AgentSkillsCN

Cost Governance Guardrails

Implement budget alerts, instance restrictions, and tag-based cost allocation

SKILL.md
---
name: Cost Governance Guardrails
description: Implement budget alerts, instance restrictions, and tag-based cost allocation
---

Cost Governance Guardrails

Overview

Cost governance ensures cloud spending stays within budget through proactive controls (prevent expensive resources) and reactive monitoring (alerts on spend thresholds).

```mermaid
graph TB
    subgraph Preventive["Preventive Controls"]
        SCP[Service Control Policies]
        Budget[AWS Budgets]
        Quotas[Service Quotas]
    end

    subgraph Detective["Detective Controls"]
        CUR[Cost & Usage Reports]
        Tags[Cost Allocation Tags]
        Alerts[Budget Alerts]
    end

    subgraph Actions["Actions"]
        Review[Cost Review]
        Optimize[Right-sizing]
        Reserved[Reserved Instances]
    end

    Preventive --> Actions
    Detective --> Actions
```

Cost Control Strategies

| Control | Type       | Enforcement                     |
|---------|------------|---------------------------------|
| SCPs    | Preventive | Block expensive instance types  |
| Budgets | Detective  | Alert at thresholds             |
| Tags    | Reporting  | Cost allocation by team/project |
| Quotas  | Preventive | Limit resource counts           |

Best Practices

  1. Activate cost allocation tags - In AWS Billing console
  2. Set budgets per environment - Different limits for dev/prod
  3. Block large instances in dev - SCP restrictions
  4. Use Spot/Savings Plans - 50-70% savings
  5. Monitor NAT Gateway costs - Use VPC endpoints
  6. Right-size regularly - AWS Compute Optimizer
  7. Delete unused resources - Automated cleanup

Example 1: Terraform - Budgets + Instance Restrictions

Budget alerts and SCP to block expensive instance types.

📁 Location: terraform/examples/cost-governance/

Key Features

```hcl
# AWS Budget with alerts.
# Assumes local.name_prefix, var.monthly_budget_limit, var.environment and
# var.budget_alert_emails are defined elsewhere in the module.
resource "aws_budgets_budget" "monthly" {
  name         = "${local.name_prefix}-monthly-budget"
  budget_type  = "COST"
  limit_amount = var.monthly_budget_limit
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  # Scope the budget to resources tagged Environment=<var.environment>.
  # AWS Budgets expects "user:<Key>$<Value>"; "$$" makes HCL emit a literal "$".
  cost_filter {
    name   = "TagKeyValue"
    values = ["user:Environment$${var.environment}"]
  }

  # Alert when actual spend passes 80% of the limit.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = var.budget_alert_emails
  }

  # Alert early when the month-end forecast exceeds 100% of the limit.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = var.budget_alert_emails
  }
}

# SCP to block expensive instances in non-prod.
# The policy has no effect until it is attached to the non-production OU
# (or accounts) with aws_organizations_policy_attachment.
resource "aws_organizations_policy" "deny_large_instances" {
  name        = "deny-large-instances-non-prod"
  description = "Deny creation of large EC2 instances in non-production"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyLargeInstances"
      Effect   = "Deny"
      Action   = "ec2:RunInstances"
      Resource = "arn:aws:ec2:*:*:instance/*"
      Condition = {
        # StringLike is case-sensitive; "*" matches any run of characters.
        StringLike = {
          "ec2:InstanceType" = ["*.4xlarge", "*.8xlarge", "*.12xlarge", "*.16xlarge", "*.24xlarge"]
        }
      }
    }]
  })
}
```
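Before attaching an SCP like the one above, it is worth evaluating its `StringLike` condition offline against the instance types you actually expect to see, because any size the wildcard list omits remains allowed. The following is an added example, not part of the skill's own Terraform or CDK code: it reimplements IAM `StringLike` matching, runs the deny list from the SCP over a constructed set of instance types, and also builds the `user:<Key>$<Value>` string the budget's `TagKeyValue` filter expects.

```python
import re

# Deny-list copied from the ec2:InstanceType condition of the SCP above.
DENY_PATTERNS = ["*.4xlarge", "*.8xlarge", "*.12xlarge", "*.16xlarge", "*.24xlarge"]

# Constructed sample: sizes a dev account might launch, plus large sizes
# (32xlarge, 48xlarge, metal) that a reviewer should check against the list.
SMALL_TYPES = ["t3.micro", "m5.xlarge", "m5.4xlarge", "c5.24xlarge"]
LARGE_TYPES = ["m6i.32xlarge", "m7i.48xlarge", "r5.metal", "u-6tb1.metal"]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters (including
    '.'), '?' matches exactly one character, comparison is case-sensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def run_instances_denied(instance_type: str, patterns=DENY_PATTERNS) -> bool:
    """True if the Deny statement's condition matches, i.e. ec2:RunInstances
    for this instance type would be blocked once the SCP is attached."""
    return any(string_like(p, instance_type) for p in patterns)


def uncovered_types(candidates, patterns=DENY_PATTERNS):
    """Instance types from `candidates` that the SCP still allows; a non-empty
    result for the large sizes means the deny-list needs extending."""
    return [t for t in candidates if not run_instances_denied(t, patterns)]


def budget_tag_filter(key: str, value: str) -> str:
    """Build the AWS Budgets TagKeyValue filter string ("user:<Key>$<Value>");
    the Terraform example writes "$$" so that HCL emits this literal "$"."""
    return f"user:{key}${value}"


if __name__ == "__main__":
    for t in SMALL_TYPES + LARGE_TYPES:
        print(f"{t:14s} {'DENY' if run_instances_denied(t) else 'allow'}")
    print("large sizes still allowed:", uncovered_types(LARGE_TYPES))
    print("budget filter:", budget_tag_filter("Environment", "dev"))
```

Running it shows that `m5.4xlarge` and `c5.24xlarge` are denied while every `32xlarge`, `48xlarge` and `.metal` size passes, so those patterns should be added to the SCP if such types exist in the regions you use.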

Example 2: CDK - Budget Alerts + Cost Tags

Programmatic budget creation with automated tagging.

📁 Location: cdk/examples/cost-governance/

Key Features

```typescript
import * as budgets from 'aws-cdk-lib/aws-budgets';

// Create a budget with multiple thresholds.
// Assumes `this` is a Stack/Construct and `props` carries projectName,
// environment, monthlyBudgetLimit and alertEmails.
new budgets.CfnBudget(this, 'MonthlyBudget', {
  budget: {
    budgetName: `${props.projectName}-${props.environment}-monthly`,
    budgetType: 'COST',
    timeUnit: 'MONTHLY',
    budgetLimit: {
      amount: props.monthlyBudgetLimit,
      unit: 'USD',
    },
    // Scope to resources tagged Project=<projectName>; the filter format is
    // "user:<Key>$<Value>", so "$$" in the template literal yields a literal "$".
    costFilters: {
      TagKeyValue: [`user:Project$${props.projectName}`],
    },
  },
  notificationsWithSubscribers: [
    {
      // Early warning at 50% of actual spend.
      notification: {
        comparisonOperator: 'GREATER_THAN',
        threshold: 50,
        thresholdType: 'PERCENTAGE',
        notificationType: 'ACTUAL',
      },
      subscribers: props.alertEmails.map(email => ({
        subscriptionType: 'EMAIL',
        address: email,
      })),
    },
    {
      // Second alert at 80% of actual spend.
      notification: {
        comparisonOperator: 'GREATER_THAN',
        threshold: 80,
        thresholdType: 'PERCENTAGE',
        notificationType: 'ACTUAL',
      },
      subscribers: props.alertEmails.map(email => ({
        subscriptionType: 'EMAIL',
        address: email,
      })),
    },
  ],
});
```

Common Cost Optimizations

| Area | Optimization       | Savings  |
|------|--------------------|----------|
| EC2  | Savings Plans      | 30-70%   |
| EC2  | Spot Instances     | 60-90%   |
| NAT  | VPC Endpoints      | Variable |
| S3   | Lifecycle policies | 40-60%   |
| RDS  | Reserved Instances | 30-60%   |
| EBS  | gp3 vs gp2         | 20%      |

Validation Checklist

  • Cost allocation tags activated
  • Budgets set for each environment
  • Alert thresholds at 50%, 80%, 100%
  • SCPs block large instances in dev
  • Monthly cost review scheduled
  • Unused resource cleanup automated

Related Skills