Cost Anomaly (Bonus)

Overview

A simulated cost spike has been detected in the workshop account. In this bonus exercise, you'll use your AI coding agent to investigate CloudTrail logs for unusual API activity patterns — a common real-world troubleshooting scenario that combines log analysis with security awareness.

What You'll Learn

  • How to use your agent to query CloudTrail for recent API activity
  • How to identify unusual patterns in API call frequency and source
  • How to correlate activity spikes with specific principals and services

Instructions

Explore

Use your agent to investigate what caused an unexpected increase in API activity. Here are some hints:

  1. Ask your agent to look at CloudTrail events from the last few hours and summarize the API call patterns
  2. Look for any unusual volume of calls to expensive services (EC2 RunInstances, Lambda Invoke, S3 operations)
  3. Check if any calls came from unexpected principals or IP addresses
Step-by-step Walkthrough

  1. Start by asking your agent to summarize recent API activity:

Look at CloudTrail events from the last 3 hours. Summarize the API calls by service and event name — which services have the most activity?

  2. Your agent should retrieve events and group them. Look for patterns that seem anomalous — high-frequency calls or services you haven't used yet in the workshop.

  3. Drill into the most active service:

For the service with the most API calls in the last 3 hours, show me the breakdown by event name, the source IP addresses, and which IAM principal made the calls.

  4. Check for any unauthorized or unexpected principals:

Are there any CloudTrail events from principals other than my participant role or the MCP Server agent role? Show me any events from unknown or unexpected IAM entities.

  5. Look at the timing pattern:

Show me the CloudTrail events grouped by 15-minute intervals over the last 3 hours. Is there a burst of activity at any particular time?

  6. Summarize your findings:

Based on the CloudTrail analysis, summarize what caused the activity spike. Was it expected workshop activity or something unusual? What would you recommend checking next?

  7. In a real scenario, you'd escalate findings to security or adjust IAM policies. Here, the activity is from normal workshop operations — but the investigation process is identical to what you'd do for a real cost anomaly.
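As an added illustration of the grouping the walkthrough asks the agent for (this is not part of the workshop material), the following Python runs the three checks, by service and event name, by principal and source IP, and by 15-minute bucket, over a constructed set of records in the shape the CloudTrail LookupEvents API returns; the role names, IPs and timestamps are made up. In a live account the same records come from `boto3.client("cloudtrail").lookup_events(StartTime=..., EndTime=...)["Events"]`.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample in the shape of CloudTrail LookupEvents records (not real workshop
# data); as in the real API, the source IP sits inside the CloudTrailEvent JSON string.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # start of the 3-hour window

def _rec(source, name, user, ip, minute):
    return {"EventSource": source, "EventName": name, "Username": user,
            "EventTime": T0 + timedelta(minutes=minute),
            "CloudTrailEvent": json.dumps({"sourceIPAddress": ip})}

SAMPLE_EVENTS = (
    [_rec("ec2.amazonaws.com", "RunInstances", "unknown-user", "203.0.113.9", 46 + i)
     for i in range(12)]                                    # burst of instance launches
    + [_rec("s3.amazonaws.com", "ListBuckets", "participant-role", "198.51.100.5", 30 * i)
       for i in range(4)]                                   # steady workshop traffic
    + [_rec("lambda.amazonaws.com", "Invoke", "mcp-server-agent-role", "198.51.100.5", 90)]
)
EXPECTED_PRINCIPALS = {"participant-role", "mcp-server-agent-role"}  # assumed role names

def count_by_service_event(events):
    """Steps 1 and 3: (service, event name) -> call count, busiest first."""
    return Counter((e["EventSource"], e["EventName"]) for e in events).most_common()

def unexpected_principals(events, expected=EXPECTED_PRINCIPALS):
    """Step 4: (principal, source IP) pairs that are not known workshop roles."""
    pairs = set()
    for e in events:
        if e["Username"] not in expected:
            ip = json.loads(e["CloudTrailEvent"]).get("sourceIPAddress")
            pairs.add((e["Username"], ip))
    return sorted(pairs)

def bucket_counts(events, start=T0, hours=3, minutes=15):
    """Step 5: calls per fixed-width interval; index 0 is the bucket starting at `start`."""
    counts = [0] * (hours * 60 // minutes)
    for e in events:
        idx = int((e["EventTime"] - start).total_seconds() // (minutes * 60))
        if 0 <= idx < len(counts):       # ignore events outside the window
            counts[idx] += 1
    return counts

def burst_buckets(counts, factor=3):
    """Flag intervals with more than `factor` times the median non-empty bucket's volume."""
    busy = [c for c in counts if c]
    threshold = factor * median(busy) if busy else 0
    return [i for i, c in enumerate(counts) if c > threshold]
```

On the sample, the EC2 RunInstances burst from the unknown principal lands entirely in bucket 3 (12:45 to 13:00) and is the only interval flagged, which is the kind of correlation between principal, service and timing the walkthrough is after.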

Validation

This is a bonus lab — there are no automated validation checks. Success means you:

  • ✅ Retrieved and analyzed CloudTrail events using your agent
  • ✅ Identified the top API callers by service and principal
  • ✅ Looked for anomalous patterns (unusual principals, burst timing, unexpected services)

Info

In a production environment, you'd combine CloudTrail analysis with AWS Cost Explorer, CloudWatch anomaly detection, and potentially AWS GuardDuty findings. This lab focuses on the CloudTrail investigation step.

Agent-Specific Tips

Claude Code can handle large sets of CloudTrail events and summarize patterns effectively. Try asking it to create a structured analysis:

Query CloudTrail for the last 3 hours and give me a summary table: service, event name, count, and the principal(s) that made each call. Flag anything unusual.

Kiro can retrieve CloudTrail events and perform analysis across multiple dimensions. Ask it to cross-reference timing and principals:

Look at CloudTrail events from the last 3 hours. Create a timeline showing API call frequency in 15-minute buckets, and highlight any principals making calls outside normal workshop patterns.

Cursor can query CloudTrail through the MCP Server and analyze the results. Be specific about the time window to avoid overwhelming the response:

Get CloudTrail events from the last 3 hours, limited to 50 events. Group them by service and event name, and note any calls from principals other than my role.

Codex can use the CloudTrail LookupEvents API through the MCP Server. Guide it to focus on the key dimensions:

Use CloudTrail LookupEvents for the last 3 hours. Summarize by service, identify the top 5 most frequent API calls, and check if any came from unexpected sources.