The `default` profile bill for April 2026 shows $82.80 on VPC + $68.55 on EC2 - Other (~$151 combined, see #103). That's almost half of the bill, and it's the bucket where NAT Gateway data-processing, inter-AZ traffic, and outbound transfer hide. The `cost:analyze` service-level view names these line items but doesn't tell us what's transferring data to where.
Cost Explorer doesn't break egress out by destination. The two real sources are:
Option A — VPC Flow Logs
1. Enable Flow Logs for each VPC of interest (logs to CloudWatch Logs or S3).
2. Aggregate by `destination_address` / `destination_port` over the period.
3. Cross-reference with NAT Gateway / data-transfer pricing to estimate cost.
- Pros: authoritative; can break down by destination IP / port / instance.
- Cons: requires Flow Logs to be enabled (storage costs and ingest charges). Doesn't directly attribute dollar values — those come from `UsageType` line items in Cost Explorer / CUR.
Option B — Cost Explorer `USAGE_TYPE` grouping
- `GetCostAndUsage` supports grouping by `USAGE_TYPE`.
- This surfaces line items like `DataTransfer-Out-Bytes`, `USE1-NatGateway-Bytes`, `USE1-USE2-AWS-Out-Bytes`, etc.
- It tells us kinds of egress (NAT, inter-region, internet) but not destinations.
- Cons: doesn't answer "which workload caused this" without correlation to Flow Logs.
Recommended: ship Option B first as a fast win — the usage-type breakdown alone narrows the search space considerably, and the data is one extra Cost Explorer call away. Add Option A as a follow-on for accounts that have Flow Logs enabled.
Acceptance
- New subcommand or flag that ranks egress `UsageType`s by cost (Option B baseline).
- When VPC Flow Logs are enabled, optionally correlate to top destinations (Option A drilldown).
Proposal
Surface a breakdown of where egress is going:
```sh
cloud cost:egress
# or
cloud cost:analyze --service "EC2 - Other" --by destination
```
Output sketch:
```
Egress endpoints — April 2026 (profile: default)
Destination                     Volume     Cost
─────────────────────────────────────────────────────
0.0.0.0/0 (internet, NAT)       1.8 TB     $54.20
us-east-1 inter-AZ              0.4 TB     $18.00
…
```
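The aggregation and pricing steps of Option A, as an added example (not code from this repository). It assumes the default version 2 Flow Logs record format, where the destination fields are named `dstaddr` and `dstport`; the function name, the VPC CIDR, the per-GB rate and the sample records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records, default (version 2) VPC Flow Logs format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 49152 443 6 900 1200000 1775000000 1775000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 49153 443 6 700 800000 1775000060 1775000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 198.51.100.7 50000 5432 6 300 500000 1775000000 1775000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.20 40000 8080 6 100 90000 1775000000 1775000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 192.0.2.99 40001 25 6 4 240 1775000000 1775000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1775000000 1775000060 - NODATA
""".splitlines()


def top_destinations(lines, vpc_cidr="10.0.0.0/16", usd_per_gb=0.045, limit=10):
    """Rank (dstaddr, dstport) pairs outside the VPC by bytes sent to them.

    usd_per_gb is an assumed rate; substitute the rate for the usage type
    and region being investigated. Cost uses decimal GB as an approximation.
    Returns a list of (dstaddr, dstport, bytes, estimated_usd).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = Counter()
    for line in lines:
        f = line.split()
        # Skip malformed rows, NODATA/SKIPDATA windows and rejected flows
        # before touching the address fields (they are "-" in NODATA rows).
        if len(f) != 14 or f[0] != "2" or f[13] != "OK" or f[12] != "ACCEPT":
            continue
        src = ipaddress.ip_address(f[3])
        dst = ipaddress.ip_address(f[4])
        # Egress only: source inside the VPC, destination outside it.
        if src in vpc and dst not in vpc:
            totals[(f[4], int(f[6]))] += int(f[9])
    return [
        (ip, port, nbytes, nbytes / 1e9 * usd_per_gb)
        for (ip, port), nbytes in totals.most_common(limit)
    ]


if __name__ == "__main__":
    for ip, port, nbytes, usd in top_destinations(SAMPLE):
        print(f"{ip}:{port:<6} {nbytes:>12} B  ~${usd:.6f}")
```

A VPC-level flow log records NAT-bound traffic once at the instance ENI and again at the NAT gateway ENI, so filter on one `interface-id` before aggregating to avoid double counting.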