All cheat sheets
Cost Governancecheat sheet

AWS Budget Actions

A regular budget emails you; a Budget Action does the thing for you — attach a deny-IAM policy, apply an SCP, or stop tagged EC2/RDS when a threshold breaks. The difference between an alarm and a circuit breaker, and it costs nothing extra.

Last reviewed: July 14, 2026

TL;DR: AWS Budgets has sent emails since launch — useful only if a human reads them at 11 PM Friday while a runaway GPU job burns $400/hour. Budget Actions wire a threshold to an automated response: attach a restrictive IAM policy, apply an SCP, or stop tagged EC2/RDS instances. Most teams enable budgets and never turn on the Action side — leaving the most valuable half of the feature on the table. It costs nothing extra, and its whole value is scoping: surgical, not nuclear.

The numbers

  • Three action types: IAM policy (attach deny-launch to a user/group/role — existing resources keep running), Service Control Policy (account/OU-wide — high blast radius, disposable accounts only), or stop a targeted EC2/RDS instance.
  • Manual vs automatic: manual sends an email and waits for you to click "Execute"; automatic fires with no human in the loop.
  • Worked example — a forgotten p4d.24xlarge (~$33/hr): email-only path → $2,400 burned before Monday; Budget Actions path (deny-launch at 100% forecast, stop-instance at 100% actual) → **$200 instead of $2,400**.
  • Field examples: a startup's dev-account action fired 4× in a year (~$2,400 saved, 90-min setup); a training-account SCP brake at $100/week took bill incidents to zero.

Do this

  1. Pick a bounded budget that matters — a dev account, sandbox OU, or a project's cost-allocation tag, not a vanity budget.
  2. Layer the thresholds: email-only alert at ~80%, the action (the brake) at 100–110%.
  3. Choose the surgical action: deny-launch IAM policy on the specific role causing overage (doesn't touch running work), plus a stop action on the specific tag — never an account-wide SCP unless the account is disposable.
  4. Prefer actual over forecasted triggers for real circuit-breaker behavior (forecast is noisy early in the month).
  5. Start with manual approval, write the recovery runbook first, and flip to automatic only after it fires cleanly 2–3 times.

Gotchas

  • Tag-based stop targeting needs tagged resources — an untagged runaway instance is invisible to the stop action; tag hygiene is a prerequisite, not polish.
  • The execution role must have permission to attach/detach the policy or stop the instance — a misconfigured role = a silently broken action.
  • SCPs deny even root and cascade to child OUs — make sure the detacher role lives in the management account and isn't caught by the SCP; scope to the target account, not the OU, to limit blast radius.
  • SCPs don't stop already-running resources — pair a deny-launch SCP with a stop action if you need both layers; and the action fires once per budget period, not permanently.

Skip this if

Run this audit with your AI assistant

Paste this into Claude, ChatGPT, or any agent that can run the AWS CLI with read-only credentials. It audits your account for exactly the waste this sheet describes — and changes nothing.

You are auditing an AWS account/Org for Budget Actions guardrail
opportunities. Use the AWS CLI with READ-ONLY credentials. Do not
create, modify, or delete anything — report findings and recommended
(unapplied) fixes only.

1. Current state: aws budgets describe-budgets, and for each,
   describe-budget-actions-for-budget — which budgets have ACTIONS vs
   alert-only. Flag high-variance non-prod budgets (dev/sandbox/training)
   with no action.
2. Scope the source: for each candidate, identify the IAM role/group that
   typically causes overage and the resource tags to target. Recommend a
   narrow deny (e.g. ec2:RunInstances, rds:CreateDBInstance,
   sagemaker:CreateTrainingJob) on that role + a stop-instances action on
   the tag — NOT an account-wide SCP unless it's a disposable account.
3. Trigger type: recommend ACTUAL over FORECASTED for circuit-breaker
   behavior (forecast is noisy early-month). Recommend manual approval
   for the first 2-3 firings, then automatic.
4. Execution-role + tag hygiene: verify a valid action execution role
   exists with attach/stop permissions; flag untagged resources that a
   stop action couldn't target.

Report a table: budget | env | has action? | recommended action type +
scope | trigger (actual/forecast) | approval mode | recovery-runbook
present? Change nothing.
Works with any assistant that can run shell commands.

Want the guided version?

The AWS Budget Actions walkthrough covers this topic interactively — it asks about your setup, branches to what’s relevant, and quizzes you on the tricky parts. Free and anonymous.

Start the walkthrough