The Cloud FinOps Prime Directive

When it comes to allocating cloud resource costs to cost centers, teams, and/or products, you must consider the Cloud FinOps Prime Directive (at least, that’s what I call it): No cloud resource should be provisioned without proper tagging.


As anyone who has had to explain where all the money is going on cloud costs can tell you, properly tagging your cloud resources is a must. However, tagging isn’t, and can’t be, the full solution. Here are a few items to consider:

  1. Not every AWS resource supports tags, and the set of untaggable resource types changes as services evolve. For those resources you must rely on another mechanism to allocate cost, such as the account-level fallback in #4 below.
  2. You can use Service Control Policies (SCPs) in AWS to require tags at creation time (for example, denying ec2:RunInstances when the request carries no required tag), but you will no doubt have to add exceptions to your policies as your footprint grows. Some third-party solutions do not tag the resources they spin up. If an SCP blocks starting an EC2 instance unless it is tagged first, that third-party solution simply will not work. I have come across this multiple times while working with AWS. In these scenarios you must backfill the tags after the resources are created or, as in #1 above, find another mechanism to allocate the cost. Scope each exception to the principal the third-party product uses rather than loosening the rule for everyone.
  3. Cost centers and owners change more often than we realize, and keeping them current as tags on every resource becomes real maintenance overhead. An alternative is to tag each resource with an ID (e.g., apm-id) that points to a record in an Application Portfolio Management (APM) solution, such as ServiceNow or a similar product. Think of the APM ID as a foreign key: it maps to one APM record holding the cost center, owner, product name, links to documentation, and so on. When any of that metadata changes, it is updated in one place (the APM solution) and the tag on the resource stays the same. For convenience, set up a daily process that dumps the APM data into an S3 bucket so it can be joined against billing data in Athena/QuickSight.
  4. Depending on how many workloads/products you support in the cloud, it may make sense to give every product (or team) its own account. Then every resource in that account, tagged or not, is allocated to a single product or team. It is still good practice to tag every resource you can in these accounts, but you at least have a fallback for untagged resources. Just don't forget to tag the account itself!
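The tag-enforcement SCP from #2, together with the scoped exception for a third-party provisioner, as an added example that is not part of the original post. The policy follows the Null-condition pattern from AWS's own SCP examples; the tag key `apm-id`, the role name `ThirdPartyProvisioner` and the account ID are assumptions. The small evaluator alongside it models only the two condition operators this policy uses so the deny/allow outcome can be checked offline; it is not a general IAM policy engine and does not replace the IAM policy simulator.

```python
"""Tag-enforcement SCP with a scoped exception for a third-party provisioner.

Added example, not from the original post. build_scp() emits the kind of
SCP the post describes (deny ec2:RunInstances unless a request tag is
present). The tag key, role name and account ID are assumptions.
scp_denies() is a deliberately small local evaluator that handles only
the operators this policy uses; it is not a general IAM policy engine.
"""
import fnmatch
import json

REQUIRED_TAG = "apm-id"
# Assumed: the role a third-party product assumes to launch instances
# without tagging them. Scoping the exception to that principal keeps
# the rule in force for everyone else.
EXEMPT_PRINCIPALS = ["arn:aws:iam::*:role/ThirdPartyProvisioner"]


def build_scp(required_tag=REQUIRED_TAG, exempt_principals=()):
    """Deny RunInstances when the required tag is absent from the request.

    Condition blocks in one statement are ANDed by IAM, so adding an
    ArnNotLike block on aws:PrincipalArn limits the deny to non-exempt
    principals instead of turning the rule off.
    """
    condition = {"Null": {f"aws:RequestTag/{required_tag}": "true"}}
    if exempt_principals:
        condition["ArnNotLike"] = {"aws:PrincipalArn": list(exempt_principals)}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRunInstancesWithoutRequiredTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": condition,
        }],
    }


def _conditions_hold(condition, ctx):
    """True when every condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # "true" matches when the key is missing from the request.
                key_missing = key not in ctx
                if (expected == "true") != key_missing:
                    return False
            elif operator == "ArnNotLike":
                patterns = expected if isinstance(expected, list) else [expected]
                value = ctx.get(key, "")
                if any(fnmatch.fnmatchcase(value, p) for p in patterns):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(policy, action, principal_arn, request_tags):
    """True if a Deny statement in the SCP matches this request."""
    ctx = {"aws:PrincipalArn": principal_arn}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False


def demo():
    """Outcomes for a developer role and the third-party role, with and without the exception."""
    strict = build_scp()
    scoped = build_scp(exempt_principals=EXEMPT_PRINCIPALS)
    dev = "arn:aws:iam::111122223333:role/DeveloperRole"
    vendor = "arn:aws:iam::111122223333:role/ThirdPartyProvisioner"
    run = "ec2:RunInstances"
    return {
        "dev_untagged_strict": scp_denies(strict, run, dev, {}),                       # True
        "dev_tagged_strict": scp_denies(strict, run, dev, {REQUIRED_TAG: "APM0042"}),  # False
        "vendor_untagged_strict": scp_denies(strict, run, vendor, {}),                 # True: vendor breaks
        "vendor_untagged_scoped": scp_denies(scoped, run, vendor, {}),                 # False: exception
        "dev_untagged_scoped": scp_denies(scoped, run, dev, {}),                       # True: rule still on
    }


if __name__ == "__main__":
    print(json.dumps(build_scp(exempt_principals=EXEMPT_PRINCIPALS), indent=2))
    print(demo())
```

The point of the `demo()` matrix is the third row: with the strict policy the vendor's launches fail, which is the breakage described above. The scoped policy lets that one principal through while an untagged developer launch is still denied; its instances are then the ones you backfill. Keep the exemption list short and review it, since every entry is a path to untagged spend.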

To reiterate, it’s important to tag every resource you can, but it’s also important to know that tagging isn’t the full answer to your cloud FinOps needs.
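The allocation logic that #1, #3 and #4 above add up to, as an added example that is not part of the original post: the resource's apm-id tag is the foreign key into the APM export, resources that are untaggable or were never tagged fall back to the apm-id tag on the account, and whatever is left is reported as unallocated so it stays visible instead of being silently absorbed. The tag key, the APM record fields and every row of sample data are constructed for this example; the Athena/QuickSight version is the same join written in SQL over the daily S3 dump.

```python
"""Cost allocation by apm-id with an account-level fallback.

Added example, not from the original post. Joins constructed CUR-style
billing line items to a constructed APM export: resource tag first,
then account tag, then report as unallocated. Tag key, record fields
and all sample rows are assumptions made for this example.
"""
from collections import defaultdict

TAG_KEY = "apm-id"

# Constructed: the daily APM dump. Cost center and owner live here, not on tags.
APM_RECORDS = {
    "APM0042": {"product": "Payments API", "cost_center": "CC-100", "owner": "pay-team@example.com"},
    "APM0077": {"product": "Data Platform", "cost_center": "CC-200", "owner": "data-team@example.com"},
}

# Constructed: tags on the accounts themselves. 222233334444 is a single-product account.
ACCOUNT_TAGS = {
    "111122223333": {},                   # shared account: no account-level apm-id
    "222233334444": {TAG_KEY: "APM0077"},
}

# Constructed line items. Empty tags stand in for untaggable or untagged resources;
# APM9999 is an apm-id with no matching APM record (a stale or mistyped value).
LINE_ITEMS = [
    {"account": "111122223333", "resource": "i-0a1b2c3d4e5f67890", "tags": {TAG_KEY: "APM0042"}, "cost": 12.50},
    {"account": "111122223333", "resource": "vol-0f9e8d7c6b5a43210", "tags": {}, "cost": 3.25},
    {"account": "111122223333", "resource": "nat-0123456789abcdef0", "tags": {TAG_KEY: "APM9999"}, "cost": 5.00},
    {"account": "222233334444", "resource": "i-0ffeeddccbbaa9988", "tags": {}, "cost": 20.00},
    {"account": "222233334444", "resource": "s3-requests", "tags": {}, "cost": 0.75},
]


def resolve_apm_id(item, account_tags):
    """Return (apm_id, source): resource tag first, then account tag, else (None, 'none')."""
    apm_id = item["tags"].get(TAG_KEY)
    if apm_id:
        return apm_id, "resource-tag"
    apm_id = account_tags.get(item["account"], {}).get(TAG_KEY)
    if apm_id:
        return apm_id, "account-tag"
    return None, "none"


def allocate(line_items, apm_records, account_tags):
    """Roll cost up to cost centers via APM; report what could not be mapped."""
    by_cost_center = defaultdict(float)
    by_source = defaultdict(float)
    unallocated = []   # (resource, apm_id or None) rows needing backfill or cleanup
    for item in line_items:
        apm_id, source = resolve_apm_id(item, account_tags)
        record = apm_records.get(apm_id) if apm_id else None
        if record is None:
            # Either no id at all (untaggable/untagged in a shared account)
            # or an id that no longer resolves in APM: both need a human.
            by_cost_center["UNALLOCATED"] += item["cost"]
            by_source["dangling-id" if apm_id else "untagged"] += item["cost"]
            unallocated.append((item["resource"], apm_id))
            continue
        by_cost_center[record["cost_center"]] += item["cost"]
        by_source[source] += item["cost"]
    return {
        "by_cost_center": dict(by_cost_center),
        "by_source": dict(by_source),
        "unallocated": unallocated,
    }


if __name__ == "__main__":
    result = allocate(LINE_ITEMS, APM_RECORDS, ACCOUNT_TAGS)
    for cc, cost in sorted(result["by_cost_center"].items()):
        print(f"{cc:<12} {cost:8.2f}")
    print("allocated by:", result["by_source"])
    print("needs attention:", result["unallocated"])
```

Two rows in the sample are worth noticing. The untagged EBS volume in the shared account ends up in UNALLOCATED because that account has no fallback tag, which is exactly the case #1 and #2 leave you with. The NAT gateway carries an apm-id that is not in the APM export; treating a dangling id as unallocated rather than dropping the row is what turns a stale tag into a visible cleanup item. The `by_source` breakdown tells you how much of your spend is riding on the account-level fallback versus real resource tags.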
