engineering · 4 min read
Cost-Control "Kill Switch" for AWS CloudFront?
Trying to use AWS Cloudwatch to implement a "kill switch" that automatically disables CloudFront distribution if the bandwidth cost exceeds a specified threshold.

A client has an AWS setup that serves a static site from S3 via CloudFront, including some large files.
This configuration presents a risk: a bug, or a malicious actor, could request these large files over and over and rapidly inflate our AWS bill.
Given that AWS's EstimatedCharges metric updates only every six hours and resets monthly, monitoring it is not suitable for the immediate response our scenario requires.
AWS CloudFront does include some mitigation against DDoS attacks, but not at the application layer.
The client would rather interrupt the service for everyone than face extremely high bills.
Cost Calculation
We have configured our CloudFront distribution with PriceClass_100, so content is delivered only from North American and European edge locations, avoiding the more expensive regions.
Serving under 10 TB, our cost is approximately $0.085 per GB, bandwidth being the primary cost factor. Our objective is to monitor that bandwidth and trigger protective measures if the cost risks exceeding our budget.
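As an added example (not the post's own code), here is how the $0.085/GB figure turns into a CloudWatch alarm threshold, plus a replay of constructed metric datapoints showing the period at which such a kill switch would fire. It assumes the alarm watches CloudFront's global BytesDownloaded metric summed per 5-minute period, that AWS bills binary gigabytes, and that the budget is expressed per alarm period; the distribution ID is a placeholder.

```python
from datetime import datetime, timedelta

PRICE_PER_GB_USD = 0.085   # from the post: PriceClass_100, under 10 TB
GB = 1024 ** 3             # assumption: AWS bills bandwidth in binary GB


def threshold_bytes(budget_usd, price_per_gb=PRICE_PER_GB_USD):
    """Bytes that may be served in one alarm period before that period's
    bandwidth cost exceeds budget_usd."""
    return int(budget_usd / price_per_gb * GB)


def alarm_params(distribution_id, budget_per_period_usd, period_s=300):
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(**params).
    Assumption: the kill switch watches CloudFront's global BytesDownloaded
    metric (namespace AWS/CloudFront, only visible in us-east-1)."""
    return {
        "AlarmName": f"cloudfront-bandwidth-kill-switch-{distribution_id}",
        "Namespace": "AWS/CloudFront",
        "MetricName": "BytesDownloaded",
        "Dimensions": [
            {"Name": "DistributionId", "Value": distribution_id},
            {"Name": "Region", "Value": "Global"},
        ],
        "Statistic": "Sum",
        "Period": period_s,
        "EvaluationPeriods": 1,
        "Threshold": threshold_bytes(budget_per_period_usd),
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # quiet periods must not trip it
    }


def first_breach(datapoints, budget_per_period_usd):
    """Replay (timestamp, bytes_in_period) datapoints as the alarm would and
    return (timestamp, period_cost_usd) for the first period over budget,
    or None. Useful for dry-running a threshold against real metric data
    before wiring the alarm to an action that disables the distribution."""
    limit = threshold_bytes(budget_per_period_usd)
    for ts, nbytes in datapoints:
        if nbytes > limit:
            return ts, round(nbytes / GB * PRICE_PER_GB_USD, 2)
    return None


# Constructed sample: 2 GB per 5 minutes of normal traffic, then one period
# with a 100 GB burst ($8.50), the kind of spike the post wants cut off.
START = datetime(2024, 1, 1, 10, 0)
SAMPLE = [(START + timedelta(minutes=5 * i), 2 * GB) for i in range(6)]
SAMPLE.append((START + timedelta(minutes=30), 100 * GB))

if __name__ == "__main__":
    print(alarm_params("EXAMPLEDISTID", budget_per_period_usd=5.0))
    print(first_breach(SAMPLE, budget_per_period_usd=5.0))
```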