Parag Agrawal

Posted on May 30 • Originally published at turbodeploy.dev

FinOps for Startups: How to Keep Your AWS Bill Under $100/Month

#aws #devops #cloud #finops

Our first AWS bill was $347.

We had one service. One database. Zero users. And $347 worth of "we didn't know that was running."

A NAT Gateway we forgot about: $32. An RDS instance sized for 10,000 users serving exactly zero: $65. CloudWatch Logs with no retention policy, growing forever: $28. And the rest was a collection of Elastic IPs, unused EBS volumes, and a load balancer pointing to nothing.

This is embarrassingly common. Studies show that startups overspend on cloud by 40-60% in their first year. Not because AWS is expensive, but because nobody teaches you where the money actually goes.

This guide is our playbook for running a production SaaS application on AWS for under $100/month. Not a toy project. A real app with HTTPS, a managed database, auto-scaling, logging, and CI/CD.

The $97/Month Production Stack

Here's exactly what we run in production and what it costs:

Service	Config	Monthly Cost
ECS Fargate	1 task × 0.5 vCPU / 1 GB RAM	$18
Application Load Balancer	HTTPS + routing	$22
RDS PostgreSQL	db.t4g.micro, 20 GB storage	$15
ECR	Container images (~2 GB stored)	$3
CloudWatch	Logs (30-day retention) + basic metrics	$5
Route 53	1 hosted zone + DNS queries	$2
Data Transfer	~50 GB egress	$5
ACM (SSL)	Certificate	Free
Secrets Manager	4 secrets	$2
S3	Static assets + backups (~10 GB)	$0.25
NAT Gateway	❌ We don't use one	$0
	Total	~$72

Wait, that's $72, not $97? Yes. $72 is the baseline. The remaining $25 is headroom for traffic spikes, additional logging, and the occasional one-off task. Budget $100, spend $72, keep $28 as buffer.

Architecture Choices That Save Money

Decision	Savings
Fargate instead of EC2	No idle server costs; pay per task
db.t4g.micro (Graviton) instead of db.t3.small	40% cheaper, better performance
No NAT Gateway	Saves $32+/month (use VPC endpoints instead)
30-day log retention	Prevents CloudWatch storage from growing forever
ACM for SSL	Free certificates (vs. $10–$100/year elsewhere)
Single AZ for dev/staging	Avoids cross-AZ data transfer charges

5 Silent AWS Budget Killers

These are the line items that quietly eat your budget while you're heads-down building:

1. NAT Gateway: The $32/Month Surprise

What it is: A managed service that allows resources in a private subnet to reach the internet.

Why it's expensive:

$0.045/hour = $32.40/month just for existing
Plus $0.045 per GB of data processed through it
A typical setup with 2 AZs = $65/month before any data

How startups get stuck with it: Most "production-ready" VPC templates include NAT Gateways by default. You deploy a CloudFormation template, and suddenly you're paying $65/month for network plumbing.

The fix:

# Check if you have NAT Gateways running
aws ec2 describe-nat-gateways \
  --filter "Name=state,Values=available" \
  --query "NatGateways[].{ID:NatGatewayId,SubnetId:SubnetId}" \
  --output table

Alternatives:
| Solution | Cost | Trade-off |
|---|---|---|
| VPC Endpoints (for S3, ECR, etc.) | $7–$10/mo per endpoint | Only for AWS services |
| Public subnets for Fargate | $0 | Requires security groups |
| NAT Instance (t4g.nano) | ~$3/mo | You manage it |
| No NAT (use Fargate in public subnet) | $0 | Simplest for most startups ⭐ |

Pro tip: If your ECS tasks only need to reach AWS services (ECR, S3, CloudWatch, Secrets Manager), use VPC Gateway Endpoints (free for S3 and DynamoDB) and Interface Endpoints ($7/mo each) instead of a NAT Gateway.

2. Unattached EBS Volumes: Paying for Nothing

What it is: When you terminate an EC2 instance, its EBS volumes can stick around, costing $0.10/GB/month.

# Find all unattached EBS volumes
aws ec2 describe-volumes \
  --filters "Name=status,Values=available" \
  --query "Volumes[].{ID:VolumeId,Size:Size,Created:CreateTime}" \
  --output table

# Delete them (after confirming they're not needed!)
aws ec2 delete-volume --volume-id vol-xxxxxxxxxxxxx

Typical waste: 5 forgotten 100 GB volumes = $50/month for nothing.

3. CloudWatch Logs: The Infinite Growth Problem

What it is: CloudWatch Logs has no default retention policy. Your logs will grow forever unless you explicitly set a retention period.

# Check log groups with no retention (never-expire)
aws logs describe-log-groups \
  --query "logGroups[?retentionInDays==null].{Name:logGroupName,StoredBytes:storedBytes}" \
  --output table

# Set 30-day retention on all log groups
for group in $(aws logs describe-log-groups \
  --query "logGroups[?retentionInDays==null].logGroupName" \
  --output text); do
  aws logs put-retention-policy \
    --log-group-name "$group" \
    --retention-in-days 30
  echo "Set 30-day retention: $group"
done

Pricing:

Log ingestion: $0.50 per GB
Log storage: $0.03 per GB/month
An app logging 1 GB/day without retention = $11/month in storage after 1 year (and growing)

4. Unused Elastic IPs: The $3.65/Month Paperweight

What it is: Elastic IPs are free when attached to a running instance. The moment they're unattached, AWS charges $0.005/hour = $3.65/month per IP.

# Find unattached Elastic IPs
aws ec2 describe-addresses \
  --query "Addresses[?AssociationId==null].{IP:PublicIp,AllocationId:AllocationId}" \
  --output table

# Release them
aws ec2 release-address --allocation-id eipalloc-xxxxxxxxxxxxx

5. Cross-AZ Data Transfer: The Hidden Per-GB Tax

What it is: Data transfer between Availability Zones costs $0.01/GB in each direction ($0.02/GB round trip). If your app server is in us-east-1a and your database is in us-east-1b, every query pays this tax.

The fix: For dev/staging environments, keep everything in a single AZ. For production, this is an acceptable cost for high availability but be aware of it.

The 10-Minute AWS Cost Audit

Run these commands right now. They take 10 minutes and will immediately reveal waste:

Step 1: What's Costing You Money? (2 minutes)

# Top 5 spending services this month
aws ce get-cost-and-usage \
  --time-period Start=$(date -u +%Y-%m-01),End=$(date -u +%Y-%m-%d) \
  --granularity MONTHLY \
  --metrics "UnblendedCost" \
  --group-by Type=DIMENSION,Key=SERVICE \
  --query "ResultsByTime[0].Groups | sort_by(@, &Metrics.UnblendedCost.Amount) | reverse(@) | [:5].{Service:Keys[0],Cost:Metrics.UnblendedCost.Amount}" \
  --output table

Step 2: Find Zombie Resources (3 minutes)

# Unattached EBS volumes
aws ec2 describe-volumes --filters "Name=status,Values=available" \
  --query "length(Volumes[])" --output text

# Unused Elastic IPs
aws ec2 describe-addresses --query "length(Addresses[?AssociationId==null])" --output text

# Idle load balancers (0 healthy targets)
aws elbv2 describe-target-health \
  --query "TargetHealthDescriptions[?TargetHealth.State!='healthy']" --output json

# Old snapshots (>90 days)
aws ec2 describe-snapshots --owner-ids self \
  --query "length(Snapshots[?StartTime<='$(date -u -v-90d +%Y-%m-%dT%H:%M:%S)'])" \
  --output text

Step 3: Check Log Retention (2 minutes)

# Log groups with no retention (infinite storage)
aws logs describe-log-groups \
  --query "length(logGroups[?retentionInDays==null])" --output text

# Total stored log bytes
aws logs describe-log-groups \
  --query "sum(logGroups[].storedBytes)" --output text

Step 4: NAT Gateway Check (1 minute)

# Running NAT Gateways (each = $32+/mo)
aws ec2 describe-nat-gateways \
  --filter "Name=state,Values=available" \
  --query "length(NatGateways[])" --output text

Step 5: Set Up Billing Alerts (2 minutes)

# Create a $100 monthly budget with email alert
aws budgets create-budget \
  --account-id $(aws sts get-caller-identity --query Account --output text) \
  --budget '{
    "BudgetName": "Monthly-100-Limit",
    "BudgetLimit": {"Amount": "100", "Unit": "USD"},
    "TimeUnit": "MONTHLY",
    "BudgetType": "COST"
  }' \
  --notifications-with-subscribers '[{
    "Notification": {
      "NotificationType": "ACTUAL",
      "ComparisonOperator": "GREATER_THAN",
      "Threshold": 80,
      "ThresholdType": "PERCENTAGE"
    },
    "Subscribers": [{
      "SubscriptionType": "EMAIL",
      "Address": "your-email@example.com"
    }]
  }]'

8 Rules for Staying Under $100/Month

Rule 1: Start With the Smallest Instance That Works

Service	Don't Start With	Start With	Savings
RDS	db.t3.medium ($50/mo)	db.t4g.micro ($12/mo)	$38/mo
ElastiCache	cache.t3.small ($25/mo)	cache.t4g.micro ($9/mo)	$16/mo
ECS Fargate	1 vCPU / 2 GB ($43/mo)	0.5 vCPU / 1 GB ($18/mo)	$25/mo
EC2 (if needed)	t3.medium ($30/mo)	t4g.micro ($6/mo)	$24/mo

The rule: Start at the smallest Graviton (t4g) instance. Monitor for 2 weeks. Scale up only if performance requires it.

Rule 2: Use Graviton Everywhere

AWS Graviton (ARM-based) processors offer 20–40% better price-performance versus x86:

Service	x86 Price	Graviton Price	Savings
Fargate (1 vCPU)	$0.04048/hr	$0.03238/hr	20%
RDS (db.t3.micro)	$0.017/hr	$0.016/hr (t4g)	6%
ElastiCache	$0.017/hr	$0.014/hr	18%
EC2 (t3.micro)	$0.0104/hr	$0.0084/hr (t4g)	19%

Most Node.js and Python apps run identically on Graviton. No code changes needed.

Rule 3: Set Up Budget Alerts Before You Deploy Anything

Configure three alerts:

$50 (50%) : "You're halfway. Check Cost Explorer."
$80 (80%) : "Slow down. Review what's running."
$100 (100%) : "Stop and investigate immediately."

Enable Cost Anomaly Detection (free), it uses ML to detect unusual spending patterns and alerts you within 24 hours.

Rule 4: Set Log Retention to 30 Days

Unless you have compliance requirements, 30 days of logs is enough for debugging. After 30 days, export important logs to S3 (where storage costs $0.023/GB/month instead of CloudWatch's $0.03/GB/month).

Rule 5: Use VPC Endpoints Instead of NAT Gateways

For most startups, you only need your containers to reach AWS services. VPC Gateway Endpoints for S3 and DynamoDB are free. Interface Endpoints for ECR, Secrets Manager and CloudWatch are ~$7/month each, still cheaper than a NAT Gateway.

Rule 6: Delete Everything You're Not Using

Run this monthly:

Delete unattached EBS volumes
Release unused Elastic IPs
Remove old ECR images (keep last 5 tags)
Delete unused security groups
Remove old CloudFormation stacks

# ECR lifecycle policy - keep only the last 5 images
aws ecr put-lifecycle-policy \
  --repository-name my-app \
  --lifecycle-policy-text '{
    "rules": [{
      "rulePriority": 1,
      "description": "Keep last 5 images",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 5
      },
      "action": {"type": "expire"}
    }]
  }'

Rule 7: Use the Free Tier Aggressively

Services with generous always-free tiers:

Service	Free Tier (Forever)
Lambda	1M requests + 400K GB-seconds/month
DynamoDB	25 GB storage + 25 read/write units
S3	5 GB storage (12 months), then ~$0.023/GB
CloudWatch	10 custom metrics + 5 GB log ingestion
SNS	1M publishes
SQS	1M requests
API Gateway	1M HTTP API calls (12 months)
Secrets Manager	30-day free trial per secret
ACM	Unlimited free SSL certificates

Strategy: Use Lambda for cron jobs and event processing (free tier covers most startups). Use DynamoDB for session storage or caching (free tier = 25 GB). These free tiers are permanent and they don't expire after 12 months.

Rule 8: Don't Buy Savings Plans Until Month 3

Savings Plans offer 20–72% discounts, but they require a 1 or 3-year commitment. Don't commit until:

Your architecture is stable (no major changes planned)
You have 3+ months of Cost Explorer data
You've right-sized all instances first

When you're ready:

# See what AWS recommends for Savings Plans
aws ce get-savings-plans-purchase-recommendation \
  --savings-plans-type COMPUTE_SP \
  --term-in-years ONE_YEAR \
  --payment-option NO_UPFRONT \
  --lookback-period-in-days SIXTY_DAYS

AWS Activate: Free Credits for Startups

If you haven't applied yet, do it today:

Package	Credits	Who Qualifies
Activate Founders	Up to $1,000	Self-funded / bootstrapped startups
Activate Portfolio	$10,000–$100,000	Backed by a VC, accelerator, or incubator

How to apply:

Go to aws.amazon.com/activate
Create an AWS Builder ID
Fill in company details (use a professional domain email, not Gmail)
For Portfolio tier, get an Organization ID from your investor/accelerator
Credits typically arrive within 7–10 business days

Pro tip: $1,000 in credits at our $97/month run rate = 10 months of free infrastructure. Apply before you start building.

The Monthly FinOps Checklist

Run this on the 1st of every month (set a calendar reminder):

[ ] Review Cost Explorer : check for unexpected spikes
[ ] Check budget alerts : are you on track?
[ ] Delete zombie resources : EBS volumes, Elastic IPs, old snapshots
[ ] Review log storage : is anything growing unexpectedly?
[ ] Check ECR images : is the lifecycle policy working?
[ ] Review Trusted Advisor : check cost optimization recommendations
[ ] Tag new resources : ensure everything has Environment/Service/Owner tags
[ ] Update team : share the bill breakdown with your co-founder

How TurboDeploy Keeps Your Bill Low

Every TurboDeploy deployment is cost-optimized by default:

Feature	How It Saves Money
Right-sized Fargate tasks	We recommend the smallest task size that works
Graviton by default	ARM-based tasks for 20% savings
No NAT Gateway	Public subnets with security groups
ECR lifecycle policies	Auto-cleanup old images
CloudWatch log retention	30-day retention set automatically
Cost dashboard	See exactly what each app costs
Budget alerts	Configured during onboarding

We built TurboDeploy because we were tired of the Platform Tax on Heroku, but we also didn't want to accidentally rack up a different kind of tax on AWS.

Your FinOps Action Plan

When	What	Estimated Savings
Today	Set up AWS Budgets + Cost Anomaly Detection	$0 (prevention)
This week	Run the 10-minute cost audit above	$15–$30/mo
This month	Right-size instances, set log retention, delete zombies	$20–$40/mo
Month 3	Evaluate Savings Plans + migrate to Graviton	$10–$20/mo more
Ongoing	Monthly checklist on the 1st	Prevents drift

TL;DR

Rule	Action
Start small	t4g.micro for everything. Scale up when you prove you need it.
Use Graviton	20–40% cheaper. Same code. No changes needed.
No NAT Gateway	Use VPC Endpoints or public subnets. Saves $32+/month.
Set log retention	30 days. Otherwise logs grow forever.
Budget alerts	Set at $50, $80, $100. Non-negotiable.
Delete zombies	Monthly: EBS volumes, EIPs, old snapshots, unused LBs.
Free tier	Lambda + DynamoDB + SQS free tiers are permanent. Use them.
Savings Plans	Wait until Month 3. Right-size first.
AWS Activate	Apply for $1,000–$100,000 in free credits.
Monthly audit	10 minutes. First of every month. No excuses.

Want AWS infrastructure that's cost-optimized from day one? TurboDeploy deploys to your AWS account with Graviton, right-sized tasks, no NAT Gateways, and automatic budget alerts. We handle the infrastructure, you keep the savings.

Start deploying

DEV Community