@icarusmx/creta 1.5.6 → 1.5.8

package/lib/exercises/aws-billing-detective.md

@@ -0,0 +1,588 @@
+# AWS Billing Detective Guide 🕵️
+
+## The Mystery: "I turned everything off but AWS still charges me"
+
+Common culprits (in order of likelihood):
+1. **EBS Volumes** (orphaned disks after stopping EC2)
+2. **Elastic IPs** (charged when not attached to running instance)
+3. **Snapshots** (backups accumulating)
+4. **NAT Gateways** ($0.045/hour = $32/month EACH)
+5. **Load Balancers** (ALB/NLB = $16-22/month each)
+6. **RDS instances** (databases running in background)
+7. **S3 storage** (forgotten buckets)
+8. **CloudWatch logs** (accumulating logs)
+9. **Data transfer** (cross-region/out-to-internet)
+
+---
+
+## Part 1: Get Your AWS Access Keys
+
+### Step 1: Navigate to IAM Console
+1. Log into AWS Console: https://console.aws.amazon.com
+2. Search for "IAM" in top search bar
+3. Click **IAM** (Identity and Access Management)
+
+### Step 2: Create Access Keys
+1. In left sidebar → Click **Users**
+2. Click your username
+3. Click **Security credentials** tab
+4. Scroll to **Access keys** section
+5. Click **Create access key**
+6. Select use case: **"Command Line Interface (CLI)"**
+7. Check acknowledgment box
+8. Click **Next** → **Create access key**
+9. **IMPORTANT:** Download `.csv` or copy both:
+   - Access key ID (like `AKIAIOSFODNN7EXAMPLE`)
+   - Secret access key (like `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`)
+   - **You can't see the secret again!**
+
+### Step 3: (Alternative) Use Existing Keys
+If you already created keys before:
+- Check your `~/.aws/credentials` file
+- Or retrieve from password manager
+- **Never share these or commit to git**
+
+---
+
+## Part 2: Install & Configure AWS CLI
+
+### Install AWS CLI
+
+**macOS:**
+```bash
+brew install awscli
+```
+
+**Linux:**
+```bash
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
+```
+
+**Windows:**
+Download installer from: https://aws.amazon.com/cli/
+
+### Configure AWS CLI
+
+```bash
+aws configure
+```
+
+You'll be prompted:
+```
+AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
+AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+Default region name [None]: us-east-1
+Default output format [None]: json
+```
+
+**Configuration is saved to:**
+- `~/.aws/credentials` (keys)
+- `~/.aws/config` (region/settings)
+
+### Verify Setup
+
+```bash
+aws sts get-caller-identity
+```
+
+Should return your account ID and user ARN.
+
+---
+
+## Part 3: The AWS Billing Audit
+
+### 🔍 Step 1: Check Which Regions You're Using
+
+AWS charges can hide in regions you forgot about.
+
+```bash
+# List all regions
+aws ec2 describe-regions --output table
+
+# Check which regions have resources
+for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
+  echo "Checking region: $region"
+  aws ec2 describe-instances --region $region --output table 2>/dev/null | grep -v "^$"
+done
+```
+
+**Most common regions:**
+- `us-east-1` (N. Virginia) - DEFAULT, check this first
+- `us-west-2` (Oregon)
+- `eu-west-1` (Ireland)
+
+### 🔍 Step 2: Hunt for EC2 Charges
+
+#### List ALL EC2 Instances (all states)
+
+```bash
+# Check default region
+aws ec2 describe-instances --output table
+
+# Check specific region
+aws ec2 describe-instances --region us-east-1 --output table
+
+# One-liner: Show instance ID, state, and type
+aws ec2 describe-instances \
+  --query 'Reservations[].Instances[].[InstanceId,State.Name,InstanceType]' \
+  --output table
+```
+
+#### Stop Running Instances
+
+```bash
+# Stop specific instance
+aws ec2 stop-instances --instance-ids i-1234567890abcdef0
+
+# Stop ALL running instances in region (⚠️ DANGEROUS)
+aws ec2 stop-instances --instance-ids $(aws ec2 describe-instances \
+  --query 'Reservations[].Instances[?State.Name==`running`].InstanceId' \
+  --output text)
+```
+
+#### Terminate Instances (permanent deletion)
+
+```bash
+# Terminate specific instance
+aws ec2 terminate-instances --instance-ids i-1234567890abcdef0
+```
+
+### 🔍 Step 3: Hunt for EBS Volumes (THE USUAL SUSPECT)
+
+**When you stop an EC2 instance, its disk (EBS volume) keeps running and charging!**
+
+#### List ALL EBS Volumes
+
+```bash
+# Show all volumes with state and size
+aws ec2 describe-volumes \
+  --query 'Volumes[].[VolumeId,State,Size,VolumeType]' \
+  --output table
+
+# Show only AVAILABLE volumes (not attached = wasting money)
+aws ec2 describe-volumes \
+  --filters "Name=status,Values=available" \
+  --query 'Volumes[].[VolumeId,Size,VolumeType,CreateTime]' \
+  --output table
+```
+
+**Available volumes = orphaned disks = charging you for nothing**
+
+#### Calculate EBS Costs
+
+```bash
+# Get total GB of volumes
+aws ec2 describe-volumes \
+  --query 'sum(Volumes[].Size)' \
+  --output text
+
+# Rough cost: gp3 = $0.08/GB/month, gp2 = $0.10/GB/month
+# Example: 100GB gp3 = $8/month
+```
+
+#### Delete Unused EBS Volumes
+
+```bash
+# Delete specific volume
+aws ec2 delete-volume --volume-id vol-049df61146c4d7901
+
+# ⚠️ Delete ALL available volumes (be careful!)
+for vol in $(aws ec2 describe-volumes \
+  --filters "Name=status,Values=available" \
+  --query 'Volumes[].VolumeId' \
+  --output text); do
+  echo "Deleting volume: $vol"
+  aws ec2 delete-volume --volume-id $vol
+done
+```
+
+### 🔍 Step 4: Hunt for Elastic IPs (Silent Killers)
+
+**Elastic IPs are FREE when attached to a running instance.**
+**But they cost $0.005/hour ($3.60/month) when not attached!**
+
+#### List Elastic IPs
+
+```bash
+# Show all Elastic IPs
+aws ec2 describe-addresses --output table
+
+# Show unattached IPs (costing money)
+aws ec2 describe-addresses \
+  --query 'Addresses[?AssociationId==null].[PublicIp,AllocationId]' \
+  --output table
+```
+
+#### Release Elastic IPs
+
+```bash
+# Release specific IP
+aws ec2 release-address --allocation-id eipalloc-12345678
+
+# Release ALL unattached IPs
+for ip in $(aws ec2 describe-addresses \
+  --query 'Addresses[?AssociationId==null].AllocationId' \
+  --output text); do
+  echo "Releasing IP: $ip"
+  aws ec2 release-address --allocation-id $ip
+done
+```
+
+### 🔍 Step 5: Hunt for NAT Gateways (EXPENSIVE!)
+
+**NAT Gateways cost $0.045/hour = $32.40/month EACH + data transfer**
+
+#### List NAT Gateways
+
+```bash
+aws ec2 describe-nat-gateways --output table
+
+# Show only active NAT gateways
+aws ec2 describe-nat-gateways \
+  --filter "Name=state,Values=available" \
+  --query 'NatGateways[].[NatGatewayId,State,SubnetId]' \
+  --output table
+```
+
+#### Delete NAT Gateways
+
+```bash
+# Delete specific NAT gateway
+aws ec2 delete-nat-gateway --nat-gateway-id nat-0a1b2c3d4e5f6g7h8
+
+# Delete ALL NAT gateways (⚠️ careful)
+for nat in $(aws ec2 describe-nat-gateways \
+  --filter "Name=state,Values=available" \
+  --query 'NatGateways[].NatGatewayId' \
+  --output text); do
+  echo "Deleting NAT Gateway: $nat"
+  aws ec2 delete-nat-gateway --nat-gateway-id $nat
+done
+```
+
+### 🔍 Step 6: Hunt for Load Balancers
+
+**ALB = $16-22/month, NLB = $16-22/month**
+
+#### List Load Balancers
+
+```bash
+# Application Load Balancers
+aws elbv2 describe-load-balancers --output table
+
+# Classic Load Balancers
+aws elb describe-load-balancers --output table
+```
+
+#### Delete Load Balancers
+
+```bash
+# Delete Application Load Balancer
+aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:...
+
+# Delete Classic Load Balancer
+aws elb delete-load-balancer --load-balancer-name my-load-balancer
+```
+
+### 🔍 Step 7: Hunt for RDS Databases
+
+#### List RDS Instances
+
+```bash
+aws rds describe-db-instances \
+  --query 'DBInstances[].[DBInstanceIdentifier,DBInstanceStatus,DBInstanceClass]' \
+  --output table
+```
+
+#### Stop RDS Instance (temporary - 7 days max)
+
+```bash
+aws rds stop-db-instance --db-instance-identifier mydbinstance
+```
+
+#### Delete RDS Instance (permanent)
+
+```bash
+# Without final snapshot
+aws rds delete-db-instance \
+  --db-instance-identifier mydbinstance \
+  --skip-final-snapshot
+
+# With final snapshot (safer)
+aws rds delete-db-instance \
+  --db-instance-identifier mydbinstance \
+  --final-db-snapshot-identifier mydb-final-snapshot
+```
+
+### 🔍 Step 8: Hunt for Snapshots
+
+#### List EBS Snapshots
+
+```bash
+# Show your snapshots
+aws ec2 describe-snapshots --owner-ids self \
+  --query 'Snapshots[].[SnapshotId,VolumeSize,StartTime]' \
+  --output table
+
+# Calculate total GB
+aws ec2 describe-snapshots --owner-ids self \
+  --query 'sum(Snapshots[].VolumeSize)' \
+  --output text
+```
+
+#### Delete Snapshots
+
+```bash
+# Delete specific snapshot
+aws ec2 delete-snapshot --snapshot-id snap-1234567890abcdef0
+
+# Delete old snapshots (BE CAREFUL - this is destructive)
+for snap in $(aws ec2 describe-snapshots --owner-ids self \
+  --query 'Snapshots[].SnapshotId' --output text); do
+  echo "Deleting snapshot: $snap"
+  aws ec2 delete-snapshot --snapshot-id $snap
+done
+```
+
+### 🔍 Step 9: Hunt for S3 Buckets
+
+#### List S3 Buckets and Sizes
+
+```bash
+# List all buckets
+aws s3 ls
+
+# Show bucket sizes (slow, but accurate)
+for bucket in $(aws s3 ls | awk '{print $3}'); do
+  echo "Bucket: $bucket"
+  aws s3 ls s3://$bucket --recursive --summarize | grep "Total Size"
+done
+```
+
+#### Delete S3 Bucket
+
+```bash
+# Empty bucket first
+aws s3 rm s3://my-bucket --recursive
+
+# Then delete bucket
+aws s3 rb s3://my-bucket
+```
+
+### 🔍 Step 10: Check CloudWatch Logs
+
+```bash
+# List log groups
+aws logs describe-log-groups \
+  --query 'logGroups[].[logGroupName,storedBytes]' \
+  --output table
+
+# Delete log group
+aws logs delete-log-group --log-group-name /aws/lambda/my-function
+```
+
+---
+
+## Part 4: The Nuclear Option - Check Everything
+
+### All-Regions Audit Script
+
+Create `aws-audit-all-regions.sh`:
+
+```bash
+#!/bin/bash
+
+echo "=== AWS RESOURCE AUDIT ==="
+echo ""
+
+for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
+  echo "🔍 Checking region: $region"
+  echo ""
+
+  # EC2 Instances
+  instances=$(aws ec2 describe-instances --region $region \
+    --query 'Reservations[].Instances[].[InstanceId,State.Name]' \
+    --output text 2>/dev/null)
+  if [ ! -z "$instances" ]; then
+    echo "  EC2 Instances:"
+    echo "$instances" | sed 's/^/    /'
+  fi
+
+  # EBS Volumes
+  volumes=$(aws ec2 describe-volumes --region $region \
+    --query 'Volumes[].[VolumeId,State,Size]' \
+    --output text 2>/dev/null)
+  if [ ! -z "$volumes" ]; then
+    echo "  EBS Volumes:"
+    echo "$volumes" | sed 's/^/    /'
+  fi
+
+  # Elastic IPs
+  eips=$(aws ec2 describe-addresses --region $region \
+    --query 'Addresses[].[PublicIp,AssociationId]' \
+    --output text 2>/dev/null)
+  if [ ! -z "$eips" ]; then
+    echo "  Elastic IPs:"
+    echo "$eips" | sed 's/^/    /'
+  fi
+
+  # NAT Gateways
+  nats=$(aws ec2 describe-nat-gateways --region $region \
+    --query 'NatGateways[].[NatGatewayId,State]' \
+    --output text 2>/dev/null)
+  if [ ! -z "$nats" ]; then
+    echo "  NAT Gateways:"
+    echo "$nats" | sed 's/^/    /'
+  fi
+
+  echo ""
+done
+```
+
+Run it:
+```bash
+chmod +x aws-audit-all-regions.sh
+./aws-audit-all-regions.sh
+```
+
+---
+
+## Part 5: Use AWS Cost Explorer (Web UI)
+
+1. Go to: https://console.aws.amazon.com/cost-management/home
+2. Click **Cost Explorer** → **Enable Cost Explorer** (if first time)
+3. Wait 24 hours for data to populate
+4. Use filters to see:
+   - **Service** breakdown (what's charging you)
+   - **Region** breakdown (where charges come from)
+   - **Daily costs** (when did charges start)
+
+**Look for:**
+- EC2-Other (EBS volumes)
+- VPC (NAT Gateway, Elastic IPs)
+- RDS
+- S3
+- Data Transfer
+
+---
+
+## Part 6: Set Up Billing Alerts
+
+**Prevent this from happening again:**
+
+```bash
+# Create billing alarm (requires CloudWatch)
+aws cloudwatch put-metric-alarm \
+  --alarm-name "BillingAlarm" \
+  --alarm-description "Alert when AWS bill exceeds $10" \
+  --metric-name EstimatedCharges \
+  --namespace AWS/Billing \
+  --statistic Maximum \
+  --period 21600 \
+  --evaluation-periods 1 \
+  --threshold 10.0 \
+  --comparison-operator GreaterThanThreshold
+```
+
+**Better: Use AWS Budgets (Web UI)**
+1. Go to: https://console.aws.amazon.com/billing/home#/budgets
+2. Create Budget
+3. Set threshold (e.g., $10/month)
+4. Add email alert
+
+---
+
+## Quick Reference: Most Common Commands
+
+```bash
+# Check identity
+aws sts get-caller-identity
+
+# List EC2 instances
+aws ec2 describe-instances --output table
+
+# List EBS volumes (THE MOST COMMON CULPRIT)
+aws ec2 describe-volumes --output table
+
+# List Elastic IPs (unattached = charging)
+aws ec2 describe-addresses --output table
+
+# List NAT Gateways (EXPENSIVE)
+aws ec2 describe-nat-gateways --output table
+
+# List RDS databases
+aws rds describe-db-instances --output table
+
+# List S3 buckets
+aws s3 ls
+
+# Check all regions
+for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
+  echo "Region: $region"
+  aws ec2 describe-instances --region $region --output table
+done
+```
+
+---
+
+## Troubleshooting
+
+### "Unable to locate credentials"
+```bash
+# Check if credentials exist
+cat ~/.aws/credentials
+
+# Reconfigure
+aws configure
+```
+
+### "Region not found"
+```bash
+# Set default region
+aws configure set region us-east-1
+```
+
+### "Access Denied" errors
+- Your IAM user might lack permissions
+- Attach `PowerUserAccess` or `AdministratorAccess` policy in IAM console
+
+### Still being charged?
+1. **Wait 24-48 hours** - AWS billing has delay
+2. **Check Cost Explorer** - see exact service charging you
+3. **Check ALL regions** - use the audit script above
+4. **Check Route 53** - hosted zones cost $0.50/month each
+5. **Check CloudFront** - distributions can accumulate charges
+6. **Contact AWS Support** - they can help identify charges
+
+---
+
+## Prevention Checklist
+
+Before leaving AWS for the day:
+
+- [ ] Stop or terminate ALL EC2 instances
+- [ ] Delete ALL unattached EBS volumes
+- [ ] Release ALL unused Elastic IPs
+- [ ] Delete NAT Gateways if not needed
+- [ ] Delete or stop RDS instances
+- [ ] Check ALL regions (not just default)
+- [ ] Set up billing alerts
+- [ ] Use AWS Free Tier Dashboard to monitor usage
+
+**Rule of thumb:** If you're not actively using AWS, your monthly bill should be $0-2 (maybe Route 53 or minimal S3).
+
+---
+
+## Useful Links
+
+- AWS Cost Explorer: https://console.aws.amazon.com/cost-management/home
+- AWS Free Tier: https://console.aws.amazon.com/billing/home#/freetier
+- AWS Budgets: https://console.aws.amazon.com/billing/home#/budgets
+- IAM Console: https://console.aws.amazon.com/iam
+- Support Center: https://console.aws.amazon.com/support/home
+
+---
+
+**Good luck, detective! 🕵️**