Categories
Security & Monitoring

Improve Your SCP Foundation In AWS Organizations

scp800600

AWS Organizations now supports the full IAM policy language in Service Control Policies (SCPs). In this post, learn how to use the new features safely along with some examples.

(Oh, and for those unclear on the niche image header. – Ed)

Table of Contents

Introduction

On 19 September 2025, AWS announced and posted that AWS Organizations now offers full IAM policy language support for service control policies (SCPs):

AWS Organizations now offers full IAM policy language support for service control policies (SCPs), enabling you to write SCPs with the same flexibility as IAM managed policies. With this launch, SCPs now support use of conditions, individual resource ARNs, and the NotAction element with Allow statements. Additionally, you can now use wildcards at the beginning or middle of Action element strings and the NotResource element.

In this post, I’ll explain what this change means in practice, provide examples from my AWS accounts, and share patterns to help adopt the new features safely. Whether implementing organization-wide guardrails, securing sandbox accounts or preventing accidental outages, this guidance will show how to get the most from SCPs after this update.

Service Control Policies

This section examines SCPs in closer detail. What are they? What do they do? And what benefits do they offer?

What Are SCPs?

Service Control Policies (SCPs) are an AWS Organizations feature that apply permission guardrails across multiple AWS accounts. To use SCPs, the AWS Organization must have all features enabled.

SCPs do not grant permissions. Instead, they define the maximum available permissions that IAM users and roles in an account can receive. Any action not permitted by an SCP is implicitly denied, even if an IAM policy within the account allows it. SCP syntax is similar to that used by IAM permission policies and resource-based policies (such as S3 bucket policies).

SCPs can be attached to the root of an AWS Organization, to an Organizational Unit (OU), or to individual accounts.

What Do SCPs Do?

SCPs use IAM policies and resource policies to determine whether to permit an action. The evaluation process consists of three parts:

Hierarchy & Inheritance

SCPs flow down through an AWS Organization. Attach a policy at the root, and everything underneath, including both OUs and accounts, inherits it. Each account ends up with the combined effect of every SCP above it.

Testing policies in a non-production OU before using them more widely helps to prevent unexpected lockouts!

Interaction with IAM and Resource Policies

SCPs define the boundaries within which IAM and resource policies operate. If either an SCP or IAM policy denies the action, then the request will be rejected. SCPs apply to all IAM users in an account, including the root user. Service-linked roles are usually exempt, allowing AWS services to function properly.

AWS have great documentation regarding how SCPs and IAM are evaluated.

Allow and Deny Approaches

By default, each account inherits the AWS-managed FullAWSAccess SCP that imposes no restrictions. Administrators can then apply additional policies using one of two strategies:

  • Deny list: Retain FullAWSAccess and add explicit Deny statements for disallowed services or actions.
  • Allow list: Remove FullAWSAccess and explicitly allow only the required services and actions. Everything else is implicitly denied.

In both models, explicit Deny statements always take priority.

Benefits Of SCPs

SCPs provide several advantages for organizations operating at scale or under compliance requirements:

  • Centralised Governance: Policies can be applied uniformly across all accounts from a single, central location. This reduces configuration drift and ensures consistent governance.
  • Enforcing Least Privilege: SCPs support least privilege by limiting available services and actions to only those that are approved. Additionally, newly launched AWS services can be blocked until they are approved.
  • Compliance & Risk Management: SCPs can implement controls like restricting access, requiring encryption or preventing the deletion of critical resources. These measures help reduce the risks associated with accidental misconfigurations and malicious actions.
  • Scalability & Efficiency: Managing IAM policies across multiple accounts is inefficient. SCPs streamline management by allowing the implementation of guardrails at both the OU and root levels.
  • Autonomy With Boundaries: SCPs create a secure outer boundary, allowing account teams to manage IAM policies within that boundary. This approach strikes a balance between enabling self-service and maintaining organizational controls.

Useful SCP & IAM Sites

This section has sites that I frequently hunt for when researching or writing SCPs for my AWS Organizations. This can be a struggle, as I usually forget what they’re called or what to search for! So for all the times I’ve remembered that these sites exist but couldn’t find them, they are here. This one’s for you Future Damo.

aws.permissions.cloud

aws.permissions.cloud compiles and organises a comprehensive collection of AWS IAM actions, managed policies, and permission metadata. This is presented in a searchable and structured format that includes tables and visualisations. The website uses the IAM Dataset created by AWS Community Hero Ian Mckay. Users can navigate the site using the left sidebar or by searching for a specific managed policy, IAM permission, or API method using the search bar at the top.

When comparing permissions.cloud‘s S3 Permissions Reference to the AWS S3 Service Authorization Reference, the two have many similarities. However, permissions.cloud features a better layout and includes a Used By column that indicates which AWS APIs use that IAM action.

In some cases this may be obvious, like the S3.AbortMultipartUpload API call using the s3:AbortMultipartUpload IAM action. Where this shines is with less obvious cases, like the FSx.CreateAndAttachS3AccessPoint API‘s use of the s3:CreateAccessPoint IAM action. While this information is all available in the documentation, having it all together in a searchable table is highly convenient.

2025 09 30 permissionscloud

asecure.cloud

asecure.cloud is a cloud security and compliance platform that aggregates AWS-recommended security configurations, automates environment assessments and enables rapid infrastructure-as-code remedial deployment.

The platform includes a library of security controls for numerous AWS services, IAM policies, cost controls and a configuration builder. While some content is premium-only, the free resources are substantial. Examples can be deployed using CloudFormation (and Terraform in many cases) custom templates, as well as AWS CLI scripts. For example, this page has a repository for Service Control Policy templates in several formats.

2025 09 28 asecurecloudSCPs

Speaking of which…

SCPs I Use

This section has some SCPs I use in my previously discussed AWS Organization. Each SCP has a policy and a brief description of what it does.

Deny LeaveOrganization

This policy, included in the AWS example SCPs, stops member account administrators from removing their accounts from an AWS Organization:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "organizations:LeaveOrganization"
            ],
            "Resource": "*"
        }
    ]
}
  • Actions: Targets organizations:LeaveOrganization.
  • EffectDeny – Blocks the specified action
  • Condition: None – applies unconditionally to all accounts
  • Result: The account cannot leave an AWS Organization.

Restrict EC2 Instance Type

This asecurecloud policy prevents the launch of any EC2 instance type that isn’t allowed. I’m no big user of EC2, so this is currently set to t3.micro:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": "t3.micro"
                }
            }
        }
    ]
}
  • Action: Targets ec2:RunInstances
  • EffectDeny – blocks the action when conditions are met
  • ConditionStringNotEquals with ec2:InstanceType: "t3.micro"
  • Result: Denies launching any EC2 instance that is NOT a t3.micro

Restrict Lambda Python Runtime

This policy prevents the deployment of Lambda functions using the specified runtimes. This ensures that an account’s Lambda functions are consistent:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnsupportedLambdaRuntimes",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "lambda:Runtime": [
            "python3.11",
            "python3.10",
            "python3.9"
          ]
        }
      }
    }
  ]
}

How it works:

  • Actions: Targets both lambda:CreateFunction and lambda:UpdateFunctionConfiguration
  • EffectDeny – blocks actions when conditions are met.
  • ConditionForAllValues:StringEquals with denied runtimes.
  • Result: Users can’t create or update Lambda functions using Python 3.9, 3.10, or 3.11.

Restrict AWS Service Use

This policy restricts AWS service usage to only specified services in approved regions.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowServicesBasedOnRegion",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "states:*",
        "lambda:*",
        "cloudformation:*",
        "iam:*",
        "cloudwatch:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "AWS-REGION-1",
            "AWS-REGION-2"
          ]
        }
      }
    }
  ]
}

Actions:

  • ec2:* – All EC2 operations
  • s3:* – All S3 operations
  • states:* – All Step Functions operations
  • lambda:* – All Lambda operations
  • cloudformation:* – All CloudFormation operations
  • iam:* – All IAM operations
  • cloudwatch:* – All CloudWatch operations
  • EffectAllow – Permits the specified actions when conditions are met.
  • ConditionsStringEquals with aws:RequestedRegion matching “AWS-REGION-1” or “AWS-REGION-2”

Result:

  • Only the seven specified service categories are allowed.
  • These services only work in the two specified regions.
  • All other AWS services are implicitly denied.
  • All other regions are blocked for any service.

Summary

In this post, we learned how to use the new AWS Organizations SCP features safely along with some examples.

Full support for IAM policy language in SCPs greatly enhances the governance capabilities of AWS Organizations. This allows for resource-level constraints, conditional logic and advanced action matching. To implement these features effectively, follow clear change control processes:

  • Validate policies in isolated OUs
  • Run representative simulations.
  • Stage deployments.
  • Ensure that centralised documentation and incident recovery plans are established.

Like this post? Click the button below for links to contact, socials, projects and sessions:

SharkLinkButton 1

Thanks for reading ~~^~~

Categories
Data & Analytics

Visualising FinOps With AWS Cost Management Dashboards

VisualisingFinOpsWithAWSCostManagement4Dashboards

In this post, I explore how AWS Billing & Cost Management Dashboards streamline FinOps, monitor service costs and create clear, shareable visual narratives.

(Also, yes – amazonwebshark has been around since 2021 and I can’t believe this is the first time FinOps has been mentioned – Ed.)

Table of Contents

Introduction

On 20 August 2025, AWS announced the general availability of Billing and Cost Management Dashboards. Before this, visualising costs meant flipping between various invoices and Cost Explorer windows. This new feature eliminates that. Users can now visualise and analyse AWS spending in a single view using custom dashboards, combining data from AWS Cost Explorer with Savings Plans and Reserved Instance coverage and utilisation reports.

As a long-time data professional and analytics geek, I loves me some graphs. And as someone who regularly uses Cost Explorer in various ways, I was keen to check this out. One thing led to another and this post emerged!

I’ll begin by examining the benefits of the new AWS Billing and Cost Management Dashboards and how to access them. Then I’ll build two dashboards – one in a standalone AWS account and another in my AWS Organisation Management account. Finally, I’ll examine how to share dashboards between AWS accounts.

Firstly though, I’ll be talking about FinOps, visualisation narratives and data storytelling in this post. These might be new concepts to some, so let’s start with some explainers.

About FinOps

FinOps is short for ‘Financial Operations’. It’s the practice of bringing together finance, engineering, and business teams to maximise the value of cloud spend. Instead of cloud bills being something only Finance is concerned with, FinOps makes cost awareness part of everyday decisions – both non-technical and technical.

FinOps isn’t just for accountants. Engineers can see how their services contribute to the monthly bill, Finance can track patterns and generate forecasts, and leadership gets high-level visuals they can view and share without needing to interact with spreadsheets and raw data. FinOps can also help during negotiations with service providers and cloud platforms, from SLAs to resource reservations.

Data Storytelling & Narratives

Visualisation narratives and data storytelling both focus on using charts and visuals to add context to raw data. They combine data, visuals and narrative to show both what is happening and why it matters. The goal is to create a unified message that moves from context to evidence to insight, rather than using isolated charts.

In cost management, this means structuring dashboards so visuals tell a story: a high-level view of overall spend, followed by the accounts or services driving these costs, and then the details that provide supporting evidence. This turns a dashboard into a coherent narrative that links costs to activity and business goals.

The value lies in this clarity. Narratives reduce noise, highlight what matters, and make cost information accessible to both technical and non-technical teams. They also reflect FinOps guidance on timely and accessible reporting, aligning with the AWS Well-Architected focus on continual optimisation.

Dashboard Benefits

AWS Billing and Cost Management Dashboards help support key industry standard cost guidance. An example of this is the FinOps Foundation‘s FinOps Principles, including:

  • Enabling teams and account owners to monitor and manage cloud spend without relying on external teams or tools.
  • Allowing centralised FinOps teams to highlight and promote key cost metrics consistently across the organisation.
  • Providing real-time updates, ensuring accuracy and constant access without requiring data team oversight.
  • Supporting collaboration between finance and technology teams to understand costs and their alignment with business goals.

AWS Billing and Cost Management Dashboards also align with the AWS Well-Architected Framework’s Cost Optimization Pillar goals. For example:

  • Encouraging active and ongoing management of cloud costs, rather than end-of-month reporting.
  • Increasing awareness of usage and expenditure to enable informed decisions.
  • Making it simple to identify resources or services that may not be cost-effective.
  • Revealing usage trends against demand to ensure resources scale appropriately without overspending.
  • Showing long-term patterns to validate optimisation efforts and drive continuous improvement.

Additionally, sharing dashboards from AWS Organization Management accounts means fewer people need direct access to the account itself, supporting security best practices. And because Billing and Cost Management Dashboards are free to use and require no knowledge of Amazon Quicksight, they come with almost no technical or financial overhead.

Creating Dashboards

The new AWS Billing & Cost Management Dashboards are accessible via Billing & Cost ManagementDashboards:

2025 08 24 AWSBIllingDashboardsNew

The Dashboards console then appears, showing all dashboards by default and a tab for shared dashboards:

2025 08 24 AWSBIllingDashboardsAll

Finally, this is the screen for adding widgets to a new dashboard:

2025 08 24 AWSBIllingDashboardsEmpty

There are two types of widgets:

  • Custom widgets for bespoke reporting needs.
  • Predefined widgets for common use cases. These can also be customised as needed.

These widget types are explained fully in the AWS Cost Management widget types documentation. Having selected and positioned a widget, it can then be customised using the Cost Explorer UI and features, including filters, dimensions, and granularity.

(Aside – there are several widgets aimed at Reservations and Savings Plans. I don’t really use these in my AWS accounts, so you won’t see them being used in this post – Ed)

AWS Cost Explorer and Cost Management Dashboards use the same billing data but serve different purposes. Cost Explorer is ideal for digging into details, while Dashboards focus on building clean, repeatable and shareable views that fit into reports or presentations for technical and non-technical stakeholders.

When creating or editing dashboards, time periods can be set at both the dashboard and widget levels:

  • Dashboard-level time periods apply temporarily to all widgets and reset when leaving or refreshing the dashboard.
  • Widget-level time periods are saved with each widget and persist until changed.

Single Account Dashboard

In this section, the focus is on building a dashboard for a standalone AWS account. Using a mix of predefined and custom widgets, it’s possible to track costs at both the service and API operation level, reveal usage patterns over time, and spot trends that may indicate opportunities for optimisation.

Monthly Service Costs

Let’s start with a predefined Monthly Costs By Service widget:

2025 08 24 SingleAccMonthlyService

This chart displays six months of service usage, with S3 accounting for the majority and showing a recent downward trend. While there are empty sections showing service utilisation with very low or no cost, I’ve left the widget filterless in case that changes in future.

Daily Service Costs

Next, let’s include a predefined Daily Costs widget:

2025 08 24 SingleAccDaily

This is the default bar chart, and it’s not that useful here because it doesn’t tell me much. So let’s make some changes. This menu is available for all widgets:

2025 08 24 SingleOptions

Under Change Vizualisation Type, there are options for a bar chart, line chart, stacked bar chart and table. Given that I want to track my cost trends over time, a line chart is best suited here.

The Daily Costs line graph looks like this:

2025 08 24 SingleAccDailyLine

This still isn’t great as the regular spikes are off-putting. These spikes are a combination of Route53 hosted zones and Tax. However, as both these costs are only debited once a month, and at the same time each month (the 1st), they appear out of place here, as the spikes create an alarming-looking chart. In reality, these are standard events.

Looking back at the earlier chart, the biggest cost by far is S3. Let’s adjust the graph to analyse that by updating the Service filter to only include S3. A quick update of the chart’s title and description produces this:

2025 08 24 SingleAccDailyLineS3

This is much more helpful! Easier to read and comprehend, and has a clear message and narrative. Daily S3 costs in this account were around 20¢ per day from February to May, then almost halved in June and were under 1¢ per day by the end of July.

Spotting sudden drops like this is useful, as it can flag lifecycle rules kicking in, data movement between storage classes or workload shifts. Equally, a steady rise can indicate the need for lifecycle policies or changes in access patterns.

API Operation Costs

Let’s go deeper into the account spend with a custom Cost widget grouped by the API Operation dimension:

2025 08 24 SingleAccCostsAPI

Urgh. Couple of problems here:

  • The chart’s narrative is hard to understand as the bars are sorted by total expenditure across the entire time period of the chart. For example, StandardIAStorage is huge in May, barely there in June and gone in July. And it’s not even in the July bars at all. Yet it’s always the first bar because it’s the biggest spend overall. Confused yet?
  • The legend confuses further. No Operation is Tax – while this is correct within the context of the API Operation dimension, it doesn’t help the chart’s story. And Others is no help at all.
  • Finally, that axis is no use. What was the cost of PutObject in May? And how does it compare to July? No idea.

Given that I want to examine individual API-level costs here, a table is a better choice. It provides precise totals with no need for axis interpretation, shows a $0 spent as a value rather than the absence of a column, and eliminates the requirement to compress everything into a summarised, non-scrolling visual, thereby removing the vague Others legend and axis.

Finally, let’s exclude Tax from the Service filter (yes Tax is a service) and I get something far closer to what I want:

2025 08 24 SingleAccCostsAPITable

This dashboard allows me to track both monthly and daily spending, analyse costs by service and API operation, and identify any unusual spikes or drops. It simplifies monitoring trends, such as changes in S3 usage, and helps me pinpoint exactly where expenses are occurring. This way, I can quickly focus on areas that may require attention, turning detailed cost data into a clear and understandable overview of account activity.

AWS Organisations Dashboard

In this section, the focus shifts to dashboards in an AWS Organisation Management account. The goal is to track costs across multiple linked accounts, understand how AWS credits are being used, and monitor S3 Standard usage.

Note that the charts in this section appear slightly different, as they exclude my organisation’s AWS accounts. While the names are fine, the charts also include AWS account IDs, which I consider sensitive and prefer not to share.

Linked Account Costs

Let’s start with a default predefined Monthly Costs By Linked Account widget:

2025 08 25 MultiLinked

Ok so there’s a lot of empty space here. Although this organisation has existed for a while, it only began generating costs in May 2025. Additionally, the chart does not include any costs for July. This is because I applied my AWS Community Builder credits then, so future months will also follow this behaviour by default.

Let’s make this chart more useful by changing the date range from the last six months to the last three months and amending the Charge Type filter to exclude AWS credits, thereby showing my original spend:

2025 08 25 MultiLinkedAmended

As the July spend now dwarfs that of the other months, the axis makes the visual fairly useless. What’s July’s blue bar value? For that matter, what’s June’s green bar value? No idea at all.

Given that I want exact values, and that these values can be wildly different from month to month, this visual works far better as a table:

2025 08 25 MultiLinkedAmendedTable

The monthly spend for each member account is now far easier to see.

AWS Credits Usage

In the first chart I excluded my AWS credits to see my original spend. But it’d also be helpful to know more about my Community Builder credit usage. Am I burning through them quicker than anticipated? To what extent are the credits covering my AWS spend? And, given they’ll expire eventually, should I be bolder with my cloud spend to get the most out of my credits while I have them?

To visualise this, let’s make a custom Cost widget focusing on the Charge Type dimension:

2025 08 25 MultiCostType

This is already helpful but, like the first chart, a table is better here for precision and clarity:

2025 08 25 MultiCostTypeTable

And let’s update the widget’s title and description to communicate what is being shown:

2025 08 25 MultiCostTypeTableDescription

S3 Standard Usage

Finally, I want to create an early warning system. When storing objects in S3, the default is usually Standard. There’s nothing wrong with this, and S3 Standard is a good choice for short-lived data.

However, it’s also among the most expensive of the S3 storage classes, and if multiple accounts in my organisation are using S3 Standard when they don’t need to, then I’m neither following best practice nor am I well-architected.

So monitoring my organisation member accounts’ use of S3 Standard is a good idea. This will measure when my S3 standing utilisation is trending upwards, showing me where to focus my optimisation efforts if they are needed. I can do this using a Custom Usage widget, configured with a Usage Type Group of S3 Standard:

2025 08 25 MultiUsageS3

As this value is being tracked over time, a line chart is more suitable:

2025 08 25 MultiUsageS3Line

I experimented with changing the granularity from monthly to daily, but I wanted to keep this dashboard for monthly reporting, intended for observability rather than alerting. That’d be better suited to a custom usage AWS Budget configured to monitor a daily S3 Storage: Standard usage type group.

This trend can be further tracked by adjusting the dashboard’s date range. The visuals below show cost data from 01 July to 25 August, showing a downward S3 Standard usage trend and my August 2025 costs up to that point:

2025 08 25 MultiAugust

This multi-account dashboard allows me to track monthly spending across linked accounts. It provides insights into how AWS credits are being used to offset costs and helps me monitor trends in S3 Standard storage across the organisation. With this dashboard, I can easily identify which accounts are driving costs, understand how credits are applied, and pinpoint areas where S3 usage may need optimisation. It transforms multiple streams of raw billing data into a simple, cohesive view.

Sharing Dashboards

Once dashboards are created, they can be shared. Sharing allows teams, finance stakeholders, and other account holders to view or collaborate on dashboards without requiring direct access to the underlying AWS account. This makes it easier to align on costs, promote FinOps practices, and ensure visibility across the organisation.

Accounts can be shared both within and outside of an AWS Organization:

2025 08 28 SelectRecip

Behind the scenes, both sharing options are handled by AWS Resource Access Manager (RAM). If an active AWS Organization exists, then the dropdown list is populated with the member accounts. Alternatively, account IDs can be entered manually.

While this view is the same whether AWS Organizations is enabled or not, accounts not in an AWS Organization will see an error when interacting with this list:

2025 08 24 SharingError

As accounts are selected, their access can be set as:

  • Can View: Recipients can view the dashboard but cannot make changes.
  • Can Edit: Recipients can view and modify the dashboard configuration.

The selection process is very flexible. A single sharing configuration can include both internal and external accounts, and can assign these accounts to either permission scope. Accounts are added to the Added Recipients section as they are selected, showing which accounts can access the dashboard and with what scope:

2025 08 28 AddedRecipients

These accounts will then view the dashboard in the Shared With Me tab of their Billing & Cost Management console. While users can view the dashboard layout and widget configurations, they don’t have access to the underlying data. Also, the data they do see is based on their IAM permissions.

Sharing dashboards enables collaboration among teams and finance stakeholders, offering visibility into costs while eliminating the need for direct account access.

Summary

In this post, I explored how AWS Billing & Cost Management Dashboards streamline FinOps, monitor service costs and create clear, shareable visual narratives.

As demonstrated, I’m already using this feature and am a very happy customer! I love how simple and expressive it is, and especially appreciate not having to manage any backend ETLs or pipelines. I am 100% the type of user this feature was built for, and it delivers exactly what I need to monitor, understand and communicate AWS costs across accounts with minimal effort.

I’ve got a few wishlist items. Exporting daily dashboard snapshots via SNS to Slack or email would be useful. This is a PowerBI feature that would work well here, especially since the data wouldn’t be shared – only a snapshot of the dashboard and a link to the resource. Support for CloudFormation and CDK would also make adoption and repeatability easier.

AWS Billing & Cost Management Dashboards make it simpler to build cost narratives, share insights, and track usage without the overhead of QuickSight or third-party tools. They are available at no additional cost in all AWS commercial regions.

Like this post? Click the button below for links to contact, socials, projects and sessions:

SharkLinkButton 1

Thanks for reading ~~^~~

Categories
Training & Community

Exploring The AWS Free Tier Changes

ExploringTheAWSFreeTierChanges800600

AWS has announced changes to its Free Tier. In this post, learn what’s changed, what’s included, and what it means for new and returning users.

Table of Contents

Introduction

Out of the blue on 11 July, AWS announced fundamental changes to the AWS free tier:

AWS accounts launched before 15 July retain their current free tier duration, allowances and terms and conditions. New AWS accounts after this date now offer two options – a Paid Plan and a Free Plan.

For those familiar with AWS, the Paid Plan resembles the AWS we know and are used to. This plan is designed for production applications, grants access to all AWS services and features, and provides payment options like pay-as-you-go and savings plans.

2025 07 15 AWSConsoleSignupPaid

The new Paid Plan also includes the existing always-free services, including:

Then there’s the Free Plan:

2025 07 15 AWSConsoleSignupFree

The free plan also includes the always-free services alongside some entirely new aspects, so let’s take a closer look at its main features.

Major Changes

This section examines the main features of the new AWS Free Plan.

Credits

Where previously new users had free tier allowances on several services, they now receive $100 USD in AWS credits at signup.

A further $100 USD credits can be earned by completing activities using foundational AWS services. This includes launching an EC2 instance, creating an AWS Lambda-backed web app and, brilliantly, setting up an AWS Budget cost budget! Incentivising this for new AWS users is long overdue.

Free plan credits expire 12 months after the date of issuance. However, this doesn’t equate to having twelve months of account access…

Account Expiry

With the previous free tier offering, accounts remained open after the free tier period ended. Now there’s an in-built expiry:

Your free plan expires the earlier of (1) 6 months from the date you opened your AWS account, or (2) once you have exhausted your Free Tier credits.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-FAQ.html

When a free plan expires, the account will close automatically and access to current resources and data will be lost. AWS retains the data for 90 days after the free plan’s expiry, after which it will be entirely erased.

Retrieval after this point is possible, but requires an upgrade to a paid plan to reopen the account. Note that this isn’t automatic – users must consent to being charged as part of the upgrade process.

The expiration date, credit balance, and remaining days of a free tier account can be monitored through the Cost and Usage widget in the AWS Management Console Home, or programmatically using the AWS SDK and command line at no cost via the GetAccountPlanState API. AWS will also send periodic email alerts regarding credit balances and the end of the free plan period.

Service Restrictions

Where previously a new account could use most AWS offerings immediately, free plan accounts now have some limitations. This is the AWS rationale:

Additionally, free account plans don’t have access to certain AWS services that would rapidly consume the entire AWS Free Tier credit amount, or hardware purchases.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier.html

There’s roughly a 50/50 eligibility split of the AWS service catalogue, with some interesting choices that I’ll go into…

New User Considerations

This section examines considerations of the AWS free tier changes for beginners with no prior AWS experience.

Usage-Linked Closure Is Good…

The new Free Plan stops one of the tales as old as time, where new AWS users join up, try out all their shiny new toys and then get spiked by a massive bill. Or their access keys are exposed and stolen, creating a massive bill. Or they spin up an EC2 instance outside of the free tier and get a massive bill. And so on.

Well now, the user only spends their credits. And when the credits are used up, the account closes. The user loses their free plan, but they don’t lose the shirt off their back. Nor do they have to go to AWS cap in hand.

This also addresses another common concern: “I forgot my account was open, and now it’s been hacked!” Not anymore – accounts will close automatically after six months. This feature also helps limit financial damage from DDoS attacks, exposed credentials and similar risks.

Sounds great, right?

…But Isn’t Infallible

There are circumstances where having account closure linked to a credit balance is less desirable:

  • A user builds something that explodes in popularity.
  • Online attackers deliberately target an account.
  • A user misconfigures a resource.

These circumstances, and others, will quickly eat through the credits and trigger the account’s closure. What would happen in this situation is currently unclear – would AWS hit the brakes immediately? Is there a grace period of any sort? Either way, observability and monitoring are vital – the budget alert is a great start, and CloudWatch is included in the Free Plan.

Potential Credits Confusion

Finally, I feel that there may be potential confusion between the free plan credits that expire in twelve months and the free plan that expires in six months. My interpretation is that free users upgrading to a paid plan after six months will be able to continue using any remaining credits for the following six months.

I feel that some new users will see their account expiry coming up while their credits have over six months remaining, assume the account expiry is wrong and then be surprised when their account shuts. It sounds like AWS will make this as obvious as possible to account owners. I guess we’ll find out on Reddit in six months…

Experienced User Considerations

This section discusses the AWS free tier changes for users with prior AWS experience.

Free Tier Policing

I’ve already seen this ruffle some Internet feathers.

Traditionally, AWS were fairly flexible with new accounts. While officially only one email address can be associated with an account, AWS kinda ignored plus addressing. This allowed users to have multiple free tier accounts, and to start a new account when the free tier on their existing one expired.

Well not any more! AWS make it very clear in their FAQs:

“You would be ineligible for free plan or Free Tier credits if you have an existing AWS account, or had one in the past. The free plan and Free Tier credits are available only to new AWS customers.”

https://aws.amazon.com/free/free-tier-faqs/

Now, if a user has an existing account and tries to make a new one, even with plus addressing, they will see this message at the end of the process:

2025 07 15 AWSConsoleNotEligable

No doubt there are parts of the Internet that will find ways around this. I haven’t pursued it personally as I was only interested in checking the restrictions of certain services. AWS themselves don’t have this problem of course, and have their own blog post about the Free Tier update with various screenshots and explanations.

Speaking of restrictions…

Unusual Service (In)Eligibility Choices

This section is based on the original Excel sheet given by AWS in July 2025 and may be subject to change – Ed

As mentioned earlier, AWS now limit the available services on their Free plan:

Free account plans don’t have access to certain AWS services that would rapidly consume the entire AWS Free Tier credit amount, or hardware purchases.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier.html

That said, there are some unusual choices here regarding services that are and aren’t eligible for the free plan.

Firstly, Glue is enabled, but Athena isn’t. So new users can create Glue resources, but can’t interact with them using Athena. I’m confused by this – for Athena to be costly, it usually requires querying data in the TB range that a new AWS account simply wouldn’t contain. Nor does it need specialised hardware. AWS even credits Athena with “Simple and predictable pricing” on its feature page, so why the Free Plan exclusion?

Also confusingly, CodeBuild and CodePipeline are eligible, but CodeDeploy isn’t. Can’t say I understand the logic behind this either!

Other exclusions make more sense. S3 is eligible, but Glacier services aren’t. Fair enough – Glacier is for long-lived storage, while free plans have six-month limits. Presumably, S3 Intelligent Tiering also excludes Glacier on the Free Plan.

Elsewhere, EC2 is eligible but I’ve not been able to check how limited the offering is. Trawling Reddit suggests only the t3.micro instance is available, but if this isn’t the case then many instance types exist that could rapidly burn through $200.

ec2 free limits

AWS CloudHSM is also eligible, with average costs around $1.50 per instance per hour. This totals about $36 per day or $100 over three days, somewhat contradicting AWS’s reasoning for the limitations. And while users could be frugal with using it, these are new users who are likely to be using AWS for the first time.

There’s a list of Free Plan eligible services, but it’s not easy to browse.

Immediate Credit Expiry

Finally, new users should be aware that certain actions immediately forfeit free tier credits. Most notably:

When your account joins AWS Organizations or sets up an AWS Control Tower landing zone, your AWS Free Tier credits expire immediately and your account will not be eligible to earn more AWS Free Tier credits.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-FAQ.html

Now, these are hardly services that a new user would need. However, an organisation or educational body would want to bear this in mind if they were encouraging staff or students to try AWS out. The free accounts must remain under the ownership of individual users. Any attempt to bring them into an existing AWS Organisation will kill their free tier!

Separately, this simplifies things for those of us already using Organisations or Control Tower – accounts created using these services will immediately be on the paid plan with no usage restrictions.

Summary

This blog post focused on the recent changes to AWS’s Free Tier, which allows new users to select either a Paid Plan or a Free Plan. It highlighted the main modifications made, specified which services were included or excluded, and considered the impact of these changes on both novice and seasoned users.

Overall, I see this as a positive change. The AWS Free Tier offering has been divisive for some time, and these changes go a long way towards softening many of its rough edges. While not everyone will get what they want, these changes greatly help to address the concerns and challenges faced by newbies in the past.

New users of AWS in 2025 should consider the same advice as in years prior:

  • Security first, always.
  • Check the cost of services before spinning them up.
  • Turn unused services off.
  • And finally, don’t forget to set that budget alarm!

New users can sign up for an AWS Free Plan at aws.amazon.com/free.

2025 07 15 AWSFreeTierStart

Like this post? Click the button below for links to contact, socials, projects and sessions:

SharkLinkButton 1

Thanks for reading ~~^~~