
AWS Cost Audit for Fintech Startups in India: RBI + DPDP + FinOps Checklist (2026)

Originally published at aicloudstrategist.com/blog/aws-cost-audit-fintech-india.html. This is a cross-post for the dev.to community.

By Anushka B, Founder · 2026-04-22 · 9 min read

Indian fintech AWS bills almost always overspend by 28-45% because the founding team optimised for RBI sovereignty first and cost second. This audit walks the exact nine checks we run on every fintech stack before writing the PDF report, with real INR numbers from Mumbai (ap-south-1).

Why fintech audits are different from SaaS audits

A typical Indian SaaS startup can lift-and-shift a workload to us-east-1 or Singapore to save 12-18% on compute. A fintech regulated under RBI's Storage of Payment System Data (2018) circular, PSS Act licensing, or the NPCI UPI reference architecture cannot. Payment data, KYC artefacts, and PMJDY records must reside in India. That locks you into ap-south-1 (Mumbai) and, since March 2022, optionally ap-south-2 (Hyderabad). Both regions carry a structural premium over us-east-1:

  • EC2 On-Demand: Mumbai is ~12-18% more expensive than N. Virginia on m6i/c6i families.

  • S3 Standard: ₹2.10/GB/month in Mumbai vs ₹1.92/GB in us-east-1 (~9% higher).

  • RDS Multi-AZ: ~15% premium, and you cannot use Aurora Global for read scale across regions without violating localisation.

  • Data transfer OUT to internet: $0.1093/GB in Mumbai vs $0.09/GB in us-east-1 (~21% higher).

This means the "just move to Singapore" advice you'll read on Reddit is illegal for your payment-data workloads. Your optimisation lever is inside Mumbai: commit coverage, right-sizing, networking, and data lifecycle — not region arbitrage.

The 2026 RBI + DPDP overlay on every AWS cost decision

As of the Digital Personal Data Protection Act rules notified in early 2026, every optimisation recommendation we make for a fintech is cross-checked against three regulatory boundaries:

  1. RBI Storage of Payment System Data — end-to-end transaction data must be stored only in India. A "cheaper" S3 replication target in Singapore is a non-starter.

  2. DPDP Act significant data fiduciary obligations — audit logs, consent artefacts, and breach detection must be retained with demonstrable integrity. You can move them to S3 Glacier Instant Retrieval, but not to another region without an RBI-approved transfer mechanism.

  3. PCI-DSS v4.0 scope — if you touch card data, the CDE must be network-isolated; that usually means VPC endpoints rather than NAT Gateway, which is a cost win too.

The 9-point fintech cost audit checklist

  1. Mumbai Savings Plans coverage — target 75-85% of steady-state compute under a 1-year Compute Savings Plan. Most fintechs we audit sit at 22-40% coverage. Gap = 15-25% overspend on EC2.

  2. NAT Gateway sprawl — ₹3.80/hour per AZ + ₹3.80/GB processed. Three-AZ fintechs often run 3 NATs in prod, 3 in staging, 3 in UAT. Moving S3, DynamoDB, STS, KMS, Secrets Manager, ECR to VPC endpoints cuts 40-70% of NAT data-processing charges.

  3. EBS gp2 -> gp3 migration — gp3 is 20% cheaper and decouples IOPS from size. Still the single highest-ROI, lowest-risk change on most fintech stacks.

  4. RDS idle replicas — staging read replicas running 24x7 for a CI suite that executes 4x/day. Schedule them.

  5. KMS key proliferation — one CMK per microservice sounds tidy; at ₹83/key/month x 60 keys across envs, that is ₹60,000/year of avoidable spend. Consolidate where the threat model allows.

  6. CloudTrail + GuardDuty + Config data volume — mandatory for RBI audit, but the default trail writes every management and data event. Separate the PCI-DSS CDE trail from the rest and lifecycle the non-CDE logs to S3 Glacier Instant Retrieval after 90 days.

  7. Orphaned EBS snapshots and volumes — the median fintech we audit has 8-14 TB of orphaned snapshots from decommissioned KYC pipelines. See our deep dive on orphaned EBS volumes.

  8. Cross-AZ chatter — every inter-AZ GB costs ₹0.83. A chatty microservice mesh with Istio mTLS and no topology-aware routing can burn ₹4-8 lakh/month on a mid-size fintech.

  9. Data egress to card networks and NPCI — often sits on public NAT. Moving to AWS Direct Connect or a Transit Gateway peering cuts the per-GB cost and improves latency to Visa/Mastercard gateways.
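Check 7 (orphaned snapshots and volumes) is the one that most often turns into a script, so here is an added example of the detection logic; it is not code from the original post. It works on dicts shaped like the JSON returned by `aws ec2 describe-volumes` and `aws ec2 describe-snapshots --owner-ids self`; the volume and snapshot records below are constructed so the example runs offline, and the `protected_snapshot_ids` parameter (snapshots still backing a registered AMI) is this example's own addition.

```python
"""Check 7 of the audit: orphaned EBS snapshots and unattached volumes.

Added example, not code from the original post. Input dicts follow the shape
of `aws ec2 describe-volumes` / `aws ec2 describe-snapshots --owner-ids self`;
the sample data below is constructed so this runs offline.
"""
from collections import defaultdict

# Constructed sample: one volume attached to an instance, one left in state
# "available" after a KYC pipeline was decommissioned.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Size": 200, "State": "in-use",
     "Attachments": [{"InstanceId": "i-0111", "State": "attached"}]},
    {"VolumeId": "vol-0bbb", "Size": 500, "State": "available", "Attachments": [],
     "Tags": [{"Key": "Name", "Value": "kyc-ocr-scratch"}]},
]

# Constructed sample: snap-01 backs a live volume; snap-02/03 reference a
# volume that no longer exists; snap-04 is an old AMI root snapshot.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-01", "VolumeId": "vol-0aaa", "VolumeSize": 200,
     "StartTime": "2026-04-01T00:00:00+00:00"},
    {"SnapshotId": "snap-02", "VolumeId": "vol-0ccc", "VolumeSize": 1024,
     "StartTime": "2025-06-10T00:00:00+00:00"},
    {"SnapshotId": "snap-03", "VolumeId": "vol-0ccc", "VolumeSize": 1024,
     "StartTime": "2025-07-10T00:00:00+00:00"},
    {"SnapshotId": "snap-04", "VolumeId": "vol-0ddd", "VolumeSize": 8,
     "StartTime": "2024-01-01T00:00:00+00:00"},
]


def find_orphans(volumes, snapshots, protected_snapshot_ids=frozenset()):
    """Return unattached volumes and snapshots whose source volume is gone.

    protected_snapshot_ids: snapshot IDs still referenced by a registered AMI
    (collect them from `describe-images` BlockDeviceMappings). Their source
    volume is long deleted, but deleting them breaks the AMI, so they are
    excluded from the orphan list.
    """
    live_volume_ids = {v["VolumeId"] for v in volumes}

    unattached = [v for v in volumes
                  if v["State"] == "available" and not v.get("Attachments")]

    orphaned = [s for s in snapshots
                if s["VolumeId"] not in live_volume_ids
                and s["SnapshotId"] not in protected_snapshot_ids]

    # Group by the missing source volume: a run of snapshots from one deleted
    # volume usually means a backup schedule that nobody switched off.
    by_source = defaultdict(list)
    for s in sorted(orphaned, key=lambda s: s["StartTime"]):
        by_source[s["VolumeId"]].append(s["SnapshotId"])

    return {
        "unattached_volumes": [v["VolumeId"] for v in unattached],
        "unattached_gb": sum(v["Size"] for v in unattached),
        "orphaned_snapshots": [s["SnapshotId"] for s in orphaned],
        # VolumeSize is an upper bound: snapshots bill only changed blocks,
        # so the real stored size is lower.
        "orphaned_snapshot_gb_upper_bound": sum(s["VolumeSize"] for s in orphaned),
        "orphaned_by_source_volume": dict(by_source),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(find_orphans(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS), indent=2))
```

Run it against the two JSON dumps per account and region (snapshots are regional, so a Mumbai-only sweep misses anything left behind in ap-south-2). Treat the grouped output as a to-do list: a single unattached volume is noise, but twenty snapshots from one deleted volume is a scheduler that is still firing.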

What we actually see in fintech audits: 6 recurring patterns

After auditing Indian lending, UPI-TSP, neo-banking, and wealth-tech stacks, the same six patterns repeat:

  • Over-provisioned production RDS for an event-driven load. An r6i.4xlarge sized for a once-a-month reconciliation job. Moving reconciliation to Aurora Serverless v2 or a separate scheduled cluster typically saves ₹2-4 lakh/month.

  • Three prod environments in three regions "for DR" — none of them actually tested. One is usually ap-south-1 primary, one ap-south-2 warm standby, and one Singapore or Tokyo "because the CTO read a blog post." The Singapore copy is usually both expensive and non-compliant.

  • GuardDuty at default verbosity on dev accounts. ₹40-80K/month of findings you never read.

  • Elasticsearch/OpenSearch clusters for log search with 7-day hot retention. Logs that regulators look at twice a year kept on gp3 SSD.

  • Lambda cold starts "fixed" with provisioned concurrency on every function. Usually only 2-3 functions genuinely need it.

  • WAF managed rule groups stacked without deduplication. You're paying per WCU for overlapping OWASP rules.

Mumbai region INR benchmark: what a compliant fintech should pay

Workload profile                      | Typical AWS spend (INR/month) | Post-audit target (INR/month) | Savings
Early-stage UPI TSP, 500K txn/day     | ₹8-12 lakh                    | ₹5-7 lakh                     | 35-40%
Series A lending, co-lending model    | ₹18-25 lakh                   | ₹12-16 lakh                   | 30-35%
Series B neo-bank, 1M MAU             | ₹45-70 lakh                   | ₹30-45 lakh                   | 30-38%
Series C wealth-tech with ML models   | ₹80 lakh - 1.4 cr             | ₹55-90 lakh                   | 30-35%

These are not promises — they are the median of 40+ audits we've run in 2024-2025. Your mileage will depend on how much of the spend is genuinely load-driven versus architecture-driven.

FinOps for fintech: the governance layer

Cost optimisation without governance reverts in 90 days. For a fintech, the FinOps layer must satisfy both the CFO and the Chief Compliance Officer. We insist on four controls before closing any audit engagement:

  1. Tagging policy enforced via AWS Organizations SCP — every resource must carry cost-center, data-classification, rbi-scope, and env. Untagged resources are blocked at creation in prod OUs.

  2. Monthly Savings Plan coverage review — see RI coverage governance for Indian startups.

  3. Anomaly detection scoped by service x account x tag — not the default Cost Anomaly Detection, which misses microservice-level spikes.

  4. Quarterly rightsizing with Compute Optimizer — cross-referenced with custom P95/P99 metrics, not the default 14-day window.
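Control 1 is the one that is easy to get subtly wrong, so here is an added example of the SCP and a small checker for it; this is not the post's own policy. The four tag keys are the ones named above; the action list (ec2:RunInstances, ec2:CreateVolume) and resource ARNs are this example's assumptions, and `evaluate_request` is a deliberately minimal model of IAM's Null condition, useful for unit-testing the policy before it is attached to a prod OU, not a substitute for the IAM policy simulator.

```python
"""FinOps control 1: deny untagged EC2 resource creation via an SCP.

Added example, not the original post's policy. Tag keys come from the post;
actions, resource ARNs and the evaluator are this example's assumptions.
"""
import json

REQUIRED_TAGS = ("cost-center", "data-classification", "rbi-scope", "env")


def _sid(tag_key):
    # Sid must be alphanumeric: "cost-center" -> "RequireTagCostCenter"
    return "RequireTag" + "".join(p.capitalize() for p in tag_key.split("-"))


def build_required_tags_scp(required=REQUIRED_TAGS):
    """One Deny statement per tag key.

    Condition keys inside a single statement are ANDed, so putting all four
    Null checks into one statement would only deny a request missing ALL
    four tags. Separate statements make each tag individually mandatory.
    """
    statements = []
    for key in required:
        statements.append({
            "Sid": _sid(key),
            "Effect": "Deny",
            "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
            # RunInstances also touches subnet, security-group and key-pair
            # resources that cannot carry request tags; if the Deny covered
            # them, aws:RequestTag would be null there and every launch would
            # fail. Scope the Deny to the taggable resources only.
            "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
            "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def evaluate_request(scp, action, request_tags):
    """Minimal simulator: which Deny statements match a create request?

    Models only the Null condition on aws:RequestTag. Real evaluation also
    considers resource ARNs, identity policies and every other attached SCP,
    and SCPs never apply to the management account.
    """
    denied_by = []
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        for cond_key, want_null in stmt["Condition"].get("Null", {}).items():
            tag_key = cond_key.split("/", 1)[1]
            is_null = tag_key not in request_tags
            if is_null == (want_null == "true"):
                denied_by.append(stmt["Sid"])
    return {"allowed": not denied_by, "denied_by": denied_by}


if __name__ == "__main__":
    scp = build_required_tags_scp()
    print(json.dumps(scp, indent=2))
    print(evaluate_request(scp, "ec2:RunInstances",
                           {"cost-center": "payments", "env": "prod"}))
```

Attach the generated document to the prod OUs only, as the control above says; in staging and UAT a tagging gap is a reporting problem, in prod it is a cost-attribution and RBI-scope problem. Extend the action list service by service, checking that each action actually supports the aws:RequestTag condition key before adding it.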

Frequently asked questions

Q: Can we move our non-payment workloads out of Mumbai to save cost?

Yes, for workloads outside the RBI and DPDP perimeter: marketing analytics, internal BI, ML training on anonymised data, CI/CD runners. We typically migrate 15-25% of a fintech's compute out of Mumbai this way, cutting ~18% off the affected services. The payment data plane stays in ap-south-1.

Q: Is ap-south-2 (Hyderabad) cheaper than ap-south-1 (Mumbai)?

No. Pricing is identical for EC2, S3, and RDS. Hyderabad is useful for RBI-compliant active-active DR, not for arbitrage.

Q: How do we handle Savings Plans when we don't know our 1-year volume?

Commit only the floor — the compute you know you will run no matter what. For most Series A fintechs that is 55-65% of current steady state. Top up with On-Demand and Spot for burst. See Savings Plans vs RI for India.

Q: Does your audit touch PCI-DSS scope?

We don't issue PCI-DSS attestations — your QSA does. But we flag cost-saving recommendations that would expand or reduce CDE scope so you can decide with your compliance lead. Usually reducing NAT Gateway sprawl and using VPC endpoints shrinks scope and cuts cost simultaneously.

Q: Do you sign NDAs and handle CSV bills with customer data?

Yes. Mutual NDA before any data exchange. We only need the Cost and Usage Report or the monthly invoice PDF — never production data, keys, or customer PII.

Q: How is this free? What's the catch?

We use the 24-hour audit as our only top-of-funnel. About one in five audits turns into a paid FinOps retainer or a remediation sprint. The other four get a useful PDF and we part as friends. No sales call is booked automatically.

Q: Can you also cover security posture alongside cost?

Our primary lens is cost, but we flag obvious security and RBI compliance gaps we spot — open S3 buckets, IAM users with long-lived keys, default security groups in prod. For a dedicated review see Cloud Secure and DPDP Act cloud security checklist.
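The "IAM users with long-lived keys" flag above comes straight out of the IAM credential report, so here is an added example of that check; it is not code from the original post. The CSV is a constructed subset of the columns `aws iam get-credential-report` returns (the real report has more columns in the same layout), the audit date is pinned to keep the output deterministic, and the 90-day threshold is this example's assumption.

```python
"""Flag IAM users with long-lived access keys from the IAM credential report.

Added example, not from the original post. SAMPLE_REPORT is a constructed
subset of the real report's columns; the real report is base64-encoded in
the `Content` field of `aws iam get-credential-report` and decodes to CSV.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample (subset of columns). Placeholders N/A, no_information
# and not_supported appear in the real report exactly like this.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2021-03-01T00:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
ci-deployer,arn:aws:iam::111111111111:user/ci-deployer,2022-01-10T00:00:00+00:00,false,false,true,2022-01-10T00:00:00+00:00,2026-04-20T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2025-11-01T00:00:00+00:00,true,true,true,2026-03-01T00:00:00+00:00,2026-04-21T00:00:00+00:00,false,N/A,N/A
legacy-reporting,arn:aws:iam::111111111111:user/legacy-reporting,2020-05-05T00:00:00+00:00,false,false,true,2020-05-05T00:00:00+00:00,2024-02-01T00:00:00+00:00,true,2023-09-01T00:00:00+00:00,N/A
"""

# Audit date pinned for a deterministic example; use datetime.now(timezone.utc) in real runs.
AS_OF = datetime(2026, 4, 22, tzinfo=timezone.utc)

NO_VALUE = {"N/A", "no_information", "not_supported"}


def parse_ts(value):
    """Credential-report timestamps are ISO 8601; placeholders become None."""
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def find_long_lived_keys(report_csv, max_age_days=90, as_of=AS_OF):
    """Return active access keys older than max_age_days, with usage context.

    'stale' means the key has not been used within max_age_days (or never);
    those are candidates for deactivation rather than rotation. A key that is
    old but used daily (a CI deployer) is a rotation or role-migration item.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (as_of - rotated).days
            if age_days <= max_age_days:
                continue
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            findings.append({
                "user": row["user"],
                "key_slot": int(slot),
                "age_days": age_days,
                "last_used": last_used.date().isoformat() if last_used else None,
                "stale": last_used is None or (as_of - last_used).days > max_age_days,
                "mfa_active": row["mfa_active"] == "true",
            })
    return findings


if __name__ == "__main__":
    for f in find_long_lived_keys(SAMPLE_REPORT):
        print(f"{f['user']:<18} key{f['key_slot']} age={f['age_days']:>5}d "
              f"last_used={f['last_used']} stale={f['stale']}")
```

The report covers one account, so run it per member account, and keep the findings separate from the cost report: a never-used, years-old active key on a user with no MFA is a compliance finding the CCO needs before the CFO sees the spend numbers.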



We run written 24-hour AWS cost audits. Founder-led. Free. No sales call. Send your last bill, get a PDF back. Request yours →
