Score:0

AWS Billing for EC2 Data Transfer in Free Tier


I am new to AWS. I recently created a Free Tier account to install WordPress.

I followed instructions like this to install: https://www.wpbeginner.com/wp-tutorials/how-to-install-wordpress-on-amazon-web-services/

Just created a t2.micro EC2 instance under free tier. But I am getting billed $0.010 per GB - regional data transfer - in/out/between EC2 AZs or using elastic IPs or ELB. I use only one zone.


I use only one region. Checked VPCs, Subnets. No Elastic IPs or Load Balancers. What should I do?

EDIT: VPC Logs: https://drive.google.com/file/d/1U-6PevU64LLU5JmvCm3UaoJcWNapiWcm/view?usp=sharing

I am getting billed for: APS3-DataTransfer-Regional-Bytes. About 52GB is billed. In VPC Flow Logs, 172.31.41.188 is the assigned IPv4 Server Address. I have stopped the instance now.

Some metrics from CloudWatch:

Score:0

Based on your comment to another answer, AWS Cost Explorer has indicated the billing item is APS3-DataTransfer-Regional-Bytes.

Data transfer within an AWS Region

Data transfer between Availability Zones in the same AWS Region have a UsageType of Region-DataTransfer-Regional-Bytes. For example, the USE2-DataTransfer-Regional-Bytes usage type identifies charges for data transfer between Availability Zones in the US East (Ohio) Region.

https://docs.aws.amazon.com/cur/latest/userguide/cur-data-transfers-charges.html

According to the above documentation, APS3 is indicative of the region where the charge is coming from.

The following link seems to suggest that this might be S3 (not because S3 is in the code) in Asia Pacific (Mumbai) region.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/aws-usage-report-understand.html

Your account is most likely compromised and if you change to that region in the AWS console you will likely find an S3 bucket which is being used to host malicious, or other nefarious data.

However, I wasn’t able to confirm if this might be Asia Pacific Southeast 3 (Jakarta) region as well.

UPDATE

Thank you for the additional info and flow logs. If we filter your flow logs by Action=Accept and sort by Bytes then we quickly see some additional details:

We see this flow log shows a large amount of traffic between your instance's private IP address, and the public IP address 13.233.254.23 which is also owned by Amazon. I also see port 16411 involved in this communication, which is typically reserved for streaming services in Apple's Game Center, but it can certainly be used for any other reason. Amazon seems to be treating this traffic as intra-region traffic suggesting that the IP address 13.233.254.23 (Asia) is in the same region as your instance on 172.31.41.188.

Because port 16411 is always on the external IP address 13.233.254.23, and your EC2 instance is using random ports for the other end of the connection, we can say that your EC2 instance is originating these requests outbound, and based on other details, the connections are resulting in a large amount of traffic both inbound and outbound. Based on all the information you have provided, it would appear likely that this server might be streaming video/audio content from an Apple server.

Regardless of whether we are correct about the usage of port 16411, it is still clear that this type of traffic is unusual for a server only running WordPress. In addition, I see active SSH sessions (port 22) to at least two public IP addresses. I could accept that one of them is your own, but I question why there is a second from a different IP address.

All of this indicates that your server is not just a WordPress server. It is either compromised and being used nefariously, or you have services installed on this server which are not just serving webpages. The fact that it happens to be communicating predominantly with another AWS owned IP address in the region is probably insignificant, and a red herring on your billing statement. But intra-region traffic is not included in the free tier.

Devanarayanan
Asia Pacific Southeast 3 (Jakarta) region is disabled. APS3 is Asia Pacific (Mumbai). I can't see any S3 Buckets. In Billing Dashboard too, there are only 4 Active Services. I can see that there are 7 KMS Requests. Is that related to a compromised account?
Appleoddity
KMS is key management service. It’s usually used when there is encryption involved, such as for an encrypted S3 bucket, or encrypted EBS volume. Somehow we’re missing the details we’re looking for here. Honestly, your best option is to contact AWS support. You’ll probably have an answer within a couple of hours.
Appleoddity
@Devanarayanan see my update...
Devanarayanan
I think you meant SSH from this IP 122.170.6.116. Just checked, it's not mine. It's showing as Airtel and marked as spam/dangerous. The other IP belongs to KeralaVision, which is mine. Just contacted AWS Support. They have forwarded it to the Security Team. I hope they respond soon. Also about the KMS, I haven't set up any encryption manually and I see that the volumes my instances use are decrypted.
Appleoddity
@Devanarayanan - yes, it appears to be a malicious IP that is responsible for a lot of brute force password cracking... https://www.abuseipdb.com/check/122.170.6.116 EC2 instances come by default with SSH password access disabled. You have to use an AWS generated certificate usually associated with the `ec2-user` account. So an IP address successfully brute forcing your server would suggest you enabled other user accounts with weak passwords which were able to login through SSH. Or, it's possible your own personal computer is compromised which is leaking info to attackers.
Devanarayanan
I use the Certificate to login into SSH. There are no other users in my AWS. It's a new account. I used Windows Terminal to login into SSH. I also used the certificate in FileZilla to connect to FTP. Others aren't using my PC, so I think I will have to scan it for infections.
Devanarayanan
How can I find out where the leak occurred? https://superuser.com/questions/1767412/securing-ssh-keys-ssh-hacked
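The flow-log triage described in the answer above (filter on ACCEPT, rank peers by bytes, work out which side opened the connections from which side keeps a fixed port, and list who reached port 22) can be done offline against an exported log. The script below is an added example and is not code from the thread; the VPC Flow Log lines it parses are constructed to resemble the situation described (the instance's private address 172.31.41.188 and the peer 13.233.254.23 on port 16411 come from the answer; all other addresses are RFC 5737 documentation ranges, and the byte counts, interface ID, account ID and the assumed default-VPC CIDR 172.31.0.0/16 are made up for illustration).

```python
"""Offline triage of AWS VPC Flow Log records (default version-2 format).

Added example, not part of the original thread. Sample records are constructed;
only the instance IP and the 13.233.254.23:16411 peer come from the answer.
"""
from ipaddress import ip_address, ip_network

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

INSTANCE_IP = "172.31.41.188"            # private IP named in the question
VPC_CIDR = ip_network("172.31.0.0/16")   # assumed: default-VPC CIDR for this instance

# Constructed sample log lines (byte counts and non-peer addresses are assumed values).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 172.31.41.188 13.233.254.23 51312 16411 6 9000 12582912 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 13.233.254.23 172.31.41.188 16411 51312 6 8800 10485760 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.41.188 13.233.254.23 51908 16411 6 7000 8388608 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 172.31.41.188 44122 22 6 120 18000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.41.188 55001 22 6 90 13000 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.41.188 55002 22 6 3 180 1700000031 1700000091 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 172.31.41.188 40111 80 6 40 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.41.188 192.0.2.44 80 40111 6 60 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.45 172.31.41.188 40222 80 6 35 3900 1700000010 1700000070 ACCEPT OK
"""


def parse_flow_logs(text):
    """Parse default-format records into dicts; skip malformed or NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[12] not in ("ACCEPT", "REJECT"):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def peer_view(rec, instance_ip):
    """Return (peer_ip, peer_port, instance_port, direction) from the instance's side."""
    if rec["srcaddr"] == instance_ip:
        return rec["dstaddr"], rec["dstport"], rec["srcport"], "out"
    if rec["dstaddr"] == instance_ip:
        return rec["srcaddr"], rec["srcport"], rec["dstport"], "in"
    return None


def summarize_peers(records, instance_ip):
    """Per peer, over ACCEPT records only: bytes in/out and the ports seen on each side."""
    peers = {}
    for rec in records:
        if rec["action"] != "ACCEPT":
            continue
        view = peer_view(rec, instance_ip)
        if view is None:
            continue
        peer, peer_port, inst_port, direction = view
        s = peers.setdefault(peer, {"bytes": 0, "in": 0, "out": 0,
                                    "peer_ports": set(), "instance_ports": set()})
        s["bytes"] += rec["bytes"]
        s[direction] += rec["bytes"]
        s["peer_ports"].add(peer_port)
        s["instance_ports"].add(inst_port)
    return peers


def infer_origin(summary):
    """The side whose port stays fixed is the server; the side with varying ports is the client."""
    peer_ports, inst_ports = summary["peer_ports"], summary["instance_ports"]
    if len(peer_ports) == 1 and len(inst_ports) > 1:
        return "instance-originated"   # instance used ephemeral ports toward a fixed peer port
    if len(inst_ports) == 1 and len(peer_ports) > 1:
        return "peer-originated"       # peer connected to a fixed service port on the instance
    return "undetermined"              # a single connection cannot tell the two apart


def top_peers(records, instance_ip, top_n=5):
    """Peers ranked by accepted bytes: (peer_ip, total_bytes, inferred origin)."""
    peers = summarize_peers(records, instance_ip)
    ranked = sorted(peers.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(peer, s["bytes"], infer_origin(s)) for peer, s in ranked[:top_n]]


def accepted_ssh_sources(records, instance_ip, vpc_cidr=VPC_CIDR):
    """Addresses outside the VPC that had an accepted TCP flow to the instance's port 22."""
    sources = {rec["srcaddr"] for rec in records
               if rec["action"] == "ACCEPT" and rec["dstaddr"] == instance_ip
               and rec["protocol"] == 6 and rec["dstport"] == 22
               and ip_address(rec["srcaddr"]) not in vpc_cidr}
    return sorted(sources)


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    for peer, nbytes, origin in top_peers(recs, INSTANCE_IP):
        print(f"{peer:>16} {nbytes:>12} bytes  {origin}")
    print("accepted SSH from:", accepted_ssh_sources(recs, INSTANCE_IP))
```

Two caveats when reading the output against a real export. An ACCEPT on port 22 only means the security group let the TCP flow through; whether the login succeeded has to be read from the instance's own auth log, not from flow logs. And a port number alone (16411 here) says nothing about the application: flow logs carry no payload, so the fixed-port-plus-ephemeral-ports pattern tells you the instance initiated the sessions, not what they carried.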
Score:0
Tim

The $0.19 line item could be bandwidth out to the internet, or between AWS availability zones. The bill isn't precise enough to tell you. You could try the "aws cost explorer" service, which lets you drill down some more. It can take 24 hours to activate on a new account, or from when first accessed. Give that a shot, then edit your question to show any more detailed information you find. In cost explorer change "group by" to "usage type" to get more useful information.

19GB is a fair bit of data for a new Wordpress website to use. I run a website with five Wordpress websites and a reviews website, plus a few other things, in December I used < 5GB of bandwidth. I would be looking in CloudWatch at bandwidth graphs to see when it's happening. You could also use VPC Flow Logs, but they're extremely verbose and difficult to read. It could be that your server / software was compromised as soon as it was set up - AWS Inspector can help work that out, and AWS Guard Duty can help as well.

As of late 2021, all AWS users get 100GB of free egress bandwidth across all services, plus 1TB egress from CloudFront (blog link). The CF pricing page says bandwidth from EC2 / S3 / ALB to CloudFront is free, so you'd be best off using CloudFront for the 1TB bandwidth allowance.

Here's a cost explorer graph from my account, slightly cut off.

Devanarayanan
Cost Explorer hasn't fully loaded. This is a new account. Now the usage has gone up to 52GB.
Devanarayanan
Checked the Cost Explorer. It's billed for APS3-DataTransfer-Regional-Bytes.
Devanarayanan
"The amount of data transferred from Amazon S3 to AWS resources within the same AWS Region". Got this definition, but can't understand where.
Appleoddity
@Devanarayanan make sure you are looking for resources in the right region. At the top of the AWS UI you can select your region. If you have selected Ohio for instance, you will not see resources in Virginia. Try to confirm where the resources are that you are being billed for. You may not realize you have something in another region. And I repeat, this type of inquiry can be sent to AWS through their support portal and they can assist.