How to Stay Inside the AWS Free Tier

April 07, 2027 · 17 min read

Cloud Practitioner · CLF-C02 · part of The Exam Room

The situation

A student has finished the Cloud Practitioner content and wants to actually ship something. The project is modest: a small web app, a personal bookmark manager with a web UI and a REST API. Expected traffic is tens of requests per day, scaling to maybe a few thousand on the day a friend shares it. Storage is measured in megabytes.

The budget is under $5 per month, and the tolerance for surprise bills is exactly zero. A university-aged credit card and no interest in learning about overdraft fees.

The student has heard of the “AWS Free Tier” but every forum thread reads like a warning. They want three things answered before they swipe the card: which services are actually free, for how long, and what specifically triggers a bill.

What actually matters

“Run the app for $5 a month” is the contract, but the shape of the cost is more interesting than the number. A few properties are worth naming up front.

Free-forever versus free-for-now. “AWS Free Tier” is three different programmes glued together under a single marketing banner. Some services are free every month indefinitely. Some are free for the first twelve months of the account. Some are trial-only, a service you enable once and a clock starts that ends silently with a bill on day sixteen or day thirty-one. Which category a service sits in determines whether it’s safe to rely on for a long-lived project, and building a project that lives past twelve months on 12-month-free services is how the anniversary spike happens.

Hourly-billed versus per-use-billed, as an architectural property. Almost every forum horror story is the same shape. Somebody stood up a network primitive “because the tutorial said so” and it billed by the hour whether any packet crossed it or not. Somebody left a virtual machine running. Somebody attached a static IP they stopped using. The common feature isn’t “AWS is expensive”, it’s “this resource bills for existence, not use”. A zero-cost architecture is made entirely of services that bill per use (and therefore drop to zero when the app is idle). Serverless isn’t a trend; for a small project it’s the only pricing model that survives being forgotten about.

Configuration determines whether the free quota applies. The free allowance for a virtual-machine service is typically for a specific tiny instance size; pick a bigger one and none of it applies. The free allowance for a managed database is typically single-AZ on a tiny instance; multi-AZ bills both instances at full price. Some free allowances apply to one capacity mode and not another. “In the free tier” is configuration-sensitive, not service-level.

Quotas are not how budgets blow up. Per-request services typically throttle cleanly and bills grow linearly in small increments. The bills that shock people come from hourly resources the owner forgot about, tens of dollars a month for an idle piece of infrastructure is a lot of headroom for a mistake, and there’s no throttle that makes the cost stop. Pay attention to “how does this bill” at provisioning time, not “how much can I use”.

Trials expire silently. This is the subtle one. Trial clocks vary by service and don’t line up; when they end, the service keeps running and the bill starts. The operational rule is: when you enable a trial, set a calendar reminder a week before it ends, every time, without exception. The alternative is being the forum post.

Two cost guards beat one. Threshold-based guards catch amounts crossing a number. Anomaly-detection guards catch shapes deviating from a baseline. Both are typically free to use; both are worth configuring on day one. An account that spends $0.50 a month consistently and suddenly spends $4 on data transfer hasn’t crossed a budget threshold but has changed shape, and that’s often the early warning before a shape change becomes a bill change.

What we’ll filter on

  1. Free expiry category. Always Free, 12-month, trial, or paid.
  2. Billing shape, per use (idle-safe) or hourly (idle-expensive).
  3. Configuration sensitivity, does the free tier apply to this instance size / table class / deployment type?
  4. Idempotent when forgotten, does the cost keep growing if nobody touches the account for a month?
  5. Trial silence, does the service charge after a silent clock?
  6. Architecture cost, does the service add infrastructure that bills regardless of app state?

The Free Tier landscape

AWS ships three distinct kinds of “free” under a single banner. Legacy accounts (created before 15 July 2025) see all three categories. Post-July-2025 accounts still see most of the same always-free offers, but the 12-month category has been partially replaced by a $200 credit allowance lasting up to six months.

Always Free no expiry; renews every month Lambda 1M requests + 400,000 GB-seconds / month DynamoDB 25 GB storage + 25 RCU + 25 WCU CloudFront 1 TB data out + 10M requests / month SNS 1M publishes / month SQS 1M requests / month CloudWatch 10 custom metrics + 10 alarms Cognito 50,000 monthly active users CloudFormation, IAM, VPC no service charge (ever) 12 Months Free clock starts at account creation EC2 750 hrs / month on t2.micro or t3.micro S3 Standard 5 GB + 20K GET + 2K PUT RDS 750 hrs single-AZ db.t2/t3/t4g.micro EBS 30 GB gp2/gp3 + 2M I/Os ELB 750 hrs + 15 GB processed API Gateway 1M API calls / month Data Transfer Out 100 GB / month across services (expires at 12-month mark) Short-term Trials clock starts when you enable GuardDuty 30-day trial, per protection plan Inspector 15-day trial Detective 30-day trial Macie 30-day trial (limited volume) Redshift 2-month trial, dc2.large node SageMaker 2-month trial (Studio / notebooks) The category that bites. Bills start silently when the trial ends.
Three categories, three durations, three failure modes. The same service can appear in more than one column. S3 has a 12-month allowance, Lambda is always free, GuardDuty is trial-only.

Side by side

Service Category Billing shape Idle cost Configuration trap
Lambda Always Free per use ✓ (zero)
DynamoDB Always Free per use (provisioned) ✓ (zero) on-demand not in free tier
CloudFront Always Free per use ✓ (zero)
S3 12-month per use ✓ (zero) Standard class only
EC2 12-month hourly ✗ (idle = full cost) t2.micro/t3.micro only
RDS 12-month hourly single-AZ micro only
NAT Gateway Not free hourly ✗ (~$33/mo)
Elastic IP (detached) Not free hourly ✗ (~$3.60/mo) free while attached
ALB 12-month then paid hourly ✗ (~$16/mo after yr 1)
GuardDuty 30-day trial per use ✗ (after day 31) clocks per protection plan

Matching workload shape to pricing shape

Tiny hobby app idle most of the time Learning project EC2 for a few months Surprise-bill pattern hourly infra, idle workload Bookmark manager ~100 visitors/month tens of MB of data expected 2+ years Linux server to SSH into always-on EC2 t2.micro small RDS to experiment 9 months of use "Production" app in private subnet NAT Gateway ALB + Multi-AZ RDS idle most of the time All services Always Free? yes All services 12-month free? yes Hourly infra billed regardless? yes Lambda + DynamoDB + S3? CloudFront + Cognito? all per-use, all idle-safe t2.micro / single-AZ? plan for month 12? both yes idle time = full bill ~$60-$100/mo just for infra before any use Serverless always-free ~$0.50/month Route 53 hosted zone only scales past anniversary cleanly 12-month allowances ~$0 for first year calendar reminder at month 11 shut down or migrate Surprise bill $60-$100/month at minimum not a free-tier failure an architecture failure
Three project shapes, three outcomes. Which architecture you pick determines which column you land in.

Each tier in depth

Always Free is the tier a long-lived project lives on. The quotas are generous enough for a small production workload, not just a test. A 128 MB Lambda function running 100 ms per call uses 0.0125 GB-seconds per invocation, so the 400,000 GB-second allowance covers 32 million such calls, the 1-million-request ceiling is what most applications hit first. DynamoDB’s 25 RCU + 25 WCU allowance applies to the Standard table class with provisioned capacity; on-demand capacity has a different pricing model and is not in the free tier. The service-has-no-charge group. CloudFormation, IAM, VPC, Auto Scaling, Organizations, never bills for itself; you pay for the resources these services provision, not for using them.

12 Months Free is the tier that defined the Free Tier for a decade. Legacy accounts still get these offers unchanged. Post-15-July-2025 accounts get a credit-based Free Plan with up to $200 in credits that expire after six months or when consumed. The configuration traps are the same. EC2’s 750 hours applies only to t2.micro and t3.micro, launch a t3.small and the whole instance bills at full rate. RDS’s 750 hours applies only to single-AZ deployments on db.t2/t3/t4g.micro; a Multi-AZ deployment bills both instances even if both are micros. S3’s 5 GB is Standard storage only.

Short-Term Trials are per-service trials that start when you first enable the service. GuardDuty’s 30-day clock runs separately for each protection plan (foundational, Malware Protection, EKS, Lambda, RDS, S3). Inspector is 15 days, not 30. Trials end silently.

A worked monthly trace

Static HTML, CSS, and JavaScript in an S3 bucket, fronted by CloudFront. Dynamic API calls hit API Gateway, which invokes Lambda functions. Persistent state lives in DynamoDB. Authentication is Cognito. Logs go to CloudWatch.

Expected first-month traffic. A hundred unique visitors, each loading the site about five times: 500 page views, ~20 assets each from CloudFront, 10,000 CloudFront requests at ~50 MB of egress. A hundred API calls per visit gives 50,000 API Gateway calls, 50,000 Lambda invocations (128 MB, 50 ms average = 313 GB-seconds), 50,000 DynamoDB requests.

  • CloudFront. 10,000 requests vs 10M cap, 50 MB vs 1 TB. Always Free. $0.
  • S3. ~20 MB static assets. 12-month 5 GB cushion. $0.
  • API Gateway. 50,000 calls vs 1M cap. $0 first year; ~$0.18/month after.
  • Lambda. 50,000 requests and 313 GB-seconds vs 1M and 400,000. Always Free. $0.
  • DynamoDB. 50,000 requests against 25 RCU/WCU. Always Free. $0.
  • Cognito. 100 MAU vs 50,000 cap. Always Free. $0.
  • CloudWatch. Default metrics, small alarms. $0.
  • Route 53 (custom domain). $0.50 per hosted zone per month. $0.50.

Total: about $0.50/month. Almost every component is Always Free, so the 12-month anniversary doesn’t spike the bill.

Where the surprise bills come from

The forum horror stories all have the same shape: a service billed by the hour for existing, regardless of use.

  • NAT Gateway, the top offender. $0.045 per hour to exist, plus $0.045 per GB processed. Running one for a month is ~$32.85 before the first byte. Never in the Free Tier. The fix for a small project: don’t put the application in a private subnet. Lambda outside a VPC doesn’t need one.
  • RDS on the wrong instance type. Free Tier covers db.t2/t3/t4g.micro, single-AZ only. Multi-AZ even on a micro bills both instances at full price.
  • A running EC2 instance past the 12-month clock. The Free Tier does not prompt when it ends; the bill just starts. Idle instances cost the same as busy ones.
  • A detached Elastic IP. Not associated with a running instance: $0.005 per hour, ~$3.60 per month.
  • S3 egress outside the region. Storage is Free Tier; data transfer out is $0.09/GB in most regions.
  • Inspector or GuardDuty enabled “to have a look”. Fine during the trial. On day 16 (Inspector) or day 31 (GuardDuty), pay-as-you-go rates start.
  • An idle ALB past month 12. ~$16.50/month at $0.0225 per hour, plus LCU charges. For tens of requests per day, API Gateway is cheaper.
  • CloudWatch Logs set to “Never Expire”. Over months a chatty app accumulates GBs at $0.03/GB/month.

Serverless services drop to zero when the application is idle. Instance-priced services keep billing while you sleep. The zero-cost architecture is made entirely of the first kind.

Cost guards worth configuring on day one

AWS Budgets sets a dollar amount and alerts when forecast or actual spend crosses a threshold:

  1. A zero-spend budget using the AWS template, tracks 100% of Free Tier usage, alerts at 85%.
  2. A $1/month cost budget at 100% actual spend.
  3. A $5/month cost budget at 50% and 100%.

The first two action-enabled budgets per month are free.

AWS Cost Anomaly Detection uses machine learning to alert when spend deviates from the learned baseline. An account that usually spends $0.50 on Route 53 suddenly spending $4 on Data Transfer Out gets flagged even when the total is still trivial. Free to use.

Common surprises around account creation

The 12-month clock starts at account creation, not at first use. Creating the account in July to “have a look” and starting to build in October leaves nine months.

Free Tier is aggregated across all regions (except GovCloud and China). An EC2 t3.micro in us-east-1 plus another in eu-west-1 uses 1,460 hours/month, not 1,500, the second bills every hour over 750.

Accounts created after 15 July 2025 pick between Free Plan and Paid Plan at signup. Free Plan gives up to $200 in credits, valid for six months or until consumed. “Paid Plan” doesn’t mean “pay by default”; it means “no six-month cap”. A zero-cost architecture stays zero either way.

What’s worth remembering

  1. “Free Tier” means three different things. Always Free (monthly renewal, no expiry), 12 Months Free (expires at 12-month mark), Short-Term Trials (per-service clock on first use).
  2. Always-free services are where long-lived projects live. Lambda, DynamoDB, CloudFront, SNS, SQS, CloudWatch basics, Cognito.
  3. 12-month services bind specific configurations. EC2 t2.micro/t3.micro only. RDS single-AZ only. S3 Standard only.
  4. Short-term trials expire without prompting. Inspector 15 days, GuardDuty 30 days per protection plan.
  5. Surprise bills come from hourly-billed infrastructure, not exceeded quotas. NAT Gateway (~$33/mo), detached Elastic IPs ($3.60/mo), idle load balancers (~$16/mo after year 1).
  6. Serverless drops to zero when idle. Instance-priced services bill per hour regardless.
  7. Budgets and Cost Anomaly Detection are complementary. Budgets catch amounts crossing a threshold; Anomaly Detection catches shapes deviating from baseline.
  8. Free Tier aggregates across regions (except GovCloud and China).
  9. The 12-month clock starts at account creation, not first use.
  10. The new-account experience changed on 15 July 2025, new accounts pick a credit-based Free Plan (up to $200, six months) or Paid Plan. Always-free services apply to both.

These posts are LLM-aided. Backbone, original writing, and structure by Craig. Research and editing by Craig + LLM. Proof-reading by Craig.