

# Detecting unusual spend with AWS Cost Anomaly Detection


AWS Cost Anomaly Detection is a feature that uses machine learning models to detect and alert on anomalous spend patterns in your deployed AWS services.

Using AWS Cost Anomaly Detection includes the following benefits: 
+ You receive alerts individually or in aggregated reports, delivered either in an email message or through an Amazon SNS topic.

  For Amazon SNS topics, create an Amazon Q Developer in chat applications configuration that maps the Amazon SNS topic to a Slack channel or an Amazon Chime chat room. For more information, see [Receiving anomaly alerts in chat applications](cad-alert-chime.md).
+ You can evaluate your spend patterns using machine learning methods to minimize false positive alerts. For example, you can evaluate weekly or monthly seasonality and natural growth.
+ You can investigate the root causes of the anomaly, ranked by their dollar impact and split across four dimensions: AWS service, AWS account, Region, or usage type.
+ You can configure how to evaluate your costs. Choose whether you want to analyze all of your AWS services independently or analyze specific member accounts, cost allocation tags, or cost categories.

After your billing data is processed, AWS Cost Anomaly Detection runs approximately three times a day to monitor for anomalies in your net unblended cost data (that is, net costs after all applicable discounts are calculated). You might experience a slight delay in receiving alerts. Cost Anomaly Detection uses data from Cost Explorer, which has a delay of up to 24 hours. As a result, it can take up to 24 hours to detect an anomaly after the usage occurs. If you create a new monitor, it can take 24 hours to begin detecting new anomalies. For a new service subscription, 10 days of historical service usage data is needed before anomalies can be detected for that service.

**Note**  
You can opt out of Cost Anomaly Detection at any time. For more information, see [Opting out of Cost Anomaly Detection](https://docs.aws.amazon.com/cost-management/latest/userguide/opting-out-cad.html).  
Cost Anomaly Detection isn't available for bill source accounts that use billing transfer. Cost Anomaly Detection doesn't support billing transfer views.

**Topics**
+ [Setting up your anomaly detection](settingup-ad.md)
+ [Controlling access for Cost Anomaly Detection](accesscontrol-ad.md)
+ [Getting started with AWS Cost Anomaly Detection](getting-started-ad.md)
+ [Transitioning from customer to AWS managed monitors](transition-monitors.md)
+ [Editing your alert preferences](edit-alert-pref.md)
+ [Creating an Amazon SNS topic for anomaly notifications](ad-SNS.md)
+ [Receiving anomaly alerts in chat applications](cad-alert-chime.md)
+ [Using EventBridge with Cost Anomaly Detection](cad-eventbridge.md)
+ [Using AWS User Notifications with Cost Anomaly Detection](cad-user-notifications.md)
+ [Opting out of Cost Anomaly Detection](opting-out-cad.md)

# Setting up your anomaly detection


The overviews in this section describe how to get started with AWS Cost Anomaly Detection in AWS Billing and Cost Management.

**Topics**
+ [Enabling Cost Explorer](#enable-ce-ad)
+ [Controlling access using IAM](#access-iam-ad)
+ [Accessing the console](#access-ad)
+ [Quotas](#limits-ad-section)

## Enabling Cost Explorer


AWS Cost Anomaly Detection is a feature within Cost Explorer. To access AWS Cost Anomaly Detection, enable Cost Explorer. For instructions on how to enable Cost Explorer using the console, see [Enabling Cost Explorer](ce-enable.md).

## Controlling access using IAM


After you enable Cost Explorer at the management account level, you can use AWS Identity and Access Management (IAM) to manage access to your billing data for individual users. You can then grant or revoke access on an individual level for each user role, rather than granting access to all users.

A user must be granted explicit permission to view pages in the Billing and Cost Management console. With the appropriate permissions, the user can view costs for the AWS account that the user belongs to. For the policy that grants the necessary permissions to a user, see [Billing and Cost Management actions policies](billing-permissions-ref.md#user-permissions). 

For more information about using resource-level access and attribute-based access control (ABAC) for Cost Anomaly Detection, see [Controlling access for Cost Anomaly Detection](accesscontrol-ad.md).

## Accessing the console


When your setup is complete, access AWS Cost Anomaly Detection.<a name="access-ad-process"></a>

**To access AWS Cost Anomaly Detection**

1. Open the Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost Anomaly Detection**.

## Quotas


For the default quotas, see [AWS Cost Anomaly Detection](management-limits.md#limits-ad).

# Controlling access for Cost Anomaly Detection


You can use resource-level access controls and attribute-based access control (ABAC) tags for cost anomaly monitors and anomaly subscriptions. Each anomaly monitor and anomaly subscription resource has a unique Amazon Resource Name (ARN). You can also attach tags (key-value pairs) to each feature. Both resource ARNs and ABAC tags can be used to give granular access control to user roles or groups within your AWS accounts.

For more information about resource-level access controls and ABAC tags, see [How AWS Cost Management works with IAM](security_iam_service-with-iam.md).

**Note**  
Cost Anomaly Detection doesn't support resource-based policies. Resource-based policies are directly attached to AWS resources. For more information about the difference between policies and permissions, see [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *IAM User Guide*.

## Controlling access using resource-level policies


You can use resource-level permissions to allow or deny access to one or more Cost Anomaly Detection resources in an IAM policy. Alternatively, use resource-level permissions to allow or deny access to all Cost Anomaly Detection resources.

When you create an IAM policy, use the following Amazon Resource Name (ARN) formats:
+ `AnomalyMonitor` resource ARN

  `arn:${partition}:ce::${account-id}:anomalymonitor/${monitor-id}`
+ `AnomalySubscription` resource ARN

  `arn:${partition}:ce::${account-id}:anomalysubscription/${subscription-id}`

To allow the IAM entity to get and create an anomaly monitor or anomaly subscription, use a policy similar to this example policy.

**Note**  
+ For `ce:GetAnomalyMonitors` and `ce:GetAnomalySubscriptions`, users have all or none of the resource-level access control. This requires the policy to use a generic ARN in the form of `arn:${partition}:ce::${account-id}:anomalymonitor/*`, `arn:${partition}:ce::${account-id}:anomalysubscription/*`, or `*`.
+ For `ce:CreateAnomalyMonitor` and `ce:CreateAnomalySubscription`, there is no resource ARN for the resource being created. So, the policy always uses the generic ARN that was mentioned in the previous bullet.
+ For `ce:GetAnomalies`, use the optional `monitorArn` parameter. When this parameter is used, the service confirms that the user has access to the `monitorArn` passed.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ce:GetAnomalyMonitors",
                "ce:CreateAnomalyMonitor"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ce::999999999999:anomalymonitor/*"
        },
        {
            "Action": [
                "ce:GetAnomalySubscriptions",
                "ce:CreateAnomalySubscription"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ce::999999999999:anomalysubscription/*"
        }
    ]
}
```

------

To allow the IAM entity to update or delete anomaly monitors, use a policy similar to this example policy.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:UpdateAnomalyMonitor",
                "ce:DeleteAnomalyMonitor"
            ],
            "Resource": [
                "arn:aws:ce::999999999999:anomalymonitor/f558fa8a-bd3c-462b-974a-000abc12a000",
                "arn:aws:ce::999999999999:anomalymonitor/f111fa8a-bd3c-462b-974a-000abc12a001"
            ]
        }
    ]
}
```

------
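
The following linter is an added example, not part of the AWS documentation. It checks identity-based policies against the ARN formats and the all-or-none rule described in the note above; the field patterns in the regular expression, the finding names, and the advisory `unscoped-write` finding are assumptions of this example.

```python
import json
import re

# ARN layout from the page: arn:${partition}:ce::${account-id}:<type>/<id>.
# The character classes for each field are assumptions made for this example.
ARN_RE = re.compile(
    r"^arn:(?:[a-z0-9-]+|\*):ce::(?:\d{12}|\*):"
    r"(?P<type>anomalymonitor|anomalysubscription)/(?P<id>.+)$"
)

# Actions that, per the page's note, need the generic ARN form (or "*").
GENERIC_ONLY = {
    "ce:GetAnomalyMonitors": "anomalymonitor",
    "ce:CreateAnomalyMonitor": "anomalymonitor",
    "ce:GetAnomalySubscriptions": "anomalysubscription",
    "ce:CreateAnomalySubscription": "anomalysubscription",
}
# Actions the page's example scopes to individual monitor ARNs.
SCOPABLE = {
    "ce:UpdateAnomalyMonitor": "anomalymonitor",
    "ce:DeleteAnomalyMonitor": "anomalymonitor",
}

# Constructed policy with three mistakes; account and monitor IDs are placeholders.
CONSTRUCTED_BAD_POLICY = """
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ce:GetAnomalyMonitors",
   "Resource": "arn:aws:ce::111111111111:anomalymonitor/EXAMPLE-MONITOR-ID"},
  {"Effect": "Allow",
   "Action": ["ce:UpdateAnomalyMonitor", "ce:DeleteAnomalyMonitor"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": "ce:UpdateAnomalyMonitor",
   "Resource": "arn:aws:ce::111111111111:anomalysubscription/*"}
]}
"""


def _as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def _check(action, expected_type, resource, has_condition):
    """Return a finding name for one action/resource pair, or None."""
    if resource == "*":
        resource_type, wildcard = expected_type, True
    else:
        match = ARN_RE.match(resource)
        if not match:
            return "malformed-arn"
        resource_type = match.group("type")
        wildcard = match.group("id") == "*"
    if resource_type != expected_type:
        return "resource-type-mismatch"
    if action in GENERIC_ONLY and not wildcard:
        # All-or-none: a single-resource ARN does not fit these actions.
        return "needs-generic-arn"
    if action in SCOPABLE and wildcard and not has_condition:
        # Advisory (assumption of this example): a write action on every
        # resource with neither an ARN list nor a tag Condition to narrow it.
        return "unscoped-write"
    return None


def lint_policy(policy):
    """Lint a policy (dict or JSON text).

    Returns a list of (statement_index, action, resource, finding) tuples
    for Allow statements that use Cost Anomaly Detection actions.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        has_condition = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action", [])):
            expected = GENERIC_ONLY.get(action) or SCOPABLE.get(action)
            if expected is None:
                continue  # not an action this linter knows about
            for resource in _as_list(stmt.get("Resource", [])):
                finding = _check(action, expected, resource, has_condition)
                if finding:
                    findings.append((index, action, resource, finding))
    return findings


if __name__ == "__main__":
    for item in lint_policy(CONSTRUCTED_BAD_POLICY):
        print(item)
```
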

## Controlling access using tags (ABAC)


You can use tags (ABAC) to control access to Cost Anomaly Detection resources that support tagging. To control access using tags, provide the tag information in the `Condition` element of a policy. You can then create an IAM policy that allows or denies access to a resource based on the resource's tags. You can use tag condition keys to control access to resources, requests, or any part of the authorization process. For more information about IAM roles using tags, see [Controlling access to and for users and roles using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html) in the *IAM User Guide*.

To create an identity-based policy that allows updating anomaly monitors only if the monitor tag `Owner` has the value of the user name, use a policy that's similar to this example policy.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:UpdateAnomalyMonitor"
            ],
            "Resource": "arn:aws:ce::*:anomalymonitor/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ce:GetAnomalyMonitors",
            "Resource": "*"
        }
    ]
}
```

------

# Getting started with AWS Cost Anomaly Detection


With AWS Cost Anomaly Detection in AWS Billing and Cost Management, you can configure your cost monitors and alert subscriptions to automatically adapt to your growing AWS environment.

AWS Cost Anomaly Detection offers AWS managed monitors that automatically track costs across all your accounts, teams, or business units without manual configuration. As your organization grows and changes, these monitors automatically include new accounts, tag values, or categories, maintaining comprehensive coverage without additional setup.

**Topics**
+ [Creating your cost monitors and alert subscriptions](#create-ad-alerts)
+ [Detected anomalies overview](#detector-history-values)
+ [Viewing your detected anomalies and potential root causes](#view-ad-monitor)
+ [Monitor types](#monitor-type-def)

## Creating your cost monitors and alert subscriptions


To start monitoring your spend, AWS Cost Anomaly Detection requires setting up at least one cost monitor to define what spending patterns to track. After creating your monitor, you can attach alert subscriptions to specify who receives notifications and through which channels. You can also create individual alerts using AWS User Notifications for more granular control over how alerts are delivered.

**Note**  
You can only access cost monitors and alert subscriptions under the account that created them. Cost monitors for linked accounts, cost allocation tags, and cost categories can only be created in the management account.

------
#### [ Cost monitors ]<a name="ad-alert-process"></a>

**To create a cost monitor**

1. Open the Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost Anomaly Detection**.

1. Choose the **Cost monitors** tab.

1. Choose **Create monitor**.

1. In **Step 1**, choose a monitor type and name your monitor.

   For **Monitor name**, enter a name for your anomaly monitor. We recommend that the name is a short description. That way, you know what the monitor represents when you view your monitors on the **Cost monitors** tab.

   For more information about each monitor type and best practices, see [Monitor types](#monitor-type-def).

   Choose your monitor method based on your needs:
   + **For AWS managed monitors:**

     1. Under **Monitor method**, select **Managed by AWS**.

     1. Select the dimension you want to monitor:
        + AWS services - Tracks all AWS services automatically
        + Linked account - Tracks all member accounts automatically
        + Cost allocation tag - Tracks all values for a specified tag key
        + Cost category - Tracks all values in a specified category

     1. If you selected Cost allocation tag, specify the tag key from the dropdown (for example, "application-team" or "environment").

     1. If you selected Cost category, specify the category from the dropdown.
   + **For customer managed monitors:**

     1. Select the dimension for your monitor.

     1. Under monitor method, select **Customer managed**.

     1. Choose the specific values you want to monitor (up to 10).

1. (Optional) Add a tag to your monitor. For more information about tags, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference guide*.

   1. Enter the key value for the tag.

   1. Choose **Add new tag** to add additional tags. The maximum number of tags that you can add is 50.

1. Choose **Next**.

1. In **Step 2**, configure your alert subscriptions.

   For **Alert subscription**, if you don't have an existing subscription, choose **Create a new subscription**. If you have existing subscriptions, select **Choose an existing subscription**.

   **Note**  
   An alert subscription notifies you when a cost monitor detects an anomaly. Depending on the alert frequency, you can notify designated individuals by email or Amazon SNS.  
   For Amazon SNS topics, create an Amazon Q Developer in chat applications configuration. This configuration maps the Amazon SNS topic to a Slack channel or an Amazon Chime chat room. For example, create a subscription for the Finance team in your organization. For more information, see [Receiving anomaly alerts in chat applications](cad-alert-chime.md).

   For **Subscription name**, enter a name that describes your use case. For example, if the subscription is meant for leadership, the subscription name might be “Leadership report.” 

   Under **Alerting frequency**, choose your preferred notification frequency.
   + **Individual alerts** - The alert notifies you as soon as an anomaly is detected. You might receive multiple alerts throughout a day. These notifications require an Amazon SNS topic.

     You can configure the Amazon SNS topic to create an Amazon Q Developer in chat applications configuration that maps the Amazon SNS topic to a Slack channel or an Amazon Chime chat room. For more information, see [Receiving anomaly alerts in chat applications](cad-alert-chime.md).
   + **Daily summaries** - An email notification with a daily summary of top 10 alerts from the previous day, sorted by cost impact. The system generates this summary at 00:00 UTC daily, though actual delivery time may vary. For example, an anomaly detected at 04:30 UTC on January 14 will be included in the daily summary sent at 00:00 UTC on January 15. At least one email recipient must be specified. For immediate alerts, we recommend using the individual alerts option.
   + **Weekly summaries** - An email notification with a weekly summary of alerts. You receive one email per week containing information about multiple anomalies that occurred during that week. At least one email recipient must be specified.

   Under **Alert recipients**, enter email addresses for this subscription.

   For **Threshold**, enter a number to configure the anomalies that you want to generate alerts for.

   There are two types of thresholds: absolute and percentage. Absolute thresholds trigger alerts when an anomaly's total cost impact exceeds your chosen threshold. Percentage thresholds trigger alerts when an anomaly's total impact percentage exceeds your chosen threshold. Total impact percentage is the percentage difference between the total expected spend and total actual spend.

   (Optional) Choose **Add threshold** to configure a second threshold on the same subscription. Thresholds can be combined by choosing **AND** or **OR** from the dropdown list.

   **Note**  
   AWS Cost Anomaly Detection sends you a notification when an anomaly reaches or exceeds the **Threshold**. If an anomaly continues over multiple days, then alert recipients will continue to get notifications while the threshold is met.  
   Even if an anomaly is below the alert threshold, the machine learning model continues to detect spend anomalies on your account. All the anomalies that the machine learning model detected (with cost impacts that are greater or less than the threshold) are available in the **Detected anomalies** tab.

1. (Optional) Add a tag to your alert subscription. For more information about tags, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference guide*.

   1. Enter the key value for the tag.

   1. Choose **Add new tag** to add additional tags. The maximum number of tags that you can add is 50.

1. (Optional) Choose **Add alert subscriptions** to create another alert subscription. With this option, you can create a new subscription using the same monitor. 

1. Choose **Create monitor**.

**Important considerations for AWS managed monitors:**
+ Alert subscriptions attached to AWS managed monitors use the same threshold across all tracked values
+ As new member accounts, tags, or categories are added to your AWS environment, they're automatically included
+ You cannot convert existing customer managed monitors to AWS managed monitors
+ For granular alert routing based on specific values, configure AWS User Notifications with JSON filtering patterns 

**Note**  
AWS managed monitors can track up to 5,000 values within a dimension. If your organization has more than 5,000 values (for example, more than 5,000 member accounts or tag values), the monitor will track the top 5,000 values based on their total spend.

------
#### [ Alert subscriptions ]<a name="ad-create-a-subscription"></a>

**To create an alert subscription**

You must create at least one alert subscription for each monitor. The "create cost monitor steps" that are described earlier already include the alert subscription creation process. If you want to create additional subscriptions, follow these steps.

1. Choose the **Alert subscriptions** tab.

1. Choose **Create a subscription**.

1. For **Subscription name**, enter a name that describes your use case. For example, if the subscription is meant for leadership, then the subscription name might be “Leadership report.” 

1. Under **Alerting frequency**, choose your preferred notification frequency.
   + **Individual alerts** - The alert notifies you as soon as an anomaly is detected. You might receive multiple alerts throughout a day. These notifications require an Amazon SNS topic.

     You can configure the Amazon SNS topic to create an Amazon Q Developer in chat applications configuration that maps the Amazon SNS topic to a Slack channel or an Amazon Chime chat room. For more information, see [Receiving anomaly alerts in chat applications](cad-alert-chime.md).
   + **Daily summaries** - An email notification with a daily summary of top 10 alerts from the previous day, sorted by cost impact. The system generates this summary at 00:00 UTC daily, though actual delivery time may vary. For example, an anomaly detected at 04:30 UTC on January 14 will be included in the daily summary sent at 00:00 UTC on January 15. At least one email recipient must be specified. For immediate alerts, we recommend using the individual alerts option.
   + **Weekly summaries** - An email notification with a weekly summary of alerts. You receive one email per week containing information about multiple anomalies that occurred during that week. At least one email recipient must be specified.

1. Under **Alert recipients**, enter email addresses for this subscription. 

1. For **Threshold**, enter a number to configure the anomalies that you want to generate alerts for.

   There are two types of thresholds: absolute and percentage. Absolute thresholds trigger alerts when an anomaly's total cost impact exceeds your chosen threshold. Percentage thresholds trigger alerts when an anomaly's total impact percentage exceeds your chosen threshold. Total impact percentage is the percentage difference between the total expected spend and total actual spend.

   (Optional) Choose **Add threshold** to configure a second threshold on the same subscription. Thresholds can be combined by choosing **AND** or **OR** from the dropdown list.

   **Note**  
   AWS Cost Anomaly Detection sends you a notification when an anomaly reaches or exceeds the **Threshold**. If an anomaly continues over multiple days, then alert recipients will continue to get notifications while the threshold is met.  
   Even if an anomaly is below the alert threshold, the machine learning model continues to detect spend anomalies on your account. All the anomalies that the machine learning model detected (with cost impacts that are greater or less than the threshold) are available in the **Detected anomalies** tab.

1. In the **Cost monitors** section, select the monitors that you want to be associated with the alert subscription.

1. (Optional) Add a tag to your alert subscription. For more information about tags, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference guide*.

   1. Enter the key value for the tag.

   1. Choose **Add new tag** to add additional tags. The maximum number of tags that you can add is 50.

1. Choose **Create subscription**.

------
#### [ AWS User Notifications ]

For information about how to create individual alerts, see [Using AWS User Notifications with Cost Anomaly Detection](https://docs.aws.amazon.com/cost-management/latest/userguide/cad-user-notifications.html).

------

## Detected anomalies overview


On the **Detected anomalies** tab, you can view a list of all the anomalies detected over a selected time frame. By default, you can see the anomalies that are detected in the last 90 days. You can search the anomalies by **Severity**, **Assessment**, **Services**, **Usage type**, **Region**, **Monitor type**, **Account**, or **Anomaly ID**. You can sort by **Start date**, **Last detected**, **Duration**, **Cost impact**, **Impact %**, **Monitor name**, and **Top root cause (Service)**.

The following default columns are included on the **Detected anomalies** tab:

**Start date**  
The day that the anomaly started.

**Last detected**  
The last time that the anomaly was detected.

**Duration**  
The duration that the anomaly lasted. An anomaly can be ongoing.

**Cost impact**  
The spend increase detected compared to the expected spend amount. It is calculated as **actual spend - expected spend**. For example, a total cost impact of \$120 on a service monitor means that there was a \$120 increase detected in a particular service with a total duration of the specified days.

**Impact %**  
The percentage difference between the actual spend and expected spend. It is calculated as **(total cost impact / expected spend) \* 100**. For example, if the total cost impact was \$120 and the expected spend was \$160, then the impact percentage would be 33.33%. This value cannot be calculated when expected spend is zero, so in those situations the value will show as “N/A”.

**Monitor name**  
The name of the anomaly monitor.

**Top root cause (Service)**  
The top service root cause for the anomaly. Choosing the service name in the Top root cause column displays the three other root cause dimensions—account, Region, and usage type—for the anomaly’s top root cause.

**View more**  
A link to the Anomaly details page with information on the root cause analysis and cost impact of the anomaly. The link also indicates the number of root causes detected for an anomaly.

The **Detected anomalies** tab can also be configured to display additional columns of information. Any changes you make will be saved at the account level for all subsequent visits to the **Detected anomalies** tab. The following **optional columns** are included on the **Detected anomalies** tab.

**Account**  
The account ID and account name that caused the anomaly. If the account is empty, AWS has detected an anomaly, but the root cause is undetermined.

**Region**  
The Region detected as the top root cause for the anomaly.

**Usage type**  
The usage type detected as the top root cause for the anomaly.

**Expected spend**  
The amount our machine learning models expected you to spend during the anomaly’s duration, based on your historical spending pattern.

**Actual spend**  
The total amount you actually spent during the anomaly’s duration.

**Assessment**  
For each detected anomaly, you can submit an assessment to help improve our anomaly detection systems. The possible values are **Not submitted**, **Not an issue**, or **Accurate anomaly**. 

**Severity**  
Represents how abnormal a certain anomaly is accounting for historical spending patterns. A low severity generally suggests a small spike compared to historical spend and a high severity suggests a big spike. However, a small spike with historically consistent spend is categorized as high severity. And, similarly, a big spike with irregular historical spend is categorized as low severity. 

## Viewing your detected anomalies and potential root causes

After you create your monitors, AWS Cost Anomaly Detection evaluates your future spend. Based on your defined alert subscriptions, you might start receiving alerts within 24 hours.<a name="view-email-process"></a>

**To view your anomalies from an email alert**

1. Choose the provided **View in Anomaly Detection** link.

1. On the **Anomaly details** page, you can view the root cause analysis and cost impact of the anomaly.

1. (Optional) Choose **View in Cost Explorer** to view a time series graph of the cost impact.

1. (Optional) Choose **View root cause** in the **Top ranked potential root causes** table for a root cause of interest to see a time series graph that's filtered by that root cause.

1. (Optional) Choose **Submit assessment** in the **Did you find this detected anomaly to be helpful?** information alert to provide feedback and help improve our detection accuracy.<a name="view-console-process"></a>

**To view your anomalies from the AWS Billing and Cost Management console**

1. Open the Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost Anomaly Detection**.

1. (Optional) On the **Detected anomalies** tab, use the search area to narrow the list of detected anomalies for a particular category. The categories that you can choose are Severity, Assessment, Service, Account, Usage type, Region, and Monitor type.

1. (Optional) Choose the **Start date** for a particular anomaly to view the details.

1. On the **Anomaly details** page, you can view the root cause analysis and cost impact of the anomaly.

1. (Optional) Choose **View in Cost Explorer** to view a time series graph of the cost impact and, if necessary, dive deeper into the data.

1. (Optional) Choose **View root cause** in the **Top ranked potential root causes** table to see a time series graph that's filtered by the root cause.

1. (Optional) Choose **Submit assessment** in the **Did you find this detected anomaly to be helpful?** information alert to provide feedback and help improve our detection accuracy.<a name="view-anomaly-sns"></a>

**To view your anomalies from an Amazon SNS topic**

1. Subscribe an endpoint to the Amazon SNS topic that you created for a cost monitor with individual alerts. For instructions, see [Subscribing to an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html) in the *Amazon Simple Notification Service Developer Guide*.

1. After your endpoint receives messages from the Amazon SNS topic, open a message and then find the **anomalyDetailsLink** URL. The following example is a message from AWS Cost Anomaly Detection through Amazon SNS.

   ```
   {
       "accountId": "123456789012",
       "anomalyDetailsLink": "https://console.aws.amazon.com/cost-management/home#/anomaly-detection/monitors/abcdef12-1234-4ea0-84cc-918a97d736ef/anomalies/12345678-abcd-ef12-3456-987654321a12",
       "anomalyEndDate": "2021-05-25T00:00:00Z",
       "anomalyId": "12345678-abcd-ef12-3456-987654321a12",
       "anomalyScore": {
           "currentScore": 0.47,
           "maxScore": 0.47
       },
       "anomalyStartDate": "2021-05-25T00:00:00Z",
       "dimensionKey": {
           "type": "DIMENSION",
           "key": "SERVICE"
       },
       "dimensionalValue": "ServiceName",
       "impact": {
           "maxImpact": 151,
           "totalActualSpend": 1301,
           "totalExpectedSpend": 300,
           "totalImpact": 1001,
           "totalImpactPercentage": 333.67
       },
       "monitorArn": "arn:aws:ce::123456789012:anomalymonitor/abcdef12-1234-4ea0-84cc-918a97d736ef",
       "rootCauses": [
           {
               "linkedAccount": "AnomalousLinkedAccount",
               "linkedAccountName": "AnomalousLinkedAccountName",
               "region": "AnomalousRegionName",
               "service": "AnomalousServiceName",
               "usageType": "AnomalousUsageType",
               "impact": {
                   "contribution": 601
               }
           }
       ],
       "subscriptionId": "874c100c-59a6-4abb-a10a-4682cc3f2d69",
       "subscriptionName": "alertSubscription"
   }
   ```

1. Open the **anomalyDetailsLink** URL in a web browser. The URL takes you to the associated **Anomaly details** page. This page shows the root cause analysis and cost impact of the anomaly.
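
The following triage handler is an added example, not part of the AWS documentation. It parses the Amazon SNS message shown above, recomputes **Impact %**, applies absolute and percentage thresholds combined with **AND** or **OR** as described under **Threshold**, and ranks root causes by contribution. The function names, the handling of an outer SNS envelope, and the choice to treat an "N/A" percentage as meeting a percentage threshold are assumptions of this example.

```python
import json

# Body of the page's example message, trimmed to the fields used here.
PAGE_SAMPLE = """
{
  "accountId": "123456789012",
  "anomalyId": "12345678-abcd-ef12-3456-987654321a12",
  "monitorArn": "arn:aws:ce::123456789012:anomalymonitor/abcdef12-1234-4ea0-84cc-918a97d736ef",
  "impact": {"maxImpact": 151, "totalActualSpend": 1301,
             "totalExpectedSpend": 300, "totalImpact": 1001,
             "totalImpactPercentage": 333.67},
  "rootCauses": [
    {"linkedAccount": "AnomalousLinkedAccount", "region": "AnomalousRegionName",
     "service": "AnomalousServiceName", "usageType": "AnomalousUsageType",
     "impact": {"contribution": 601}}
  ]
}
"""

# Constructed sample: spend appears where none was expected, delivered inside
# an SNS envelope whose "Message" field carries the body as a JSON string.
ZERO_BASELINE_SAMPLE = json.dumps({
    "Type": "Notification",
    "Message": json.dumps({
        "accountId": "111111111111",
        "anomalyId": "00000000-0000-0000-0000-000000000000",
        "monitorArn": "arn:aws:ce::111111111111:anomalymonitor/EXAMPLE-MONITOR-ID",
        "impact": {"totalActualSpend": 80, "totalExpectedSpend": 0,
                   "totalImpact": 80},
        "rootCauses": [
            {"service": "ExampleServiceA", "impact": {"contribution": 20}},
            {"service": "ExampleServiceB", "impact": {"contribution": 60}},
        ],
    }),
})


def parse_alert(raw):
    """Return the anomaly body from raw JSON text, unwrapping an SNS envelope."""
    doc = json.loads(raw)
    if isinstance(doc.get("Message"), str):
        doc = json.loads(doc["Message"])
    for field in ("anomalyId", "monitorArn", "impact"):
        if field not in doc:
            raise ValueError(f"missing field: {field}")
    return doc


def impact_percentage(impact):
    """(total cost impact / expected spend) * 100, or None for "N/A"."""
    expected = impact["totalExpectedSpend"]
    if expected == 0:
        return None  # the console shows "N/A" when expected spend is zero
    return round(impact["totalImpact"] / expected * 100, 2)


def should_alert(impact, absolute=None, percentage=None, combine="OR"):
    """Apply one or two thresholds; an anomaly that reaches a threshold counts."""
    checks = []
    if absolute is not None:
        checks.append(impact["totalImpact"] >= absolute)
    if percentage is not None:
        pct = impact_percentage(impact)
        # Assumption: spend from a zero baseline is treated as meeting any
        # percentage threshold so it is never silently dropped.
        checks.append(True if pct is None else pct >= percentage)
    if not checks:
        raise ValueError("configure at least one threshold")
    return all(checks) if combine == "AND" else any(checks)


def triage(raw, absolute=None, percentage=None, combine="OR"):
    """Summarize one alert: identifiers, impact, decision, top root cause."""
    alert = parse_alert(raw)
    causes = sorted(
        alert.get("rootCauses", []),
        key=lambda cause: cause.get("impact", {}).get("contribution", 0),
        reverse=True,
    )
    return {
        "anomaly_id": alert["anomalyId"],
        "monitor_arn": alert["monitorArn"],
        "impact_pct": impact_percentage(alert["impact"]),
        "alert": should_alert(alert["impact"], absolute, percentage, combine),
        "top_root_cause": causes[0] if causes else None,
    }


if __name__ == "__main__":
    print(triage(PAGE_SAMPLE, absolute=500, percentage=400, combine="AND"))
    print(triage(ZERO_BASELINE_SAMPLE, percentage=50))
```
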

## Monitor types


You can choose the monitor type that fits your account structure. AWS Cost Anomaly Detection offers two approaches for creating monitors: AWS managed monitors that automatically track the top 5,000 values independently within a dimension, and customer managed monitors that let you select specific values that get monitored in aggregate.


| Monitor Dimension | AWS Managed | Customer Managed | 
| --- | --- | --- | 
| AWS services | Automatically evaluates all AWS services used by your account for anomalies. When you start using new AWS services, the monitor automatically begins evaluating them. Available in both management and member accounts. | Customer managed AWS services monitors are not supported. | 
| Linked Accounts | Automatically tracks spending patterns across all member accounts in your organization. As new accounts are added, they're automatically included in monitoring coverage. Only available in management accounts. | Track specific member accounts (up to 10) that you manually select. Spending is aggregated across selected accounts. Useful for monitoring specific project accounts or environments together.  | 
| Cost Allocation Tags | Automatically monitors all unique values for a specified tag key. For example, specifying "application-team" tracks every team value (team-a, team-b, team-c) independently. New tag values are automatically included as they're created. | Track specific tag values (up to 10) that you manually select for a given tag key. Useful when you need different thresholds for different tag values or want to monitor only high-priority teams.  | 
| Cost Categories | Automatically tracks all values within a specified cost category. If you have a "business-unit" category with values like "retail", "wholesale", and "operations", the monitor analyzes spending patterns for each unit independently. New cost category values are automatically included as they're created. | Track one specific cost category value that you manually select. Useful for monitoring specific business units or cost centers with unique threshold requirements. | 

The maximum number of member accounts or tag values you can select for each customer managed monitor is 10.

**When to Use Each Monitor Type**

Use **AWS managed monitors** when you need:
+ Comprehensive coverage across all values in a dimension
+ Automatic adaptation as your organization grows
+ Minimal maintenance overhead
+ Consistent monitoring across all teams/accounts

Use **customer managed monitors** when you need: 
+ Different alert thresholds for different groups
+ To monitor specific subsets of accounts or teams
+ To aggregate spending across specific values
+ Special monitoring for high-priority or sensitive workloads

**Best Practices:**
+ Use AWS managed monitors for comprehensive coverage across your primary cost organization dimension
+ Maintain your AWS services monitor alongside other AWS managed monitors for aggregate service-level visibility
+ Use customer managed monitors to supplement AWS managed monitors for specific use cases requiring different thresholds or groupings
+ Avoid creating monitors that span multiple dimensions to prevent duplicate alerts

**Note**  
Customer managed monitors were previously called custom monitors. The functionality remains the same, with the name change reflecting the distinction from monitors that AWS manages on your behalf.

For more information about creating your Amazon SNS topic, see [Creating an Amazon SNS topic for anomaly notifications](ad-SNS.md).

# Transitioning from customer to AWS managed monitors


If you currently use multiple customer managed monitors to track individual accounts, teams, or categories, you can transition to AWS managed monitors for simplified management and automatic coverage.

**Transition Process**

1. **Create your AWS managed monitor alongside existing customer managed monitors**
   + Choose the dimension that matches your primary cost organization method
   + The AWS managed monitor will begin tracking all values automatically

1. **Verify detection coverage**
   + Allow the AWS managed monitor to run for at least 24-48 hours 
   + Compare detected anomalies with your existing customer managed monitors
   + Ensure the AWS managed monitor is detecting anomalies as expected

1. **Configure alert subscriptions**
   + Set appropriate thresholds for your AWS managed monitor
   + Note that alert subscriptions attached to AWS managed monitors use the same threshold across all tracked values
   + For value-specific routing, configure AWS User Notifications with JSON patterns

1. **Remove redundant customer managed monitors** 
   + After confirming complete coverage, delete individual customer managed monitors
   + Keep any customer managed monitors that serve specific purposes (such as grouping related accounts)

**Example transition scenario:** If you have 50 customer managed monitors tracking individual application teams via cost allocation tags:

1. Create one AWS managed cost allocation tag monitor using your team tag key

1. Verify it detects anomalies across all teams

1. Configure alert subscriptions with appropriate thresholds

1. Delete the 50 individual customer managed monitors

**Important notes:**
+ Direct conversion from customer managed to AWS managed monitors is not supported
+ AWS managed monitors may initially generate more anomaly detections due to comprehensive coverage
+ Historical anomaly data from customer managed monitors is preserved when you delete them (available via API only; deleted monitors and their anomalies do not appear in the console)
+ Consider keeping some customer managed monitors for specific use cases requiring different thresholds

# Editing your alert preferences


You can adjust your cost monitors and alert subscriptions in AWS Billing and Cost Management to match your needs. 

You can also edit your notification configurations in AWS User Notifications.

**Note**  
When using AWS managed monitors, consider that a single threshold applies to all tracked values. If you need different alert thresholds for different teams or accounts, you can:
+ Create supplementary customer managed monitors with dedicated alert subscriptions that have specific thresholds
+ Use AWS User Notifications to filter and route alerts based on anomaly attributes
+ Configure Amazon SNS topics with custom logic for alert routing

------
#### [ Cost monitors ]<a name="edit-cost-monitor"></a>

**To edit your cost monitors**

1. Open the Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost Anomaly Detection**.

1. Choose the **Cost monitors** tab.

1. Select the monitor that you want to edit.

1. Choose **Edit**.
   + (Alternative) Choose the individual monitor name.
   + Choose **Edit monitor**.

1. On the **Edit monitor** page, change any settings for **monitor name** and **attached alert subscriptions**.

1. Choose **Manage tags** to add, edit, or remove tags for the monitor.

1. Choose **Save**.

------
#### [ Alert subscriptions ]<a name="edit-alert-process"></a>

**To edit your alert subscriptions**

1. Open the Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost Anomaly Detection**.

1. Choose the **Alert subscriptions** tab.

1. Select the subscription that you want to edit.

1. Choose **Edit**.
   + (Alternative) Choose the individual monitor name.
   + Choose **Edit**.

1. On the **Edit alert subscription** page, change any settings for **subscription name**, **threshold**, **frequency**, **recipients**, or **cost monitors**.

1. Choose **Manage tags** to add, edit, or remove tags for the monitor.

1. Choose **Save**.

------
#### [ AWS User Notifications ]

For information about how to edit your notification configurations, see [Editing notification configurations in AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/edit-notifications.html) in the *AWS User Notifications User Guide*.

------

# Creating an Amazon SNS topic for anomaly notifications


To create an anomaly detection monitor that sends notifications to an Amazon Simple Notification Service (Amazon SNS) topic, you must already have an Amazon SNS topic or create a new one. You can use Amazon SNS topics to send notifications over Amazon SNS in addition to email. AWS Cost Anomaly Detection must have permissions to send a notification to your topic.

**To create an Amazon SNS notification topic and grant permissions**

1. Sign in to the AWS Management Console and open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation pane, choose **Topics**.

1. Choose **Create topic**.

1. For **Name**, enter the name for your notification topic.

1. (Optional) For **Display name**, enter the name that you want displayed when you receive a notification.

1. In **Access policy**, choose **Advanced**.

1. In the policy text field, after **"Statement": [**, enter one of the following statements:

   To allow the AWS Cost Anomaly Detection service to publish to the Amazon SNS topic, use the following statement.

   ```
   {
     "Sid": "E.g., AWSAnomalyDetectionSNSPublishingPermissions",
     "Effect": "Allow",
     "Principal": {
       "Service": "costalerts.amazonaws.com"
     },
     "Action": "SNS:Publish",
     "Resource": "your topic ARN"
   }
   ```

   To allow the AWS Cost Anomaly Detection service to publish to the Amazon SNS topic only on behalf of a certain account, use the following statement.

   ```
   {
     "Sid": "E.g., AWSAnomalyDetectionSNSPublishingPermissions",
     "Effect": "Allow",
     "Principal": {
       "Service": "costalerts.amazonaws.com"
     },
     "Action": "SNS:Publish",
     "Resource": "your topic ARN",
     "Condition": {
       "StringEquals": {
         "aws:SourceAccount": [
           "account-ID"
         ]
       }
     }
   }
   ```
**Note**  
In this topic policy, you enter the subscription’s account ID as the value for the `aws:SourceAccount` condition. This condition has AWS Cost Anomaly Detection interact with the Amazon SNS topic only when performing operations for the account that owns the subscription.  
You can restrict AWS Cost Anomaly Detection to interact with the topic only when performing operations on behalf of a specific subscription. To do this, use the `aws:SourceArn` condition in the topic policy.  
For more information about these conditions, see [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) and [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) in the *IAM User Guide*.

1. In the topic policy statement that you select, replace the following values:
   + Replace the `Sid` value (for example, *AWSAnomalyDetectionSNSPublishingPermissions*) with a string. The `Sid` must be unique within the policy.
   + Replace *your topic ARN* with the Amazon SNS topic Amazon Resource Name (ARN).
   + If you're using the statement with the `aws:SourceAccount` condition, replace *account-ID* with the account ID that owns the subscription. If the Amazon SNS topic has multiple subscriptions from different accounts, add multiple account IDs to the `aws:SourceAccount` condition.

1. Choose **Create topic**.

   Your topic now appears in the list of topics on the **Topics** page.

## Checking or resending notification confirmation email messages


When you create an anomaly detection monitor with notifications, you also create Amazon SNS notifications. For notifications to be sent, you must accept the subscription to the Amazon SNS notification topic.

To confirm that your notification subscriptions are accepted or to resend a subscription confirmation email, use the Amazon SNS console.

**To check your notification status or to resend a notification confirmation email message**

1. Sign in to the AWS Management Console and open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation pane, choose **Subscriptions**.

1. Check the status of your notification. Under **Status**, `PendingConfirmation` appears if a subscription isn't accepted and confirmed.

1. (Optional) To resend a confirmation request, select the subscription with a pending confirmation and choose **Request confirmation**. Amazon SNS sends a confirmation request to the endpoints that are subscribed to the notification.

   When each owner of an endpoint receives the email, they must choose the **Confirm subscription** link to activate the notification.

## Protecting your Amazon SNS anomaly detection alerts data with SSE and AWS KMS


You can use server-side encryption (SSE) to transfer sensitive data in encrypted topics. SSE protects Amazon SNS messages by using keys managed in AWS Key Management Service (AWS KMS).

To manage SSE using the AWS Management Console or the AWS SDK, see [Enabling Server-Side Encryption (SSE) for an Amazon SNS Topic](https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-enable-encryption-for-topic.html) in the *Amazon Simple Notification Service Getting Started Guide*.

To create encrypted topics using AWS CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).

SSE encrypts messages as soon as Amazon SNS receives them. The messages are stored encrypted and are decrypted using Amazon SNS only when they're sent.

### Configuring AWS KMS permissions


You must configure your AWS KMS key policies before you can use server-side encryption (SSE). You can use this configuration to encrypt topics, in addition to encrypting and decrypting messages. For information about AWS KMS permissions, see [AWS KMS API Permissions: Actions and Resources Reference](https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) in the *AWS Key Management Service Developer Guide*.

You can also use IAM policies to manage AWS KMS key permissions. For more information, see [Using IAM Policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html).

**Note**  
You can configure global permissions to send and receive messages from Amazon SNS. However, AWS KMS requires that you name the full Amazon Resource Name (ARN) of the AWS KMS keys (KMS keys) in the specific AWS Regions. You can find this in the **Resource** section of an IAM policy.  
Ensure that the key policies of the KMS key allow the necessary permissions. To do this, name the principals that produce and consume encrypted messages in Amazon SNS as users in the KMS key policy.<a name="enable-compatiblility"></a>

**To enable compatibility between AWS Cost Anomaly Detection and encrypted Amazon SNS topics**

1. [Create a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-keys-console).

1. Add one of the following policies as the KMS key policy:

   To grant the AWS Cost Anomaly Detection service access to the KMS key, use the following statement.


   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "costalerts.amazonaws.com"
               },
               "Action": [
                   "kms:GenerateDataKey*",
                   "kms:Decrypt"
               ],
               "Resource": "*"
           }
       ]
   }
   ```


   To grant the AWS Cost Anomaly Detection service access to the KMS key only when performing operations on behalf of a certain account, use the following statement.


   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "costalerts.amazonaws.com"
               },
               "Action": [
                   "kms:GenerateDataKey*",
                   "kms:Decrypt"
               ],
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": [
                           "account-ID"
                       ]
                   }
               }
           }
       ]
   }
   ```

**Note**  
In this KMS key policy, you enter the subscription’s account ID as the value for the `aws:SourceAccount` condition. This condition has AWS Cost Anomaly Detection interact with the KMS key only when performing operations for the account that owns the subscription.  
To have AWS Cost Anomaly Detection interact with the KMS key only when performing operations on behalf of a specific subscription, use the `aws:SourceArn` condition in the KMS key policy.  
For more information about these conditions, see [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) and [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) in the *IAM User Guide*.

1. If you're using the KMS key policy with the `aws:SourceAccount` condition, replace *account-ID* with the account ID that owns the subscription. If the Amazon SNS topic has multiple subscriptions from different accounts, add multiple account IDs to the `aws:SourceAccount` condition.

1. [Enable SSE for your Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-enable-encryption-for-topic.html).
**Note**  
Make sure that you're using the same KMS key that grants AWS Cost Anomaly Detection the permissions to publish to encrypted Amazon SNS topics.

1. Choose **Save Changes**.
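
The `aws:SourceAccount` and `aws:SourceArn` conditions in the topic policy and KMS key policy procedures above limit the service to acting for the account or subscription you name. The following Python check is an added example, not AWS code: it flags statements that allow `costalerts.amazonaws.com` without either condition, or with an account outside an expected set. The sample policies, topic ARN, account IDs, and function names are constructed for illustration.

```python
SERVICE_PRINCIPAL = "costalerts.amazonaws.com"
SCOPING_KEYS = ("aws:sourceaccount", "aws:sourcearn")  # compared in lower case
RESTRICTING_OPERATORS = ("stringequals", "stringlike", "arnequals", "arnlike")
UNSCOPED = "no aws:SourceAccount or aws:SourceArn condition"


def as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scoping_values(statement):
    """Collect aws:SourceAccount / aws:SourceArn values set under restricting operators."""
    found = {}
    for operator_name, keys in statement.get("Condition", {}).items():
        if operator_name.lower() not in RESTRICTING_OPERATORS:
            continue
        for key, values in keys.items():
            if key.lower() in SCOPING_KEYS:
                found.setdefault(key.lower(), []).extend(as_list(values))
    return found


def audit_policy(policy, expected_accounts):
    """Return (statement label, finding) pairs for Allow statements naming the service."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE_PRINCIPAL not in services:
            continue
        label = stmt.get("Sid", "Statement[%d]" % index)
        scoped = scoping_values(stmt)
        if not scoped:
            findings.append((label, UNSCOPED))
            continue
        for account in scoped.get("aws:sourceaccount", []):
            if "*" in account or "?" in account:
                findings.append((label, "wildcard account: %s" % account))
            elif account not in expected_accounts:
                findings.append((label, "unexpected account: %s" % account))
    return findings


# Constructed sample policies modelled on the statements shown on this page.
SNS_TOPIC_POLICY_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSAnomalyDetectionSNSPublishingPermissions",
        "Effect": "Allow",
        "Principal": {"Service": "costalerts.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:123456789012:cost-anomaly-alerts",
    }],
}

SNS_TOPIC_POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSAnomalyDetectionSNSPublishingPermissions",
        "Effect": "Allow",
        "Principal": {"Service": "costalerts.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:123456789012:cost-anomaly-alerts",
        "Condition": {"StringEquals": {"aws:SourceAccount": ["123456789012"]}},
    }],
}

KMS_KEY_POLICY_OTHER_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "costalerts.amazonaws.com"},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:SourceAccount": ["999999999999"]}},
    }],
}

if __name__ == "__main__":
    expected = {"123456789012"}  # accounts that own the alert subscriptions
    for name, policy in [("sns-open", SNS_TOPIC_POLICY_OPEN),
                         ("sns-scoped", SNS_TOPIC_POLICY_SCOPED),
                         ("kms-other-account", KMS_KEY_POLICY_OTHER_ACCOUNT)]:
        print(name, audit_policy(policy, expected) or "ok")
```
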

# Receiving anomaly alerts in chat applications


You can use Amazon Q Developer to receive your AWS Cost Anomaly Detection alerts in Amazon Chime and Slack.

------
#### [ Amazon Chime ]

**To begin receiving your AWS Cost Anomaly Detection alerts in Amazon Chime**

1. Follow [Getting started with AWS Cost Anomaly Detection](getting-started-ad.md) to create a monitor.

1. Create an alert subscription using the `Individual alerts` type. Amazon SNS topics can be configured for `individual alerts` only.

1. Add an Amazon SNS topic as an alert recipient to a specific alert or alerts. To ensure that Cost Anomaly Detection has permissions to publish to your Amazon SNS topics, see [Creating an Amazon SNS topic for anomaly notifications](ad-SNS.md).

1. Attach the alert subscription to the monitor that you want to receive Amazon Chime alerts for.

1. Open [Amazon Chime](http://app.chime.aws/).

1. For **Amazon Chime**, choose the chat room that you want to set up to receive notifications through Amazon Q Developer.

1. Choose the Room settings icon on the top right and choose **Manage webhooks and bots**.

   Amazon Chime displays the webhooks associated with the chat room.

1. For the webhook, choose **Copy URL**, and then choose **Done**.

   If you need to create a new webhook for the chat room, choose **Add webhook**, enter a name for the webhook in the **Name** field, and then choose **Create**.

1. Open the [Amazon Q Developer in chat applications console](https://us-east-2.console.aws.amazon.com/chatbot/home?region=us-east-2#/chat-clients).

1. Choose **Configure new client**.

1. Choose **Amazon Chime**, and then choose **Configure**.

1. Under **Configuration details**, enter a name for your configuration. The name must be unique across your account and can't be edited later.

1. To configure the Amazon Chime webhook, do the following:

   1. For **Webhook URL**, paste the webhook URL that you copied from Amazon Chime.

   1. For **Webhook description**, use the following naming convention to describe the purpose of the webhook: **Chat_room_name/Webhook_name**. This helps you associate Amazon Chime webhooks with their Amazon Q Developer configurations.

1. If you want to enable logging for this configuration, choose **Publish logs to Amazon CloudWatch Logs**. For more information, see Amazon CloudWatch Logs for Amazon Q Developer.
**Note**  
There is an additional charge for using Amazon CloudWatch Logs.

1. For **Permissions**, set the IAM permissions as follows:

   1. For **IAM role**, choose **Create an IAM role using a template**. If you want to use an existing role instead, choose it from the **IAM role** list. To use an existing IAM role, you might need to modify it for use with Amazon Q Developer. For more information, see Configuring an IAM Role for Amazon Q Developer.

   1. For **Role name**, enter a name. Valid characters: a-z, A-Z, 0-9.

   1. For **Policy templates**, choose **Notification permissions**. This is the IAM policy provided by Amazon Q Developer. It provides the necessary Read and List permissions for CloudWatch alarms, events, and logs, and for Amazon SNS topics.

1. Set up the Amazon SNS topics that will send notifications to the Amazon Chime webhook.

   1. For **Amazon SNS Region**, choose the AWS Region that hosts the Amazon SNS topics for this Amazon Q Developer subscription.

   1. For **Amazon SNS topics**, choose the Amazon SNS topic for the client subscription. This topic determines the content that's sent to the Amazon Chime webhook. If the region has additional Amazon SNS topics, you can choose them from the same dropdown list.

   1. If you want to add an Amazon SNS topic from another Region to the notification subscription, choose **Add another Region**.

1. Choose **Configure**.

For any additional details, see [Tutorial: Get started with Amazon Chime](https://docs.aws.amazon.com/chatbot/latest/adminguide/chime-setup.html) in the *Amazon Q Developer in chat applications Administrator Guide*.

------
#### [ Slack ]

**To begin receiving your AWS Cost Anomaly Detection alerts in Slack**

1. Follow [Getting started with AWS Cost Anomaly Detection](getting-started-ad.md) to create a monitor.

1. Create an alert subscription using the `Individual alerts` type. Amazon SNS topics can be configured for `individual alerts` only.

1. Add an Amazon SNS topic as an alert recipient to a specific alert or alerts. To ensure that Cost Anomaly Detection has permissions to publish to your Amazon SNS topics, see [Creating an Amazon SNS topic for anomaly notifications](ad-SNS.md).

1. Attach the alert subscription to the monitor that you want to receive Slack alerts for.

1. Add Amazon Q Developer to the Slack workspace.

1. Open the [Amazon Q Developer in chat applications console](https://us-east-2.console.aws.amazon.com/chatbot/home?region=us-east-2#/chat-clients).

1. Choose **Configure new client**.

1. Choose **Slack**, and then choose **Configure**.

1. From the dropdown list at the top right, choose the Slack workspace that you want to use with Amazon Q Developer.

1. Choose **Allow**.

For any additional details, see [Tutorial: Get started with Slack](https://docs.aws.amazon.com/chatbot/latest/adminguide/slack-setup.html) in the *Amazon Q Developer in chat applications Administrator Guide*.

------

# Using EventBridge with Cost Anomaly Detection


AWS Cost Anomaly Detection is integrated with EventBridge, an event bus service that you can use to connect your applications with data from a variety of sources. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html).

You can use EventBridge to detect and react to Cost Anomaly Detection events. Then, based on rules that you create, EventBridge invokes one or more target actions when an event matches the values that you specify in a rule. Depending on the type of event, you can capture event information, initiate additional events, send notifications, take corrective action, or perform other actions. To set up an EventBridge rule for Cost Anomaly Detection events, see [Create a rule in Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html#eb-gs-create-rule) in the *Amazon EventBridge User Guide*.

## Example: EventBridge event for Cost Anomaly Detection


When an immediate alert is detected, the subscriber receives an event with the `Anomaly Detected` detail type. The following example shows the event body for the detail type:

```
{
    "version": "0",
    "id": "<id>", // alphanumeric string
    "source": "aws.ce",
    "detail-type": "Anomaly Detected",
    "account": "<account ID>", // 12 digit account id.
    "region": "<region>", // Cost Anomaly Detection home region.
    "time": "<date>", // Format: yyyy-MM-dd'T'hh:mm:ssZ
    "resources": [ 
         "arn:aws:ce::123456789012:anomalymonitor/abcdef12-1234-4ea0-84cc-918a97d736ef"
    ],
    "detail": {
         "accountName": "<account name>",
         "anomalyEndDate": "2021-05-25T00:00:00Z",
         "anomalyId": "12345678-abcd-ef12-3456-987654321a12",
         "anomalyScore": { 
            "currentScore": 0.47,
            "maxScore": 0.47
         },
         "anomalyStartDate": "2021-05-25T00:00:00Z",
         "dimensionValue": "<dimension value>", // service name for AWS Service Monitor
         "feedback": "string",
         "impact": {
            "maxImpact": 151,
            "totalActualSpend": 1301,
            "totalExpectedSpend": 300,
            "totalImpact": 1001,
            "totalImpactPercentage": 333.67
         },
         "rootCauses": [ 
            {
                "linkedAccount": "<linked account ID>", // 12 digit account id.
                "linkedAccountName": "<linked account name>",
                "region": "<region>",
                "service": "<service name>", // AWS service name
                "usageType": "<usage type>", // AWS service usage type
                "impact": {
                    "contribution": 601
                }
            }
        ],
        "accountId": "<account ID>", // 12 digit account id.
        "monitorArn": "arn:aws:ce::123456789012:anomalymonitor/abcdef12-1234-4ea0-84cc-918a97d736ef",
        "monitorName": "<your monitor name>",
        "anomalyDetailsLink": "https://console.aws.amazon.com/cost-management/home#/anomaly-detection/monitors/abcdef12-1234-4ea0-84cc-918a97d736ef/anomalies/12345678-abcd-ef12-3456-987654321a12"
    }
}
```

# Using AWS User Notifications with Cost Anomaly Detection


You can use [AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html) to set up delivery channels that notify you about Cost Anomaly Detection events. You will receive a notification when an event matches a specified rule. You can receive notifications for events through multiple channels, including email, [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html) such as Amazon Chime, Microsoft Teams, and Slack, or [AWS Console Mobile Application](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/what-is-consolemobileapp.html) push notifications. You can also see notifications using the [Console Notifications Center](https://console.aws.amazon.com/notifications/) in the AWS User Notifications console.

AWS User Notifications also supports aggregation, which can reduce the number of notifications you receive during specific events. For more information, see the [AWS User Notifications User Guide](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html).

To use AWS User Notifications, you must have the correct AWS Identity and Access Management (IAM) permissions. For more information about configuring your IAM permissions, see [Creating a notification configuration](https://docs.aws.amazon.com/notifications/latest/userguide/getting-started.html#getting-started-step1) in the *AWS User Notifications User Guide*.

## Example: EventBridge event for `Anomaly Detected`


The following is a generalized example event for `Anomaly Detected`. You can subscribe to EventBridge events (such as this one) using AWS User Notifications.

```
{
    "version": "0",
    "id": "<id>", // alphanumeric string
    "source": "aws.ce",
    "detail-type": "Anomaly Detected",
    "account": "<account ID>", // 12 digit account id.
    "region": "<region>", // Cost Anomaly Detection home region.
    "time": "<date>", // Format: yyyy-MM-dd'T'hh:mm:ssZ
    "resources": [ 
         "arn:aws:ce::123456789012:anomalymonitor/abcdef12-1234-4ea0-84cc-918a97d736ef"
    ],
    "detail": {
         "accountName": "<account name>",
         "anomalyEndDate": "2021-05-25T00:00:00Z",
         "anomalyId": "12345678-abcd-ef12-3456-987654321a12",
         "anomalyScore": { 
            "currentScore": 0.47,
            "maxScore": 0.47
         },
         "anomalyStartDate": "2021-05-25T00:00:00Z",
         "dimensionValue": "<dimension value>", // service name for AWS Service Monitor
         "feedback": "string",
         "impact": {
            "maxImpact": 151,
            "totalActualSpend": 1301,
            "totalExpectedSpend": 300,
            "totalImpact": 1001,
            "totalImpactPercentage": 333.67
         },
         "rootCauses": [ 
            {
                "linkedAccount": "<linked account ID>", // 12 digit account id.
                "linkedAccountName": "<linked account name>",
                "region": "<region>",
                "service": "<service name>", // AWS service name
                "usageType": "<usage type>", // AWS service usage type
                "impact": {
                    "contribution": 601
                }
            }
        ],
        "accountId": "<account ID>", // 12 digit account id.
        "monitorArn": "arn:aws:ce::123456789012:anomalymonitor/abcdef12-1234-4ea0-84cc-918a97d736ef",
        "monitorName": "<your monitor name>",
        "anomalyDetailsLink": "https://console.aws.amazon.com/cost-management/home#/anomaly-detection/monitors/abcdef12-1234-4ea0-84cc-918a97d736ef/anomalies/12345678-abcd-ef12-3456-987654321a12"
    }
}
```

## Filtering events


You can filter events either by service and name using the filters available in the AWS User Notifications console, or by specific properties if you create your own EventBridge filter from JSON code.

**Topics**
+ [Example: Filter by impact](#example-filter-by-impact)
+ [Example: Filter by service dimension](#example-filter-by-service-dimension)
+ [Example: Filter by cost allocation tag](#example-filter-by-cost-allocation-tag)
+ [Example: Filter by Region root cause](#example-filter-by-region-root-cause)
+ [Example: Filter by multiple criteria](#example-filter-composition)

### Example: Filter by impact


The following filter captures any anomaly with a total impact greater than $100 and a percentage impact greater than 10%.

```
{
    "detail": {
        "impact": {
            "totalImpact": [{
                "numeric": [">", 100]
            }],
            "totalImpactPercentage": [{
                "numeric": [">", 10]
            }]
        }
    }
}
```

### Example: Filter by service dimension


The following filter captures anomalies specific to the EC2 service, detected by the AWS services monitor.

```
{
    "detail": {
        "dimensionValue": ["Amazon Elastic Compute Cloud - Compute"],
        "monitorName": ["aws-services-monitor"]
    }
}
```

### Example: Filter by cost allocation tag


The following filter captures anomalies for the Frontend application team, detected by a dimensional cost allocation tag monitor.

```
{
  "detail": {
    "dimensionValue": ["ApplicationTeam:Frontend"],
    "monitorName": ["dimensional-CAT-monitor"]
  }
}
```

### Example: Filter by Region root cause


The following filter captures anomalies that have root causes in the US East (N. Virginia) Region.

```
{
  "detail": {
    "rootCauses": {
      "region": ["us-east-1"]
    }
  }
}
```

### Example: Filter by multiple criteria


The following complex filter captures anomalies for the Frontend application team with a total impact greater than \$100, a percentage impact greater than 10%, and root causes in the US East (N. Virginia) Region.

```
{
  "detail": {
    "dimensionValue": ["ApplicationTeam:Frontend"],
    "monitorName": ["dimensional-CAT-monitor"],
    "impact": {
        "totalImpact": [{ "numeric": [">", 100] }],
        "totalImpactPercentage": [{ "numeric": [">", 10] }]
    },
    "rootCauses": {
        "region": ["us-east-1"]
    }
  }
}
```
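
To check a filter before attaching it to a rule, the following added example (not part of the original guide or AWS tooling) evaluates the multiple-criteria filter against a constructed event with a simplified local matcher. It covers only the pattern features used in the filters above (exact-value lists, `numeric` comparisons, nested keys), and it assumes `rootCauses` arrives as a list of objects; the sample event values are invented.

```python
import operator

# Comparison operators accepted inside a "numeric" condition.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}

def leaf_matches(value, conditions):
    """A leaf is a list of alternatives; any one of them may match."""
    for cond in conditions:
        if isinstance(cond, dict) and "numeric" in cond:
            spec = cond["numeric"]  # [">", 100] or a range [">", 0, "<=", 5]
            if isinstance(value, (int, float)) and all(
                    OPS[op](value, bound)
                    for op, bound in zip(spec[0::2], spec[1::2])):
                return True
        elif cond == value:
            return True
    return False

def matches(pattern, event):
    """Every pattern key must match; an event array matches if any element does."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        return leaf_matches(event, pattern)
    return isinstance(event, dict) and all(
        key in event and matches(sub, event[key]) for key, sub in pattern.items())

# The "Filter by multiple criteria" pattern from this page.
COMBINED_FILTER = {"detail": {
    "dimensionValue": ["ApplicationTeam:Frontend"],
    "monitorName": ["dimensional-CAT-monitor"],
    "impact": {"totalImpact": [{"numeric": [">", 100]}],
               "totalImpactPercentage": [{"numeric": [">", 10]}]},
    "rootCauses": {"region": ["us-east-1"]}}}

# Constructed sample event: field values are invented for this example, and
# rootCauses is assumed to be a list of objects.
SAMPLE_EVENT = {"detail": {
    "monitorName": "dimensional-CAT-monitor",
    "dimensionValue": "ApplicationTeam:Frontend",
    "impact": {"totalImpact": 150.0, "totalImpactPercentage": 40.0},
    "rootCauses": [{"service": "Amazon Elastic Compute Cloud - Compute", "region": "us-west-2"},
                   {"service": "Amazon Elastic Compute Cloud - Compute", "region": "us-east-1"}]}}

if __name__ == "__main__":
    print(matches(COMBINED_FILTER, SAMPLE_EVENT))
```

Because the comparison is strict, an anomaly with a total impact of exactly 100 does not match this filter. The EventBridge `TestEventPattern` API can confirm the same pattern against the service's own matching engine.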

# Opting out of Cost Anomaly Detection


You can opt out of Cost Anomaly Detection at any time. To opt out, you need to delete all cost monitors and alert subscriptions in your account. After you opt out, Cost Anomaly Detection no longer monitors your spend patterns for anomalies. You also won’t receive any further notifications.

**To opt out of Cost Anomaly Detection**

1. Open the Billing and Cost Management console at [https://console.aws.amazon.com/costmanagement/](https://console.aws.amazon.com/costmanagement/).

1. In the navigation pane, choose **Cost Anomaly Detection**.

1. To delete any existing cost monitors:

   1. Choose the **Cost monitors** tab.

   1. Select the cost monitor that you want to delete.

   1. Choose **Delete**.

   1. In the **Delete cost monitor** dialog box, choose **Delete**.

   1. Repeat the steps for any additional cost monitors.

1. To delete any existing alert subscriptions:

   1. Choose the **Alert subscriptions** tab.

   1. Select the alert subscription that you want to delete.

   1. Choose **Delete**.

   1. In the **Delete alert subscription** dialog box, choose **Delete**.

   1. Repeat the steps for any additional alert subscriptions.

**Note**  
You can also opt out of Cost Anomaly Detection by deleting your cost monitors and alert subscriptions through the Cost Explorer API. To do so, use [DeleteAnomalyMonitor](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_DeleteAnomalyMonitor.html) and [DeleteAnomalySubscription](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_DeleteAnomalySubscription.html).