build.allanninal.dev

Part 6 of 7 · Backup sentinel series ~3 min read

What the backup sentinel costs

The sentinel is one of the cheapest systems in this whole series. Each check reads a small job list from S3, looks at each job’s latest evidence, does a little date-and-size arithmetic, writes a few rows to DynamoDB, and posts a message to Slack only when something actually changed. It calls no model on the check. Bedrock fires once a day for the plain-English summary. At typical SMB volume, the bill is a couple of dollars a month, fixed cost essentially zero.

Key takeaways

  • Around $1.50/month at typical SMB volume (around 30 jobs checked a few times a day).
  • Fixed AWS cost is essentially zero. No always-on compute, no NAT Gateway, no API Gateway.
  • Each check costs pennies — no model calls.
  • Bedrock fires once a day for the summary; that’s the only model cost.
  • At 60 jobs the bill is around $4. At 200 jobs checked hourly it’s around $10.

Cost at three volumes

Monthly cost at three job volumes, broken out by component A horizontal stacked-bar chart showing monthly cost in US dollars at three job volumes and check frequencies. The leftmost bar represents 30 jobs checked a few times a day and shows a total around $1.50, dominated by the everything-else slice (Lambda, DynamoDB, S3, EventBridge Scheduler, CloudWatch) with a tiny sliver for Bedrock and a tiny sliver for SES. The middle bar represents 60 jobs checked hourly and shows a total around $4, with the same shape — the everything-else slice grows roughly linearly with the number of checks because each check still reads every job. The rightmost bar represents 200 jobs checked hourly and shows a total around $10, with everything-else still dominant; Bedrock stays small in absolute terms because it only fires once a day for the summary, and SES stays small because it only carries forwarded reports and the occasional email-fallback alert. Below the chart is a legend explaining the four sections of each bar: Bedrock (daily summary only), SES (forwarded reports and email-fallback alerts), AWS Budgets and Secrets Manager (small fixed amounts), and an everything-else bucket for Lambda runtime, DynamoDB on-demand, S3, EventBridge Scheduler, and CloudWatch. A note at the bottom: the scheduled check is the dominant cost, and even that is fractions of a cent per job per check. $0 $5 $10 $15 $20 30 jobs ~$1.50 60 jobs ~$4 200 jobs ~$10 Bedrock (daily plain-English summary) SES (forwarded reports + email alerts) AWS Budgets + Secrets Manager (fixed) Everything else (Lambda, DDB, S3, Scheduler, CloudWatch) The scheduled check is the dominant cost — and even that is fractions of a cent per job per check.
Fig 6. Monthly cost at three job volumes. Bedrock and SES are small slivers because Bedrock only fires for the daily summary and SES only carries forwarded reports and email-fallback alerts. The dominant cost is the everything-else bucket: each scheduled check reading every job.

Where the dollars actually go

Lambda runtime (the bulk). The checker runs on a schedule. Each run reads the job list from S3, and for each job gathers its latest evidence (a small S3 listing, a report, or a heartbeat lookup), computes whether it’s finished, recent, and the right size, and decides on a state. At 30 jobs a few times a day, that’s a few hundred milliseconds per run. At 200 jobs checked hourly it’s a couple of seconds per run, twenty-four times a day. Either way it’s pennies a month. Add the dispatch Lambda firing only on state changes, the Function URL Lambda for the buttons and heartbeats, and the drive-sync Lambda every fifteen minutes — the Lambda total still lands under a couple of dollars at all three volumes.

DynamoDB on-demand. Two small tables: bk-state and bk-audit. Reads are dominant during each check (one read per job per check). Writes are state changes and audit rows. Pennies a month at any of these volumes.

S3 + Storage. The mirrored job-list CSV plus the raw forwarded reports. A few hundred KB total at SMB volume. Effectively free. (The backups themselves live wherever you already keep them — the sentinel only reads listings and sizes, it doesn’t copy your data.)

EventBridge Scheduler. The check schedule plus the occasional deferred-dispatch one-off from quiet-hours and holiday gates. A handful of invocations a day. Pennies.

SES. Inbound for the forwarding lane: $0.10 per thousand received messages (so cents a year for an SMB). Outbound for email-fallback alerts and the daily summary: $0.10 per thousand sent. Both are negligible at this scale.

Bedrock (only the daily summary). The check uses no Bedrock. Once a day, a single Haiku 4.5 call turns the day’s green/warn/alert states into one calm paragraph: a few hundred input tokens (the state list) and a few hundred output tokens. A fraction of a cent per day, so cents a month at any volume. There is no PDF parsing and no Textract in this system — backup reports are short emails, not scanned documents, so a plain model read is all it needs.

What doesn’t cost money

  • API Gateway. Replaced by Lambda Function URLs for the heartbeat and button endpoints.
  • NAT Gateway. Nothing is in a VPC. No NAT, no $32/month minimum.
  • Always-on compute. No EC2, no Fargate. The checker sleeps between runs.
  • A Knowledge Base. The job list is structured rows, not free text — deterministic lookup beats vector search here. No embeddings, no Knowledge Base, no S3 Vectors needed.
  • Models on the check. The decision on every check is plain Python. Bedrock fires only once a day for the summary.
  • Storing your backups. The sentinel reads where your backups already live; it never copies or re-stores them, so it adds no backup-storage bill.

How the cost scales

Lambda runtime grows with the number of checks — jobs times how often you check them — because every job is evaluated on every run. DynamoDB grows the same way. Bedrock is flat: one summary a day regardless of how many jobs you watch. SES is tied to how many reports you forward and how often you fall back to email, not to job count. So the bill at 500 jobs checked hourly is around $22; at 1,000 it’s around $45. Past those volumes you’d slow the check cadence for jobs that only run weekly (no point checking an 8-day job every hour), which flattens the curve again — an optimization, not a redesign.

Set an AWS Budgets alarm at $15/month so anything unusual pages you before the bill matters. The sentinel’s normal-volume bill stays well under that ceiling.

Last post in the series: the engineering reference. Same system, drawn for engineers — service names, Lambda inventory, IAM scopes, DynamoDB schemas, SES rule set, and EventBridge Scheduler config.

All posts