DEV Community

maryam mairaj for SUDO Consultants

From Chaos to Control: The AWS Governance Framework That Saves Money

The Bill Nobody Expected

Last quarter, a Dubai-based SaaS company we work with opened its AWS bill to find it had jumped from AED 68,000 to AED 96,000. No new product launch. No traffic spike. Just drift.

When we dug in, here's what we found: an EC2 fleet in eu-west-1 that the DevOps team had forgotten after a client demo three months earlier; an RDS instance for a decommissioned analytics pipeline, still running at full capacity; several unattached Elastic IPs; and not a single resource tagged with an owner or cost centre.

Nobody had done anything malicious. The team was just moving fast, and the environment had grown faster than their ability to see it. That's the governance gap. And it shows up in AWS bills across the UAE every single month.

This guide walks you through fixing it. Not only conceptually, but with exact steps, real configuration, and the specific AWS tools that make governance stick.

🔗 If you’re building your cloud foundation in the UAE, read: How UAE-Based Businesses Can Gain a Competitive Edge with AWS Cloud Adoption

Why Cloud Costs Spiral: The Governance Gap

Cloud overspending rarely comes from one big mistake. It comes from small operational gaps that compound over time:

• Resources provisioned for a demo, a test, or a one-off project and never cleaned up
• Dev and staging environments running 24/7 when they only need to be on during business hours
• No tagging policy, so when you open Cost Explorer, you see one number with no breakdown
• Multiple AWS accounts with no consolidated billing or budget alerts

The result: your infrastructure is doing exactly what it was told to do. The problem is nobody told it to stop.

The fix is four disciplines, each with a specific AWS implementation. Here's how to set them up.

🔗 Sound familiar? See how other UAE organisations have dealt with this: Common Cloud Adoption Challenges in the Middle East and How to Overcome Them

Hands-On Implementation: The 4 Pillars

Pillar 1: Tagging & Resource Attribution

Without tags, your AWS bill is a black box. Tags are how you connect every dollar back to a team, a project, and an environment. The goal here is to enforce tags automatically, not rely on developers remembering.

We'll set this up using AWS Tag Policies inside AWS Organizations, then add an AWS Config rule. The two do different jobs: a tag policy standardises keys and values and, with enforced_for, blocks a non-compliant tag from being applied to the listed resource types, but it cannot force a tag to exist. The Config rule is what flags resources that carry no tag at all.

Step-by-Step: Create and Enforce a Tag Policy

AWS Console:

AWS Console → AWS Organizations → Policies → Tag Policies → Create Policy

1. Open AWS Organizations: Sign in to your management account. Search for organizations in the Service search bar and go to Organizations. In the left menu, go to Policies → Tag Policies.

2. Enable Tag Policies: If this is your first Tag Policy, click Enable Tag Policies. This turns the policy type on for the organisation root (it requires Organizations to be in all-features mode); nothing is enforced until a policy is created and attached.

3. Click Create Policy: Give it a name like sudo-mandatory-tags. In the JSON editor, define each mandatory key, its allowed values, and the resource types on which non-compliant tags are blocked (enforced_for):

{
  "tags": {
    "Environment": {
      "tag_key": { "@@assign": "Environment" },
      "tag_value": { "@@assign": ["production", "staging", "development", "sandbox"] },
      "enforced_for": { "@@assign": ["ec2:instance", "rds:db", "s3:bucket", "lambda:function"] }
    },
    "Team": {
      "tag_key": { "@@assign": "Team" },
      "tag_value": { "@@assign": ["engineering", "data", "devops", "marketing", "product"] },
      "enforced_for": { "@@assign": ["ec2:instance", "rds:db", "lambda:function"] }
    },
    "CostCentre": {
      "tag_key": { "@@assign": "CostCentre" },
      "enforced_for": { "@@assign": ["ec2:instance", "rds:db", "s3:bucket"] }
    }
  }
}

4. Attach the policy: Click Next, then attach to the Root of your organisation (or to a specific OU). Click Create Policy.
5. Add a Config rule for the gap tag policies leave: Go to AWS Config → Rules → Add Rule and search for the managed rule required-tags. Select the resource types it should cover and set the required tag keys to Environment, Team and CostCentre (the keys must match the tag policy exactly, including capitalisation). Any in-scope resource missing one of these keys is marked NON_COMPLIANT shortly after its next configuration change is recorded. The rule is per account and per Region, so for the whole organisation deploy it as an organization Config rule or inside a conformance pack rather than account by account, and make sure the Config recorder is on in every Region you use.

CLI Alternative

Create a tag policy JSON file (tag-policy.json) containing the policy above. If tag policies are not yet enabled for the organisation, enable the TAG_POLICY policy type on the root first (aws organizations enable-policy-type with --policy-type TAG_POLICY; this is what console step 2 does). Then, from the management account, create the policy (note the double-dash flags):

aws organizations create-policy \
  --content file://tag-policy.json \
  --description "SUDO mandatory tags" \
  --name sudo-mandatory-tags \
  --type TAG_POLICY

Attach it to the organization root. The policy ID (p-...) is returned in Policy.PolicySummary.Id of the previous command's output; the root ID (r-...) comes from aws organizations list-roots.

aws organizations attach-policy \
  --policy-id p-xxxxxxxxxx \
  --target-id r-xxxx
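As an added example (not code from the original post), here is a Python check that simulates what the two Pillar 1 controls catch on a constructed inventory of five resources: the tag policy above, which blocks a tag whose key capitalisation differs from the policy or whose value is outside the allowed list on the enforced resource types, and the required-tags Config rule, which reports resources missing a key. The inventory and the required-key list are assumptions for the example. The point it makes is that a resource with no tags at all never trips the tag policy; only the Config rule sees it.

```python
"""Added example (not from the original post): simulate what the Pillar 1
controls catch. A tag policy with enforced_for blocks a non-compliant tag
(wrong key capitalisation or a value outside the allowed list) on the listed
resource types; it does not require the key to exist. The Config managed
rule required-tags flags resources that are missing a key. The inventory
below is constructed for this example."""
import fnmatch

# The tag policy from the article, as a Python dict.
TAG_POLICY = {"tags": {
    "Environment": {
        "tag_key": {"@@assign": "Environment"},
        "tag_value": {"@@assign": ["production", "staging", "development", "sandbox"]},
        "enforced_for": {"@@assign": ["ec2:instance", "rds:db", "s3:bucket", "lambda:function"]},
    },
    "Team": {
        "tag_key": {"@@assign": "Team"},
        "tag_value": {"@@assign": ["engineering", "data", "devops", "marketing", "product"]},
        "enforced_for": {"@@assign": ["ec2:instance", "rds:db", "lambda:function"]},
    },
    "CostCentre": {
        "tag_key": {"@@assign": "CostCentre"},
        "enforced_for": {"@@assign": ["ec2:instance", "rds:db", "s3:bucket"]},
    },
}}

# Parameters of the required-tags Config rule (assumed to match the policy keys).
REQUIRED_KEYS = ("Environment", "Team", "CostCentre")

# Constructed inventory: resource id -> (resource type, tags a developer applied).
INVENTORY = {
    "i-0demo1234":  ("ec2:instance",    {"Environment": "prod", "Team": "devops", "CostCentre": "CC-100"}),
    "i-0forgotten": ("ec2:instance",    {}),                      # the forgotten demo fleet
    "analytics-db": ("rds:db",          {"environment": "production", "Team": "data", "CostCentre": "CC-200"}),
    "logs-bucket":  ("s3:bucket",       {"Environment": "production", "Team": "marketing"}),
    "billing-cron": ("lambda:function", {"Environment": "sandbox", "Team": "finance", "CostCentre": "CC-300"}),
}


def tag_policy_violations(resource_type, tags, policy=TAG_POLICY):
    """Tag keys whose tag the policy would reject on this resource type:
    wrong capitalisation of the key, or a value outside the allowed list.
    A key that is simply absent is never a violation."""
    violations = []
    for rule in policy["tags"].values():
        key = rule["tag_key"]["@@assign"]
        enforced = rule.get("enforced_for", {}).get("@@assign", [])
        if not any(fnmatch.fnmatchcase(resource_type, pat) for pat in enforced):
            continue                                   # not an enforced resource type
        actual_key = next((k for k in tags if k.lower() == key.lower()), None)
        if actual_key is None:
            continue                                   # tag policies cannot require presence
        allowed = rule.get("tag_value", {}).get("@@assign")
        if actual_key != key or (allowed is not None and tags[actual_key] not in allowed):
            violations.append(key)
    return violations


def required_tags_missing(tags, required=REQUIRED_KEYS):
    """Keys the required-tags rule would report as missing (exact, case-sensitive match)."""
    return [k for k in required if k not in tags]


def audit(inventory=INVENTORY):
    """Per-resource view of what each control would report."""
    return {
        rid: {
            "blocked_by_tag_policy": tag_policy_violations(rtype, tags),
            "non_compliant_required_tags": required_tags_missing(tags),
        }
        for rid, (rtype, tags) in inventory.items()
    }


if __name__ == "__main__":
    for rid, result in audit().items():
        print(rid, result)
```

Compare i-0forgotten with i-0demo1234 in the output: the untagged instance passes the tag policy because there is nothing for it to reject, and only the Config rule reports it, while the instance tagged Environment=prod is the one the tag policy would have blocked at tagging time.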

Pillar 2: Cost Visibility & Budget Alerts

Tags are useless without a way to read them. AWS Cost Explorer turns your tagging data into per-team cost reports. AWS Budgets adds proactive alerting so teams know when they're approaching their limit, not after they've crossed it.

Step-by-Step: Enable Cost Explorer and Set Up Team Views

AWS Console:

AWS Console → Billing & Cost Management → Cost Explorer → Enable Cost Explorer

1. Enable Cost Explorer: Go to Billing & Cost Management → Cost Explorer. If not already enabled, click Enable Cost Explorer. It takes up to 24 hours to populate historical data on first activation.

2. Create a Team spend view: In Cost Explorer, set the date range to Last 3 months (or whatever period you need). Under Group by, select Tag and choose the team tag key from your taxonomy (Team in the policy above). You'll see a stacked bar chart of spend by tag value per month. Any bar labelled No tag is untagged spend; fix it using Pillar 1.

3. Enable Cost Anomaly Detection: In Cost Management → Cost Anomaly Detection, create a new monitor. Select AWS Services as the monitor type and click Next.
To set up alerts, select Create a new subscription. Choose the alert frequency (individual alerts, or daily or weekly summaries). Set an alert threshold of $200 (adjust to your scale). Add your cloud team email as a subscriber and click Create monitor.
This catches unexpected spikes, such as a looping Lambda function or a forgotten EC2 fleet, and alerts your team before they compound.

Step-by-Step: Create a Budget Alert Per Team
AWS Console:

AWS Console → Billing & Cost Management → Budgets → Create Budget

  1. Go to Billing & Cost Management
  2. On the left bar, go to Budgets → Create Budget — Select Cost Budget. Click Next.

3. Name and scope the budget: Set name as Monthly-Budget. Set period to Monthly. Select Recurring Budget. Select the budgeting method as Fixed/Planned. Set the budgeted amount, for example, $5,000 USD.
For the budget scope, select Filter specific AWS cost dimensions, select Dimension as Tag, select your tag, select the respective value, and click Apply filter. Click Next.
4. Set alert thresholds: Add two alerts, at 80% and at 100% of the budgeted amount (both on Actual spend). Add your team's email addresses as subscribers, or enter an existing SNS topic ARN (or create a new one) so the alert can also reach chat or ticketing.
5. Click Create Budget: Repeat this for each application or team. A budget takes effect immediately and tracks against real spend.

CLI Alternative

The tag filter format is user:<TagKey>$<TagValue>, and Threshold is a percentage of BudgetLimit by default. Two notifications are attached to match the console steps above:

aws budgets create-budget \
  --account-id 123456789012 \
  --budget '{
    "BudgetName": "Monthly-Budget",
    "BudgetLimit": {"Amount": "5000", "Unit": "USD"},
    "CostFilters": {"TagKeyValue": ["user:Application$Betterlife"]},
    "TimeUnit": "MONTHLY",
    "BudgetType": "COST"
  }' \
  --notifications-with-subscribers '[{
    "Notification": {"NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN", "Threshold": 80},
    "Subscribers": [{"SubscriptionType": "EMAIL", "Address": "cloudops@company.ae"}]
  }, {
    "Notification": {"NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN", "Threshold": 100},
    "Subscribers": [{"SubscriptionType": "EMAIL", "Address": "cloudops@company.ae"}]
  }]'
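An added example, not from the original post: Python that takes a Cost Explorer result grouped by the Team tag and produces the two numbers this pillar cares about, the share of spend with no tag and the teams that have crossed 80% or 100% of their budget. The response is a constructed sample in the shape the GetCostAndUsage API returns for GroupBy Type=TAG (group keys of the form Team$engineering; an empty value, Team$, is what the console labels No tag), and the budgets are assumed figures.

```python
"""Added example (not from the original post): read a Cost Explorer result
grouped by the Team tag and derive the Pillar 2 signals: unattributed
("No tag") spend and which teams have exceeded their 80% / 100% budget
thresholds. CE_RESPONSE is a constructed sample in the shape returned by
ce:GetCostAndUsage with GroupBy Type=TAG, Key=Team; BUDGETS are assumed."""
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample. Resources without the tag appear under the key "Team$"
# (empty value), which the Cost Explorer console renders as "No tag".
CE_RESPONSE = {
    "ResultsByTime": [{
        "TimePeriod": {"Start": "2025-01-01", "End": "2025-02-01"},
        "Groups": [
            {"Keys": ["Team$engineering"], "Metrics": {"UnblendedCost": {"Amount": "4200.00", "Unit": "USD"}}},
            {"Keys": ["Team$data"],        "Metrics": {"UnblendedCost": {"Amount": "3100.00", "Unit": "USD"}}},
            {"Keys": ["Team$devops"],      "Metrics": {"UnblendedCost": {"Amount": "3900.00", "Unit": "USD"}}},
            {"Keys": ["Team$"],            "Metrics": {"UnblendedCost": {"Amount": "2600.00", "Unit": "USD"}}},
        ],
    }]
}

# Assumed monthly budget per team (one AWS Budget each), in USD.
BUDGETS = {"engineering": Decimal("5000"), "data": Decimal("3000"), "devops": Decimal("4000")}
THRESHOLDS = (Decimal("80"), Decimal("100"))   # the two ACTUAL alerts from the console steps
NO_TAG = "No tag"


def spend_by_team(response, tag_key="Team"):
    """Sum UnblendedCost per tag value across all returned time periods."""
    totals, prefix = {}, f"{tag_key}$"
    for period in response["ResultsByTime"]:
        for group in period["Groups"]:
            key = group["Keys"][0]
            value = key[len(prefix):] if key.startswith(prefix) else key
            team = value or NO_TAG
            amount = Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
            totals[team] = totals.get(team, Decimal("0")) + amount
    return totals


def percent(part, whole):
    """Percentage rounded to one decimal, as money should be."""
    return (part / whole * 100).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def untagged_share(totals):
    """Share of spend Pillar 1 has not yet attributed to any team."""
    total = sum(totals.values(), Decimal("0"))
    return percent(totals.get(NO_TAG, Decimal("0")), total) if total else Decimal("0")


def budget_alerts(totals, budgets=BUDGETS, thresholds=THRESHOLDS):
    """Mirror what AWS Budgets fires: one ACTUAL alert per threshold the team's
    month-to-date spend has exceeded (GREATER_THAN). Teams with spend but no
    budget are returned separately; that gap is itself a finding."""
    alerts, unbudgeted = [], []
    for team, spent in sorted(totals.items()):
        limit = budgets.get(team)
        if limit is None:
            unbudgeted.append(team)
            continue
        used = percent(spent, limit)
        crossed = [int(t) for t in thresholds if used > t]
        if crossed:
            alerts.append({"team": team, "spent": spent, "limit": limit,
                           "percent_used": used, "thresholds_crossed": crossed})
    return alerts, unbudgeted


if __name__ == "__main__":
    totals = spend_by_team(CE_RESPONSE)
    print(f"Unattributed spend: {untagged_share(totals)}%")
    alerts, unbudgeted = budget_alerts(totals)
    for alert in alerts:
        print(alert)
    print("Spend with no budget:", unbudgeted)
```

In the sample, almost a fifth of the month is unattributed and has no budget watching it, which is exactly the condition the opening story describes; the data team has already crossed 100% and would have received both alerts.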

Pillar 3: Guardrails with Service Control Policies (SCPs)

The first two pillars show you what's happening. This pillar prevents costly mistakes before they happen. Service Control Policies are rules you attach to your AWS organisation or accounts that enforce hard limits regardless of what any IAM user or role is allowed to do.

Think of SCPs as the last line of defence. Even if a developer has full admin access, an SCP can stop them from spinning up a GPU instance or deploying into an unapproved region. You write the rule once, attach it to the account or OU, and it applies automatically to everyone.

SCPs require AWS Organizations with all features enabled. If you're running a single AWS account, create an organisation first; it's free and takes about 5 minutes. Two limits to design around: SCPs never restrict principals in the management account, so keep workloads out of it and test from a member account; and they do not affect service-linked roles, so they will not stop actions an AWS service performs on your behalf.

🔗 Going deeper on AWS security and compliance? Read: Implementing AWS Security & Compliance: A Hands-On Guide to IAM, Recovery, and Governance

Prerequisite: Enable SCPs in AWS Organizations
AWS Console:

AWS Console → AWS Organizations → Policies → Service Control Policies

1. Open AWS Organizations — In your management account, search for AWS Organizations and open it.
2. Enable Service Control Policies — In the left menu, go to Policies → Service Control Policies. If SCPs are not yet enabled, click Enable Service Control Policies. This takes effect immediately.

Step-by-Step: Create and Attach an SCP
AWS Console:

AWS Console → AWS Organizations → Policies → Service Control Policies → Create Policy

1. Click Create Policy — Give it a clear name, e.g., deny-non-approved-regions. In the JSON editor, paste your SCP. Two of the most impactful ones for UAE businesses are below.

SCP 1 — Restrict all activity to approved regions only. This prevents accidental deployments in us-east-1, eu-west-1, or any other region your team defaults to out of habit:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyNonApprovedRegions",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": ["me-south-1", "me-central-1"]
      }
    }
  }]
}

⚠️ Important: Before attaching this SCP, verify that all your active workloads are already running in the regions you are allowing; attaching it to an account with resources elsewhere will block operations on those resources. Two further checks: me-south-1 and me-central-1 are opt-in Regions and must be enabled in each member account, and as written the policy also denies global services (IAM, STS, Organizations, Route 53, CloudFront, Support, Billing), whose requests carry aws:RequestedRegion = us-east-1. The AWS-documented version of this guardrail replaces "Action": "*" with a NotAction list of those global service actions; use that form in production.

SCP 2 — Block high-cost GPU and memory-intensive instance families from being launched without prior approval. Because SCPs don't apply to service-linked roles, this does not stop Auto Scaling from launching one of these types from an existing launch template, so review launch templates as well:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyExpensiveInstanceTypes",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringLike": {
        "ec2:InstanceType": ["p4d.*", "p3.*", "x1e.*", "u-*"]
      }
    }
  }]
}

  2. Click Create Policy — Once the JSON is in place, click Create Policy. The policy is saved but not yet active.
  3. Attach the SCP to your account or OU — Go back to AWS Organizations → AWS Accounts. Select the account or Organisational Unit (OU) you want to apply the policy to. Click Policies tab → Attach → select your SCP → Attach Policy. The policy takes effect immediately.
  4. Test the SCP — From a member account (not the management account, which SCPs never restrict), try launching an EC2 instance in a blocked region or with a blocked instance type. The request must fail with an explicit-deny error: EC2 reports it as UnauthorizedOperation, while most other services return AccessDenied with a message mentioning an explicit deny in a service control policy. That means it's working.
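To see how the two guardrails combine, here is an added example (not code from the original post): a small Python evaluator for deny-only SCP logic, run over constructed API requests. It evaluates SCP 1 and SCP 2 exactly as written above, plus a third policy that is the AWS-documented form of the region guardrail, using NotAction so that calls to global services (which carry aws:RequestedRegion = us-east-1) are not denied. The request contexts and the abridged global-service list are assumptions for the example; Resource matching is not modelled because every statement here uses a wildcard.

```python
"""Added example (not from the original post): a minimal evaluator for the
deny-only SCPs in Pillar 3, run over constructed requests. It covers the two
policies above and a third, the AWS-documented region pattern that uses
NotAction so global services are not caught. Only the condition operators
these policies use are implemented; Resource matching is not modelled."""
import fnmatch

APPROVED_REGIONS = ["me-south-1", "me-central-1"]

SCP_REGIONS = {                        # SCP 1 exactly as written above
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyNonApprovedRegions", "Effect": "Deny",
                   "Action": "*", "Resource": "*",
                   "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}}],
}
SCP_INSTANCE_TYPES = {                 # SCP 2 exactly as written above
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyExpensiveInstanceTypes", "Effect": "Deny",
                   "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
                   "Condition": {"StringLike": {"ec2:InstanceType": ["p4d.*", "p3.*", "x1e.*", "u-*"]}}}],
}
# Abridged (assumed) subset of the global-service actions in the AWS example SCP.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*", "budgets:*",
                          "ce:*", "cloudfront:*", "route53:*", "health:*", "trustedadvisor:*"]
SCP_REGIONS_WITH_GLOBAL = {            # the production-safe variant of SCP 1
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyNonApprovedRegionsExceptGlobal", "Effect": "Deny",
                   "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
                   "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}}],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _action_matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "service:Prefix*" wildcards are allowed.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate the operators these SCPs use. As in IAM, a missing context
    key makes StringNotEquals true and StringEquals/StringLike false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, exp = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual in exp
            elif operator == "StringNotEquals":
                ok = actual not in exp
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, p) for p in exp)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def scp_denies(policies, action, ctx):
    """Return the Sid of the first Deny statement matching the request, else None.
    SCPs never grant anything: a request not denied here still needs an IAM allow."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Deny":
                continue
            if "Action" in stmt and not _action_matches(action, stmt["Action"]):
                continue
            if "NotAction" in stmt and _action_matches(action, stmt["NotAction"]):
                continue
            if _condition_holds(stmt.get("Condition", {}), ctx):
                return stmt.get("Sid", "<no Sid>")
    return None


# Constructed requests: (action, request context) from a member-account principal.
REQUESTS = [
    ("ec2:RunInstances", {"aws:RequestedRegion": "me-central-1", "ec2:InstanceType": "t3.medium"}),
    ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1", "ec2:InstanceType": "t3.medium"}),
    ("ec2:RunInstances", {"aws:RequestedRegion": "me-central-1", "ec2:InstanceType": "p4d.24xlarge"}),
    ("iam:CreateRole", {"aws:RequestedRegion": "us-east-1"}),      # global service: always us-east-1
    ("s3:CreateBucket", {"aws:RequestedRegion": "me-south-1"}),
]


def evaluate(policies, requests=REQUESTS):
    """Denying Sid (or None) for each request under the given SCP set."""
    return [scp_denies(policies, action, ctx) for action, ctx in requests]


if __name__ == "__main__":
    print("as written:     ", evaluate([SCP_REGIONS, SCP_INSTANCE_TYPES]))
    print("with NotAction: ", evaluate([SCP_REGIONS_WITH_GLOBAL, SCP_INSTANCE_TYPES]))
```

The fourth request is the one to watch: with SCP 1 as written, iam:CreateRole is denied because the IAM endpoint reports us-east-1, which would break role management for every member account; the NotAction variant leaves it alone while still denying the eu-west-1 launch and the p4d instance.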

🔗 Setting up governance as part of a cloud migration? Our Cloud Migration Services help design scalable, governance-ready AWS architectures from day one. → sudoconsultants.com/cloud-migration-services

Pillar 4: Continuous Optimisation with Trusted Advisor & Compute Optimizer

The first three pillars establish control. This pillar keeps improving. AWS Trusted Advisor and Compute Optimizer scan your environment continuously and surface specific waste with dollar estimates attached. The goal is to turn these findings into a monthly action backlog, not a report nobody reads.

Step-by-Step: Action Trusted Advisor Cost Findings
AWS Console:

AWS Console → Trusted Advisor → Cost Optimization

1. Open Trusted Advisor: Search for Trusted Advisor in the console. Note: Full Cost Optimization checks require AWS Business or Enterprise Support. If you're on Developer support, upgrade or use Compute Optimizer (free) as your primary tool.

2. Go to Cost Optimization tab: You'll see checks for: Low Utilization Amazon EC2 Instances, Idle Load Balancers, Underutilized Amazon EBS Volumes, Unassociated Elastic IP Addresses, and Amazon RDS Idle DB Instances.

3. Click each check: Expand the check to see the resource list with estimated monthly savings per resource. Download the CSV for your monthly review.

4. Action the findings: For each flagged resource, verify with the owning team (use the owner tag from Pillar 1), then stop, resize, or terminate. Add unresolved items to your engineering backlog with the estimated savings attached.

Step-by-Step: Right-Size with Compute Optimizer
AWS Console:

AWS Console → AWS Compute Optimizer → Opt in → EC2 instances

1. Opt in to Compute Optimizer: Go to AWS Compute Optimizer. Click Get Started and opt in for your account (or for all accounts via Organizations). It starts analysing EC2 instances immediately, needs at least 30 hours of CloudWatch metrics before it issues a recommendation, and by default looks back over 14 days of utilisation data. Memory utilisation is only considered if the CloudWatch agent is publishing memory metrics from the instances; without it, right-sizing is based on CPU, network and disk alone.
2. Review EC2 recommendations: Click EC2 instances. Filter by Finding: Over-provisioned. For each instance, Compute Optimizer shows the current type, recommended type, projected CPU/memory utilisation, and estimated monthly savings.

What This Looked Like for the SaaS Team

📊 AED 96,000 → AED 71,500 in 90 days. Same product. Same team. Better governance.

Quick-Start Checklist: What to Do This Week

You don't need to implement all four pillars at once. This is the order that delivers early wins:

  1. Enable AWS Cost Explorer if it isn't active; it takes 2 minutes and data appears within 24 hours
  2. Run a tagging audit: in Cost Explorer, group by Tag: Team. How much shows as No tag?
  3. Set up one budget alert: pick your highest-spending account and set an 80% alert
  4. Open Trusted Advisor Cost Optimization and note the top 3 flagged items and their estimated savings
  5. Draft your tag taxonomy: list the 4 to 5 mandatory tag keys your organisation needs before creating the Tag Policy

These five steps cost nothing and take less than two hours. They will give you more visibility into your AWS spend than most organisations in the UAE have today.

Key Takeaways
• Cloud overspending is a governance problem and every piece of it is fixable with native AWS tools
• Tags are the foundation. Without them, all other cost management is guesswork
• AWS Budgets with team-scoped alerts turns end-of-month surprises into mid-month conversations
• SCPs make cost control structural, not dependent on developer discipline
• Trusted Advisor and Compute Optimizer deliver specific, dollar-valued findings, and treat them as a monthly backlog
• The companies controlling AWS costs in the UAE aren't spending less; they know exactly where every dirham is going

How SUDO Helps

At SUDO, we implement this exact framework for businesses across the UAE, from the initial tagging strategy and Control Tower deployment through to ongoing FinOps on AWS advisory and monthly governance reviews. As an AWS Premium Tier Partner and trusted cloud consulting UAE practice, we help organisations across Dubai and the GCC take control of their AWS spend.
If your AWS bill feels like a black box, or if you know there's waste but can't locate it, the right starting point is a clear assessment of where your governance gaps are.

🔗 Learn more about how SUDO approaches cost management: Cost Optimization Strategies in Managed Cloud Services

Ready to Close the Governance Gap?

Cloud governance is not overhead. It is the operating model that makes everything else work.
The four steps above are not complex. They are just disciplines applied through the right tools. Start with what you can measure. Then control what you cannot yet.

The bill that arrives next month will look different.

Contact us
