Portfolio Cost Controls

Problem

A portfolio should be easy for reviewers to explore, but public endpoints can create cost risk. Cost control has to be part of the design before interactive demos go live.

Current controls

• Static content stays on S3 and CloudFront.
• Cost-bearing demos require Cognito sign-in and API Gateway JWT authorization.
• Registration is restricted to the owner email and @amazon.com reviewer addresses.
• API Gateway applies a small shared throttle to the portfolio backend.
• DynamoDB stores per-user daily quota counters with TTL cleanup.
• S3 demo objects expire automatically after two days.
• Presigned upload and download links expire in minutes.
• Lambda functions use small memory sizes and short timeouts.
• SES remains sandboxed because the contact form only sends to a verified private inbox.

Current limits

• Dead Drop: 2 MB files and three reviewer uploads per day.
• Background remover: 1 MB PNG files, one million pixels, and three reviewer runs per day.
• Warehouse simulator: 25 package events per run and three reviewer runs per day.
• Single-table inventory: capped stock deltas, short-lived records, and three reviewer actions per day.
• Prompt cost guard: 4,000-character prompt cap, no paid model invocation, and three reviewer estimates per day.
• Edge latency probe: eight tiny samples per run and three reviewer probes per day.
• DR pattern selector: one DynamoDB plan record per run and no always-on multi-region infrastructure.
• Telemetry counter: aggregate-only DynamoDB records with no visitor identity storage.
• Contact form: honeypot, validation, message-size cap, and daily client rate limiting.

Tradeoff

I attempted to reserve Lambda concurrency for the demo function, but the account did not have enough unreserved concurrency headroom for that setting. The deployed control set still bounds spend through authentication, quotas, file-size caps, API throttles, lifecycle cleanup, and short-lived access links.