Cost Governance Guardrails
Overview
Cost governance ensures cloud spending stays within budget through proactive controls (prevent expensive resources) and reactive monitoring (alerts on spend thresholds).
```mermaid
graph TB
    subgraph Preventive["Preventive Controls"]
        SCP[Service Control Policies]
        Budget[Budget Actions]
        Quotas[Service Quotas]
    end
    subgraph Detective["Detective Controls"]
        CUR["Cost & Usage Reports"]
        Tags[Cost Allocation Tags]
        Alerts[Budget Alerts]
    end
    subgraph Actions["Actions"]
        Review[Cost Review]
        Optimize[Right-sizing]
        Reserved[Reserved Instances]
    end
    Preventive --> Actions
    Detective --> Actions
```
Cost Control Strategies
| Control | Type | Enforcement |
|---|---|---|
| SCPs | Preventive | Deny expensive instance types at the API (member accounts only; the management account is not affected) |
| Budgets | Detective | Alert at thresholds; Budget Actions can additionally apply a deny policy when a threshold is hit |
| Tags | Reporting | Cost allocation by team/project |
| Quotas | Preventive | Limit resource counts |
Best Practices
- Activate cost allocation tags - In the AWS Billing console; a user-defined tag cannot be used as a budget or Cost Explorer filter until it is activated, and activation is not retroactive
- Set budgets per environment - Different limits and alert recipients for dev/prod
- Block large instances in dev - SCP restrictions attached to the non-prod OU (SCPs do not apply to the management account)
- Use Spot/Savings Plans - Typically 50-70% off On-Demand with Savings Plans, up to 90% with Spot; Spot suits interruptible workloads only
- Monitor NAT Gateway costs - NAT is billed per hour and per GB processed; gateway endpoints for S3 and DynamoDB are free, interface endpoints have their own hourly and per-GB charge, so compare before switching
- Right-size regularly - Act on AWS Compute Optimizer recommendations
- Delete unused resources - Automated cleanup of unattached EBS volumes, idle Elastic IPs and stale snapshots
Example 1: Terraform - Budgets + Instance Restrictions
Budget alerts and SCP to block expensive instance types.
📁 Location: terraform/examples/cost-governance/
Key Features
```hcl
# AWS Budget with alerts, scoped to one environment by tag
resource "aws_budgets_budget" "monthly" {
  name         = "${local.name_prefix}-monthly-budget"
  budget_type  = "COST"
  limit_amount = var.monthly_budget_limit
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  # Filter value format is "user:<TagKey>$<TagValue>". format() is used
  # because "$${...}" inside an HCL string is the escape for a literal "${"
  # and does not interpolate, so "user:Environment$${var.environment}" would
  # filter on the literal text "${var.environment}" and match nothing.
  cost_filter {
    name   = "TagKeyValue"
    values = [format("user:Environment$%s", var.environment)]
  }

  # Actual month-to-date spend has passed 80% of the limit
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = var.budget_alert_emails
  }

  # Forecast for the month exceeds the limit
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = var.budget_alert_emails
  }
}

# SCP to block expensive instances in non-prod.
# Must be created from the Organizations management (or delegated admin) account.
resource "aws_organizations_policy" "deny_large_instances" {
  name        = "deny-large-instances-non-prod"
  description = "Deny creation of large EC2 instances in non-production"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyLargeInstances"
      Effect   = "Deny"
      Action   = "ec2:RunInstances"
      # ec2:InstanceType is only evaluated on the instance resource
      Resource = "arn:aws:ec2:*:*:instance/*"
      Condition = {
        StringLike = {
          # Deny-list of size suffixes. Sizes not listed here (for example
          # *.32xlarge, *.48xlarge, *.112xlarge and bare-metal *.metal) are
          # still allowed; either extend the list or switch to StringNotLike
          # with an explicit allow-list of permitted types.
          "ec2:InstanceType" = ["*.4xlarge", "*.8xlarge", "*.12xlarge", "*.16xlarge", "*.24xlarge"]
        }
      }
    }]
  })
}

# An SCP has no effect until it is attached; attach it to the non-prod OU only,
# so production accounts keep full access.
resource "aws_organizations_policy_attachment" "deny_large_instances_non_prod" {
  policy_id = aws_organizations_policy.deny_large_instances.id
  target_id = var.non_prod_ou_id # OU id of the non-production OU (ou-xxxx-xxxxxxxx)
}
```
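The SCP above is a deny-list of size suffixes, and the practical question is which instance types it actually stops. The following is an added example, not code from the page's terraform/examples/cost-governance/ module: a small offline evaluator for the IAM StringLike and StringNotLike operators, run against the page's deny-list policy and against a fail-closed allow-list variant (StringNotLike over the types you permit). It models only the ec2:InstanceType condition key; both policy documents and the instance-type list are constructed for the example.

```python
"""Offline evaluator for EC2 instance-type SCP conditions.

Added example, not code from the page's terraform/examples/cost-governance/
module. Models a Deny statement on ec2:RunInstances with a StringLike or
StringNotLike condition on ec2:InstanceType, and reports which instance
types would still be allowed to launch.
"""
import re


# IAM StringLike semantics: '*' matches any run of characters, '?' matches one,
# comparison is case-sensitive; brackets have no special meaning (unlike fnmatch).
def _glob_to_regex(pattern: str) -> str:
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def string_like(value: str, patterns) -> bool:
    """True if value matches any pattern (a multi-valued condition is an OR)."""
    return any(re.fullmatch(_glob_to_regex(p), value) for p in patterns)


# The page's SCP: a deny-list of size suffixes (constructed copy).
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLargeInstances",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringLike": {"ec2:InstanceType": [
            "*.4xlarge", "*.8xlarge", "*.12xlarge", "*.16xlarge", "*.24xlarge"]}},
    }],
}

# Fail-closed variant (assumed allow-list): deny anything NOT explicitly permitted.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInstancesNotOnAllowList",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotLike": {"ec2:InstanceType": [
            "t3.*", "t3a.*", "m6i.large", "m6i.xlarge", "m6i.2xlarge"]}},
    }],
}


def run_instances_denied(scp: dict, instance_type: str) -> bool:
    """True if some Deny statement in the SCP matches ec2:RunInstances for this type."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not string_like("ec2:RunInstances", actions):
            continue
        matched = True  # every operator in a Condition block must hold (AND)
        for operator, keys in stmt.get("Condition", {}).items():
            patterns = keys.get("ec2:InstanceType")
            if patterns is None:
                raise ValueError("only the ec2:InstanceType condition key is modelled")
            if operator == "StringLike":
                matched &= string_like(instance_type, patterns)
            elif operator == "StringNotLike":
                matched &= not string_like(instance_type, patterns)
            else:
                raise ValueError(f"operator {operator} is not modelled")
        if matched:
            return True
    return False


def gaps(scp: dict, instance_types) -> list:
    """Instance types the SCP would still allow to launch."""
    return [t for t in instance_types if not run_instances_denied(scp, t)]


# Constructed sample: small types, listed large sizes, and unlisted large sizes.
SAMPLE_TYPES = [
    "t3.micro", "m6i.xlarge", "c6i.4xlarge", "r6i.8xlarge", "p4d.24xlarge",
    "m5.metal", "x2iedn.32xlarge", "g5.48xlarge", "u-6tb1.112xlarge",
]

if __name__ == "__main__":
    for label, scp in (("deny-list", DENY_LIST_SCP), ("allow-list", ALLOW_LIST_SCP)):
        print(f"{label:10} still allows: {gaps(scp, SAMPLE_TYPES)}")
```

Run as-is, the deny-list lets m5.metal, x2iedn.32xlarge, g5.48xlarge and u-6tb1.112xlarge through alongside the small types, while the allow-list only lets the small types through. New families and sizes appear regularly, so an allow-list ages better than a deny-list. Two caveats that the evaluator cannot show: SCPs have no effect on the management account or on service-linked roles, so a launch performed by a service-linked role is outside this statement's reach, and the condition only fires on the instance resource, which is why Resource is scoped to instance/*.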
Example 2: CDK - Budget Alerts + Cost Tags
Programmatic budget creation with automated tagging.
📁 Location: cdk/examples/cost-governance/
Key Features
```typescript
import * as cdk from 'aws-cdk-lib';
import * as budgets from 'aws-cdk-lib/aws-budgets';
import { Construct } from 'constructs';

export interface CostGovernanceProps extends cdk.StackProps {
  projectName: string;
  environment: string;
  monthlyBudgetLimit: number;
  alertEmails: string[];
}

export class CostGovernanceStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: CostGovernanceProps) {
    super(scope, id, props);

    // Tag everything in the stack so the budget's tag filter has data to match.
    // The Project tag must also be activated as a cost allocation tag in Billing.
    cdk.Tags.of(this).add('Project', props.projectName);
    cdk.Tags.of(this).add('Environment', props.environment);

    // Same subscriber list for every notification
    const emailSubscribers = props.alertEmails.map(email => ({
      subscriptionType: 'EMAIL',
      address: email,
    }));

    // Create budget with multiple thresholds
    new budgets.CfnBudget(this, 'MonthlyBudget', {
      budget: {
        budgetName: `${props.projectName}-${props.environment}-monthly`,
        budgetType: 'COST',
        timeUnit: 'MONTHLY',
        budgetLimit: {
          amount: props.monthlyBudgetLimit,
          unit: 'USD',
        },
        // Filter value format is "user:<TagKey>$<TagValue>". In a template
        // literal, "$${...}" is a literal "$" followed by the interpolation.
        costFilters: {
          TagKeyValue: [`user:Project$${props.projectName}`],
        },
      },
      notificationsWithSubscribers: [
        {
          notification: {
            comparisonOperator: 'GREATER_THAN',
            threshold: 50,
            thresholdType: 'PERCENTAGE',
            notificationType: 'ACTUAL',
          },
          subscribers: emailSubscribers,
        },
        {
          notification: {
            comparisonOperator: 'GREATER_THAN',
            threshold: 80,
            thresholdType: 'PERCENTAGE',
            notificationType: 'ACTUAL',
          },
          subscribers: emailSubscribers,
        },
        {
          // Forecast for the month exceeds the limit
          notification: {
            comparisonOperator: 'GREATER_THAN',
            threshold: 100,
            thresholdType: 'PERCENTAGE',
            notificationType: 'FORECASTED',
          },
          subscribers: emailSubscribers,
        },
      ],
    });
  }
}
```
Common Cost Optimizations
| Area | Optimization | Savings |
|---|---|---|
| EC2 | Savings Plans | 30-70% |
| EC2 | Spot Instances | 60-90% |
| NAT | VPC Endpoints | Variable |
| S3 | Lifecycle policies | 40-60% |
| RDS | Reserved Instances | 30-60% |
| EBS | gp3 vs gp2 | 20% |
Validation Checklist
- Cost allocation tags activated (before the first billing period you want to report on)
- Budgets set for each environment
- Alert thresholds at 50%, 80%, 100%
- SCPs block large instances in dev, attached to the non-prod OU
- Monthly cost review scheduled
- Unused resource cleanup automated, with an opt-out tag for resources that must survive
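The "Delete unused resources" practice and the "cleanup automated" checklist item both assume a script that decides what is safe to remove. The following is an added example, not code from the page or its Terraform/CDK examples: a plan/apply routine over an inventory shaped like boto3's ec2.describe_volumes()["Volumes"] and ec2.describe_addresses()["Addresses"]. Its guardrails are a minimum age for unattached volumes and an assumed Retain=true tagging convention that excludes a resource from cleanup. The inventory and the fixed clock are constructed so the example runs offline.

```python
"""Plan (and optionally run) cleanup of idle EC2 resources, with guardrails.

Added example, not code from the page or its terraform/cdk examples.
Candidates: unattached EBS volumes at least MIN_AGE_DAYS old, and Elastic IPs
with no association (AWS bills idle addresses per hour). Anything tagged
Retain=true (assumed convention) is skipped.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE_DAYS = 7
# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed inventory in the shape boto3 returns.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "available", "CreateTime": NOW - timedelta(days=30),
     "Attachments": [], "Tags": [{"Key": "Environment", "Value": "dev"}]},
    {"VolumeId": "vol-0bbb", "State": "available", "CreateTime": NOW - timedelta(days=2),
     "Attachments": [], "Tags": []},                                   # too new to touch
    {"VolumeId": "vol-0ccc", "State": "in-use", "CreateTime": NOW - timedelta(days=400),
     "Attachments": [{"InstanceId": "i-0123"}], "Tags": []},           # attached, keep
    {"VolumeId": "vol-0ddd", "State": "available", "CreateTime": NOW - timedelta(days=90),
     "Attachments": [], "Tags": [{"Key": "Retain", "Value": "true"}]},  # explicitly kept
]
ADDRESSES = [
    {"AllocationId": "eipalloc-1", "PublicIp": "198.51.100.10",
     "AssociationId": "eipassoc-1", "InstanceId": "i-0123"},
    {"AllocationId": "eipalloc-2", "PublicIp": "198.51.100.11"},      # idle, billed hourly
]


def tags(resource: dict) -> dict:
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def retained(resource: dict) -> bool:
    """Opt-out guardrail: Retain=true (any case) excludes the resource."""
    return tags(resource).get("Retain", "").lower() == "true"


def idle_volumes(volumes, now=NOW, min_age_days=MIN_AGE_DAYS) -> list:
    """Unattached volumes older than min_age_days and not tagged Retain=true."""
    return [
        v["VolumeId"] for v in volumes
        if v["State"] == "available" and not v.get("Attachments")
        and now - v["CreateTime"] >= timedelta(days=min_age_days)
        and not retained(v)
    ]


def idle_addresses(addresses) -> list:
    """Elastic IPs with no association and no Retain tag."""
    return [a["AllocationId"] for a in addresses
            if not a.get("AssociationId") and not retained(a)]


def cleanup_plan(volumes=VOLUMES, addresses=ADDRESSES, now=NOW) -> dict:
    return {"delete_volume": idle_volumes(volumes, now),
            "release_address": idle_addresses(addresses)}


def apply_plan(plan: dict, ec2, execute: bool = False) -> list:
    """Map the plan to EC2 API calls. Returns the (method, kwargs) list; the
    boto3 client `ec2` is only called when execute=True (default is a dry run)."""
    calls = [("delete_volume", {"VolumeId": v}) for v in plan["delete_volume"]]
    calls += [("release_address", {"AllocationId": a}) for a in plan["release_address"]]
    if execute:
        for method, kwargs in calls:
            getattr(ec2, method)(**kwargs)
    return calls


if __name__ == "__main__":
    for method, kwargs in apply_plan(cleanup_plan(), ec2=None):
        print(f"would call ec2.{method}({kwargs})")
```

With the constructed inventory the plan is one volume (vol-0aaa) and one address (eipalloc-2): the two-day-old volume, the attached volume and the Retain=true volume are all left alone. For real use, wire `boto3.client("ec2")` into `apply_plan(..., execute=True)`, run it on a schedule, and take a snapshot before deleting any volume; keep the dry-run output as the audit trail for the monthly cost review.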
Related Skills
- Compliance Tagging - Cost allocation tags
- Policy as Code - Cost policy enforcement
- Network Segmentation - VPC endpoint savings