Agent Skill
2/7/2026

cost-governance-guardrails

Implement budget alerts, instance restrictions, and tag-based cost allocation

nicolasmosquerar
npx skills add nicolasmosquerar/AI-skills-for-Iac

SKILL.md

---
name: Cost Governance Guardrails
description: Implement budget alerts, instance restrictions, and tag-based cost allocation
---

Cost Governance Guardrails

Overview

Cost governance keeps cloud spending within budget through preventive controls that stop expensive resources from being created in the first place and detective controls that alert when actual or forecasted spend crosses a threshold.

```mermaid
graph TB
    subgraph Preventive["Preventive Controls"]
        SCP[Service Control Policies]
        Budget["AWS Budgets (budget actions)"]
        Quotas[Service Quotas]
    end

    subgraph Detective["Detective Controls"]
        CUR["Cost & Usage Reports"]
        Tags[Cost Allocation Tags]
        Alerts[Budget Alerts]
    end

    subgraph Actions["Actions"]
        Review[Cost Review]
        Optimize[Right-sizing]
        Reserved[Reserved Instances]
    end

    Preventive --> Actions
    Detective --> Actions
```

Cost Control Strategies

| Control | Type | Enforcement |
|---------|------|-------------|
| SCPs | Preventive | Block expensive instance types |
| Budgets | Detective | Alert at thresholds |
| Tags | Reporting | Cost allocation by team/project |
| Quotas | Preventive | Limit resource counts |

Best Practices

  1. Activate cost allocation tags - In the AWS Billing console; allow up to 24 hours before tagged spend appears in reports and tag-filtered budgets, and remember that untagged resources are invisible to those budgets
  2. Set budgets per environment - Different limits for dev/prod, filtered by the Environment tag
  3. Block large instances in non-prod - Attach the SCP to the non-production OU; SCPs never apply to the management account
  4. Use Spot/Savings Plans - Up to 90% (Spot) and up to 72% (Savings Plans) below On-Demand
  5. Monitor NAT Gateway costs - Use VPC endpoints so S3, DynamoDB and AWS API traffic bypasses NAT data-processing charges
  6. Right-size regularly - AWS Compute Optimizer
  7. Delete unused resources - Automated cleanup of idle volumes, snapshots, load balancers and unattached Elastic IPs
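
Practices 1 and 2 depend on a detail the list does not spell out: a budget filtered on a cost allocation tag only counts spend that actually carries that tag, so untagged resources fall outside every per-team or per-environment budget. The following TypeScript is an added example, not part of the skill or its repository; the CUR-style row shape and the rows themselves are constructed for illustration.

```typescript
// Added example (not the skill's own code): allocate CUR-style line items by
// cost allocation tag and surface the spend a tag-filtered budget never sees.
// The row shape and the sample rows below are constructed for this example.

interface CurLineItem {
  accountId: string;
  service: string;              // line_item/product_code
  cost: number;                 // line_item/unblended_cost, USD
  tags: Record<string, string>; // resource_tags/user:* columns, "user:" prefix stripped
}

interface Allocation {
  byTagValue: Record<string, number>; // e.g. { payments: 730.5 }
  untagged: number;                   // spend with no value for the allocation key
  untaggedShare: number;              // untagged / total, 0..1
}

const round2 = (n: number): number => Math.round(n * 100) / 100;

// Sum cost per value of `tagKey`. Rows lacking the key, or carrying an empty
// value, go to `untagged`: a budget filtered on user:<Key>$<Value> only counts
// rows where that exact key/value pair is present.
function allocateByTag(rows: CurLineItem[], tagKey: string): Allocation {
  const byTagValue: Record<string, number> = {};
  let untagged = 0;
  let total = 0;
  for (const row of rows) {
    total += row.cost;
    const value = row.tags[tagKey];
    if (value === undefined || value === '') {
      untagged += row.cost;
      continue;
    }
    byTagValue[value] = (byTagValue[value] ?? 0) + row.cost;
  }
  for (const [k, v] of Object.entries(byTagValue)) byTagValue[k] = round2(v);
  return {
    byTagValue,
    untagged: round2(untagged),
    untaggedShare: total === 0 ? 0 : round2(untagged / total),
  };
}

// What a budget with cost_filter TagKeyValue = "user:<key>$<value>" measures
// against these rows: the matching tagged spend only, never the untagged remainder.
function budgetVisibleSpend(rows: CurLineItem[], tagKey: string, tagValue: string): number {
  return round2(rows.filter(r => r.tags[tagKey] === tagValue).reduce((s, r) => s + r.cost, 0));
}

// Untagged spend per service above `threshold` USD, most expensive first: the
// worklist a tag-enforcement or cleanup job would start from.
function untaggedByService(rows: CurLineItem[], tagKey: string, threshold = 0): Array<[string, number]> {
  const acc: Record<string, number> = {};
  for (const row of rows) {
    if (row.tags[tagKey]) continue;
    acc[row.service] = (acc[row.service] ?? 0) + row.cost;
  }
  return Object.entries(acc)
    .map(([s, c]): [string, number] => [s, round2(c)])
    .filter(([, c]) => c > threshold)
    .sort((a, b) => b[1] - a[1]);
}

// Constructed sample: one account, a tagged payments and search workload, an
// untagged NAT gateway, and an orphaned EBS volume with an empty Project tag.
const sampleRows: CurLineItem[] = [
  { accountId: '111111111111', service: 'AmazonEC2', cost: 420.5, tags: { Project: 'payments', Environment: 'dev' } },
  { accountId: '111111111111', service: 'AmazonRDS', cost: 310.0, tags: { Project: 'payments', Environment: 'dev' } },
  { accountId: '111111111111', service: 'AmazonEC2', cost: 95.25, tags: { Project: 'search', Environment: 'dev' } },
  { accountId: '111111111111', service: 'AmazonVPC', cost: 132.4, tags: { Environment: 'dev' } },
  { accountId: '111111111111', service: 'AmazonEC2', cost: 48.0, tags: { Project: '' } },
];

const allocation = allocateByTag(sampleRows, 'Project');
console.log(allocation);
console.log('payments budget sees', budgetVisibleSpend(sampleRows, 'Project', 'payments'));
console.log('untagged by service', untaggedByService(sampleRows, 'Project'));
```

On the constructed rows, about 18% of the month's spend has no Project value at all, and a payments budget filtered on `user:Project$payments` reports 730.50 USD while the NAT gateway and the orphaned volume are charged to nobody. That is why tag activation alone is not enough: something (a tag policy, a pipeline check, or the cleanup job from practice 7) has to keep the untagged share near zero.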

Example 1: Terraform - Budgets + Instance Restrictions

Budget alerts and SCP to block expensive instance types.

📁 Location: terraform/examples/cost-governance/

Key Features

```hcl
# AWS Budget with alerts, scoped to one environment by cost allocation tag.
# The Environment key must already be activated as a cost allocation tag in the
# Billing console; until it is, the filter matches nothing and the budget sits at $0.
resource "aws_budgets_budget" "monthly" {
  name         = "${local.name_prefix}-monthly-budget"
  budget_type  = "COST"
  limit_amount = var.monthly_budget_limit
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  # TagKeyValue filters have the form "user:<Key>$<Value>". HCL pitfall: "$${" is
  # the escape sequence for a literal "${", so "user:Environment$${var.environment}"
  # yields the literal text "user:Environment${var.environment}" and matches nothing.
  # format() keeps the "$" and interpolates the value.
  cost_filter {
    name   = "TagKeyValue"
    values = [format("user:Environment$%s", var.environment)]
  }

  # Actual month-to-date spend above 80% of the limit.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = var.budget_alert_emails
  }

  # Forecasted month-end spend above 100%; this usually fires before the ACTUAL alert.
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = var.budget_alert_emails
  }
}

# SCP to block expensive instances in non-prod. SCPs constrain member accounts only;
# the management account is never affected, so it must not host workloads.
resource "aws_organizations_policy" "deny_large_instances" {
  name        = "deny-large-instances-non-prod"
  description = "Deny creation of large EC2 instances in non-production"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyLargeInstances"
      Effect   = "Deny"
      Action   = "ec2:RunInstances"
      Resource = "arn:aws:ec2:*:*:instance/*"
      Condition = {
        # StringLike is case-sensitive (instance type names are lowercase). Sizes
        # above 24xlarge and bare-metal types exist, so they are listed explicitly.
        StringLike = {
          "ec2:InstanceType" = [
            "*.4xlarge", "*.8xlarge", "*.12xlarge", "*.16xlarge", "*.24xlarge",
            "*.32xlarge", "*.48xlarge", "*.metal*"
          ]
        }
      }
    }]
  })
}

# A policy does nothing until it is attached; target only the non-production OU.
resource "aws_organizations_policy_attachment" "deny_large_instances_non_prod" {
  policy_id = aws_organizations_policy.deny_large_instances.id
  # Assumed variable: the ID of the non-production OU (ou-xxxx-xxxxxxxx).
  target_id = var.non_prod_ou_id
}
```
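
Before attaching a Deny SCP it is worth checking what its `ec2:InstanceType` patterns actually match, because a pattern list that looks complete can leave the most expensive sizes open. The block below is an added example, not code from the skill: it implements IAM's `StringLike` wildcard semantics (`*` any run of characters, `?` one character, case-sensitive) and runs a baseline of the five `*.Nxlarge` size patterns, plus an extended set that this example assumes, over a constructed list of real instance-type names. It evaluates only the string condition; it does not model SCP inheritance across OUs or the management-account exemption.

```typescript
// Added example (not the skill's own code): test an SCP's StringLike patterns
// for ec2:InstanceType against sample instance types before attaching it.

// IAM StringLike: "*" matches any run of characters, "?" exactly one; case-sensitive.
function iamStringLike(pattern: string, value: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except * and ?
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(value);
}

interface CoverageReport {
  denied: string[];  // types at least one pattern matches (RunInstances blocked)
  allowed: string[]; // types no pattern matches (the SCP does not stop them)
}

// A Deny statement wins as soon as one of its patterns matches, so coverage is
// "some pattern matches" per instance type.
function evaluateDenyPatterns(patterns: string[], instanceTypes: string[]): CoverageReport {
  const denied: string[] = [];
  const allowed: string[] = [];
  for (const t of instanceTypes) {
    (patterns.some(p => iamStringLike(p, t)) ? denied : allowed).push(t);
  }
  return { denied, allowed };
}

// Types the policy intends to block that slip through: the list to fix before attaching.
function coverageGaps(patterns: string[], mustDeny: string[]): string[] {
  return mustDeny.filter(t => !patterns.some(p => iamStringLike(p, t)));
}

// Baseline: the five size patterns from the original skill.
const scpPatterns = ['*.4xlarge', '*.8xlarge', '*.12xlarge', '*.16xlarge', '*.24xlarge'];
// Extended set (an assumption of this example): larger sizes and bare-metal variants.
const hardenedPatterns = [...scpPatterns, '*.32xlarge', '*.48xlarge', '*.metal*'];

// Constructed sample of instance-type names, small and large.
const sampleTypes = [
  't3.micro', 'm5.large', 'm5.4xlarge', 'c6i.32xlarge',
  'm7a.48xlarge', 'r5.metal', 'c7i.metal-24xl', 'p4d.24xlarge',
];
// What a "no large instances in dev" intent should cover beyond 24xlarge.
const mustDeny = ['c6i.32xlarge', 'm7a.48xlarge', 'r5.metal', 'c7i.metal-24xl'];

console.log(evaluateDenyPatterns(scpPatterns, sampleTypes));
console.log('gaps with baseline patterns:', coverageGaps(scpPatterns, mustDeny));
console.log('gaps with hardened patterns:', coverageGaps(hardenedPatterns, mustDeny));
```

With the baseline five patterns the sample's 32xlarge, 48xlarge and both bare-metal types are all allowed, and a bare `*.metal` would still miss `c7i.metal-24xl`, which is why the extended set uses `*.metal*`. The same harness can be pointed at a full instance-type list pulled from `aws ec2 describe-instance-types` to audit the policy against everything a region offers.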

Example 2: CDK - Budget Alerts + Cost Tags

Programmatic budget creation with automated tagging.

📁 Location: cdk/examples/cost-governance/

Key Features

```typescript
import * as cdk from 'aws-cdk-lib';
import * as budgets from 'aws-cdk-lib/aws-budgets';
import { Construct } from 'constructs';

export interface CostGovernanceProps extends cdk.StackProps {
  projectName: string;
  environment: string;
  monthlyBudgetLimit: number;
  alertEmails: string[];
}

export class CostGovernanceStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: CostGovernanceProps) {
    super(scope, id, props);

    // Tag every resource in the stack. Project must also be activated as a cost
    // allocation tag in Billing before the budget filter below sees any spend.
    cdk.Tags.of(this).add('Project', props.projectName);
    cdk.Tags.of(this).add('Environment', props.environment);

    const subscribers = props.alertEmails.map(email => ({
      subscriptionType: 'EMAIL',
      address: email,
    }));

    // ACTUAL alerts at 50% and 80%, plus a FORECASTED alert at 100%, which fires
    // before any actual threshold once the run rate already exceeds the limit.
    const notificationsWithSubscribers: budgets.CfnBudget.NotificationWithSubscribersProperty[] = [
      { threshold: 50, notificationType: 'ACTUAL' },
      { threshold: 80, notificationType: 'ACTUAL' },
      { threshold: 100, notificationType: 'FORECASTED' },
    ].map(({ threshold, notificationType }) => ({
      notification: {
        comparisonOperator: 'GREATER_THAN',
        threshold,
        thresholdType: 'PERCENTAGE',
        notificationType,
      },
      subscribers,
    }));

    // Create budget with multiple thresholds
    new budgets.CfnBudget(this, 'MonthlyBudget', {
      budget: {
        budgetName: `${props.projectName}-${props.environment}-monthly`,
        budgetType: 'COST',
        timeUnit: 'MONTHLY',
        budgetLimit: {
          amount: props.monthlyBudgetLimit,
          unit: 'USD',
        },
        // TagKeyValue filter format is "user:<Key>$<Value>"; in a JS template
        // literal "$${...}" is a literal "$" followed by the interpolated value.
        costFilters: {
          TagKeyValue: [`user:Project$${props.projectName}`],
        },
      },
      notificationsWithSubscribers,
    });
  }
}
```
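
To see how ACTUAL and FORECASTED notifications differ in practice, here is an added example (not part of the skill) that takes notifications in the same shape as the `CfnBudget` notification properties and reports which ones fire for a given month-to-date spend. The linear run-rate forecast is an assumption of this example; AWS Budgets uses its own forecasting model, so treat the exact crossover points as illustrative.

```typescript
// Added example (not the skill's own code): evaluate budget notifications
// against a month-to-date spend snapshot. The forecast model is an assumption.

type ComparisonOperator = 'GREATER_THAN' | 'LESS_THAN' | 'EQUAL_TO';
type ThresholdType = 'PERCENTAGE' | 'ABSOLUTE_VALUE';
type NotificationType = 'ACTUAL' | 'FORECASTED';

interface BudgetNotification {
  comparisonOperator: ComparisonOperator;
  threshold: number;
  thresholdType: ThresholdType;
  notificationType: NotificationType;
}

interface SpendSnapshot {
  actualToDate: number; // USD spent so far this month
  dayOfMonth: number;   // days elapsed, 1-based
  daysInMonth: number;
}

// Assumed forecast: extrapolate the current daily run rate to month end.
function forecastMonthEnd(s: SpendSnapshot): number {
  return (s.actualToDate / s.dayOfMonth) * s.daysInMonth;
}

function compare(op: ComparisonOperator, observed: number, threshold: number): boolean {
  switch (op) {
    case 'GREATER_THAN': return observed > threshold;
    case 'LESS_THAN': return observed < threshold;
    case 'EQUAL_TO': return observed === threshold;
    default: return false;
  }
}

function describeNotification(n: BudgetNotification): string {
  const unit = n.thresholdType === 'PERCENTAGE' ? '%' : ' USD';
  return `${n.notificationType} ${n.comparisonOperator} ${n.threshold}${unit}`;
}

// Descriptions of every notification whose condition holds for this snapshot.
// ACTUAL compares month-to-date spend; FORECASTED compares the projected month-end total.
function firedNotifications(limitUsd: number, notifications: BudgetNotification[], s: SpendSnapshot): string[] {
  const forecast = forecastMonthEnd(s);
  return notifications
    .filter(n => {
      const observed = n.notificationType === 'ACTUAL' ? s.actualToDate : forecast;
      const thresholdUsd = n.thresholdType === 'PERCENTAGE' ? (limitUsd * n.threshold) / 100 : n.threshold;
      return compare(n.comparisonOperator, observed, thresholdUsd);
    })
    .map(describeNotification);
}

// The three notifications the validation checklist asks for.
const standardNotifications: BudgetNotification[] = [
  { comparisonOperator: 'GREATER_THAN', threshold: 50, thresholdType: 'PERCENTAGE', notificationType: 'ACTUAL' },
  { comparisonOperator: 'GREATER_THAN', threshold: 80, thresholdType: 'PERCENTAGE', notificationType: 'ACTUAL' },
  { comparisonOperator: 'GREATER_THAN', threshold: 100, thresholdType: 'PERCENTAGE', notificationType: 'FORECASTED' },
];

// Constructed scenarios against a 1,000 USD monthly limit.
const earlyOverrun: SpendSnapshot = { actualToDate: 450, dayOfMonth: 10, daysInMonth: 30 }; // forecast 1,350
const lateAndHigh: SpendSnapshot = { actualToDate: 850, dayOfMonth: 20, daysInMonth: 30 };  // forecast 1,275
const onTrack: SpendSnapshot = { actualToDate: 300, dayOfMonth: 15, daysInMonth: 30 };      // forecast 600

console.log('early overrun:', firedNotifications(1000, standardNotifications, earlyOverrun));
console.log('late and high:', firedNotifications(1000, standardNotifications, lateAndHigh));
console.log('on track:', firedNotifications(1000, standardNotifications, onTrack));
```

In the early-overrun scenario only the FORECASTED alert fires: 450 USD on day 10 is under the 50% actual threshold, but the run rate projects to 1,350 USD. That ordering is the reason to keep a forecasted notification alongside the actual ones; the actual alerts confirm overspend that has already happened.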

Common Cost Optimizations

| Area | Optimization | Savings |
|------|--------------|---------|
| EC2 | Savings Plans | 30-70% |
| EC2 | Spot Instances | 60-90% |
| NAT | VPC Endpoints | Variable |
| S3 | Lifecycle policies | 40-60% |
| RDS | Reserved Instances | 30-60% |
| EBS | gp3 vs gp2 | 20% |

Validation Checklist

  • Cost allocation tags activated and applied to resources (untagged spend escapes tag-filtered budgets)
  • Budgets set for each environment
  • Alert thresholds at 50% and 80% (actual) and 100% (forecasted)
  • SCPs block large instances in dev and are attached to the non-prod OU
  • Monthly cost review scheduled
  • Unused resource cleanup automated
