[Disclosure] I'm Co-Founder and CEO of a company named http://vantage.sh/ that helps developers track and reduce cloud costs - I also previously worked at both AWS and DigitalOcean.
We hear about this all the time from AWS customers and it's a large reason why people connect their account to Vantage, which will help alert you if costs change intra-month. The first $2,500 in AWS costs per month are tracked for free so I thought I'd mention this here for potentially being helpful to the community.
If you don't want to remember to set up billing alerts, we provide basically a turn-key experience around this that takes less than a few minutes to set up: http://vantage.sh/
The list of permissions is a whittled down version of what's available in the AWS managed policy of "ReadOnlyAccess" and doesn't allow us to do things like read from S3 Buckets or read from RDS instances. Basically just List/Describe actions.
IAM permissions are written about more here in our documentation and are ultimately handled gracefully if you want to remove some. For example, if you just want to hand Vantage access to billing, S3 and EC2, it will do the job as best it can with just those permissions: https://docs.vantage.sh/permissions/