Wendy Wong for AWS Community Builders


AWS Cost Explorer - Cost Anomaly Detection Report identified an unauthorized Amazon Sagemaker Canvas user

A Very Expensive Lesson

I received a huge surprise this month: a forecast for a July month-end bill of $586 linked to my AWS root account. As a best practice, I never use my AWS root account and always build projects with the AWS IAM account login.

The AWS Management Console provides a summary of the AWS services usage, forecasted costs, in particular indicating that Amazon Sagemaker had an end of month $578.57 forecast with cost increasing by over 300% in the current month. I have not used Amazon Sagemaker recently 🙄 and this raised concerns for my unexpected charges.



Amazon Cost Explorer

By navigating to Amazon Cost Explorer, AWS Cost Management provides a summary view of costs, commentary on the right-hand side and also a graph showing that daily usage had increased by 270% in the region US-East-1 (N. Virginia).

I navigated each of the panes to investigate further information regarding the costs incurred such as Region, Instance Type and Linked Account.

Instance Type

I checked under Instance Type to see if there were any active EC2 instances. There were no active instances after 11 July 2022.


Usage Type

In this pane, I could identify that after 11 July 2022, someone had created an Amazon Sagemaker Canvas session from 11-17 July (indicated in purple)
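The check done by eye in the Usage Type pane can also be run over a Cost Explorer `GetCostAndUsage` response grouped by `USAGE_TYPE`. This is an added example, not code from the original post: the response is constructed (usage type names and amounts are placeholders), and the 15 USD floor is an assumption borrowed from the alert threshold used later in the post.

```python
from collections import defaultdict
from datetime import date


def new_spend(response, cleanup_day, floor_usd=15.0):
    """Return {usage_type: [(day, cost), ...]} for usage types with no spend
    before cleanup_day that cost at least floor_usd on a later day."""
    seen_before = set()
    later = defaultdict(list)
    for bucket in response["ResultsByTime"]:
        day = date.fromisoformat(bucket["TimePeriod"]["Start"])
        for group in bucket["Groups"]:
            usage_type = group["Keys"][0]
            # Cost Explorer returns amounts as strings
            cost = float(group["Metrics"]["UnblendedCost"]["Amount"])
            if cost <= 0:
                continue
            if day < cleanup_day:
                seen_before.add(usage_type)
            elif cost >= floor_usd:
                later[usage_type].append((day.isoformat(), cost))
    # Filter at the end so the result does not depend on bucket order
    return {u: days for u, days in later.items() if u not in seen_before}


def _bucket(start, end, costs):
    """Build one constructed daily bucket in the GetCostAndUsage response shape."""
    return {"TimePeriod": {"Start": start, "End": end},
            "Groups": [{"Keys": [name],
                        "Metrics": {"UnblendedCost": {"Amount": amt, "Unit": "USD"}}}
                       for name, amt in costs.items()]}


# Constructed sample: a known workload before the clean-up, a new one after it
SAMPLE = {"ResultsByTime": [
    _bucket("2022-07-09", "2022-07-10", {"EXAMPLE-BoxUsage": "2.10"}),
    _bucket("2022-07-10", "2022-07-11", {"EXAMPLE-BoxUsage": "2.10"}),
    _bucket("2022-07-13", "2022-07-14", {"EXAMPLE-Canvas-Session": "40.00",
                                         "EXAMPLE-Storage": "0.02"}),
    _bucket("2022-07-14", "2022-07-15", {"EXAMPLE-Canvas-Session": "40.00"}),
]}

if __name__ == "__main__":
    for usage_type, days in new_spend(SAMPLE, date(2022, 7, 11)).items():
        print(usage_type, days)
```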


Linked Account

I used the AWS root account login details to check any active sessions of Amazon Sagemaker Canvas.


Reduce Costs - Clean up Active AWS resources

The previous week on the 11 July, I cleaned up my AWS account for active resources such as:

a) Deleting EC2 instances in the regions Sydney, Ohio and N.Virginia



b) Shutting down any active Cloud9 sessions

c) Deleting any active CloudFormation stacks

d) Deleting any AWS Sagemaker processing jobs

e) Emptying S3 buckets for completed AWS Glue jobs

Reduce Costs - Create an AWS Cost Anomaly Detection Report

As an extra measure I created a Cost Anomaly Report that could be emailed to me to identify any suspicious activity to my AWS account over a threshold of $15. You may create a Cost Anomaly Detection Report from this link

AWS Cost Anomaly Detection Report uses machine learning to detect anomalies and the root causes for cloud spend.
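The same report can be set up through the Cost Explorer API instead of the console. This is an added example, not code from the original post: it assumes `ce` is a `boto3.client("ce")` Cost Explorer client, and the monitor name, subscription name and e-mail address passed in are hypothetical.

```python
def service_monitor_arn(ce):
    """Return the ARN of an AWS-services anomaly monitor, creating one if absent.

    Only the first page of get_anomaly_monitors is inspected.
    """
    for monitor in ce.get_anomaly_monitors()["AnomalyMonitors"]:
        if (monitor.get("MonitorType") == "DIMENSIONAL"
                and monitor.get("MonitorDimension") == "SERVICE"):
            return monitor["MonitorArn"]      # reuse instead of creating a duplicate
    created = ce.create_anomaly_monitor(AnomalyMonitor={
        "MonitorName": "all-services",        # hypothetical name
        "MonitorType": "DIMENSIONAL",
        "MonitorDimension": "SERVICE",
    })
    return created["MonitorArn"]


def create_cost_alert(ce, email, threshold_usd=15):
    """E-mail a daily digest of anomalies whose total impact is >= threshold_usd.

    Returns (monitor_arn, subscription_arn).
    """
    monitor_arn = service_monitor_arn(ce)
    created = ce.create_anomaly_subscription(AnomalySubscription={
        "SubscriptionName": "daily-cost-anomalies",   # hypothetical name
        "MonitorArnList": [monitor_arn],
        "Subscribers": [{"Type": "EMAIL", "Address": email}],
        "Frequency": "DAILY",                 # e-mail delivery is a DAILY or WEEKLY digest
        "ThresholdExpression": {"Dimensions": {
            "Key": "ANOMALY_TOTAL_IMPACT_ABSOLUTE",
            "MatchOptions": ["GREATER_THAN_OR_EQUAL"],
            "Values": [str(threshold_usd)],   # 15 USD, the threshold used in this post
        }},
    })
    return monitor_arn, created["SubscriptionArn"]
```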


You may also download as a csv file the Cost Anomaly Detection Report to view the details of the surprise charges:


Reduce Costs - Delete if not in use - Amazon Sagemaker Canvas

Navigate to Amazon Sagemaker Canvas and click on Canvas and then click Getting Started. I located active sessions of an unauthorized user 'michael-c' who had been generating workloads of $40 per day from 13-18 July on my account. I followed the instructions to remediate and prevent unauthorized users from this link


I deleted the app from Amazon Sagemaker Canvas and then deleted the user.


From the diagram you may see an unauthorized user 'michael-c'.


AWS CloudWatch

I further explored AWS CloudWatch to confirm the usage levels of Amazon Sagemaker Canvas by user 'michael-c' in the US East (N. Virginia) region, to understand how many days I was being charged for the Canvas instance.

AWS CloudWatch was able to monitor the metrics of an AWS Service and provide further evidence for my investigation of the surprise charges.


Block Public Access to all Amazon S3 buckets

I wanted to review my Amazon S3 buckets to see if I could further reduce my monthly bill. This is what I discovered:

a) User 'michael-c' had created an S3 bucket with my AWS account number and included a prefix with region US-East-1 (N. Virginia)

I emptied the files within the bucket.


b) This S3 bucket was Public and not private. I updated the settings to Block Public S3 buckets.

Create MFA on Root Account and Admin IAM User Account

To further secure my linked AWS Root account I also implemented Multi-Factor Authentication (MFA) as recommended on the AWS IAM dashboard. Please see this blog and follow all the steps to enable MFA on all AWS accounts.



Best practice guidelines to enable MFA include downloading Twilio Authy for an iPhone or Android phone and linking it to your mobile device. You may find the steps here.


MFA provides an additional layer of security to identify the user during the login process of your AWS account.

Final Steps - Change passwords

As an extra measure to prevent unauthorized access to my AWS account, I also reset the passwords to the AWS IAM and Root user accounts.

I recommend that you also change your email passwords regularly and enable 2-factor authentication if possible.

I hope you won't have to learn the hard way like me. Until next time, happy learning! 😁


Join us for AWS re:Inforce conference 2022

Next week is AWS re:Inforce conference, 26-27 July 📆

A learning conference on compliance, privacy and identity 🔐🛠️

• Register to watch the keynote & sessions streamed live online 📺



Top comments (2)

Adit Modi

Hi Wendy,
Nice article about identifying and remediating AWS costs. I usually also use CloudTrail logs for tracking any suspicious activity within my AWS accounts.

Wendy Wong • Edited

Hi Adit, thanks for the tip. I will also implement CloudTrail and AWS Budgets :)