Generic AWS cost content tells you to right-size EC2, buy Savings Plans, and clean up unattached EBS volumes. Fine. Health tech workloads have a specific shape, though. Long-running services, encryption everywhere, audit logs forever, dev environments that mirror prod for compliance. That shape creates waste patterns the standard checklists don't catch.

Pattern 1: KMS request charges from over-encrypted small objects.

The instinct is correct. Encrypt everything with customer-managed KMS keys for HIPAA. The implementation usually isn't. I see teams encrypting every individual log line, every small JSON blob, every queue message with separate KMS calls. KMS charges $0.03 per 10,000 requests. That sounds cheap until you're making 80 million requests a month from a CloudWatch Logs setup that's encrypting line-by-line.

The fix: use S3 Bucket Keys for objects. This cuts KMS calls by roughly 99% on high-volume buckets. For CloudWatch Logs, encrypt the log group once, not the individual events. Typical savings: $200 to $600 a month on mid-size workloads.
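As an added example (not the author's tooling), the following Python script does the Bucket Key check and the KMS request math described above. It works on the dict shape that boto3's `s3.get_bucket_encryption()` and `put_bucket_encryption()` use, so the audit runs offline against a constructed fake client; the bucket names, the example key ARN and the account ID are made up. Swap in `boto3.client("s3")` to run it against a real account.

```python
"""S3 Bucket Key audit for SSE-KMS buckets, plus the KMS request math from the post.

Added example, not the author's tooling. Works on the dict shape that boto3's
s3.get_bucket_encryption() returns, so it runs offline against the fake client
at the bottom; pass boto3.client("s3") instead to audit a real account.
"""
from typing import Iterable, List

KMS_PRICE_PER_10K_REQUESTS = 0.03   # USD, the figure quoted in the post
BUCKET_KEY_REDUCTION = 0.99         # "roughly 99%" fewer KMS calls, per the post


def kms_request_cost(requests_per_month: int) -> float:
    """Monthly KMS request charge for a given request volume."""
    return round(requests_per_month / 10_000 * KMS_PRICE_PER_10K_REQUESTS, 2)


def bucket_key_savings(requests_per_month: int) -> float:
    """Monthly amount a Bucket Key would remove if it cuts calls by BUCKET_KEY_REDUCTION."""
    return round(kms_request_cost(requests_per_month) * BUCKET_KEY_REDUCTION, 2)


def needs_bucket_key(encryption_config: dict) -> bool:
    """True if a default-encryption rule uses SSE-KMS without BucketKeyEnabled.

    `encryption_config` is the ServerSideEncryptionConfiguration dict from
    get_bucket_encryption(). SSE-S3 (AES256) rules never call KMS, so they are ignored.
    """
    for rule in encryption_config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and not rule.get("BucketKeyEnabled", False):
            return True
    return False


def bucket_key_config(kms_key_arn: str) -> dict:
    """Default-encryption config that keeps the customer-managed key and turns on Bucket Keys.

    Pass it as ServerSideEncryptionConfiguration= to s3.put_bucket_encryption(Bucket=...).
    Objects already in the bucket are not re-encrypted; only new writes use the Bucket Key.
    """
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_arn,
                },
                "BucketKeyEnabled": True,
            }
        ]
    }


def audit(s3, bucket_names: Iterable[str]) -> List[str]:
    """Return the buckets whose default SSE-KMS encryption lacks a Bucket Key.

    `s3` only needs a get_bucket_encryption(Bucket=...) method, so a boto3 client
    or the FakeS3 below both work.
    """
    flagged = []
    for name in bucket_names:
        resp = s3.get_bucket_encryption(Bucket=name)
        if needs_bucket_key(resp["ServerSideEncryptionConfiguration"]):
            flagged.append(name)
    return flagged


# Constructed sample responses (example key ARN and account ID, not a real account).
EXAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_BUCKETS = {
    "phi-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": EXAMPLE_KEY},
         "BucketKeyEnabled": False}]}},
    "app-logs": {"ServerSideEncryptionConfiguration": bucket_key_config(EXAMPLE_KEY)},
    "static-assets": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
}


class FakeS3:
    """Stand-in for boto3.client("s3") that serves the constructed responses above."""

    def get_bucket_encryption(self, Bucket):
        return SAMPLE_BUCKETS[Bucket]


if __name__ == "__main__":
    for b in audit(FakeS3(), SAMPLE_BUCKETS):
        print(f"{b}: SSE-KMS without Bucket Key; apply bucket_key_config()")
    print(f"80M requests/month costs ${kms_request_cost(80_000_000)}; "
          f"Bucket Keys would save about ${bucket_key_savings(80_000_000)}")
```

One caveat worth keeping in mind when you enable the Bucket Key: it changes the key material path for new objects only, so the CloudTrail KMS request volume drops as old objects stop being read and new ones are written, not instantly. For the CloudWatch Logs side, the equivalent one-time call is `logs.associate_kms_key(logGroupName=..., kmsKeyId=...)` on the log group, not per-event encryption.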

Pattern 2: Multi-AZ RDS where you don't need it, and single-AZ where you do.

Every health tech team I audit either has Multi-AZ on dev environments where it's just doubling cost for no real benefit, or single-AZ on a production database holding PHI where a failover is part of their stated DR plan. Both are wrong, in opposite directions.

The fix: Multi-AZ on production databases with PHI, period. Both for availability and because most BAA-eligible architectures assume it. Single-AZ on dev and staging unless there's a specific reason. Expected savings on a typical audit: $300 to $1,200 a month, plus the dev environment becomes more honest about what production actually costs.
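An added example (not the author's audit script) that turns the rule above into a check over the `DBInstance` dicts that boto3's `rds.describe_db_instances()` returns. The tag conventions are my assumptions, not AWS's: `Environment=prod|staging|dev|...`, `DataClassification=PHI`, and a `MultiAZReason` tag that marks a non-production instance which needs Multi-AZ on purpose (the "specific reason" the post allows). The sample instances are constructed.

```python
"""Flag RDS instances whose Multi-AZ setting contradicts their environment.

Added example, not the author's audit script. Reads the DBInstance dicts from
boto3's rds.describe_db_instances() (MultiAZ flag plus TagList). Tag names below
are assumed conventions: Environment, DataClassification=PHI, MultiAZReason.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

PROD_ENVS = {"prod", "production"}
NON_PROD_ENVS = {"dev", "development", "staging", "stage", "test", "qa"}


@dataclass
class Finding:
    db: str
    issue: str
    action: str


def tags_of(instance: dict) -> dict:
    """Collapse the TagList [{Key, Value}, ...] into a plain dict."""
    return {t["Key"]: t["Value"] for t in instance.get("TagList", [])}


def check_instance(instance: dict) -> Optional[Finding]:
    """Apply the post's rule: Multi-AZ on prod PHI, single-AZ on dev/staging."""
    name = instance["DBInstanceIdentifier"]
    tags = tags_of(instance)
    env = tags.get("Environment", "").lower()
    multi_az = bool(instance.get("MultiAZ", False))
    holds_phi = tags.get("DataClassification", "").upper() == "PHI"

    if env in PROD_ENVS and holds_phi and not multi_az:
        return Finding(name, "production PHI database is single-AZ",
                       "aws rds modify-db-instance --multi-az --apply-immediately")
    if env in NON_PROD_ENVS and multi_az and "MultiAZReason" not in tags:
        return Finding(name, "non-production database is paying for Multi-AZ",
                       "aws rds modify-db-instance --no-multi-az (or add a MultiAZReason tag)")
    if env not in PROD_ENVS and env not in NON_PROD_ENVS:
        return Finding(name, f"Environment tag missing or unrecognised ({env!r})",
                       "tag the instance so the rule can classify it")
    return None


def audit(instances: Iterable[dict]) -> list[Finding]:
    """Run check_instance over DBInstance dicts and keep the findings."""
    findings = []
    for inst in instances:
        f = check_instance(inst)
        if f is not None:
            findings.append(f)
    return findings


def fetch_instances(rds) -> list[dict]:
    """Page through describe_db_instances with a real boto3 RDS client."""
    out: list[dict] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        out.extend(page["DBInstances"])
    return out


# Constructed sample, shaped like describe_db_instances()["DBInstances"].
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "ehr-prod", "MultiAZ": False,
     "TagList": [{"Key": "Environment", "Value": "prod"},
                 {"Key": "DataClassification", "Value": "PHI"}]},
    {"DBInstanceIdentifier": "ehr-dev", "MultiAZ": True,
     "TagList": [{"Key": "Environment", "Value": "dev"}]},
    {"DBInstanceIdentifier": "ehr-staging", "MultiAZ": True,
     "TagList": [{"Key": "Environment", "Value": "staging"},
                 {"Key": "MultiAZReason", "Value": "failover drills"}]},
    {"DBInstanceIdentifier": "legacy-reporting", "MultiAZ": False, "TagList": []},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INSTANCES):
        print(f"{f.db}: {f.issue} -> {f.action}")
```

The untagged case is reported on purpose: an instance the rule cannot classify is usually the one nobody owns, and that is where both kinds of mistake hide. Converting a production instance to Multi-AZ with `--apply-immediately` causes a brief I/O suspension while the standby is built, so schedule it.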

Pattern 3: CloudWatch Logs ingestion and retention that nobody has touched since the account opened.

Default CloudWatch Logs retention is "Never expire." Default. So most accounts have four years of debug-level application logs from services that no longer exist, sitting in Standard tier. CloudWatch Logs ingestion is $0.50 per GB and storage is $0.03 per GB-month. At a typical 50-person health tech company, I find $400 to $900 a month of pure waste here.

The fix: set a default retention policy on every log group. Ninety days for app logs, one year for security-relevant logs, six years for HIPAA-required audit logs only. Not everything. For the historical waste, export to S3 Glacier Deep Archive at $0.00099 per GB-month and delete the CloudWatch copy. The HIPAA retention requirement is satisfied either way. The cost difference is 30x.
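The retention plan above as an added Python example (not the author's script). It works on the dict shape boto3's `logs.describe_log_groups()` returns and calls the real `logs.put_retention_policy(logGroupName=, retentionInDays=)` API, but takes any client object so it can be dry-run offline against the fake client included. The naming rules are assumptions: groups whose name contains "audit" or starts with `/aws/cloudtrail` get the six-year tier, "security"/GuardDuty/WAF/flow-log groups get one year, everything else 90 days. The sample log groups and sizes are constructed.

```python
"""Plan and apply CloudWatch Logs retention the way the post prescribes.

Added example, not the author's script. Naming rules are assumed conventions.
Works on boto3's describe_log_groups() dict shape; apply() takes any object with
put_retention_policy(logGroupName=, retentionInDays=), so it dry-runs offline.
"""
from __future__ import annotations

from typing import Iterable

# Values PutRetentionPolicy accepts, per the API reference; anything else is rejected.
VALID_RETENTION_DAYS = (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
                        1000, 1096, 1827, 2000, 2192, 2557, 2922, 3288, 3653)

RETENTION_APP_DAYS = 90        # ninety days for app logs
RETENTION_SECURITY_DAYS = 365  # one year for security-relevant logs
RETENTION_AUDIT_DAYS = 2192    # six years (the allowed value closest to 6 x 365) for HIPAA audit logs

CW_STANDARD_PER_GB_MONTH = 0.03       # CloudWatch Logs Standard storage, per the post
DEEP_ARCHIVE_PER_GB_MONTH = 0.00099   # S3 Glacier Deep Archive, per the post
GB = 1024 ** 3                        # assumption: a billing GB treated as 1024^3 bytes

AUDIT_MARKERS = ("/aws/cloudtrail", "audit")                       # assumed naming convention
SECURITY_MARKERS = ("security", "/aws/guardduty", "waf", "/aws/vpc/flow")


def retention_for(log_group_name: str) -> int:
    """Pick the retention tier from the group name (assumed naming convention)."""
    name = log_group_name.lower()
    if any(m in name for m in AUDIT_MARKERS):
        days = RETENTION_AUDIT_DAYS
    elif any(m in name for m in SECURITY_MARKERS):
        days = RETENTION_SECURITY_DAYS
    else:
        days = RETENTION_APP_DAYS
    assert days in VALID_RETENTION_DAYS  # guard against a typo in the constants above
    return days


def monthly_storage_cost(stored_bytes: int, price_per_gb_month: float) -> float:
    """Storage cost per month for a given byte count at a per-GB-month price."""
    return round(stored_bytes / GB * price_per_gb_month, 4)


def plan(groups: Iterable[dict]) -> list[dict]:
    """Decide the target retention for each describe_log_groups entry and size the waste.

    A missing retentionInDays key means "Never expire", the default the post calls out.
    """
    items = []
    for g in groups:
        target = retention_for(g["logGroupName"])
        current = g.get("retentionInDays")      # None means never expire
        stored = g.get("storedBytes", 0)
        items.append({
            "logGroupName": g["logGroupName"],
            "current": current,
            "target": target,
            "change": current != target,
            "cw_cost": monthly_storage_cost(stored, CW_STANDARD_PER_GB_MONTH),
            "deep_archive_cost": monthly_storage_cost(stored, DEEP_ARCHIVE_PER_GB_MONTH),
        })
    return items


def apply(logs, items: Iterable[dict], dry_run: bool = True) -> list[tuple[str, int]]:
    """Set retention on every group that needs a change; returns what was (or would be) set."""
    applied = []
    for it in items:
        if not it["change"]:
            continue
        if not dry_run:
            logs.put_retention_policy(logGroupName=it["logGroupName"], retentionInDays=it["target"])
        applied.append((it["logGroupName"], it["target"]))
    return applied


# Constructed sample shaped like describe_log_groups()["logGroups"].
SAMPLE_GROUPS = [
    {"logGroupName": "/ecs/patient-api", "storedBytes": 120 * GB},                    # never expire
    {"logGroupName": "/aws/lambda/retired-billing-worker", "storedBytes": 400 * GB},  # never expire
    {"logGroupName": "/aws/cloudtrail/org-trail", "storedBytes": 30 * GB, "retentionInDays": 2192},
    {"logGroupName": "/ecs/auth-security-events", "storedBytes": 10 * GB, "retentionInDays": 90},
]


class FakeLogs:
    """Records put_retention_policy calls instead of calling AWS."""

    def __init__(self):
        self.calls = []

    def put_retention_policy(self, logGroupName, retentionInDays):
        self.calls.append((logGroupName, retentionInDays))


if __name__ == "__main__":
    items = plan(SAMPLE_GROUPS)
    for it in items:
        print(f"{it['logGroupName']}: {it['current']} -> {it['target']} "
              f"(${it['cw_cost']}/mo in CloudWatch vs ${it['deep_archive_cost']}/mo in Deep Archive)")
    print("would set:", apply(FakeLogs(), items, dry_run=True))
```

Order matters here: setting retention on a group deletes events older than the window, so export the historical data first. The export is a separate step, `logs.create_export_task(...)`, which writes to an S3 bucket in its default storage class; the Deep Archive pricing comes from a lifecycle rule on that bucket, and only one export task per account can be active at a time, so a backlog of large groups takes a while to drain.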

These three patterns alone usually account for $1,000 to $2,500 a month of the savings I find on a typical 30 to 60 person health tech audit. The rest comes from EC2 and Fargate sizing, NAT Gateway data transfer (a topic for another issue), and Savings Plan strategy.

If your AWS bill is climbing faster than your headcount, the 2-week Transivone audit identifies and quantifies the savings before you commit to anything. 20% guaranteed or no charge.

— Manan
