
How to Analyze High Data Transfer Out of your Nginx Web Server on AWS

 

Step 1: See Who’s Downloading the Data

Check Your Web Server Access Logs:

sudo awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head

This shows the top IPs hitting your site. Note: you may get an "invalid char '▒' in expression" error when you copy the above command. If so, delete the quotes around the {print $1} statement and retype them as plain single quotes.

 

grep <IP> /var/log/nginx/access.log | head

to see what they’re downloading (images, videos, API endpoints, etc.).

Look for:

  • Same IP requesting the same file repeatedly

  • Bots (e.g. curl, wget, Python-requests, Googlebot, etc.)

  • File extensions like .zip, .mp4, .iso, etc.
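
Request counts can hide the client that moves the most data, so the following added example (not part of the original article) totals response bytes per client IP and per request path. It assumes Nginx's default combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank clients and paths by response bytes, not request count.
# Assumes the default nginx "combined" log_format.

# sum_bytes KEY LOGFILE: print "<total_bytes> <requests> <key>" lines, largest
# total first. KEY is "ip" (client address) or "path" (request path).
sum_bytes() {
  awk -F'"' -v key="$1" '
    {
      # Splitting on the double quote keeps fields aligned even when the
      # request line is empty or malformed (nginx escapes embedded quotes).
      split($1, pre, " ")        # pre[1]  = $remote_addr
      n = split($2, req, " ")    # req[2]  = request URI, if present
      split($3, post, " ")       # post[2] = $body_bytes_sent
      if (post[2] !~ /^[0-9]+$/) next   # not a combined-format line
      uri = (n >= 2) ? req[2] : "(malformed)"
      sub(/\?.*/, "", uri)       # group by path, ignoring the query string
      k = (key == "path") ? uri : pre[1]
      bytes[k] += post[2]; hits[k]++
    }
    END { for (k in bytes) printf "%.0f %d %s\n", bytes[k], hits[k], k }
  ' "$2" | sort -k1,1nr -k3,3
}

top_ips_by_bytes()   { sum_bytes ip   "$1" | head -n "${2:-10}"; }
top_paths_by_bytes() { sum_bytes path "$1" | head -n "${2:-10}"; }

# Constructed sample log (documentation-range IPs, made-up requests).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /downloads/backup.zip HTTP/1.1" 200 52428800 "-" "curl/8.5.0"
203.0.113.7 - - [10/Oct/2025:13:56:02 +0000] "GET /downloads/backup.zip?src=mail HTTP/1.1" 200 52428800 "-" "curl/8.5.0"
198.51.100.23 - - [10/Oct/2025:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2025:13:56:11 +0000] "GET /img/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2025:13:56:12 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2025:13:57:00 +0000] "" 400 0 "-" "-"
EOF

echo "Top clients by bytes (bytes requests ip):"
top_ips_by_bytes "$SAMPLE_LOG" 5
echo "Top paths by bytes (bytes requests path):"
top_paths_by_bytes "$SAMPLE_LOG" 5
```

On a real server, pass /var/log/nginx/access.log (run with sudo if needed) instead of the sample file.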

Step 2: Monitor Real-Time Connections

sudo netstat -tunap | grep ESTABLISHED

or

sudo lsof -i -n -P

to see open connections and which process is sending data.

sudo tail -f /var/log/nginx/access.log | grep 122.192

to monitor the Nginx access log in real time and show only lines where the client IP contains 122.192.

Step 4: Check for Malware or Unauthorized Access

  • Run a quick scan with ClamAV:
  • Check for suspicious processes:
    • ps aux --sort=-%cpu | head

 

Step 5: Reduce or Block Unintended Downloads

| Action | How |
|---|---|
| Block bad IPs | Add to /etc/nginx/conf.d/deny.conf: deny 1.2.3.4; |
| Limit download rate | In Nginx: limit_rate 100k; per location |
| Enable CloudFront CDN | Serve static assets from CDN → reduces EC2 data out |
| Restrict Access | Use security group rules to allow inbound only on ports 80/443 |
| Add robots.txt | Tell crawlers not to fetch large directories |
| Add authentication | Require login or signed URLs for file downloads |

 

Step 6: Add AWS Monitoring & Alerts

  • CloudWatch Metrics

    • In EC2 → Monitoring tab → check NetworkOut.

    • Set an alarm if outbound exceeds your expected daily baseline.

  • AWS Budget Alert

    • Go to Billing → Budgets → Create a budget → Data transfer cost alert.

  • VPC Flow Logs

    • Enable on the instance’s subnet.

    • Analyze for large outbound flows (bytes > 1e7).

 
