TL;DR: AWS Budgets has sent emails since launch — useful only if a human reads them at 11 PM Friday while a runaway GPU job burns $400/hour. Budget Actions wire a threshold to an automated response: attach a restrictive IAM policy, apply an SCP, or stop tagged EC2/RDS instances. Most teams enable budgets and never turn on the Action side — leaving the most valuable half of the feature on the table. It costs nothing extra, and its whole value is scoping: surgical, not nuclear.
The numbers
- Three action types: IAM policy (attach deny-launch to a user/group/role — existing resources keep running), Service Control Policy (account/OU-wide — high blast radius, disposable accounts only), or stop a targeted EC2/RDS instance.
- Manual vs automatic: manual sends an email and waits for you to click "Execute"; automatic fires with no human in the loop.
- Worked example — a forgotten p4d.24xlarge (~$33/hr): email-only path →
$2,400 burned before Monday; Budget Actions path (deny-launch at 100% forecast, stop-instance at 100% actual) → **$200 instead of $2,400**. - Field examples: a startup's dev-account action fired 4× in a year (~$2,400 saved, 90-min setup); a training-account SCP brake at $100/week took bill incidents to zero.
Do this
- Pick a bounded budget that matters — a dev account, sandbox OU, or a project's cost-allocation tag, not a vanity budget.
- Layer the thresholds: email-only alert at ~80%, the action (the brake) at 100–110%.
- Choose the surgical action: deny-launch IAM policy on the specific role causing overage (doesn't touch running work), plus a stop action on the specific tag — never an account-wide SCP unless the account is disposable.
- Prefer actual over forecasted triggers for real circuit-breaker behavior (forecast is noisy early in the month).
- Start with manual approval, write the recovery runbook first, and flip to automatic only after it fires cleanly 2–3 times.
Gotchas
- Tag-based stop targeting needs tagged resources — an untagged runaway instance is invisible to the stop action; tag hygiene is a prerequisite, not polish.
- The execution role must have permission to attach/detach the policy or stop the instance — a misconfigured role = a silently broken action.
- SCPs deny even root and cascade to child OUs — make sure the detacher role lives in the management account and isn't caught by the SCP; scope to the target account, not the OU, to limit blast radius.
- SCPs don't stop already-running resources — pair a deny-launch SCP with a stop action if you need both layers; and the action fires once per budget period, not permanently.
Skip this if
- It's a production account with a soft cost signal — you want a human paged, not auto-deny; reserve actions for hard, non-negotiable ceilings.
- You haven't set up the parent budgets yet — start with AWS Budgets. For the unanticipated spikes no fixed threshold would catch, pair with AWS Cost Anomaly Detection; scoped actions rely on Cost Allocation Tags and account-level actions on AWS Organizations Consolidated Billing.