Summary
Governance is a crucial part of your FinOps implementation. Without governance, all you have is good intent. Governance provides guardrails for your FinOps practices to be executed in a standardized and scalable way.
Authentication and authorization are both required for any activity within AWS, FinOps-related or otherwise. It’s important to streamline cross-account access via roles and IAM policies that adhere to the principle of least privilege.
You can use SCPs and tagging policies to enforce compliance for accounts and OUs. All accounts and their associated entities are subject to any SCPs that apply to them. Thus, the permissions allowed for an entity are the union of its permission boundary and its IAM policy.
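As an added illustration (not a policy from this book), the following SCP shows the kind of tag-compliance guardrail described above: it denies launching EC2 instances or volumes that are not tagged with a cost-allocation key, and denies removing that tag afterward, so cost reporting cannot silently lose coverage. The tag key `CostCenter` is an assumed example value; the `Sid` strings describe each statement's purpose since SCP JSON does not allow comments.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2LaunchWithoutAssumedCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" }
      }
    },
    {
      "Sid": "DenyRemovalOfAssumedCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["CostCenter"] }
      }
    }
  ]
}
```

Because the first statement keys on `aws:RequestTag`, the tag must be supplied in the launch request itself (via tag specifications); attaching this SCP to an OU applies it to every account beneath that OU.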
For day-to-day operations, AWS Config, AWS Service Catalog, and AWS CloudTrail are governance-focused services that help with enforcing compliance and auditing account activity.
We have established the right foundation by setting up a multi-account environment, analyzing...