Why hidden AWS costs are so hard to catch
AWS has over 200 services and thousands of pricing dimensions. The default Cost Explorer view shows you total spend by service — but it does not show you which specific resources are wasting money, or why. Hidden AWS costs live in the gap between 'total EC2 spend' and 'which of my 47 EC2 instances are actually doing useful work.'
Flexera's 2025 State of the Cloud report found that organizations waste an average of 32% of their cloud budget. For a company spending $15,000/month on AWS, that is $4,800 in hidden AWS costs every single month — resources that are running, billing, and delivering zero value.
The reason these costs stay hidden: they are spread across dozens of small line items, none of which is large enough to trigger an alert on its own. Here are the seven most common sources.
Hidden cost 1: Unattached EBS volumes
When you terminate an EC2 instance, the root volume is usually deleted automatically. But additional data volumes — the ones you attached for extra storage, temp files, or database data — often persist in an 'available' state. They are not attached to any instance, but AWS keeps billing for them at full rate.
At $0.08/GB/month for gp2 or $0.08/GB/month for gp3, a 500GB unattached volume costs $40/month. These volumes are invisible in the EC2 dashboard unless you specifically navigate to EC2 > Volumes and filter by State = available. Most teams never do.
How to find them
- Go to EC2 > Volumes, filter by State = available
- Sort by Size (largest first) to prioritize the most expensive ones
- Check the Created date — volumes older than 30 days with no Name tag are almost always safe to delete
- Create a snapshot before deleting (costs pennies compared to the volume itself)
Hidden cost 2: Old EBS snapshots
EBS snapshots are one of the most overlooked hidden AWS costs. Every AMI you create, every manual snapshot, every automated backup policy generates snapshots that accumulate silently at $0.05/GB/month.
The compounding math is brutal: daily snapshots of a 200GB volume generate 30 snapshots per month. After one year, you have 365 snapshots. Even with incremental storage, that can easily reach $200-$400/month in snapshot costs alone — for a single volume. Multiply across a team that has been running for two years.
How to find them
Go to EC2 > Snapshots, filter by Owner = self. Sort by Start Time to find the oldest ones. Look for snapshots whose source volume no longer exists (the Volume ID column will show 'N/A') — these are orphaned snapshots from deleted instances and are safe to remove. Also review your Data Lifecycle Manager policies to ensure retention periods are not set to 'keep forever.'
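The volume checks above (hidden cost 1) and the orphaned-snapshot check here reduce to the same filtering over the EC2 API, so here is one added Python example covering both. It is not code from this article or from Driftak; it works on dicts shaped like boto3's describe_volumes / describe_snapshots responses, uses constructed sample data so it runs offline, and the prices are the per-GB figures quoted above. The `run_sample` function, the sample ids and the 30-day threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Prices quoted in the article (USD per GB-month); adjust for your region.
EBS_GB_MONTH_USD = 0.08
SNAPSHOT_GB_MONTH_USD = 0.05


def unattached_volume_candidates(volumes, now, min_age_days=30):
    """Volumes in state 'available' (attached to nothing), older than
    min_age_days and without a Name tag, largest first, with an estimated
    monthly cost. `volumes` has the shape of
    ec2.describe_volumes()['Volumes'] from boto3."""
    cutoff = now - timedelta(days=min_age_days)
    out = []
    for v in volumes:
        if v["State"] != "available":
            continue
        if v["CreateTime"] > cutoff:           # newer than the age threshold
            continue
        tags = {t["Key"]: t["Value"] for t in v.get("Tags", [])}
        if "Name" in tags:                      # someone labelled it; review by hand
            continue
        out.append({
            "VolumeId": v["VolumeId"],
            "SizeGiB": v["Size"],
            "MonthlyUSD": round(v["Size"] * EBS_GB_MONTH_USD, 2),
        })
    out.sort(key=lambda c: c["SizeGiB"], reverse=True)
    return out


def orphaned_snapshot_candidates(snapshots, existing_volume_ids):
    """Snapshots whose source volume no longer exists, oldest first.
    `snapshots` has the shape of
    ec2.describe_snapshots(OwnerIds=['self'])['Snapshots'].
    Snapshots are incremental, so the billed size is at most VolumeSize;
    the cost figure is therefore an upper bound."""
    orphans = [s for s in snapshots if s["VolumeId"] not in existing_volume_ids]
    orphans.sort(key=lambda s: s["StartTime"])
    return [{
        "SnapshotId": s["SnapshotId"],
        "SourceVolumeId": s["VolumeId"],
        "StartDate": s["StartTime"].date().isoformat(),
        "MonthlyUSDUpperBound": round(s["VolumeSize"] * SNAPSHOT_GB_MONTH_USD, 2),
    } for s in orphans]


# Constructed sample data standing in for the boto3 API responses.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "available", "Size": 500,
     "CreateTime": NOW - timedelta(days=120), "Tags": []},
    {"VolumeId": "vol-0bbb", "State": "available", "Size": 100,
     "CreateTime": NOW - timedelta(days=5), "Tags": []},           # too new
    {"VolumeId": "vol-0ccc", "State": "available", "Size": 200,
     "CreateTime": NOW - timedelta(days=400),
     "Tags": [{"Key": "Name", "Value": "keep-me"}]},               # has a Name tag
    {"VolumeId": "vol-0ddd", "State": "in-use", "Size": 50,
     "CreateTime": NOW - timedelta(days=400), "Tags": []},         # attached
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-001", "VolumeId": "vol-0ddd", "VolumeSize": 50,
     "StartTime": NOW - timedelta(days=1)},                         # source still exists
    {"SnapshotId": "snap-002", "VolumeId": "vol-0eee", "VolumeSize": 200,
     "StartTime": NOW - timedelta(days=700)},                       # source deleted
    {"SnapshotId": "snap-003", "VolumeId": "vol-0fff", "VolumeSize": 20,
     "StartTime": NOW - timedelta(days=300)},                       # source deleted
]


def run_sample():
    existing = {v["VolumeId"] for v in SAMPLE_VOLUMES}
    return (unattached_volume_candidates(SAMPLE_VOLUMES, NOW),
            orphaned_snapshot_candidates(SAMPLE_SNAPSHOTS, existing))


if __name__ == "__main__":
    volumes, snapshots = run_sample()
    print("unattached volumes:", volumes)
    print("orphaned snapshots:", snapshots)
```

Against a real account you would pass the output of `describe_volumes` and `describe_snapshots(OwnerIds=['self'])` (paginated) and take `existing_volume_ids` from the same volume listing; the snapshot cost is deliberately reported as an upper bound because incremental snapshots bill only the changed blocks.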
Hidden cost 3: Idle load balancers
Application Load Balancers cost $16-$22/month in fixed charges regardless of traffic, plus $0.008 per LCU-hour for actual usage. When a service is decommissioned, the ALB often survives because nobody remembers it exists. It sits there, routing traffic to an empty target group, billing $200+ per year for nothing.
Classic Load Balancers are even more common hidden AWS costs — they were the default before ALBs existed, and many teams have forgotten CLBs attached to services that were migrated years ago.
How to find them
- Go to EC2 > Load Balancers and check the Target Groups column
- Any load balancer with zero healthy targets is a candidate for deletion
- Check RequestCount in CloudWatch — zero requests for 14+ days means it is serving nothing
- Also check for load balancers with targets that are all unhealthy — the LB is running but broken
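The three signals in the list above (no targets, all targets unhealthy, zero RequestCount for 14 days) can be combined into one classifier. The Python below is an added example, not code from the article or from Driftak; the input dicts are constructed to mirror the TargetHealth states from elbv2.describe_target_health and a daily RequestCount series from CloudWatch, and the `$16` fixed charge is the lower bound quoted above. The 14-day window is the article's; the field names and sample load balancers are assumptions.

```python
IDLE_DAYS = 14
# Lower end of the fixed monthly ALB charge quoted in the article.
ALB_FIXED_MONTH_USD = 16.0


def classify_load_balancer(lb):
    """Return the reasons a load balancer looks idle or broken (empty = fine).
    `target_states` mirrors TargetHealth.State values from
    elbv2.describe_target_health(); `request_count_per_day` is the CloudWatch
    RequestCount metric (Statistic=Sum, Period=86400) for recent days, newest
    last, with 0 filled in for days CloudWatch returned no datapoint (it omits
    empty periods). Fewer than IDLE_DAYS entries means too little history, so
    the request check is skipped rather than flagged."""
    reasons = []
    states = lb["target_states"]
    if not states:
        reasons.append("no registered targets")
    elif not any(s == "healthy" for s in states):
        reasons.append("all %d targets unhealthy (running but broken)" % len(states))
    counts = lb["request_count_per_day"]
    if len(counts) >= IDLE_DAYS and sum(counts[-IDLE_DAYS:]) == 0:
        reasons.append("zero RequestCount for %d days" % IDLE_DAYS)
    return reasons


def idle_load_balancers(lbs):
    """name -> {reasons, fixedMonthlyUSD} for every LB with a finding."""
    findings = {}
    for lb in lbs:
        reasons = classify_load_balancer(lb)
        if reasons:
            findings[lb["name"]] = {"reasons": reasons,
                                    "fixedMonthlyUSD": ALB_FIXED_MONTH_USD}
    return findings


# Constructed sample: one healthy service, one leftover LB with an empty
# target group, one with only unhealthy targets, one too new to judge.
SAMPLE_LBS = [
    {"name": "api-prod", "target_states": ["healthy", "healthy"],
     "request_count_per_day": [120000] * 14},
    {"name": "legacy-batch", "target_states": [],
     "request_count_per_day": [0] * 14},
    {"name": "reports", "target_states": ["unhealthy", "unhealthy"],
     "request_count_per_day": [0] * 10 + [3, 0, 0, 0]},
    {"name": "new-service", "target_states": ["healthy"],
     "request_count_per_day": [0, 0, 0]},
]


def run_sample():
    return idle_load_balancers(SAMPLE_LBS)


if __name__ == "__main__":
    for name, finding in run_sample().items():
        print(name, finding)
```

The zero-filling matters: GetMetricStatistics returns no datapoint at all for an idle day, so a naive `sum()` over the raw response would report "no data" for exactly the load balancers you are looking for.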
Hidden cost 4: NAT Gateway data processing charges
NAT Gateways are one of the most surprising hidden AWS costs for teams that are new to VPC networking. Each NAT Gateway costs $32/month in fixed charges plus $0.045 per GB of data processed. A single NAT Gateway processing 2TB/month costs $122 — and many teams run one per Availability Zone for redundancy.
The hidden part: data transfer charges from NAT Gateways appear as a separate line item in your AWS bill under 'EC2 - Other,' not under the service that generated the traffic. Teams often see their EC2 costs and think they understand their bill, while hundreds of dollars in NAT Gateway processing charges accumulate in a line item they never look at.
How to reduce NAT Gateway costs
- Use VPC endpoints for S3 and DynamoDB — traffic to these services bypasses the NAT Gateway entirely and is free
- Check if services in private subnets actually need internet access, or if they can use VPC endpoints instead
- Use Cost Explorer grouped by Usage Type to find 'NatGateway-Bytes' charges and trace them to the source
- Consider consolidating to a single NAT Gateway if multi-AZ redundancy is not critical for your workload
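Here is an added Python example of the Cost Explorer step above: it sums the NatGateway usage types out of a get_cost_and_usage response grouped by USAGE_TYPE, then applies the $32 fixed and $0.045/GB figures quoted in this section to estimate what consolidation and VPC endpoints would change. It is not code from the article or from Driftak. The response is constructed to match the real API's shape but its numbers are made up, and the S3/DynamoDB traffic share passed to `endpoint_savings` is a parameter you would measure yourself (for example from VPC Flow Logs), not something the page provides.

```python
# Prices quoted in the article: $32/month fixed per gateway, $0.045 per GB processed.
NAT_FIXED_MONTH_USD = 32.0
NAT_GB_PROCESSED_USD = 0.045


def summarize_nat_usage(ce_response):
    """Sum every NatGateway-* usage type across all periods of a Cost Explorer
    get_cost_and_usage() response that was grouped by DIMENSION=USAGE_TYPE and
    requested the UsageQuantity and UnblendedCost metrics."""
    totals = {}
    for period in ce_response["ResultsByTime"]:
        for group in period["Groups"]:
            usage_type = group["Keys"][0]           # e.g. "USE1-NatGateway-Bytes"
            if "NatGateway" not in usage_type:
                continue
            entry = totals.setdefault(usage_type, {"quantity": 0.0, "costUSD": 0.0})
            entry["quantity"] += float(group["Metrics"]["UsageQuantity"]["Amount"])
            entry["costUSD"] += float(group["Metrics"]["UnblendedCost"]["Amount"])
    for entry in totals.values():
        entry["quantity"] = round(entry["quantity"], 3)
        entry["costUSD"] = round(entry["costUSD"], 2)
    return totals


def estimate_monthly_nat_cost(gateway_count, gb_processed):
    """Fixed charge per gateway plus the per-GB processing charge."""
    return round(gateway_count * NAT_FIXED_MONTH_USD
                 + gb_processed * NAT_GB_PROCESSED_USD, 2)


def endpoint_savings(gb_processed, s3_dynamo_fraction):
    """Processing charge avoided by moving the share of NAT traffic bound for
    S3/DynamoDB onto gateway VPC endpoints (the fraction is measured, not assumed)."""
    return round(gb_processed * s3_dynamo_fraction * NAT_GB_PROCESSED_USD, 2)


# Constructed response: two monthly periods in one region, with an unrelated
# EC2 usage type mixed in to show the filtering.
SAMPLE_CE_RESPONSE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2025-04-01", "End": "2025-05-01"}, "Groups": [
        {"Keys": ["USE1-NatGateway-Bytes"], "Metrics": {
            "UsageQuantity": {"Amount": "1200", "Unit": "GB"},
            "UnblendedCost": {"Amount": "54", "Unit": "USD"}}},
        {"Keys": ["USE1-NatGateway-Hours"], "Metrics": {
            "UsageQuantity": {"Amount": "720", "Unit": "Hrs"},
            "UnblendedCost": {"Amount": "32.4", "Unit": "USD"}}},
        {"Keys": ["USE1-BoxUsage:t3.micro"], "Metrics": {
            "UsageQuantity": {"Amount": "720", "Unit": "Hrs"},
            "UnblendedCost": {"Amount": "7.49", "Unit": "USD"}}},
    ]},
    {"TimePeriod": {"Start": "2025-05-01", "End": "2025-06-01"}, "Groups": [
        {"Keys": ["USE1-NatGateway-Bytes"], "Metrics": {
            "UsageQuantity": {"Amount": "800", "Unit": "GB"},
            "UnblendedCost": {"Amount": "36", "Unit": "USD"}}},
        {"Keys": ["USE1-NatGateway-Hours"], "Metrics": {
            "UsageQuantity": {"Amount": "744", "Unit": "Hrs"},
            "UnblendedCost": {"Amount": "33.48", "Unit": "USD"}}},
    ]},
]}


def run_sample():
    return summarize_nat_usage(SAMPLE_CE_RESPONSE)


if __name__ == "__main__":
    totals = run_sample()
    gb = totals["USE1-NatGateway-Bytes"]["quantity"]
    print("NAT usage over the window:", totals)
    print("one gateway, %.0f GB/month: $%.2f" % (gb, estimate_monthly_nat_cost(1, gb)))
    print("three gateways (one per AZ): $%.2f" % estimate_monthly_nat_cost(3, gb))
    print("if 40%% of that is S3/DynamoDB: save $%.2f" % endpoint_savings(gb, 0.4))
```

The real request would be `ce.get_cost_and_usage(TimePeriod=..., Granularity='MONTHLY', Metrics=['UsageQuantity', 'UnblendedCost'], GroupBy=[{'Type': 'DIMENSION', 'Key': 'USAGE_TYPE'}])`; the usage-type prefix (USE1, EUW1, ...) tells you which region's gateway to trace.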
Hidden cost 5: Unused Elastic IPs
AWS charges $0.005 per hour ($3.60/month) for every Elastic IP that is allocated but not associated with a running instance. This is a deliberate pricing signal — AWS wants you to release IPs you are not using because IPv4 addresses are a scarce resource.
Three dollars and sixty cents sounds trivial. But teams accumulate Elastic IPs over time — allocated 'just in case,' forgotten after an instance was terminated, or left over from a service migration. Twenty unused EIPs is $72/month, $864/year. More importantly, unused EIPs signal a lack of hygiene that usually means bigger hidden AWS costs elsewhere.
How to find them
Go to EC2 > Elastic IPs. Any IP without an 'Associated instance ID' is costing you money for nothing. Check across all regions — Elastic IPs are regional resources and the AWS console only shows the current region. Use AWS Config or a multi-region scan to catch them all.
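Because the console only shows one region, the scan has to loop over all of them. The Python below is an added example (not from the article or from Driftak) that takes the region list and a `describe_addresses(region)` callable, so it runs offline against constructed data and, with boto3, against a real account as shown in the trailing comment. The unassociated test is the absence of `AssociationId` in the address record, which is how boto3's describe_addresses reports it; the 720-hour month reproduces the article's $3.60 figure, and the sample IPs and allocation ids are made up.

```python
# Article figures: $0.005/hour, quoted as $3.60/month (i.e. a 720-hour month).
EIP_UNUSED_HOUR_USD = 0.005
HOURS_PER_MONTH = 720


def scan_unused_eips(regions, describe_addresses):
    """Walk every region and return the Elastic IPs that are allocated but not
    associated. `describe_addresses(region)` must return the dict that boto3's
    ec2.describe_addresses() returns for that region; an address is
    unassociated when its record carries no AssociationId."""
    findings = []
    for region in regions:
        for addr in describe_addresses(region)["Addresses"]:
            if "AssociationId" in addr:
                continue
            findings.append({
                "Region": region,
                "PublicIp": addr["PublicIp"],
                "AllocationId": addr["AllocationId"],
                "MonthlyUSD": round(EIP_UNUSED_HOUR_USD * HOURS_PER_MONTH, 2),
            })
    return findings


def total_monthly_waste(findings):
    return round(sum(f["MonthlyUSD"] for f in findings), 2)


# Constructed stand-in for the per-region API call (documentation IP ranges,
# made-up allocation ids).
SAMPLE_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-2"]
_SAMPLE_ADDRESSES = {
    "us-east-1": [
        {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0001",
         "AssociationId": "eipassoc-0001", "InstanceId": "i-0001"},   # in use
        {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0002"},
        {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0003"},
    ],
    "eu-west-1": [
        {"PublicIp": "198.51.100.20", "AllocationId": "eipalloc-0004"},
    ],
    "ap-southeast-2": [],
}


def sample_describe_addresses(region):
    return {"Addresses": _SAMPLE_ADDRESSES[region]}


def run_sample():
    findings = scan_unused_eips(SAMPLE_REGIONS, sample_describe_addresses)
    return findings, total_monthly_waste(findings)


if __name__ == "__main__":
    # Against a real account (assumed usage; needs boto3 and read-only credentials):
    #   import boto3
    #   regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    #   findings = scan_unused_eips(
    #       regions, lambda r: boto3.client("ec2", region_name=r).describe_addresses())
    findings, waste = run_sample()
    for f in findings:
        print(f)
    print("total monthly waste: $%.2f" % waste)
```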
Hidden cost 6: CloudWatch log storage
CloudWatch Logs storage costs $0.03/GB/month. That sounds cheap — until you realize that a busy application logging at INFO level can generate 50-100GB of logs per month, and the default retention policy is 'Never Expire.' After two years of operation, you might be storing 2TB of logs that nobody has looked at since the week they were written.
At $0.03/GB/month, 2TB of CloudWatch logs costs $60/month — $720/year — for data that has zero operational value. This is one of the most purely wasteful hidden AWS costs because the data is not being used for anything.
How to fix it
- Go to CloudWatch > Log Groups and sort by Stored Bytes (largest first)
- Set retention policies on every log group — 30 days for application logs, 90 days for security/audit logs is a reasonable default
- For log groups with 'Never Expire' and large storage, manually delete old log streams
- Consider exporting logs to S3 (at $0.023/GB/month) for long-term retention if compliance requires it
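The steps above turn into a short review script: sort log groups by stored bytes, flag the ones with no retention (describe_log_groups simply omits `retentionInDays` for Never Expire), and prepare the put_retention_policy calls with the 30/90-day defaults suggested here. This Python is an added example, not code from the article or from Driftak. The name-based rule for which groups count as security/audit logs is a heuristic I chose for the example, the sample log groups are constructed, and the changes are returned as a list to review rather than applied.

```python
# Prices quoted in the article (USD per GB-month).
LOGS_GB_MONTH_USD = 0.03
S3_GB_MONTH_USD = 0.023
GB = 1024 ** 3


def recommend_retention_days(log_group_name):
    """Article's defaults: 90 days for security/audit logs, 30 for application
    logs. Deciding by name is a heuristic; adapt it to your naming scheme."""
    name = log_group_name.lower()
    if any(k in name for k in ("security", "audit", "cloudtrail")):
        return 90
    return 30


def review_log_groups(log_groups):
    """One row per log group, largest first, with its current storage cost,
    what the same data would cost in S3, whether it is set to Never Expire
    (no retentionInDays in the record) and the recommended retention.
    `log_groups` has the shape of logs.describe_log_groups()['logGroups']."""
    rows = []
    for g in log_groups:
        stored_gb = g.get("storedBytes", 0) / GB
        rows.append({
            "logGroupName": g["logGroupName"],
            "storedGB": round(stored_gb, 1),
            "monthlyUSD": round(stored_gb * LOGS_GB_MONTH_USD, 2),
            "s3MonthlyUSD": round(stored_gb * S3_GB_MONTH_USD, 2),
            "neverExpire": "retentionInDays" not in g,
            "recommendedDays": recommend_retention_days(g["logGroupName"]),
        })
    rows.sort(key=lambda r: r["storedGB"], reverse=True)
    return rows


def retention_changes(rows):
    """Keyword arguments for logs.put_retention_policy(), one per group that is
    still on Never Expire. Returned, not executed, so the list can be reviewed."""
    return [{"logGroupName": r["logGroupName"], "retentionInDays": r["recommendedDays"]}
            for r in rows if r["neverExpire"]]


# Constructed sample mirroring describe_log_groups output; the first group is
# the article's 2TB-of-forgotten-logs case.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/order-worker", "storedBytes": 2000 * GB},   # Never Expire
    {"logGroupName": "/app/security-audit", "storedBytes": 120 * GB},         # Never Expire
    {"logGroupName": "/aws/ecs/api", "storedBytes": 40 * GB, "retentionInDays": 30},
]


def run_sample():
    rows = review_log_groups(SAMPLE_LOG_GROUPS)
    return rows, retention_changes(rows)


if __name__ == "__main__":
    rows, changes = run_sample()
    for r in rows:
        print(r)
    # To apply (assumed usage; needs boto3 and a role allowed to change retention):
    #   logs = boto3.client("logs")
    #   for kwargs in changes: logs.put_retention_policy(**kwargs)
    print("planned retention changes:", changes)
```

Setting a retention policy deletes data older than the window once it takes effect, so review the list before applying it, and export anything compliance needs to S3 first.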
Hidden cost 7: Idle RDS instances and read replicas
RDS is expensive by design — managed databases include compute, storage, I/O, and backup storage in a single hourly charge. A db.r5.large costs about $175/month. What makes RDS a hidden AWS cost is that unlike EC2, you cannot stop an RDS instance indefinitely: AWS automatically restarts stopped RDS instances after 7 days and resumes full billing.
Read replicas are a particularly common source of hidden RDS costs. A team creates a read replica for a load test, the test completes, and the replica keeps running at $175/month because nobody thought to delete it. Six months later, that is $1,050 in pure waste from a single forgotten replica.
How to find idle RDS
- Check DatabaseConnections in CloudWatch — zero connections for 7+ days means nobody is using it
- Check CPUUtilization — sustained under 2% for two weeks suggests the instance is idle
- Look for read replicas with zero ReplicaLag changes — if replication lag is not changing, no writes are happening
- Check for Multi-AZ deployments on dev/staging databases — Multi-AZ doubles the cost and is rarely needed outside production
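The four checks above applied to a set of instances, as an added Python example that is not code from the article or from Driftak. Each instance is a constructed dict carrying daily CloudWatch datapoints (AWS/RDS namespace: DatabaseConnections Maximum, CPUUtilization Average, ReplicaLag Average) plus the Multi-AZ flag and an Environment tag; the thresholds are the article's (7 days, 2% over two weeks), the $175/month is its db.r5.large figure, and the field names, the non-production environment names and the sample instances are assumptions.

```python
# Article's thresholds and the db.r5.large price it quotes.
CONNECTION_IDLE_DAYS = 7
CPU_IDLE_DAYS = 14
CPU_IDLE_PERCENT = 2.0
NONPROD_ENVIRONMENTS = ("dev", "development", "staging", "test")
DB_R5_LARGE_MONTH_USD = 175.0


def assess_rds_instance(inst):
    """Return the reasons an RDS instance looks idle or over-provisioned.
    Metric lists are daily CloudWatch datapoints, newest last; fill 0 for days
    CloudWatch returned no DatabaseConnections datapoint, since it omits
    empty periods. Too little history means a check is skipped, not flagged."""
    reasons = []
    m = inst["metrics"]
    conn = m.get("DatabaseConnections", [])
    if len(conn) >= CONNECTION_IDLE_DAYS and max(conn[-CONNECTION_IDLE_DAYS:]) == 0:
        reasons.append("zero DatabaseConnections for %d days" % CONNECTION_IDLE_DAYS)
    cpu = m.get("CPUUtilization", [])
    if len(cpu) >= CPU_IDLE_DAYS and max(cpu[-CPU_IDLE_DAYS:]) < CPU_IDLE_PERCENT:
        reasons.append("CPUUtilization under %g%% for %d days"
                       % (CPU_IDLE_PERCENT, CPU_IDLE_DAYS))
    if inst.get("is_read_replica"):
        lag = m.get("ReplicaLag", [])
        if len(lag) >= CPU_IDLE_DAYS and len(set(lag[-CPU_IDLE_DAYS:])) == 1:
            reasons.append("ReplicaLag unchanged for %d days (no writes replicating)"
                           % CPU_IDLE_DAYS)
    env = inst.get("tags", {}).get("Environment", "").lower()
    if inst.get("multi_az") and env in NONPROD_ENVIRONMENTS:
        reasons.append("Multi-AZ on a %s database (doubles the instance cost)" % env)
    return reasons


def rds_findings(instances):
    """identifier -> {reasons, monthlyUSD} for each instance with a finding."""
    out = {}
    for inst in instances:
        reasons = assess_rds_instance(inst)
        if reasons:
            out[inst["identifier"]] = {"reasons": reasons,
                                       "monthlyUSD": inst["monthly_usd"]}
    return out


# Constructed sample: a busy primary, the forgotten load-test replica from the
# article, and a staging database needlessly running Multi-AZ.
SAMPLE_INSTANCES = [
    {"identifier": "orders-prod", "is_read_replica": False, "multi_az": True,
     "tags": {"Environment": "prod"}, "monthly_usd": DB_R5_LARGE_MONTH_USD,
     "metrics": {"DatabaseConnections": [40, 55, 38, 61, 47, 52, 49],
                 "CPUUtilization": [35.2] * 14}},
    {"identifier": "orders-loadtest-replica", "is_read_replica": True, "multi_az": False,
     "tags": {"Environment": "staging"}, "monthly_usd": DB_R5_LARGE_MONTH_USD,
     "metrics": {"DatabaseConnections": [0] * 7,
                 "CPUUtilization": [0.6, 0.5, 0.7, 0.5, 0.6, 0.5, 0.5,
                                    0.6, 0.5, 0.5, 0.6, 0.5, 0.5, 0.6],
                 "ReplicaLag": [0.0] * 14}},
    {"identifier": "orders-staging", "is_read_replica": False, "multi_az": True,
     "tags": {"Environment": "staging"}, "monthly_usd": DB_R5_LARGE_MONTH_USD,
     "metrics": {"DatabaseConnections": [3, 0, 5, 2, 0, 4, 6],
                 "CPUUtilization": [4.1, 3.8, 5.0, 2.9, 3.3, 4.4, 3.9,
                                    4.0, 3.7, 3.1, 4.6, 3.5, 3.8, 4.2]}},
]


def run_sample():
    return rds_findings(SAMPLE_INSTANCES)


if __name__ == "__main__":
    for name, finding in run_sample().items():
        print(name, finding)
```

In a real run the metric lists come from `cloudwatch.get_metric_statistics(Namespace='AWS/RDS', Dimensions=[{'Name': 'DBInstanceIdentifier', 'Value': ...}], Period=86400, ...)` and the Multi-AZ flag and tags from `rds.describe_db_instances`; the replica check deliberately treats a lag series that never moves as idle only when it is a read replica, since the metric is meaningless on a primary.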
The common thread: lack of automated detection
Every hidden AWS cost on this list shares the same root cause: there is no system watching for it. Manual audits catch waste once. Waste accumulates continuously. The teams that keep their AWS costs under control are the ones that have automated detection running 24/7 — not the ones that do a quarterly cleanup.
Driftak monitors your AWS accounts continuously and surfaces hidden costs before they compound. It scans EC2, EBS volumes and snapshots, RDS instances, Elastic IPs, and Load Balancers, checks actual utilization metrics (not just tags), and sends escalating alerts through Slack, email, and Telegram. Connect your AWS account in 5 minutes with read-only access — no agents, no code changes.
The first scan usually surfaces $200-$500 in hidden AWS costs that have been accumulating for months. That is the ROI conversation that pays for itself before the first billing cycle ends.