Budgets and budget alarms in AWS can provide early warnings about cloud costs. Cost Explorer allows viewing spending trends while budgets set daily spending limits and trigger alerts. Budget alarms can be automated using infrastructure as code tools like the AWS CDK which defines budgets and alarms declaratively in a programming language for easy replication. While budgets monitor overall spending, they do not detect specific low cost abuses so additional security automation may be needed.

1. Level 1
Foundations of Cloud Security

2. Lesson 3 - Paying your Cloud Bills
Objective 3:
● Tour cost explorer
● Understand budgets and budget alarms
● Use budgeting as an early warning system

3. Billing Sounds Boring
● Your bill is an indicator of compromise you get for “free”
● Often overlooked by security teams
● Goes to a contact no longer with the organization
● Sometimes goes to an Amazon Shopping email

4. Cost Explorer

5. Cost Explorer ( It’s getting better )

6. Budgets

7. Budgets : Daily Fixed Budget

8. Where do they go?
Send these to
distribution lists. The
more eyes the better.

9. Don’t skip this in your lab
● You are responsible for the costs you
incur during the class.
● If you don’t monitor it you’ll probably
have a bad time.

10. What did we do?
● Looked at budgets
● Daily spend budget
based on actual cost
● Set an alert email

11. Some more things about budget alarms
● Can use forecast
○ predictive ML
● They also can surface events
other ways for security
automation

12. Let’s add a sprinkle of DevOps
Q: Can I form these
alarms with software?
A: Absolutely!
Cloudformation,
Terraform, SDK, CDK
all work.

13. Let’s go make them with the CDK
What’s the CDK?
The latest answer in the
battle between
declarative languages
and programming.

14. CDK Provided in the course VM
npm install -g aws-cdk
At your own risk.

15. Setting up some bootstraps
Assume the administrator role
aws-vault exec unfederatedadmin
AWS_DEFAULT_REGION=us-east-1
cdk bootstrap

16. Setting up some bootstraps

17. What did that just do?
New Stack. Created an
S3 bucket with a policy.

18. Now let’s create some billing alarms
● `cdk synth` -- Synthesize the intermediate form ( CloudFormation )
● `cdk deploy` -- Make it live in the environment

19. This is cool because ...
cdk deploy is idempotent
Idempotent - we can run it as many times as we
want and get the same result.

20. The end result is still CloudFormation

21. But we can do anything we can do in python
● Reduces duplication
● Easier to understand
● Reduces errors
● Works in C#, F#,
Typescript, Java, etc

22. End result

23. What else could we do?
● Filter to tags to keep track of a
specific project or application.
● Track spend by service
● Track spend by account

24. Q: How many times do I have to configure this?
● Once per “Organization”
● By default all accounts are
linked to the root account
● Everything is under one
“consolidated bill”
● This used to be called
consolidated billing
● This only gives you ONE org
budget though

25. What this doesn’t do?
● Detect granular low cost abuse
● Detect increase x% in spend
○ Maybe you can write a security automation!
● Alert quickly

26. Questions
Get the AWS CDK setup and practice inspecting it’s output
Instructions are available in labs/03 in the course supplement.

27. Coming Up
Get the AWS CDK setup and practice inspecting it’s output
Instructions are available in labs/01-03 in the course supplement.