AWS Cost Agent: AI-Powered Cost Analysis You Can Self-Host
Your AWS bill is a black box. This agent cracks it open — scanning 25+ resource types across every region, identifying waste, and giving you copy-pasteable CLI commands to fix it. Powered by Amazon Bedrock. Fully open source.
The Problem With AWS Cost Visibility
If you’ve ever opened the AWS Billing Console and tried to figure out why your bill jumped 30% last month, you know the feeling. Cost Explorer shows you which services are spending money. It doesn’t tell you why, and it definitely doesn’t tell you what to do about it.
The real cost problems are hiding in plain sight:
We built the AWS Cost Agent to solve this. It scans your entire AWS environment, feeds the results to an AI agent, and produces prioritized, actionable recommendations — with real CLI commands using your actual resource IDs.
How It Works
The AWS Cost Agent runs as a self-hosted Docker container. Point it at your AWS credentials, click “Analyze,” and let the AI agent do the rest.
The Analysis Pipeline
When you kick off an analysis, three things happen in sequence:
1. A parallel scanner hits every enabled region simultaneously (10 concurrent threads), cataloging EC2 instances, RDS databases, S3 buckets, Lambda functions, ECS clusters, ElastiCache, OpenSearch, DynamoDB, Redshift, SageMaker endpoints, NAT Gateways, EIPs, EBS volumes, snapshots, load balancers, CloudFront distributions, API Gateways, and more — 25+ resource types in total.
2. The agent queries AWS Cost Explorer for the last 30 days of spending, grouped by service, region, usage type, and (for Organizations) linked account. This gives the AI the financial context it needs to prioritize recommendations by actual dollar impact.
3. The scan results and cost data are fed to an Amazon Bedrock agent (Nova Lite by default, configurable). The agent analyzes the data using custom tools — NAT Gateway analysis, data transfer deep-dives, cost breakdowns — and returns prioritized recommendations with copy-pasteable AWS CLI commands.
After the initial analysis, you can ask follow-up questions in an interactive chat. The AI agent retains the full context of your scan and can even make additional AWS API calls on the fly to investigate specific findings deeper.
What It Finds
The scanner doesn’t just list resources — it identifies specific waste patterns and optimization opportunities:
| Category | What It Detects | Why It Matters |
|---|---|---|
| Orphaned Storage | Unattached EBS volumes, orphaned snapshots from deleted AMIs, stale AMIs | Storage costs that accumulate indefinitely with zero utility |
| Idle Compute | Low-CPU RDS instances, idle load balancers, underutilized EC2 | You’re paying for capacity nobody is using |
| Quick Wins | gp2 → gp3 EBS upgrades, unassociated Elastic IPs, CloudWatch log groups with no retention | Low-risk changes with immediate savings |
| Networking | NAT Gateway traffic patterns, cross-AZ data transfer, idle endpoints | Data transfer is often the largest hidden cost |
| AI/ML Spend | Bedrock per-model token usage, caller attribution (which Lambda/ECS calls Bedrock), provisioned throughput | GenAI costs are growing fast and difficult to attribute |
The Bedrock usage analysis is worth calling out specifically. Most cost tools treat AI/ML as a single line item. The AWS Cost Agent breaks it down per model, shows invocation counts and token usage from CloudWatch metrics, and traces callers by checking which IAM roles on your Lambda functions and ECS tasks have Bedrock permissions. If you’re running generative AI workloads, this alone makes the tool worth deploying.
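The caller-attribution idea described above, as an added example (not the project's own code): given the policy documents attached to Lambda execution roles and ECS task roles, it reports which roles can invoke Bedrock models, handling wildcard actions, `NotAction`, and explicit denies. The role names and policies are constructed sample data, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Real IAM actions that produce Bedrock inference (token) spend.
INVOKE_ACTIONS = ("bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream")

def _as_list(value):
    """IAM accepts a bare string wherever it accepts a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(patterns, action):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def invoke_actions_for_role(policy_docs):
    """Invoke actions a role's identity policies allow (conditions are not evaluated)."""
    allowed, denied = set(), set()
    for doc in policy_docs:
        stmts = doc.get("Statement", [])
        for st in [stmts] if isinstance(stmts, dict) else stmts:
            for action in INVOKE_ACTIONS:
                if "NotAction" in st:
                    hit = not _matches(_as_list(st["NotAction"]), action)
                else:
                    hit = _matches(_as_list(st.get("Action")), action)
                if hit and st.get("Effect") == "Allow":
                    allowed.add(action)
                elif hit and "Condition" not in st and "*" in _as_list(st.get("Resource")):
                    denied.add(action)  # unconditional, all-resource explicit deny
    return sorted(allowed - denied)

def bedrock_callers(roles):
    """Map role name -> allowed invoke actions, keeping only roles that can call Bedrock."""
    found = {name: invoke_actions_for_role(docs) for name, docs in roles.items()}
    return {name: actions for name, actions in found.items() if actions}

# Constructed sample data: execution/task role name -> its policy documents.
SAMPLE_ROLES = {
    "lambda-summarizer": [{"Statement": [
        {"Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": "*"}]}],
    "ecs-chat-task": [{"Statement": [
        {"Effect": "Allow", "Action": ["bedrock:Invoke*", "s3:GetObject"], "Resource": "*"}]}],
    "lambda-admin-denied": [
        {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
        {"Statement": [{"Effect": "Deny", "Action": "bedrock:*", "Resource": "*"}]}],
    "lambda-thumbnailer": [{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}],
}

if __name__ == "__main__":
    print(bedrock_callers(SAMPLE_ROLES))
```

A role that reaches Bedrock only through `Action: "*"` is reported as a caller too, which is often the more useful finding: it is both a cost-attribution gap and an over-privileged role.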
Multi-Account Support Out of the Box
If you’re running AWS Organizations, the Cost Agent discovers all member accounts automatically and lets you analyze them individually or together. No manual account list to maintain.
Cross-account access uses STS AssumeRole with a dedicated IAM role in each member account. The repo includes two ways to set this up:
Shell Script
Run setup-org-role.sh against each member account. Creates the IAM role with the correct trust policy and read-only permissions. Good for small organizations.
CloudFormation StackSet
Deploy the IAM role to all member accounts at once using CloudFormation StackSets. Automatically covers new accounts as they join the organization. The right choice for anything beyond a handful of accounts.
Once the roles are in place, the agent’s account selector shows every account with its name and ID. Pick one, or analyze the entire organization’s spend from a single dashboard.
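Because every member account ends up with a role that another account can assume, the trust policy on that role is worth reviewing after either setup path. The following added example (not code from the repo) audits a trust policy document under the assumption that the role should trust only the account where the agent runs; the account IDs, policies and function names are constructed for illustration.

```python
import re

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def principal_account(principal):
    """Return the 12-digit account ID in an IAM principal (bare ID or ARN), else None."""
    m = re.fullmatch(r"arn:aws[\w-]*:iam::(\d{12}):(?:root|role/.+|user/.+)", principal)
    if m:
        return m.group(1)
    return principal if re.fullmatch(r"\d{12}", principal) else None

def audit_trust_policy(doc, trusted_account):
    """Return findings for a role trust policy; an empty list means nothing was flagged."""
    findings = []
    stmts = doc.get("Statement", [])
    for i, st in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st:
            findings.append(f"statement {i}: Allow with NotPrincipal")
        principal = st.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}  # shorthand for every principal
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
                elif value == "*":  # flagged even when a Condition narrows it
                    findings.append(f"statement {i}: wildcard AWS principal")
                elif principal_account(value) != trusted_account:
                    findings.append(f"statement {i}: principal outside trusted account: {value}")
        extra = [a for a in _as_list(st.get("Action")) if a.lower() != "sts:assumerole"]
        if extra:
            findings.append(f"statement {i}: actions beyond sts:AssumeRole: {extra}")
    return findings

TRUSTED = "111111111111"  # constructed account ID for the account running the agent
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"}]}
BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": ["111111111111", "arn:aws:iam::999999999999:role/ci"]},
     "Action": "sts:*"}]}

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, TRUSTED), audit_trust_policy(BAD, TRUSTED), sep="\n")
```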
The Architecture
The agent is designed to be simple to deploy and simple to operate. No external databases, no SaaS dependencies, no data leaving your AWS account.
| Layer | Technology | Why |
|---|---|---|
| Backend | Python 3.11 / Flask | Lightweight, single-file entry point |
| AI Agent | AWS Strands Agents SDK + Bedrock | Native tool use, not just prompt wrapping |
| Default Model | Amazon Nova Lite | Low cost, fast inference, configurable |
| Frontend | Vanilla JS / CSS | Zero build step, no npm dependencies |
| Deployment | Docker / Docker Compose | One command to run, Kubernetes manifests included |
| Data Storage | Local filesystem (Docker volume) | Analysis history saved as downloadable Markdown |
The AI layer is the key differentiator. This isn’t a dashboard that shows you numbers — it’s an agent with tool use. The Strands Agent can call back into AWS during the interactive chat session using the use_aws tool, meaning it can investigate things the initial scan didn’t cover. Ask it “why is my NAT Gateway bill so high?” and it will pull flow log data, analyze traffic patterns, and recommend VPC endpoint alternatives — with specific commands to create them.
Get Started in 5 Minutes
The setup is straightforward. You need AWS credentials with read-only access and Amazon Bedrock model access enabled.
```bash
# Clone the repository
git clone https://github.com/45squaredLLC/aws-cost-agent.git
cd aws-cost-agent

# Option A: Run the setup script (creates IAM user + .env)
bash setup-aws.sh

# Option B: Create .env manually from the template
cp .env.example .env

# Launch
docker compose up --build
```
Open http://localhost:5000 and click “Analyze My AWS Account.” The scan takes a few minutes depending on how many regions and resources you have. Results are displayed in the browser and saved as Markdown for your records.
The repo also includes production deployment examples for Docker with nginx reverse proxy and a full Kubernetes manifest set (namespace, secret, deployment, service, PVC, and ingress).
Why We Open Sourced It
Cost optimization tools shouldn’t require you to send your AWS inventory to a third party. Your resource data, your spending patterns, your infrastructure topology — that’s sensitive information. We built the AWS Cost Agent to run entirely within your own environment. Credentials never leave your network. The only external call is to Amazon Bedrock for the AI analysis, and that stays within your AWS account.
Open sourcing it means you can audit every line of code, customize the scanning logic, swap in a different Bedrock model, or extend the agent’s tools for your specific needs. Fork it, modify it, run it in your VPC — that’s the point.
