Anatomy of a $100K AWS Bill: What Most CFOs Miss

A note on this story: The dollar figures below are based on a composite of 5 real AWS invoices we've audited (Series B–C SaaS companies, $5M–$30M ARR). Numbers are rounded for readability; every cost pattern is real.

A CFO once told me: "I sign off on a $100K AWS invoice every month. I have no idea what's in it. Nobody on my team can explain it to me in less than 90 minutes. So I just approve it and pray."

That conversation is the reason this post exists.

Below is a line-by-line autopsy of a real $100K AWS bill. By the end, you'll know:

• Where the money actually goes (it's not where you think)
• The 7 hidden multipliers that turn a $50K bill into a $100K bill
• The 4 questions every CFO should ask before approving the next invoice
• How to find $20K–$40K of waste in 30 minutes — without reading a single line of code

Let's open the bill.

---

The $100K, broken down

Here's the actual breakdown of the invoice (cleaned, anonymised, rounded to thousands):

Service	Monthly cost	% of bill
EC2 (compute)	$34,000	34%
Data transfer (egress)	$14,000	14%
RDS (databases)	$11,000	11%
S3 (storage)	$9,000	9%
CloudWatch (logs/metrics)	$7,500	7.5%
Lambda + API Gateway	$5,500	5.5%
EBS (block storage)	$5,000	5%
ECS / Fargate	$4,000	4%
Other (DynamoDB, ELB, NAT, etc.)	$10,000	10%
Total	$100,000	100%

Most CFOs look at this and zoom in on EC2. "It's compute, of course it's expensive. Nothing we can do."

That's the wrong line to zoom in on. The money is hiding somewhere else.

---

The 7 hidden multipliers (in order of how often they show up)

1. NAT Gateway data transfer — $4K–$8K/month, almost always wasted

Every time a private-subnet pod talks to the internet (npm install, S3, an external API), it goes through a NAT Gateway. AWS charges:

• $0.045/hour per NAT Gateway (~$32/month per AZ)
• $0.045/GB processed

The hourly fee is fine. The $0.045/GB is what kills you. Every 100GB of egress through NAT = $4.50, but compounded over a month of busy services that's easily $5K–$10K.

The CFO question: "How much of our data transfer goes through NAT Gateways vs VPC endpoints?"

The fix: VPC endpoints for S3 and DynamoDB are FREE for traffic. One day of work routes 60% of NAT traffic to free interfaces. Typical savings: $3K–$6K/month.

2. CloudWatch Logs — death by a thousand log lines

CloudWatch charges:

• $0.50 per GB ingested
• $0.03 per GB stored
• $0.005 per GB scanned in Logs Insights queries

A noisy microservice logging at DEBUG level can ingest 100GB/day = $1,500/month by itself. Multiply across 30 services and you've burned $15K–$45K/year on logs no one reads.

The CFO question: "Which services are responsible for our top 5 CloudWatch ingestion lines?"

The fix: Set log retention to 14 days for everything except security/audit. Drop DEBUG in production. Move historical logs to S3 with lifecycle to Glacier. Typical savings: $2K–$5K/month.

3. Idle RDS replicas — $1.5K–$3K/month each

Every read replica costs the same as the primary. Most teams spin up a "for safety" replica during a launch and forget it. We've found one company running 5 idle replicas of a single Postgres instance — burning $11K/month on databases no application was reading from.

The CFO question: "Show me a list of every RDS replica with read IOPS in the last 7 days."

The fix: RDS Performance Insights → filter for replicas with <5% read activity → terminate. Some need to stay (HA), most don't. Typical savings: $2K–$4K/month.

4. EBS volumes orphaned from terminated EC2s

When you terminate an EC2 instance with "delete on termination = false", the EBS volume sticks around. We see fleets with 300+ orphaned gp3 volumes averaging $40/month each. That's $12K/month of paying for storage attached to nothing.

The CFO question: "What % of our EBS volumes have a state of 'available' (i.e., unattached)?"

The fix: AWS CLI: aws ec2 describe-volumes --filters Name=status,Values=available. Snapshot anything you might need, delete the rest. Typical savings: $1K–$3K/month.

5. S3 versioning + lifecycle never set — exponential storage growth

S3 versioning is ON by default in many production buckets. Without a lifecycle policy, every overwrite of a 100MB file creates a new 100MB version. After 12 months of CI deploys overwriting the same 50 keys, you've stored 600x what you intended.

The CFO question: "Do we have an S3 lifecycle policy on every bucket >1TB?"

The fix: Lifecycle policy: expire non-current versions after 30 days, transition to Glacier after 90. Typical savings: $1K–$4K/month on a $9K storage line.

6. On-demand EC2 when 80% of usage is steady-state

Reserved Instances and Savings Plans are 30–50% cheaper than on-demand for workloads that run 24/7. But 65% of mid-market companies we audit run 80%+ of their EC2 fleet on-demand. The reason isn't ignorance — it's risk aversion. Engineering doesn't want to commit. Finance doesn't want to lock in. So the company pays the on-demand premium forever.

The CFO question: "What % of our EC2 spend is on Savings Plans or RIs?"

The fix: Compute Savings Plans cover the entire EC2 + Fargate + Lambda surface area, no commitment to instance family. 1-year, no-upfront SPs at 80% coverage typically save $8K–$15K/month on a $34K EC2 line.

7. Inter-AZ data transfer — the silent tax

AWS charges $0.01/GB to send data between Availability Zones inside the same region. Sounds cheap. But a chatty microservice architecture with 30 services pinging each other across AZs at 10MB/sec/service = 30 services × 10 MB/s × 86,400 s/day × 30 days × 2 (in+out) × $0.01/GB = ~$15.5K/month in inter-AZ traffic.

The CFO question: "What's our inter-AZ data transfer line item, and which services drive it?"

The fix: Topology-aware routing (Istio, Linkerd, AWS App Mesh) — keep service-to-service traffic in the same AZ when possible. Typical savings: $2K–$5K/month.

---

The 4 questions every CFO should ask before approving next month's bill

You don't need to be technical. You need 4 questions:

1. "What was our top 5 cost driver last month, and how did each one change vs the previous month?"
2. "What % of our compute spend is on Reserved Instances or Savings Plans?"
3. "Do we have idle resources flagged anywhere — orphaned EBS volumes, unused RDS replicas, dormant S3 versioning?"
4. "What's our anomaly detection MTTD — the time between an unexpected cost spike and someone seeing it?"

If your engineering team can answer these four questions in under 5 minutes, you have FinOps maturity. If they say "let me check, I'll get back to you next week", you have a $20K-$40K/month waste problem hiding in your bill.

---

How to find $20K–$40K of waste in 30 minutes

You don't need a consultant. You don't need a $150K/year platform. You need three things:

1. AWS Cost Explorer — filter by service, group by usage type, look at the top 10 line items
2. AWS Trusted Advisor — the "Cost Optimization" tab flags idle/orphaned resources
3. A spreadsheet — copy this month's top 10 line items vs last month's, sort by % change

That's it. You'll find at least 3 of the 7 multipliers above in 30 minutes.

Or — if you want it done in 10 minutes, CARTIE AI runs all 7 checks automatically and gives you the dollar figure for each one. Try the demo — paste your AWS billing CSV, get the autopsy.

---

The hardest truth in cloud finance

Most CFOs sign $100K invoices they can't explain.

It's not a finance failure. It's a tooling failure. The native AWS dashboards are designed for engineers, not CFOs. Every CFO I've talked to has the same instinct: "I should be able to read this bill the way I read the SaaS subscriptions list."

You should. And you can. The question is whether you've built (or bought) the tooling that translates 90 pages of CSV into 4 questions and 7 answers.

If you're a CFO reading this and your team can't answer the 4 questions in 5 minutes — that's your action item this week. Good luck. 🥃