8 min read · By Vijay Amin

AWS FinOps Agent: How to Cut Your AWS Bill with Amazon's New Agent

Tags: AWS · FinOps · AI Agents · Bedrock · Cost Optimization

The AWS FinOps Agent is a Bedrock-powered AI agent that AWS launched in preview in June 2026 to audit your AWS billing data, identify cost-optimization opportunities and propose specific remediation actions — right-sizing recommendations, idle-resource removal, Savings Plan and Reserved Instance purchase suggestions, storage-tier transitions. It runs in your AWS account, reads your Cost Explorer and CloudWatch data, and posts findings as structured Bedrock agent traces. For typical mid-market AWS workloads, the FinOps Agent identifies 60–75% of the savings a human FinOps consultant would surface — and it does so continuously, not just once during a review engagement.

This guide breaks down what the AWS FinOps Agent does, what it misses (still significant), how to combine it with engineering judgment for the full 30–40% bill cuts most accounts carry as waste, and when to deploy it inside your AWS account vs delegating cost work to a human team.

What the AWS FinOps Agent actually does

The FinOps Agent runs as a Bedrock agent inside your AWS account, scoped to read Cost Explorer, CloudWatch metrics, AWS Compute Optimizer, AWS Trusted Advisor and AWS Cost Optimization Hub. It surfaces five categories of finding: right-sizing recommendations (instances over-provisioned for actual utilisation), idle and orphaned resources (unattached EBS volumes, old snapshots, unused Elastic IPs, idle Load Balancers), pricing-model opportunities (workloads suitable for Savings Plans, Reserved Instances or Spot), storage tier transitions (S3 Standard data that hasn't been accessed in 30+ days), and configuration anti-patterns (NAT Gateway over-use, cross-AZ traffic, unoptimised CloudFront cache rules).

Each finding ships with a structured remediation proposal — the specific CLI command, Terraform diff, or CloudFormation change that would implement the fix. The agent does NOT auto-apply changes; every action is gated on human approval. AWS positions this explicitly: the FinOps Agent is a research-and-proposal layer, not an autonomous cost-cutter.

Typical cost-saving findings — what to expect

AWS FinOps Agent — typical findings on a mid-market AWS account

| Category | Typical share of identified savings | Confidence of recommendation |
| --- | --- | --- |
| Right-sizing (over-provisioned compute) | 30–45% | High — backed by CloudWatch utilisation data |
| Savings Plans / Reserved Instances | 20–30% | High — easy to model on Cost Explorer history |
| Idle and orphaned resources | 10–15% | Very high — black-and-white |
| Storage tier transitions | 8–15% | Medium — depends on access pattern data |
| Spot adoption for non-critical workloads | 5–10% | Low — requires application-level review |
| Network and traffic optimisations | 2–8% | Medium — easy to identify, harder to fix |

What the FinOps Agent misses

The FinOps Agent is excellent at infrastructure-level waste (the categories above). It systematically misses three areas where the largest savings often live, and which still require engineering judgment.

  • Architectural overspend — choosing the wrong service entirely (e.g. running batch on EC2 when AWS Batch + Spot is 10x cheaper, or using NAT Gateway when VPC Endpoints would save thousands per month). The agent optimises within your current architecture; it doesn't propose architectural rewrites.
  • Application inefficiency — bloated container images, N+1 database queries hitting RDS at scale, missing caching layers, unbatched API calls to expensive services. These show up as 'high RDS bill' or 'high Bedrock spend' but the root cause is code, not configuration.
  • Multi-account governance — Landing Zone misconfigurations, cross-account data transfer, dev/staging environments left running 24/7 without auto-shutdown, untagged costs allocated to the wrong team. The agent works per-account; the architectural picture lives across accounts.

Deploy strategy — how we recommend using it

The right model for most teams: deploy the FinOps Agent for continuous infrastructure-level cost surveillance, then run a quarterly engineering-led FinOps review for the architectural and application-level wins the agent can't see. This combination captures 90–95% of available savings — typically 30–40% of the bill on accounts that haven't had a FinOps pass before.

  • Step 1 — Enable AWS Cost Optimization Hub in your management account. Agent prerequisite.
  • Step 2 — Deploy the FinOps Agent in each member account with read-only IAM (no execute scope). Start with the agent posting findings to a Slack channel or Jira queue.
  • Step 3 — Triage findings weekly. Approve the obvious right-sizing and idle-resource cleanup with one click; defer the structural recommendations to your engineering team.
  • Step 4 — Run a quarterly Well-Architected + FinOps review focused on architectural and application-level overspend the agent can't see.
  • Step 5 — Bake learnings into infrastructure-as-code so future deployments don't repeat the same waste.
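One way to check the "read-only IAM (no execute scope)" requirement in Step 2 before attaching a policy to the agent's role. This is an added example, not code from AWS or from the original article; the sample policy is constructed, and the list of read-style action prefixes is an assumption to tune per service.

```python
import json

# Action-name prefixes this example treats as read-only (an assumption, tune per service).
READ_PREFIXES = ("get", "list", "describe", "batchget", "search")

# Constructed sample policy for a hypothetical agent role; not a policy published by AWS.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ce:GetCostAndUsage", "cloudwatch:GetMetricData",
                "compute-optimizer:Get*", "ec2:Describe*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DeleteVolume", "s3:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "iam:*"}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True only when the pattern cannot match anything but read-style operations."""
    if ":" not in action:
        return False  # a bare "*" or a malformed entry
    name = action.split(":", 1)[1].lower()  # IAM action names are case-insensitive
    literal = name.split("*", 1)[0].split("?", 1)[0]  # text before the first wildcard
    return literal.startswith(READ_PREFIXES)

def find_write_grants(policy):
    """Return (statement_index, action) for each Allow grant that is not provably read-only."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append((i, "NotAction"))  # allows everything except the listed actions
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.append((i, action))
    return findings

if __name__ == "__main__":
    for index, action in find_write_grants(SAMPLE_POLICY):
        print(f"statement {index}: {action} is outside read-only scope")
```

A wildcard such as `ec2:De*` is flagged because it can expand to `DeleteVolume` as well as `Describe*`. Read-style actions can still expose sensitive data, so scope `Resource` as well as `Action`.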

Frequently asked questions

How much does the AWS FinOps Agent cost?

In preview (June 2026): no per-feature charge. You pay only for the underlying Bedrock model usage (typically $30–$200/month per account depending on findings volume and which model the agent uses — Claude Sonnet on Bedrock is the default). AWS has signalled standard Bedrock-agent pricing at GA but exact rates aren't published yet.

Is the FinOps Agent a replacement for a human FinOps consultant?

No — it's a multiplier, not a replacement. The agent surfaces 60–75% of the infrastructure-level findings a consultant would. The remaining 25–40% of savings — architectural overspend, application inefficiency, multi-account governance — still requires engineering judgment. Best practice in 2026: deploy the agent for continuous surveillance, engage humans for quarterly architectural reviews.

Does the FinOps Agent work across multi-account AWS Organizations?

Yes — deploy per member account with read scope, aggregate findings into the management account. We typically wire findings into a central Slack channel or Jira project for cross-account triage. AWS's own roadmap suggests a multi-account-aware mode in 2027, but for now you operate it per-account with central aggregation.

Can we customise what the FinOps Agent recommends?

Yes — the agent is built on Bedrock AgentCore so you can extend its tool definitions to include custom finders (e.g. 'flag all RDS instances in dev environments running 24/7' or 'detect NAT Gateway costs above $100/account/month'). Custom finders typically take 1–2 days of engineering each. We deliver these as part of FinOps engagements.

How does this compare to AWS Trusted Advisor or Cost Optimization Hub?

Trusted Advisor and Cost Optimization Hub are static rule-based checkers — they produce a fixed list of findings. The FinOps Agent reads the same underlying data plus CloudWatch utilisation, plus your Cost Explorer history, and generates structured recommendations with remediation proposals. It also runs continuously and explains findings in natural language. Trusted Advisor is still useful as a baseline; the agent is the active layer on top.

Can the FinOps Agent auto-apply changes?

By default, no — every change is gated on human approval. You can configure it to auto-execute low-risk findings (idle resource cleanup, snapshot deletion) if you trust the categorisation, but we recommend keeping the approval step for at least the first 60 days while you calibrate confidence in the agent's recommendations.
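If you do enable auto-execution for the low-risk categories named above, treat each agent-proposed CLI command as untrusted input and allow only an exact, allowlisted shape to run unattended. The gate below is an added example, not part of the FinOps Agent or the original article; the finding fields (`category`, `proposed_command`) and category names are hypothetical, and the sample findings are constructed.

```python
import re
import shlex

# Hypothetical finding categories mapped to the only CLI calls allowed to run unattended:
# "<service> <operation>" -> (required flag, resource-id prefix).
AUTO_APPLY = {
    "idle-resource": {
        "ec2 delete-volume": ("--volume-id", "vol"),
        "ec2 release-address": ("--allocation-id", "eipalloc"),
    },
    "snapshot-deletion": {"ec2 delete-snapshot": ("--snapshot-id", "snap")},
}
SHELL_META = set(";|&$`<>(){}\\\n")

def gate(finding):
    """Return 'auto' only for an exact allowlisted command, else 'needs-approval' or 'reject'."""
    cmd = finding.get("proposed_command", "")
    if SHELL_META & set(cmd):
        return "reject"  # agent output is untrusted input: no chaining or substitution
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return "reject"  # unbalanced quotes
    if len(argv) != 5 or argv[0] != "aws":
        return "needs-approval"
    rule = AUTO_APPLY.get(finding.get("category"), {}).get(f"{argv[1]} {argv[2]}")
    if rule is None:
        return "needs-approval"
    flag, prefix = rule
    if argv[3] != flag or not re.fullmatch(rf"{prefix}-[0-9a-f]{{8,17}}", argv[4]):
        return "needs-approval"
    return "auto"  # run argv as a list (no shell) under a role limited to these operations

# Constructed findings; the field names are assumptions, not the agent's documented schema.
SAMPLES = [
    {"category": "idle-resource",
     "proposed_command": "aws ec2 delete-volume --volume-id vol-0123456789abcdef0"},
    {"category": "right-sizing",
     "proposed_command": "aws rds modify-db-instance --db-instance-identifier dev-db "
                         "--db-instance-class db.t3.medium"},
    {"category": "idle-resource",
     "proposed_command": "aws ec2 delete-volume --volume-id vol-0123456789abcdef0 && "
                         "aws ec2 delete-snapshot --snapshot-id snap-0123456789abcdef0"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(gate(sample), "<-", sample["proposed_command"])
```

The gate validates only the shape of the command; whether the resource is actually idle still rests on the agent's categorisation, which is why the executing role should be separate from the agent's read-only role.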

Last updated June 19, 2026 · Written by Vijay Amin, iMagic Solutions.
