instances and applications are secure. For more information on securing your Linux instances, see Security in Amazon EC2. For information on securing your Windows instances, see Security in Amazon EC2. For information on security in Amazon Virtual Private Cloud (Amazon VPC), see Security in Amazon Virtual Private Cloud.
Note: If you receive an outstanding abuse report from us against your EC2 instance(s), review the abuse notice to see what content or activity is reported. Reply to the abuse report and explain how you’re preventing the abuse activity from recurring in the future. If you don't respond to an abuse notice within 24 hours, we might block your resources or suspend your AWS account.
Q: I understand that Amazon S3's version control capabilities help me guarantee data storage at each stage. However, I might require frequent versions of storage and updates based on my business needs. What are the charges for configuring versioning on my Amazon S3 buckets?
Best Practice: Use Amazon S3 bucket lifecycle rules to reduce the cost of storing multiple versions.
Amazon S3 helps you better protect your data with versioning capability. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. Versioning allows you to easily recover from both unintended user actions and application failures. By default, requests retrieve the most recently written version. Older versions of an object can be retrieved by specifying the version in the request. Storage rates apply for every version stored. You can configure lifecycle rules to automatically control the lifetime and cost of storing multiple versions. To learn more about creating a lifecycle policy for an S3 Bucket, see How do I create a lifecycle rule for an S3 bucket?
Normal Amazon S3 rates apply for every version of an object stored or requested. For example, let’s look at the following scenario to illustrate storage costs when utilizing Versioning (let’s assume the current month is 31 days long):
- Day 1 of the month: You perform a PUT of 4 GB (4,294,967,296 bytes) on your bucket.
- Day 16 of the month: You perform a PUT of 5 GB (5,368,709,120 bytes) within the same bucket using the same key as the original PUT on Day 1.
When analyzing the storage costs of the above operations, you can see that the 4 GB object from Day 1 is not deleted from the bucket when the 5 GB object is written on Day 16. Instead, the 4 GB object is preserved as an older version and the 5 GB object becomes the most recently written version of the object within your bucket. At the end of the month:
Total Byte-Hour usage =
[4,294,967,296 bytes x 31 days x (24 hours / day)] + [5,368,709,120 bytes x 16 days x (24 hours / day)] = 5,257,039,970,304 Byte-Hours.
Conversion to Total GB-Months =
5,257,039,970,304 Byte-Hours x (1 GB / 1,073,741,824 bytes) x (1 month / 744 hours) = 6.581 GB-Month.
It’s a best practice to monitor your account usage regularly to avoid unnecessary charges. You can also create an Amazon CloudWatch billing alarm to monitor your estimated charges. To learn more about creating a billing alarm, see Creating a billing alarm to monitor your estimated AWS charges.
To learn more about Amazon S3 Versioning, see Using versioning.
For information on Amazon S3 pricing, see Amazon S3 pricing.
For Amazon S3 FAQs, see Amazon S3 FAQs.
If you want detailed billing information, you can enable Detailed Billing Reports on your account. Detailed Billing Reports provide information on the hourly usage in your account across different services and Regions. To learn more about setting up the Detailed billing reports, see Detailed Billing Reports.
Technical Troubleshooting FAQs
Q: I am asked to configure the Amazon Virtual Private Cloud (Amazon VPC) and security groups when I launch an Amazon EC2 instance. What is a VPC and a security group?
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. That is, you place your Amazon EC2 resources in a virtual network that’s applicable only to your AWS account and build your own network environment by configuring the subnet and routing table. A security group acts as a virtual firewall for your instance to control incoming and outgoing traffic.
Note: If you are a new AWS customer and have questions about terminology or operations when using AWS, contact the AWS Support Center for technical support.
Q: I see that the target health check status in my Elastic Load Balancing target group is Unhealthy, but my Amazon EC2 instance is running normally. How do I resolve this issue?
There are several possible causes for the target health check to be Unhealthy. You can check the health of your target to see the reason code and description of your issue. For example, Target.Timeout means that the health check request has timed out. When you see this status, check whether ELB can connect to the target successfully at this time. If a TCP connection can’t be established, continue to check the configurations of ELB and target instances (such as security group and network access control lists (ACLs)).
Tip: For technical support and assistance in troubleshooting, subscribe to a paid AWS Support Plan.
Q: The CPU utilization of my Amazon Elastic Compute Cloud (Amazon EC2) instance has suddenly reached 100%. How can I check what processes are currently running?
Collect system logs, status, and configuration information by running $ sudo sosreport. The information can help you to understand the status of your system. Contact AWS Support Center to get assistance on further analysis and resolution.
Note: If you have a Business Support Plan or an Enterprise Support Plan, you can get support on third-party software operation, configuration guidance, and common troubleshooting.
Technical Troubleshooting Best Practices
Q: How can I automatically recover my Amazon EC2 instance that failed a status check?
Amazon EC2 Best Practice: Set up an Amazon CloudWatch alarm to automatically restart or recover your Amazon EC2 instance.
There are two types of status checks: system status checks and instance status checks. System status checks monitor the AWS systems on which your instance runs. If your instance fails a system status check, it’s usually caused by the underlying problems. For instances backed by Amazon Elastic Block Store (Amazon EBS), you can stop and start the instance, which in most cases results in the instance being migrated to a new healthy host. You can also create a CloudWatch alarm that monitors and automatically recovers the Amazon EC2 instance from any issue that requires AWS Support involvement.
If the instance fails an instance status check, it’s usually caused by operation issues. You can create a CloudWatch alarm that automatically reboots the instance. An instance reboot is equivalent to an operating system reboot. When your business is interrupted by a failed instance status check, you might quickly recover your instance by automatically rebooting it.
Q: I see there are three types of load balancers. How do I select the load balancer that’s suitable for my application? What are the differences between the three types of load balancers?
Elastic Load Balancing (ELB) Best Practice: Select the appropriate type of load balancer for your application.
ELB supports three types of load balancers: Application Load Balancers (ALBs), Network Load Balancers (NLBs), and Classic Load Balancers (CLBs). You can select the appropriate load balancer based on your application needs. It’s a best practice to use the Application Load Balancer if you need to load balance HTTP/HTTPS requests. Network Load Balancer is the most suitable for load balancing network and transport protocols (Layer 4: TCP, UDP) and for applications that need extreme performance and low latency. ALBs and NLBs are load balancers of the current generation. If you are using the CLB, it’s a best practice to migrate the CLB to an ALB or NLB. After you’ve completed the migration process, you can take advantage of the features of your new load balancer (such as WebSocket protocol/SNI support).
Q: Large amounts of data from my organization's applications are stored in Amazon Simple Storage Service (Amazon S3). How do I efficiently determine the frequency of data access to reduce data storage costs?
Amazon S3 Best Practice: Determine Amazon S3 data storage plans to reduce costs.
Amazon S3 analytics Storage Class Analysis analyzes storage access patterns to help you decide when to transition the right data to the right storage class. After enabling the analysis feature, Amazon S3 analyzes the access mode of the objects in the S3 bucket to help you decide when to transfer data to the most cost-effective storage class. Users can create lifecycle rules based on the analysis results and minimize storage costs without affecting the normal use of data.
Q: How do I recover data if there is a problem with my Amazon RDS database?
Amazon Relational Database Service (Amazon RDS) Best Practice: Configure automatic backups for Amazon RDS databases.
Amazon RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. This backup occurs in a user-configurable 30-minute daily time period, called the backup window. The system retains automated backups for a configurable number of days, called the backup retention period. If you don't set the backup retention period, Amazon RDS uses a default backup retention period of seven days. You can set the backup retention period between 0 and 35 days. You can disable automated backups by setting the backup retention period to zero. Automated backups allow you to restore your database to any specified time (point-in-time recovery) during your retention period, up to the last five minutes, and create a new database instance. In addition, you can create a manual snapshot for the Amazon RDS database instance if you choose to change the database according to your business needs. Manual snapshot limits (100 per Region) do not apply to automated backups. The automatic backup is deleted when you delete an Amazon RDS database, but the manual backup is retained.
Q: I understand that the REST API can integrate with Amazon Lambda, HTTP, AWS Service, VPC Link and MOCK endpoint, and that I can set up a proxy integration. What's the difference between the different REST API Gateway integration types?
Amazon API Gateway Best Practice: Choose among different REST API Gateway integration types based on your needs.
If you want to build your Serverless Architecture, you can use Lambda integration. HTTP integration lets an API Gateway expose HTTP endpoints in the backend. An API Gateway with the AWS Service integration has the advantage of providing a consistent application protocol for your client to access different AWS services. The VPC Link integration makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC. Mock Integration enables API developers to generate API responses from API Gateway directly, without the need for an integration backend. In most cases, proxy integration settings are simple, while custom integration settings are complex. However, custom integration settings help you define customized configurations.
Q: Our organization uses Amazon EMR Hive as the data warehouse. By default, Hive records metadata in a MySQL database on the master node's file system. When a cluster terminates, its metadata is lost. How do we configure an external metastore for Amazon EMR Hive and allow multiple clusters to share the same Hive metadata?
Amazon EMR Best Practice: Configure an external metastore for Amazon EMR Hive.
You have two options to conveniently manage a Hive external metastore: AWS Glue Data Catalog (Amazon EMR version 5.8.0 or later only), or Amazon RDS or Amazon Aurora. The AWS Glue Data Catalog provides a unified metadata repository across a variety of data sources and data formats, integrating with Amazon EMR as well as Amazon RDS, Amazon Redshift, Amazon Athena, and any application compatible with the Apache Hive metastore. As an RDBMS, Amazon RDS MySQL or Amazon Aurora can be used as an external Hive metadata store. All you need to do is use the Amazon RDS configuration to overwrite the default configuration of the EMR Hive metastore. Both options support configuring the metastore when launching the cluster, which is an efficient and faster way to start an EMR Hive cluster with an external metastore configured.
Enterprise Support Best Practices
Q: The high latency alarm from the Amazon ElastiCache service has affected our big selling event. We saw some error messages and warnings from the AWS management dashboard that indicated apparent performance bottlenecks. We have the AWS Enterprise Support Plan and need your help in checking the error message and providing assistance as soon as possible. Who should we contact?
Create a critical case in the AWS Support Center immediately. Be sure to include detailed information on the use case and error messages in the case. An Amazon ElastiCache support engineer will contact you within 15 minutes and help you to resolve the issue. If you are an enterprise customer and you submit a case, your technical account manager is notified of the case immediately. The technical account manager will assist you with support resources and make sure that the services are restored in the shortest possible time. After the issue is resolved, your technical account manager provides a series of suggestions to prevent the issue from recurring.
Q: We’ve been using AWS services for some time, and overall the system is very stable. However, we need support to check whether our current architecture and usage are efficient. Who should we contact?
If you are an enterprise customer, contact your technical account manager. Your technical account manager is familiar with enterprise-level support and AWS architecture and technology, and is sensitive to operating costs. The technical account manager proactively reviews your AWS infrastructure with you every six months or once a quarter. During the audit, the rationality, reliability, and security of your infrastructure are reviewed. The proactive guidance helps you review the health of your cloud operations, optimize costs, and scale workloads efficiently through workload reviews, best practices workshops, and deep dives.
Q: We learned that the Amazon SageMaker service is now available in the AWS China Region. How do we enable this service and receive guidance?
Contact your technical account manager. The technical account manager understands your business needs and provides relevant guidance. When necessary, the technical account manager arranges an architect to assist you in planning and validating your new architecture. In addition, we can provide enterprise customers with beta testing options for newly launched AWS services.
Q: We are an enterprise customer. We have the company's annual new product launch conference in two months. For the event to be successful, we need to make sure that all systems function normally. We might need to contact AWS Support for assistance in case of unforeseen technical issues. Do we need to purchase AWS Infrastructure Event Management (IEM)?
AWS IEM offers architecture and scaling guidance and operational support during the preparation and execution of planned events, such as shopping holidays, product launches, and migrations. For these events, AWS Infrastructure Event Management will help you assess operational readiness, identify and mitigate risks, and run your event confidently with experts by your side. The program is included in the Enterprise Support plan. Contact your technical account manager for the event planning. Your technical account manager will work with you from event preparation till the end of the event.