A typical first FinOps review pulls 20–40% out of an AWS bill. Not through magic—through patterns. Most teams skip the cheap wins and reach straight for Reserved Instances. We'd suggest the opposite order.
1. Find your NAT gateway tax
A NAT Gateway costs $0.045/hr plus $0.045/GB of data processed (us-east-1 list price). The hourly part is fine: about $33 a month. The per-GB part bites private subnets that reach S3 over the public endpoint, because without a Gateway Endpoint every byte to and from S3 is routed through the NAT Gateway and metered there.
Add VPC Gateway Endpoints for S3 and DynamoDB. Gateway Endpoints are free (unlike Interface Endpoints, which bill per hour and per GB), and they keep the traffic on the AWS network, where an endpoint policy can also restrict which buckets and tables the subnet may reach. We've seen this single change cut $4,000–$8,000 a month off bills where private workloads sync with S3 buckets all day. To size the tax, filter Cost Explorer to the NatGateway-Bytes usage type for the dollar figure, and turn on VPC Flow Logs on the NAT Gateway's network interface to see which hosts are generating it.
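The "who is paying the NAT tax" check, as an added example that is not part of the original post: it parses VPC Flow Log records (default format) captured on the NAT Gateway's network interface, attributes every accepted flow that touches an S3 address to the private host on the other end, and extrapolates the sampled window to a monthly charge. The flow log lines and the S3 prefix list are constructed for the demo; a real run loads the prefixes for its region from the `S3` entries of https://ip-ranges.amazonaws.com/ip-ranges.json, and the $0.045/GB price and binary-gigabyte metering are assumptions to check against your bill.

```python
"""Estimate the NAT gateway tax paid for S3 traffic from VPC Flow Logs.

Added example, not from the original post. Flow log lines and the S3 prefix
list are constructed; load real prefixes from ip-ranges.json (service "S3").
"""
import ipaddress
from collections import defaultdict

NAT_PER_GB = 0.045  # assumption: us-east-1 list price per GB processed

# Constructed: S3 prefixes for the region (real runs read ip-ranges.json).
S3_PREFIXES = [ipaddress.ip_network(p) for p in ("52.216.0.0/15", "3.5.0.0/19")]

# Constructed flow log records, default format (version 2), captured on the
# NAT Gateway's ENI. Fields: version account eni src dst sport dport proto
# packets bytes start end action log-status.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 52.216.24.36 49152 443 6 9000 12582912 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 52.216.24.36 10.0.1.25 443 49152 6 7000 8388608 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.2.40 3.5.12.7 50000 443 6 500 524288 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.2.40 93.184.216.34 50001 443 6 100 65536 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.3.9 52.216.1.1 50002 443 6 1 40 1700000000 1700000600 REJECT OK
"""


def is_s3(addr):
    """True if the address falls inside one of the S3 prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in S3_PREFIXES)


def parse_records(flow_log_text):
    """Yield (src, dst, bytes, start, end, action) for well-formed v2 records."""
    for line in flow_log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue  # skip headers, custom formats and truncated lines
        yield f[3], f[4], int(f[9]), int(f[10]), int(f[11]), f[12]


def s3_bytes_by_host(flow_log_text):
    """Return {private_host: bytes} for accepted flows that touch S3.

    NAT bills data processed in both directions, so both legs of a flow
    count and are attributed to the non-S3 endpoint.
    """
    totals = defaultdict(int)
    for src, dst, nbytes, _, _, action in parse_records(flow_log_text):
        if action != "ACCEPT":
            continue
        if is_s3(dst):
            totals[src] += nbytes
        elif is_s3(src):
            totals[dst] += nbytes
    return dict(totals)


def monthly_nat_cost(flow_log_text, seconds_per_month=30 * 86400):
    """Extrapolate the sampled window (from the records' timestamps) to a month."""
    records = list(parse_records(flow_log_text))
    window = max(r[4] for r in records) - min(r[3] for r in records)
    total_bytes = sum(s3_bytes_by_host(flow_log_text).values())
    monthly_bytes = total_bytes * seconds_per_month / window
    return monthly_bytes / 2**30 * NAT_PER_GB  # assumption: binary GB metering


if __name__ == "__main__":
    for host, b in sorted(s3_bytes_by_host(SAMPLE_FLOW_LOGS).items(), key=lambda kv: -kv[1]):
        print(f"{host:15} {b / 2**20:8.1f} MiB to/from S3 via NAT")
    print(f"estimated NAT charge for S3 traffic: ${monthly_nat_cost(SAMPLE_FLOW_LOGS):.2f}/month")
```

Run it against a day of flow logs rather than the ten-minute sample here; the hosts at the top of the list are the subnets that need the Gateway Endpoint in their route table first.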
2. Lifecycle your S3, ruthlessly
Most S3 buckets contain data nobody reads after 30 days. Lifecycle rules move it to Standard-Infrequent Access at 30 days, Glacier Instant Retrieval at 90, and Deep Archive at a year. Mind the fine print: Infrequent Access and Instant Retrieval bill a 30-day and a 90-day minimum respectively and charge every object as at least 128 KB, Deep Archive bills a 180-day minimum, and each transition is a request you pay for, so a bucket of millions of tiny objects can cost more to tier than it saves. Aggregate small objects first, or keep them out of the rule with an object-size filter.
Cost difference between Standard ($0.023/GB-month) and Deep Archive ($0.00099/GB-month): roughly 23x. Logs that cost $200 a month in Standard cost about $9 a month in Deep Archive, as long as nobody restores them; a Deep Archive retrieval is a per-GB charge plus hours of wait, so only tier what you truly will not read. Do the math on what your bucket actually serves vs. what just sits there.
3. Rightsizing RDS, in stages
RDS is the easiest place to overspend because nobody wants to be the person who downsized the DB. Use CloudWatch (CPUUtilization, FreeableMemory, ReadIOPS and WriteIOPS) and Performance Insights to confirm the instance is idle: CPU under 30% at the 95th percentile for a fortnight, with memory to spare at the worst hour, then step down one size. The smaller class has half the RAM, so memory headroom matters as much as CPU. A class change restarts the instance; on a Multi-AZ deployment the standby is modified first and the failover hides most of the downtime. The world doesn't end.
Move from db.m5 to db.m6g (Graviton): same performance class, roughly 10–20% cheaper, provided your engine version supports the Graviton family. Move from gp2 to gp3 storage: a 3,000 IOPS baseline regardless of volume size on smaller volumes, a lower per-GB price, and IOPS and throughput you can raise without buying more capacity.
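The staged decision above as an added example, not code from the original post: given a fortnight of hourly CPUUtilization and FreeableMemory samples (constructed here; in practice pulled from CloudWatch), it steps down one size only when both the CPU p95 and the worst-hour memory headroom allow it, and swaps the family for its Graviton equivalent in any case. The size ladder, the x86-to-Graviton family map and the 55% free-memory threshold are assumptions to adjust for your engines.

```python
"""Decide whether an RDS instance can step down a size and move to Graviton.

Added example, not from the original post. The family map, size ladder and
thresholds are assumptions; check Graviton support for your engine version.
"""
import math

SIZES = ["large", "xlarge", "2xlarge", "4xlarge", "8xlarge", "12xlarge", "16xlarge"]
# x86 family -> Graviton family in the same performance class (assumption).
GRAVITON = {"m5": "m6g", "m6i": "m6g", "r5": "r6g", "r6i": "r6g", "t3": "t4g"}


def percentile(values, pct):
    """Nearest-rank percentile, so a handful of hourly spikes do not veto the change."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def recommend(instance_class, memory_gib, samples, days=14,
              cpu_p95_max=30.0, min_free_fraction=0.55):
    """Return the class to move to and whether that includes a size step down.

    samples: hourly (CPUUtilization %, FreeableMemory bytes), oldest first.
    Halving the instance halves its RAM, so the worst hour of the window must
    have left more than min_free_fraction of memory unused.
    """
    window = days * 24
    if len(samples) < window:
        return {"recommended": None, "step_down": False,
                "reason": f"need {window} hourly samples, have {len(samples)}"}
    recent = samples[-window:]
    cpu95 = percentile([cpu for cpu, _ in recent], 95)
    free_fraction = min(free for _, free in recent) / (memory_gib * 2**30)
    _, family, size = instance_class.split(".")  # "db.m5.2xlarge" -> m5, 2xlarge
    idx = SIZES.index(size)

    reasons = []
    if cpu95 >= cpu_p95_max:
        reasons.append(f"cpu p95 {cpu95:.0f}% >= {cpu_p95_max:.0f}%")
    if free_fraction < min_free_fraction:
        reasons.append(f"only {free_fraction:.0%} memory free at the worst hour")
    if idx == 0:
        reasons.append("already the smallest size in the family")
    new_size = SIZES[idx - 1] if not reasons else size
    return {
        "recommended": f"db.{GRAVITON.get(family, family)}.{new_size}",
        "step_down": not reasons,
        "cpu_p95": cpu95,
        "free_fraction": free_fraction,
        "reason": "; ".join(reasons) or "idle for the whole window",
    }


def constructed_samples(hours, cpu_base, cpu_peak, free_gib):
    """Constructed hourly metrics: one daily peak at 09:00, base load otherwise."""
    return [(cpu_peak if h % 24 == 9 else cpu_base, free_gib * 2**30) for h in range(hours)]


if __name__ == "__main__":
    two_weeks = 14 * 24
    for label, samples in (
        ("quiet", constructed_samples(two_weeks, 12, 40, 20)),
        ("busy", constructed_samples(two_weeks, 45, 80, 20)),
        ("memory-bound", constructed_samples(two_weeks, 12, 40, 8)),
    ):
        print(label, recommend("db.m5.2xlarge", 32, samples))
```

The memory-bound case is the one people miss: 12% CPU looks like an easy win, but with only 8 GiB free on a 32 GiB instance the 16 GiB replacement would start swapping.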
4. Graviton everywhere it fits
ARM-based Graviton instances list around 20% below the equivalent x86 size, and AWS quotes up to 40% better price-performance, which often holds for typical web workloads. Most Node, Python, Go, and Java code runs unchanged; what breaks is a native dependency with no arm64 build (a Python wheel, a JNI library, a vendored binary), so audit those before you flip a fleet. Containerized? Multi-arch images built with docker buildx take an afternoon to set up.
5. Spot for the boring stuff
Batch jobs, CI runners, async workers, ML training: all of it can run on Spot at 60–80% off on-demand. Use EKS managed node groups or ECS capacity providers with Spot plus an on-demand fallback, and spread each pool across several instance types so one type running dry does not take the whole job down. The two-minute interruption notice, published on the instance metadata service and as an EventBridge event, is enough time for almost every job to checkpoint or hand off.
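The interruption-notice check as an added example, not code from the original post: it polls the `spot/instance-action` document through IMDSv2 (token first, then the read), treats the 404 that means "nothing scheduled" as the normal answer, and reports how many seconds remain for the checkpoint. The instance metadata endpoint is real; `fake_imds` is a constructed stand-in so the logic runs off an instance, and the two-minute budget only holds if the launch template sets `HttpTokens=required`, which is also the setting that stops SSRF bugs from reading instance credentials over IMDSv1.

```python
"""Handle the Spot two-minute interruption notice through IMDSv2.

Added example, not from the original post. `fake_imds` is a constructed
stand-in for the metadata service so the logic can be exercised anywhere.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
ACTION_PATH = "/latest/meta-data/spot/instance-action"


def imds_fetch(path, token=None, method="GET", ttl=None, timeout=2):
    """Minimal IMDSv2 client: PUT the token path with a TTL header to get a
    session token, then GET with that token. Returns (status, body)."""
    req = urllib.request.Request(IMDS + path, method=method)
    if ttl is not None:
        req.add_header("X-aws-ec2-metadata-token-ttl-seconds", str(ttl))
    if token is not None:
        req.add_header("X-aws-ec2-metadata-token", token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def pending_interruption(fetch=imds_fetch):
    """Return {'action', 'time'} if an interruption is scheduled, else None.

    404 on the instance-action path is the normal "nothing scheduled" reply;
    any other unexpected status is an error worth surfacing.
    """
    status, token = fetch(TOKEN_PATH, method="PUT", ttl=60)
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
    status, body = fetch(ACTION_PATH, token=token)
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"instance-action returned HTTP {status}")
    notice = json.loads(body)
    when = datetime.strptime(notice["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"action": notice["action"], "time": when}


def seconds_left(notice, now=None):
    """Seconds before the action lands; finish the checkpoint well inside it."""
    now = now or datetime.now(timezone.utc)
    return max(0, int((notice["time"] - now).total_seconds()))


def fake_imds(responses):
    """Constructed replacement for imds_fetch replaying canned (status, body) by path.
    Like IMDSv2 it refuses any read that does not carry the session token."""
    def fetch(path, token=None, method="GET", ttl=None, timeout=2):
        if path == TOKEN_PATH and method == "PUT":
            return 200, "constructed-token"
        if token != "constructed-token":
            return 401, ""
        return responses.get(path, (404, ""))
    return fetch


if __name__ == "__main__":
    print("nothing scheduled:", pending_interruption(fake_imds({})))
    terminating = fake_imds({ACTION_PATH: (200, '{"action": "terminate", "time": "2024-05-01T12:00:00Z"}')})
    notice = pending_interruption(terminating)
    print("notice:", notice)
    print("seconds left:", seconds_left(notice, now=notice["time"].replace(hour=11, minute=58, second=30)))
```

A worker loop calls `pending_interruption()` every few seconds and, on a notice, stops taking new work, flushes its checkpoint, and exits; on EKS the node termination handler does the drain for you, but the job still has to be restartable from that checkpoint.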
6. CloudWatch logs are a budget hole
Default log retention is 'never expire,' which is great for AWS's revenue. Set retention per log group; a scripted pass over every group in the account takes minutes. Decide the floor before the ceiling: CloudTrail, VPC Flow Logs, and authentication logs are what you reach for in an incident, so give those a retention that covers your incident-response lookback rather than the cheapest setting. Send the truly archival stuff to S3 + Athena, streaming via a Subscription Filter into Kinesis Data Firehose or with a one-off export task: cheaper to store, almost as easy to query when you need it.
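A retention planner as an added example, not code from the original post: it assigns each log group a retention by naming rule, snaps the value to one CloudWatch Logs actually accepts, and never lets a security-relevant group fall below a floor, so the cost pass cannot quietly delete the evidence an investigation would need. The group inventory, the rules, and the 365-day floor are constructed assumptions; the CLI call it emits is the real `aws logs put-retention-policy`.

```python
"""Plan CloudWatch Logs retention by naming rule, with a floor for security logs.

Added example, not from the original post. Group names, rules and the 365-day
floor are constructed assumptions; tune them to your own IR lookback.
"""
import re

# The only values PutRetentionPolicy accepts for retentionInDays.
ALLOWED_RETENTION = [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                     731, 1096, 1827, 2192, 2557, 2922, 3288, 3653]

# Constructed inventory: (log group, current retention in days, None = never expire).
SAMPLE_GROUPS = [
    ("/aws/lambda/image-resizer", None),
    ("/aws/eks/prod/cluster", None),
    ("/aws/cloudtrail/org", None),
    ("vpc/flow-logs", 14),
    ("app/debug", 7),
    ("app/verbose", None),
]
# Constructed cost rules: first matching pattern wins; unmatched groups get DEFAULT_DAYS.
RULES = [(r"^/aws/lambda/", 30), (r"^/aws/eks/", 90), (r"^app/", 45)]
DEFAULT_DAYS = 30
# Constructed security floor: evidence you will need in an incident never drops below it.
FLOORS = [(r"cloudtrail|flow-logs|/auth", 365)]


def snap_retention(days):
    """Round up to the nearest value the API accepts, capped at the maximum."""
    for allowed in ALLOWED_RETENTION:
        if allowed >= days:
            return allowed
    return ALLOWED_RETENTION[-1]


def plan_retention(groups, rules=RULES, floors=FLOORS, default_days=DEFAULT_DAYS):
    """Return {group: new_retention} for every group that needs a change.

    Never-expire groups get their rule value (raised to any floor). Groups
    someone already set are left alone unless a floor says they keep too little.
    """
    changes = {}
    for name, current in groups:
        target = next((days for pat, days in rules if re.search(pat, name)), default_days)
        floor = max((days for pat, days in floors if re.search(pat, name)), default=0)
        if current is None:
            new = max(target, floor)
        elif current < floor:
            new = floor
        else:
            continue
        new = snap_retention(new)
        if new != current:
            changes[name] = new
    return changes


def to_cli(changes):
    """The AWS CLI calls that would apply the plan, one per group."""
    return [f"aws logs put-retention-policy --log-group-name {name} --retention-in-days {days}"
            for name, days in sorted(changes.items())]


if __name__ == "__main__":
    for line in to_cli(plan_retention(SAMPLE_GROUPS)):
        print(line)
```

Note what happens to `vpc/flow-logs`: someone had already set it to 14 days, which is cheap and also shorter than most breach dwell times, so the floor raises it rather than leaving it alone.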
7. Then, savings plans
Only after you've rightsized do you commit. Compute Savings Plans cover EC2 (any family, size, region, or OS), Fargate, and Lambda for an hourly dollar commitment; they're flexible and the right default. Aim to cover your steady-state baseline only: pick a commitment at or below the low-water mark of your hourly compute spend over the last month or two, because an unused commitment is billed all the same. Burst capacity stays on-demand.
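The "baseline only" rule worked through as an added example, not code from the original post: given hourly on-demand compute spend (constructed here; in practice the Cost Explorer hourly granularity export), it tries a commitment at each spend level and keeps the cheapest, which lands on the overnight baseline and shows that committing to the business-hours peak costs more than buying everything on-demand. The 30% discount is an assumption; real Compute Savings Plan rates vary by instance family, region and term.

```python
"""Pick a Compute Savings Plan commitment that covers only the baseline.

Added example, not from the original post. The spend series and the flat 30%
discount are constructed assumptions; real rates differ per family and term.
"""


def constructed_hourly_spend(weeks=2, base=40.0, busy=100.0):
    """Constructed on-demand compute spend per hour: weekday business hours are busy."""
    spend = []
    for h in range(weeks * 7 * 24):
        day, hour = divmod(h, 24)
        weekday = day % 7 < 5  # day 0 is a Monday in this constructed calendar
        spend.append(busy if weekday and 9 <= hour < 17 else base)
    return spend


def cost_with_commitment(hourly_spend, commitment, discount):
    """Total cost paying `commitment` $/hr at the Savings Plan rate, the rest on-demand.

    One committed dollar covers 1/(1-discount) dollars of on-demand usage, and
    the commitment is billed every hour whether or not the usage is there.
    """
    covers_on_demand = commitment / (1 - discount)
    return sum(commitment + max(0.0, s - covers_on_demand) for s in hourly_spend)


def choose_commitment(hourly_spend, discount=0.3):
    """Try a commitment matching each distinct spend level and keep the cheapest.

    The optimum always sits at one of those breakpoints: between them the
    marginal committed dollar either pays off in every hour or in none.
    """
    on_demand = sum(hourly_spend)
    best = {"commitment": 0.0, "cost": on_demand}
    for level in sorted(set(hourly_spend)):
        c = level * (1 - discount)
        cost = cost_with_commitment(hourly_spend, c, discount)
        if cost < best["cost"]:
            best = {"commitment": c, "cost": cost}
    best["on_demand"] = on_demand
    best["saving"] = on_demand - best["cost"]
    best["covered_hours"] = sum(
        1 for s in hourly_spend if s * (1 - discount) <= best["commitment"] + 1e-9
    ) / len(hourly_spend)
    return best


if __name__ == "__main__":
    spend = constructed_hourly_spend()
    best = choose_commitment(spend)
    print(f"on-demand: ${best['on_demand']:.0f}  best commitment: ${best['commitment']:.2f}/hr  "
          f"cost: ${best['cost']:.0f}  saving: ${best['saving']:.0f}  "
          f"fully covered hours: {best['covered_hours']:.0%}")
    peak = 100.0 * 0.7
    print(f"committing to the peak (${peak:.0f}/hr) would cost "
          f"${cost_with_commitment(spend, peak, 0.3):.0f}, more than on-demand")
```

With a 30% discount, the marginal committed dollar only pays off if the usage is there more than 70% of hours, which is why the search stops at the overnight baseline; a bigger discount moves that break-even down, but never to the burst.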
These seven aren't exhaustive. They're the ones we keep applying because they keep working.