COST02-BP05 Implement cost controls
Implement controls based on organization policies and defined groups and roles. These ensure that costs are only incurred as defined by organization requirements, such as controlling access to Regions or resource types.
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
A common first step in implementing cost controls is to set up notifications when cost or usage events occur outside of policies. You can act quickly and verify if corrective action is required without restricting or negatively impacting workloads or new activity. After you know the workload and environment limits, you can enforce governance.
AWS Budgets
Once you set up your budget limits with AWS Budgets, use AWS Cost Anomaly Detection
Enforce governance policies in AWS through AWS Identity and Access Management
Governance can also be implemented through management of AWS service quotas. By ensuring that service quotas are set with minimal headroom and are accurately maintained, you can minimize resource creation outside of your organization's requirements. To achieve this, you must understand how quickly your requirements can change, understand projects in progress (both creation and decommissioning of resources), and factor in how fast quota changes can be implemented. Service Quotas can be used to request quota increases when required.
Implementation steps
- Implement notifications on spend: Using your defined organization policies, create AWS Budgets to notify you when spending is outside of your policies. Configure multiple cost budgets, one for each account, which notify you about overall account spending. Configure additional cost budgets within each account for smaller units within the account. These units vary depending on your account structure. Some common examples are AWS Regions, workloads (using tags), or AWS services. Configure an email distribution list as the recipient for notifications, not an individual's email account. You can configure an actual budget for when an amount is exceeded, or use a forecasted budget for notifying on forecasted usage. You can also preconfigure AWS Budget Actions that can enforce specific IAM or SCP policies, or stop target Amazon EC2 or Amazon RDS instances. Budget Actions can be started automatically or require workflow approval.
- Implement notifications on anomalous spend: Use AWS Cost Anomaly Detection to reduce surprise costs in your organization and analyze the root cause of potentially anomalous spend. Once you create a cost monitor to identify unusual spend at your specified granularity and configure notifications in AWS Cost Anomaly Detection, it sends you an alert when unusual spend is detected. This allows you to analyze the root cause behind the anomaly and understand the impact on your cost. Use AWS Cost Categories when configuring AWS Cost Anomaly Detection to identify which project team or business unit can analyze the root cause of the unexpected cost and take timely action.
- Implement controls on usage: Using your defined organization policies, implement IAM policies and roles to specify which actions users can perform and which actions they cannot. Multiple organizational policies may be included in an AWS policy. In the same way that you defined policies, start broadly and then apply more granular controls at each step. Service limits are also an effective control on usage. Implement the correct service limits on all your accounts.
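The first implementation step above asks for one budget per account plus finer-grained budgets per unit (here, per Region), each with actual and forecasted thresholds delivered to a distribution list. The following added example (not code from the AWS documentation) generates that set of budget definitions in the JSON shape that `aws budgets create-budget --cli-input-json` accepts. The account IDs, limits, Regions and the `finops-alerts@example.com` list are constructed placeholders; splitting an account's limit evenly across its Regions and using the `Region` dimension in `CostFilters` are assumptions you would replace with your own allocation.

```python
"""Generate AWS Budgets definitions (actual and forecasted thresholds) for
every account and, within each account, every Region, in the JSON shape
accepted by `aws budgets create-budget --cli-input-json`.
Added example; account structure, limits and addresses are constructed."""
import json

# Constructed sample account structure (placeholder account IDs, not real).
ACCOUNTS = {
    "111111111111": {"name": "prod", "monthly_limit_usd": 5000,
                     "regions": ["us-east-1", "eu-west-1"]},
    "222222222222": {"name": "dev", "monthly_limit_usd": 800,
                     "regions": ["us-east-1"]},
}
# Notifications go to an approved distribution list, never an individual mailbox.
DISTRIBUTION_LISTS = {"finops-alerts@example.com"}


def notification(kind, threshold_pct, address):
    """One threshold alert. ACTUAL fires on money already spent; FORECASTED
    fires on the projected month-end total, so it warns before the limit is hit."""
    if kind not in ("ACTUAL", "FORECASTED"):
        raise ValueError(f"unknown notification type {kind}")
    if address not in DISTRIBUTION_LISTS:
        raise ValueError(f"{address} is not an approved distribution list")
    return {
        "Notification": {"NotificationType": kind,
                         "ComparisonOperator": "GREATER_THAN",
                         "Threshold": threshold_pct,
                         "ThresholdType": "PERCENTAGE"},
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": address}],
    }


def budget_request(account_id, name, limit_usd, address, region=None):
    """Build one create-budget request; region=None means account-wide."""
    budget = {
        "BudgetName": f"{name}-{region or 'all-regions'}-monthly",
        "BudgetLimit": {"Amount": f"{limit_usd:.2f}", "Unit": "USD"},
        "TimeUnit": "MONTHLY",
        "BudgetType": "COST",
    }
    if region:
        # Assumption: scope the budget with the "Region" CostFilters dimension.
        budget["CostFilters"] = {"Region": [region]}
    return {
        "AccountId": account_id,
        "Budget": budget,
        "NotificationsWithSubscribers": [
            notification("ACTUAL", 80, address),      # early warning
            notification("ACTUAL", 100, address),     # limit exceeded
            notification("FORECASTED", 100, address), # projected to exceed
        ],
    }


def build_budget_set(accounts, address):
    """One account-wide budget per account plus one per Region. The regional
    limit is the account limit split evenly across its Regions (an assumption;
    derive it from historical per-Region spend in practice)."""
    requests = []
    for account_id, acct in accounts.items():
        requests.append(budget_request(account_id, acct["name"],
                                       acct["monthly_limit_usd"], address))
        per_region = acct["monthly_limit_usd"] / len(acct["regions"])
        for region in acct["regions"]:
            requests.append(budget_request(account_id, acct["name"],
                                           per_region, address, region))
    return requests


if __name__ == "__main__":
    # Each object can be written to a file and passed to
    # `aws budgets create-budget --cli-input-json file://<name>.json`.
    for req in build_budget_set(ACCOUNTS, "finops-alerts@example.com"):
        print(json.dumps(req, indent=2))
```

The subscriber check in `notification` is the code-level form of the guidance to alert a distribution list rather than a person: a budget whose only recipient leaves the company silently stops alerting.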
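The third step describes IAM policies and SCPs as controls on usage, starting broadly (which Regions may be used) and then adding granular controls (which resource types may be created). The added example below, which is not code from the AWS documentation, builds such a guardrail SCP and includes a small, simplified evaluator of IAM condition semantics so the effect of each Deny statement can be checked offline before the policy is attached. The approved Regions, instance-type patterns and the list of global-service actions exempted from the Region check are assumptions for illustration; the real policy simulator remains the authority on evaluation.

```python
"""Build a cost-guardrail SCP (Deny outside approved Regions, Deny unapproved
EC2 instance types) and evaluate sample requests against it.
Added example with a simplified evaluator; Regions, instance types and the
global-service exemptions are assumptions."""
import fnmatch
import json

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]            # assumed approved Regions
ALLOWED_INSTANCE_TYPES = ["t3.*", "m6i.large"]          # assumed approved types
# Global services carry no usable Region; exempt them so the Region Deny does
# not break IAM, STS, Organizations, Budgets, Cost Explorer or Support calls.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*",
                          "budgets:*", "ce:*", "support:*"]


def build_guardrail_scp():
    """Deny statements only; the default FullAWSAccess SCP supplies the Allow."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
        {"Sid": "DenyUnapprovedInstanceTypes", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotLike": {"ec2:InstanceType": ALLOWED_INSTANCE_TYPES}}},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    # IAM action/resource matching is case-insensitive and uses * and ? wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, ctx):
    """Simplified String* operators: a negated operator ("Not") holds when the
    value matches none of the listed values and also holds when the key is
    absent; a positive operator needs the key present and matching."""
    for op, pairs in condition.items():
        for key, values in pairs.items():
            values = [str(v) for v in _as_list(values)]
            negated = "Not" in op
            if key not in ctx:
                if not negated:
                    return False
                continue
            val = str(ctx[key])
            if op.endswith("Like"):
                hit = any(_match(p, val) for p in values)
            else:
                hit = val in values
            if hit == negated:
                return False
    return True


def denied_by(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement matching the request, else None."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "Action" in st:
            applies = any(_match(p, action) for p in _as_list(st["Action"]))
        else:
            applies = not any(_match(p, action) for p in _as_list(st["NotAction"]))
        applies = applies and any(_match(p, resource) for p in _as_list(st["Resource"]))
        if applies and _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


if __name__ == "__main__":
    scp = build_guardrail_scp()
    print(json.dumps(scp, indent=2))
    inst = "arn:aws:ec2:ap-south-1:111111111111:instance/*"   # constructed ARN
    print(denied_by(scp, "ec2:RunInstances", inst,
                    {"aws:RequestedRegion": "ap-south-1", "ec2:InstanceType": "t3.micro"}))
```

Evaluating sample requests this way makes the "start broad, then granular" ordering concrete: a launch in an unapproved Region is stopped by the first statement before the instance-type statement is ever consulted, while an `iam:CreateRole` call with no Region in its context passes both.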
Resources
Related documents:
Related videos:
Related examples:
- Create IAM Policy to control access to Amazon EC2 resources using Tags
- Restrict the access of IAM Identity to specific Amazon EC2 resources
- Well-Architected Labs: Cost and Usage Governance (Level 100)
- Well-Architected Labs: Cost and Usage Governance (Level 200)
- Slack integrations for Cost Anomaly Detection using AWS Chatbot