A good FinOps approach helps to manage cloud economics and avoid cost surprises. Putting the wrong guardrails in place will slow down the development process and put your business at risk. On the other hand, having no controls in place is a guaranteed cost shock. During this presentation, Gerald from Cuscal Payments will discuss how you can find the right balance for your organisation.

1. Cloud Cost Governance Automation
How to get started &
building continuous feedback loops

2. 2
Agenda
◆ Intro
◆ Cost governance & SDLC
◆ AWS services grouped by SDLC phase
◆ Key takeaways
Estimations &
Business
Case
Investment
Governance
Consumption Chargeback Optimisation
Value
Realisation
Budget &
Forecasting
Focus
Focus

3. 3
◆ Name: Gerald Bachlmayr
◆ Role: Principal Cloud Architect at Cuscal
◆ Industry: Financial Services
◆ Background: Software engineering
◆ AWS: 9 years experience
◆ LinkedIn: https://www.linkedin.com/in/bachlmayr/
Intro

4. Cost Governance & SDLC

5. 5
Software Development Life-cycle: Iterative
◆ Plan
◆ Design
◆ Implement
◆ Test
◆ Deploy
◆ Maintain
Source: https://aws.amazon.com/what-is/sdlc/

6. 6
SDLC & FinOps relevant AWS Services
Plan & Design Implement & Test Deploy Maintain & Improve
AWS Pricing Calculator Tagging AWS Organizations AWS Config
AWS Budget + Alerts Cost Allocation Tags SCPs AWS Cost Explorer
AWS Savings Plan Tag Policies Trusted Advisor
Cost Anomaly
Detection
Rightsizing Rec.

7. 7
How to Get Started?
◆ Identify existing data points
○ E.g. your AWS invoice
◆ Identify cost inefficiencies
○ E.g. with Trusted Advisor
○ E.g. AWS Config
◆ Implement guardrails
○ E.g. budget alerts
○ Third party tools
◆ Measure & improve
○ E.g. improve granularity → tags
$

8. Plan & Design

9. 9
AWS Pricing Calculator - Service Selection

10. 10
AWS Pricing Calculator - TGW Example

11. 11
AWS Pricing Calculator - Share Link
Share !

12. 12
AWS Budgets
◆ How does it work:
○ Define Budget
○ Define alerts → percent or forecast

13. 13
AWS Budgets - Templates

14. 14
AWS Budgets - Budget Types
◆ Fixed
○ Same amount every period
◆ Planned
○ Budget amount for up to
12 months or 4 quarters.
◆ Auto-adjusting
○ Dynamic amount based on history
More info: https://docs.aws.amazon.com/cost-management/latest/userguide/budget-
methods.html

15. 15
Savings Plan
◆ Types:
○ Compute
○ EC2
○ SageMaker
◆ Limitation:
● Refresh up tp to three
times/day for consolidated
billing

16. Implement

17. 17
Tags - Resource Level
◆ Meta data for AWS resources
○ E.g. costcentre
○ CloudFormation
○ Terraform
◆ Syntax example - YAML:
Tags:
- Key: "keyname1"
Value: "value1"
- Key: "keyname2"
Value: "value2"

18. 18
Cost Allocation Tags - Billing Console
◆ Activate tags for cost allocation
○ Not all tags are useful for
billing
◆ Related Services:
○ Tag Editor
○ Resource Groups

19. 19
Tag Policies - AWS Organizations
◆ Tag enforcement
○ E.g. list of values
◆ Target definition:
○ E.g. OU-level

20. Deploy

21. 21
AWS Organizations & Guardrails
◆ Preventive guardrails:
Service Control Policies (SCPs)
◆ Detective guardrails:
AWS Config

22. 22
AWS Service Control Policy (SCP)
What are SCPs?
◆ SCPs do not grant permissions
to users, but
◆ Make sure certain actions
cannot be performed within a
given scope,
e.g. a region or OU
◆ Fine-grained permissions are
possible for AWS resources
Cost control use cases
◆ Enforce tagging
→ Cost break-down
◆ Enforce smaller instances in
development / test
◆ Deny certain resource types
Examples:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_poli
cies_scps_examples.html

23. 23
SCP - Limit instance type
◆ Preventive guardrails:
Service Control Policies (SCPs)
◆ Detective guardrails:
AWS Config

24. 24
SCP - Error when provisioning 2Xlarge

25. 25
SCP - Making sense out of the error message
◆ CLI (e.g. Cloud Shell):
aws sts decode-authorization-
message --encoded-message
encoded-message
{ "DecodedMessage":
"{"allowed":false,"explicitDeny":true,
"matchedStatements":
{"items":[{"statementId":"Statement1",
"effect":"DENY", ....
"actions":{"items":[{"value":"ec2:RunInstances
"}]},
"resources":{"items":[{"value":"arn:aws:ec2:*:*:*/
*"}]},
"conditions":{"items":[{"key":"ec2:InstanceTyp
e",
"values":
{"items":[{"value":"nano"},{"value":"micro"},
{"value":"small"},{"value":"medium"},
{"value":"large"}
.....
}

26. Maintain & Continuous Improvement

27. 27
AWS Config - What is it?
◆ Recording
◆ Timelines
◆ Compliance Rules
◆ Conformance Pack
◆ Auto-remediations
◆ Aggregation
(regions, accounts)

28. 28
AWS Config - Examples
◆ List of Guardrails
◆ Non-compliant accounts
◆ Non-compliant rules

29. 29
AWS Cost Explorer
◆ Features:
○ Dashboards
○ Customised forecast
○ Programmatic access
○ Single view across
regions & accounts

30. 30
AWS Trusted Advisor
◆ Recommendation on:
○ Cost optimisation
○ Performance
○ Security
○ Fault tolerance
○ Service limits
◆ Check Levels
○ No Problem detected
○ Investigation recommended
○ Action recommended

31. 31
AWS Cost Anomaly Detection
◆ Cost Monitor
○ E.g. Linked accounts, or
○ Cost Allocation Tag
◆ Subscription
○ Frequency
○ Threshold

32. 32
Rightsizing Recommendations
◆ Automatic review of historical data
◆ Recommendations based on utilisation

33. Key Takeaways

34. 34
Key Takeaways
◆ Leverage existing data points
○ E.g. your AWS cost explorer
◆ Invest in cost visibility
○ E.g. with Trusted Advisor (Business Plan +)
◆ Establish guardrails & provide transparency
○ E.g. budget alerts; stop instances
◆ Consider a DEV instance for AWS Organizations
○ Controlled testing of guardrails
◆ Measure & improve
○ Improve granularity → tags
○ Leverage automation, including IaC
$

35. Thank you!
Questions?
We are hiring