COST-005 recommended Cost Governance

Cost governance

Cost attribution enables accountability. Regular reviews turn visibility into action.

Question to ask

"Which team is responsible for that $8k AWS charge?"

Pass criteria

  • Costs attributable to projects/teams
  • Tagging enforced (if used)
  • Regular review cadence
  • Reviews lead to actions

Fail criteria

  • All costs in one bucket
  • Tagging not enforced
  • No regular reviews
  • Reviews without actions

Verification guide

Severity: Recommended

Check automatically:

# Check for cloud tagging policies
grep -riE "tag.*policy|required.*tag|cost.*tag|cost.*center|cost.*allocat" docs/ terraform/ --include="*.md" --include="*.tf" 2>/dev/null

# Look for tagging in infrastructure-as-code
grep -riE "tags.*=|labels.*=" terraform/ pulumi/ cdk/ --include="*.tf" --include="*.ts" --include="*.yaml" 2>/dev/null | head -20

# Check for cost review documentation
grep -riE "cost.*review|budget.*review|spend.*review|finops.*meeting" docs/ --include="*.md" 2>/dev/null

# Look for cost allocation documentation
grep -riE "cost.*attribution|cost.*allocation|chargeback|showback" docs/ --include="*.md" 2>/dev/null
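
The greps above only show that tags appear somewhere in the repository; they do not show how many resources lack them, which is what the "many untagged resources" fail criterion asks about. The script here is an added example (not part of the original checklist) that estimates tag coverage per Terraform resource block. The function names, the skip-pattern parameter and the sample file are assumptions made for illustration.

```bash
# Added example: heuristic tag coverage for Terraform resource blocks.
# Assumes `terraform fmt` layout: `resource "type" "name" {` and its closing `}`
# both start at column 0. Provider default_tags and module internals are not seen.

# scan_resources DIR [SKIP_ERE] prints "TAGGED|UNTAGGED type.name" per resource.
# SKIP_ERE (hypothetical parameter) drops resource types that cannot carry tags.
scan_resources() {
  find "$1" -type f -name '*.tf' -exec awk -v skip="${2:-}" '
    function emit() {
      st = tagged ? "TAGGED" : "UNTAGGED"
      if (skip == "" || rtype !~ skip) print st, id
      inres = 0
    }
    /^resource[ \t]+"/ {
      split($0, q, "\"")               # q[2] = type, q[4] = name
      rtype = q[2]; id = q[2] "." q[4]; tagged = 0; inres = 1
      if ($0 ~ /}[ \t]*$/) emit()      # empty block closed on the same line
      next
    }
    inres && /^[ \t]+(tags|labels)[ \t]*=/ { tagged = 1 }
    inres && /^}/ { emit() }
  ' {} +
}

untagged_resources() { scan_resources "$@" | awk '$1 == "UNTAGGED" { print $2 }' | sort; }

# Prints "<tagged>/<total>", a ratio that can be recorded as audit evidence.
tag_coverage() {
  scan_resources "$@" | awk '$1 == "TAGGED" { t++ } END { printf "%d/%d\n", t, NR }'
}

# Constructed sample input, not taken from any real repository.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/main.tf" <<'EOF'
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  tags = {
    cost_center = "cc-1001"
  }
}
resource "aws_instance" "batch" {
  instance_type = "t3.micro"
}
resource "aws_iam_role_policy_attachment" "batch" {
  role = "batch"
}
resource "aws_sqs_queue" "jobs" {}
EOF
untagged_resources "$SAMPLE" '^aws_iam_role_policy_attachment$'
tag_coverage "$SAMPLE" '^aws_iam_role_policy_attachment$'
```

A `tags` line inside a nested block also counts as tagged, so treat the ratio as a lower bound on the problem and confirm against the cloud provider's own inventory.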

Ask user:

  • "Can you attribute costs to specific projects or teams?" (tags, separate accounts, manual)
  • "Is tagging enforced for cloud resources?"
  • "Do you review costs regularly? How often? Who participates?"
  • "What actions come out of cost reviews?" (optimizations, cleanups, budget adjustments)

Cost attribution methods:

Method            | Pros               | Cons
Resource tagging  | Granular, flexible | Requires enforcement
Separate accounts | Clean separation   | Overhead to manage
Manual allocation | Simple to start    | Error-prone, labor-intensive
Usage-based split | Fair               | Complex to implement

Pass criteria:

  • Costs attributable to projects/teams (tagging, accounts, or documented allocation)
  • Tagging policy exists and is enforced (if using tags)
  • Regular review cadence (monthly minimum)
  • Reviews lead to actions (optimizations, cleanups, alerts)

Fail criteria:

  • All costs in one bucket, no breakdown possible
  • Tagging exists but not enforced (many untagged resources)
  • Reviews are ad-hoc or never happen
  • Reviews happen but no actions result ("we just look at the numbers")

Cross-reference with:

  • COST-004 (need visibility to do governance)
  • COST-003 (tool ownership enables accountability)

Evidence to capture:

  • Cost attribution method (tags, accounts, manual)
  • Tagging enforcement (policy exists? enforced?)
  • Review cadence and participants
  • Recent actions from cost reviews

Section: 38. Cost Monitoring & Budget Alerts