Live on AWS

AWS Cost Dashboard

Real-time FinOps dashboard at costing.climacs.net

ECS Fargate

Compute Engine

~$6-7

Weekly Cost

AWS Services

15 min

Data Refresh

TLS 1.3

Encryption

🏗️ Architecture Overview

User costing.climacs.net

☁ AWS Cloud

Account 580796108725 · us-east-1

Route 53 DNS

ACM TLS Certificate

⬡ VPC · Default

172.31.0.0/16

⊞ us-east-1a

ALB Port 443

ECS Fargate 0.25 vCPU / 512MB

⊞ us-east-1b

ALB (multi-AZ) Standby

Subnet B 172.31.144.0/20

⚡ Serverless Data Pipeline

EventBridge Every 15 min

Lambda Aggregator

Athena SQL Queries

S3 CUR Parquet data

S3 Aggregates summary.json

ECR Docker Images

CloudWatch Logs (7d)

AWS Billing CUR Export

HTTPS

TLS 1.3

Read JSON

trigger

query

scan

write

CUR export

Request flow

Data flow

Pipeline flow

AWS Cloud

VPC

Availability Zone

📋 AWS Services Inventory & Estimated Costs

Service	Description & Docs	Hourly	Daily	Weekly	Monthly
ECS Fargate Compute	Serverless container running the FastAPI backend (0.25 vCPU, 512MB). Serves dashboard UI and all API endpoints. No EC2 instances to manage. AWS Fargate Docs → Pricing →	$0.012	$0.30	$2.07	$8.92
Application Load Balancer Networking	Layer 7 load balancer handling HTTPS termination, health checks, and traffic routing to ECS. Fixed hourly cost + LCU usage. Biggest cost driver. AWS ELB Docs → Pricing →	$0.025	$0.61	$4.23	$18.40
Route 53 Networking	Managed DNS service hosting the `costing.climacs.net` A-record alias pointing to the ALB. Also validates ACM certificate via CNAME record. AWS Route 53 Docs → Pricing →	$0.001	$0.02	$0.12	$0.50
ACM Security	AWS Certificate Manager provides free public TLS certificates with automatic renewal. Used for HTTPS on ALB with TLS 1.3 policy. AWS ACM Docs → Pricing →	Free	Free	Free	Free
Lambda Compute	Serverless function (Python 3.9) triggered every 15 min by EventBridge. Runs 6 Athena queries and writes aggregated JSON to S3. ~2,880 invocations/month. AWS Lambda Docs → Pricing →	~$0.00	~$0.00	$0.01	$0.04
EventBridge Management	Serverless event bus scheduling the Lambda aggregator at 15-minute intervals using a cron rule. Default event bus events are free. AWS EventBridge Docs → Pricing →	Free	Free	Free	Free
Athena Analytics	Serverless SQL query engine scanning CUR Parquet files in S3. Billed at $5 per TB scanned. Partition pruning keeps scans minimal (~1-2 MB per query). AWS Athena Docs → Pricing →	~$0.00	$0.003	$0.02	$0.09
S3 Storage	Two buckets: climacs-cur-data (raw CUR Parquet) and costing-aggregates (pre-computed JSON). Also stores Athena query results and Terraform state. AWS S3 Docs → Pricing →	~$0.00	$0.003	$0.02	$0.10
Glue Analytics	Glue Crawler discovers CUR data partitions (year/month/day) and maintains the Glue Data Catalog table schema used by Athena for partition pruning. AWS Glue Docs → Pricing →	~$0.00	~$0.00	$0.01	$0.04
ECR Compute	Elastic Container Registry stores the Docker image for the FastAPI backend. ECS pulls the `:latest` tag on each deployment. Storage at $0.10/GB/month. AWS ECR Docs → Pricing →	~$0.00	~$0.00	$0.01	$0.05
CloudWatch Logs Management	Centralized logging for ECS container output. Log group retention set to 7 days to minimize storage costs. $0.50/GB ingested, $0.03/GB stored. AWS CloudWatch Docs → Pricing →	~$0.00	$0.005	$0.04	$0.15
AWS Budgets Management	Cost guardrail with 3 alert thresholds: 80% actual, 100% actual, and 120% forecasted. Sends email alerts. First 2 budgets are free. AWS Budgets Docs → Pricing →	Free	Free	Free	Free
Estimated Total		~$0.038	~$0.94	~$6.53	~$28.29

💡 Notes: All estimates are for us-east-1 region with this project's actual configuration (0.25 vCPU Fargate, 1 task, minimal traffic). Costs marked "Free" are within AWS Free Tier or have no charge for this usage pattern. ALB is the single largest cost driver (~65% of total). Consider migrating to EC2 t3.nano + Caddy to reduce monthly cost to ~$5/mo. Prices as of April 2026 — visit linked pricing pages for current rates.

🧩 Component Details

ECS Fargate Service Compute

Serverless container running the FastAPI backend. Serves the HTML/JS dashboard and all /api/* endpoints. Reads pre-aggregated JSON from S3. Basic Auth enforced on all API routes.

0.25 vCPU 512 MB Python 3.9 FastAPI Chart.js

View in Console →

Lambda Aggregator Compute

Scheduled every 15 minutes via EventBridge. Runs 6 Athena queries to compute summary, timeseries (hourly/daily), service breakdown, and month-over-month comparisons. Writes compact JSON to S3.

EventBridge 15 min schedule 300s timeout 6 queries

View in Console →

S3 Buckets Storage

Two buckets: climacs-cur-data for raw CUR Parquet files from AWS Billing, and costing-climacs-aggregates for Lambda-computed JSON summaries consumed by the API.

CUR Parquet Aggregates JSON Athena results

Glue + Athena Analytics

Glue Crawler discovers CUR data partitions (year/month/day). Athena provides serverless SQL querying over Parquet files with partition pruning for cost-efficient scans.

Glue Crawler Athena Workgroup Partition pruning

ALB + ACM Networking

Application Load Balancer handles TLS termination with auto-provisioned ACM certificate. HTTP → HTTPS redirect. Health checks on /health. Multi-AZ subnets.

TLS 1.3 ACM cert 2 AZ subnets HTTP redirect

Terraform IaC Infrastructure

All infrastructure defined in code. S3 remote backend for state. 6 Terraform files covering ECS, Lambda, S3/Athena, Route53, and shared config.

ecs.tf lambda.tf s3_athena.tf route53.tf main.tf variables.tf

💰 Cost Breakdown (Demo)

🕐 1-Week Demo

ECS Fargate (0.25 vCPU + 0.5GB) $2.07

ALB (168 hrs × $0.0225) $3.78

Route53 + S3 + Lambda $0.25

Athena queries $0.10

Total (1 week) ~$6.20

📅 Monthly (if kept running)

ECS Fargate $9.00

ALB fixed cost $16.20

Route53 zone $0.50

S3 + Lambda + Athena $1.00

Total (monthly) ~$27/mo

💡 EC2 Alternative (long-term)

EC2 t3.nano $3.80

Caddy (free TLS) $0.00

No ALB needed $0.00

Route53 + S3 + Lambda $1.30

Total (monthly) ~$5/mo

🔐 Security Model

🔒

TLS 1.3 Encryption

ACM-managed certificate with auto-renewal. TLS termination at ALB using policy ELBSecurityPolicy-TLS13.

🔑

HTTP Basic Auth

All /api/* endpoints require credentials. Custom implementation avoids browser popups — the frontend has its own login modal.

🛡️

Least-Privilege IAM

Separate roles for each service: ECS (S3 read-only), Lambda (Athena + S3 read/write), Glue Crawler (S3 read + Glue).

🌐

Network Isolation

ECS tasks only accept traffic from ALB security group on port 8000. No direct internet access to containers.

⚠️ Demo Teardown (after review)

When the demo is complete, destroy all resources to stop billing:

cd terraform && terraform destroy

This will remove all 31 AWS resources. The ECR repository must be deleted separately via AWS CLI.