Imagine receiving an unexpected $1,200 Data Transfer Out (DTO) charge on your Amazon Web Services (AWS) bill. You know something generated significant outbound traffic, but you’re left wondering: which resource caused it? Where was the data sent? Was it legitimate application traffic or a security incident?
This is a common challenge for FinOps professionals, DevOps engineers, and security analysts who need to trace billing line items back to their root causes. An AWS bill shows what you were charged for, but connecting those charges to the activity of specific resources requires correlating information across services such as VPC Flow Logs and Amazon Route 53 DNS Query Logging.
In this post, we walk through a systematic four-step methodology for investigating any AWS billing line item using AWS Data Exports (Cost and Usage Reports 2.0) together with VPC Flow Logs and Route 53 DNS Query Logging. We also show how to trace charges from billing…
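The correlation the post describes, namely attributing outbound bytes seen in VPC Flow Logs to a source network interface and to the hostname that the instance resolved through Route 53, can be prototyped in a few lines before moving it into Athena. The script below is an added example and is not code from the post or from AWS. The flow log lines follow the default version-2 field order (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`); the DNS records are modelled on the Route 53 Resolver query log JSON format. All records, ENI ids, addresses and hostnames are constructed, and treating "private source to public destination, ACCEPT" as a proxy for Data Transfer Out is a simplifying assumption (real DTO attribution also depends on NAT gateways, peering and region boundaries, which the CUR itself disambiguates). Destinations that were never resolved through DNS are reported with an empty hostname list, which is itself a useful triage signal: high-volume egress to a bare IP with no DNS lookup is worth a closer look.

```python
"""Attribute outbound bytes from VPC Flow Logs to source ENI and hostname
by joining flow destinations against Route 53 Resolver query log answers.
Added example; every record below is constructed, not captured."""
import ipaddress
import json
from collections import defaultdict

# Constructed VPC Flow Log lines, default version-2 field order.
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 203.0.113.9 51234 443 6 1200 1450000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 203.0.113.9 51235 443 6 900 980000000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0f9e8d7c6b5a43210 10.0.2.7 198.51.100.44 40022 22 6 15 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c6b5a43210 10.0.2.7 10.0.1.15 40023 8080 6 40 65000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.15 443 51234 6 800 120000 1700000000 1700000060 ACCEPT OK
"""

# Constructed Route 53 Resolver query log records (JSON lines), modelled on
# the documented format; only the fields used here are included.
DNS_LOGS = """\
{"query_timestamp": "2023-11-14T22:13:20Z", "vpc_id": "vpc-0example", "query_name": "backup.example.net.", "query_type": "A", "rcode": "NOERROR", "answers": [{"Rdata": "203.0.113.9", "Type": "A", "Class": "IN"}], "srcaddr": "10.0.1.15", "srcids": {"instance": "i-0example0a1b2c3d4"}}
{"query_timestamp": "2023-11-14T22:13:21Z", "vpc_id": "vpc-0example", "query_name": "api.internal.example.", "query_type": "A", "rcode": "NOERROR", "answers": [{"Rdata": "10.0.1.15", "Type": "A", "Class": "IN"}], "srcaddr": "10.0.2.7", "srcids": {"instance": "i-0example5e6f7a8b9"}}
"""

# RFC 1918 ranges stand in for "inside the VPC" (simplifying assumption).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_flow_logs(text: str) -> list:
    """Parse default-format flow log lines into dicts; keep only ACCEPTed flows
    (rejected traffic never leaves the VPC and is not billed as DTO)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[0] == "version" or fields[12] != "ACCEPT":
            continue
        records.append({"eni": fields[2], "src": fields[3], "dst": fields[4],
                        "dport": int(fields[6]), "bytes": int(fields[9])})
    return records


def outbound_bytes(records: list) -> dict:
    """Sum bytes per (ENI, public destination) for private->public flows."""
    totals = defaultdict(int)
    for r in records:
        if is_private(r["src"]) and not is_private(r["dst"]):
            totals[(r["eni"], r["dst"])] += r["bytes"]
    return dict(totals)


def dns_answer_index(text: str) -> dict:
    """Map each answered A/AAAA address to the query names that resolved to it."""
    index = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for ans in rec.get("answers", []):
            if ans.get("Type") in ("A", "AAAA"):
                index[ans["Rdata"]].add(rec["query_name"].rstrip("."))
    return index


def attribute_dto(flow_text: str, dns_text: str) -> list:
    """Join outbound byte totals with DNS answers; largest talkers first."""
    totals = outbound_bytes(parse_flow_logs(flow_text))
    index = dns_answer_index(dns_text)
    rows = []
    for (eni, dst), nbytes in totals.items():
        rows.append({"eni": eni, "dst": dst, "bytes": nbytes,
                     "gib": round(nbytes / 2**30, 3),
                     "hostnames": sorted(index.get(dst, ()))})
    rows.sort(key=lambda r: r["bytes"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in attribute_dto(FLOW_LOGS, DNS_LOGS):
        names = ", ".join(row["hostnames"]) or "(no DNS lookup seen)"
        print(f"{row['eni']}  {row['dst']:<15} {row['gib']:>8} GiB  {names}")
```

Run against a real export, the same join is what you would express in Athena over the flow log and query log tables; the script's value is that it makes the per-ENI, per-hostname shape of the answer explicit before you write that query.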