Overview

3 Building a Cloud Asset Inventory

This chapter moves from FinOps foundations to the practical work of establishing a comprehensive cloud asset inventory. It defines an inventory as a centralized, up-to-date record of all resources across cloud environments, enriched with metadata such as region, usage, cost, and tags, and surfaced via dashboards for analysis. The chapter explains why inventories are essential to visibility and accountability, highlighting benefits for security monitoring, compliance and auditing, operational efficiency, cost optimization, and disaster recovery—needs that grow in importance as organizations adopt multi-cloud strategies.

The chapter presents multiple implementation paths, starting with do-it-yourself discovery using the AWS CLI and Bash to enumerate resources like EC2, S3, and Lambda into CSVs—an approach that offers full control but has performance, maintenance, and timeliness limitations. It then introduces AWS-native services that automate and scale inventory management: AWS Config for continuous change tracking, multi-account aggregation, compliance rules, and query-based insights; AWS Resource Explorer for fast, metadata-driven search across regions; and AWS Resource Groups for tag-based grouping and event-driven governance, including enforcing and validating cost allocation tags such as Owner and Environment.

To address multi-cloud visibility, the chapter outlines native options in each provider—GCP Cloud Asset Inventory with scheduled exports to BigQuery, and Azure Resource Graph for KQL-powered cross-subscription queries—and converges on open-source tooling with CloudQuery. CloudQuery unifies assets from AWS, GCP, and Azure into SQL-accessible stores (DuckDB or PostgreSQL), enabling analytics and dashboards. With dbt-based transformations and Grafana for visualization, teams can standardize views, search and segment resources, and derive cost, compliance, and security insights. The chapter closes with best practices: enforce consistent tagging, automate updates, link inventory to cost data, preserve change history, and include rich metadata—laying the groundwork for subsequent tagging and cost optimization efforts.

Building a cloud asset inventory dashboard with custom scripts to track cloud resource usage
Track resource changes with AWS Config
AWS Config’s recording method
AWS Config’s delivery method
AWS managed rules
List of active resources
List of noncompliant EBS volumes
Creating a rule from an AWS-managed rule
Enforcing Owner as a tag key
List of resources missing the Owner tag
List of AWS Config’s built-in queries
Number of EC2 instances per instance type
List of EC2 instances with Environment tag key
How AWS Resource Explorer works
Viewing resources via AWS Resource Explorer
Creating a custom view
Custom view details page
Resources belonging to the sandbox environment
Creating a resource group
Automating asset inventory export in GCP
Filtering widgets output by service type
Listing all storage accounts
CloudQuery architecture
Syncing S3 and EC2 resources
SHOW TABLES query output
List of EC2 resources
Output of the syncing command
List of tables storing multi-cloud resources
Building a cloud asset inventory dashboard with Grafana
Grafana list of supported data sources
Output of the SELECT query
List of active S3 buckets
View listing all assets
Connecting Postgres to Grafana
Import a Grafana dashboard via JSON
Asset inventory dashboard

Summary

  • Building a comprehensive cloud asset inventory is important for implementing effective FinOps practices and achieving visibility into cloud resources.
  • Custom scripts using cloud provider CLIs can be a good starting point for smaller environments or teams beginning their FinOps journey.
  • AWS Config tracks configuration changes and resource compliance over time, enabling auditing and security analysis.
  • AWS Resource Explorer provides search functionality across AWS resources, helping teams quickly locate and analyze cloud assets.
  • AWS Resource Groups organizes resources by tags or attributes, simplifying management and filtering for operational tasks.
  • GCP Cloud Asset Inventory offers real-time visibility into GCP resources and lets you export metadata to BigQuery or Cloud Storage for further analysis. Azure Resource Graph enables efficient resource exploration and inventory management across multiple Azure subscriptions.
  • Multi-cloud inventory tools like CloudQuery offer unified views of resources across different cloud providers, supporting complex FinOps scenarios.
  • Best practices for cloud asset inventory include implementing consistent tagging, automating inventory updates, integrating with existing CMDBs, and regular auditing.

FAQ

What is a cloud asset inventory and why does it matter?
An asset inventory is a centralized, up-to-date list of all cloud resources (compute, storage, networking, etc.) across providers and regions. It underpins visibility, security, compliance, and FinOps by enabling:
  • Security monitoring and governance/auditing (track changes, ownership, and access)
  • Compliance validation (e.g., encryption, exposure)
  • Operational efficiency (faster troubleshooting and discovery)
  • Cost optimization (find idle/underutilized resources)
  • Disaster recovery readiness (backup coverage and restore paths)

How do I quickly build a basic AWS inventory with Bash and the AWS CLI?
Install and configure the AWS CLI and jq. Loop over regions with aws ec2 describe-regions, list instances via aws ec2 describe-instances, and format to CSV with jq (instance ID, type, region, launch time, state, tags). Extend the script to include S3 (list-buckets) and Lambda (list-functions) and append rows to a unified CSV.
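
The normalization step of that script, as an added example that is not from the chapter: it flattens constructed aws ec2 describe-instances and aws s3api list-buckets responses into one CSV schema, in Python rather than Bash/jq so it runs offline on embedded sample JSON. The column names, the sample IDs, and the Owner-tag check are this example's assumptions.

```python
import csv
import io

# Constructed sample responses shaped like `aws ec2 describe-instances` and
# `aws s3api list-buckets` output; the IDs and names are made up.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "InstanceType": "t3.micro", "State": {"Name": "running"},
     "LaunchTime": "2024-03-01T10:00:00+00:00",
     "Tags": [{"Key": "Owner", "Value": "alice"}, {"Key": "Environment", "Value": "sandbox"}]},
    {"InstanceId": "i-0bbb222", "InstanceType": "m5.large", "State": {"Name": "stopped"},
     "LaunchTime": "2023-11-15T08:30:00+00:00"},  # no Tags key at all
]}]}
SAMPLE_BUCKETS = {"Buckets": [{"Name": "data-lake-raw", "CreationDate": "2023-05-20T00:00:00+00:00"}]}

# Unified schema shared by every resource type in the CSV (an assumption of this example).
COLUMNS = ["resource_type", "id", "region", "created", "state", "Owner", "Environment"]

def tags_to_dict(tags):
    """Flatten the AWS [{Key, Value}, ...] tag list into a plain dict."""
    return {t["Key"]: t["Value"] for t in (tags or [])}

def ec2_rows(response, region):
    """One inventory row per instance, tolerating instances that carry no tags."""
    rows = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = tags_to_dict(inst.get("Tags"))
            rows.append({"resource_type": "ec2:instance", "id": inst["InstanceId"],
                         "region": region, "created": inst["LaunchTime"],
                         "state": inst["State"]["Name"],
                         "Owner": tags.get("Owner", ""),
                         "Environment": tags.get("Environment", "")})
    return rows

def s3_rows(response):
    """Buckets are global, so region is left blank; list-buckets returns no tags."""
    return [{"resource_type": "s3:bucket", "id": b["Name"], "region": "",
             "created": b["CreationDate"], "state": "", "Owner": "", "Environment": ""}
            for b in response.get("Buckets", [])]

def missing_tag(rows, key):
    """IDs of resources with no value for a required cost-allocation tag."""
    return [r["id"] for r in rows if not r.get(key)]

def to_csv(rows):
    """Serialize rows to CSV text with a header, ready to append to the unified file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```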

What are the limitations of DIY scripts for inventory?
  • Slow and brittle at scale; many API calls across regions/services can hit rate limits
  • Ongoing maintenance when CLIs/APIs change or new services appear
  • Only a point-in-time snapshot, not real-time
  • Harder to aggregate across multiple accounts and providers

How does AWS Config help manage inventory and compliance?
AWS Config continuously records resource configurations and history, aggregates across accounts/regions, and evaluates against rules. You can:
  • Use managed rules (e.g., ec2-volume-inuse-check, eip-attached) and required-tags to enforce tagging
  • Query resources with advanced, SQL-like expressions
  • Export history to S3 and notify via SNS
This brings governance, auditability, and FinOps guardrails (e.g., tagging compliance) into one place.

When should I use AWS Resource Explorer vs. AWS Config?
  • Resource Explorer: fast search and discovery across regions using metadata (names, tags, IDs). Create views (e.g., Environment=sandbox) and search via CLI (e.g., resourcetype:ec2:instance, -tag:Environment). Best for ad-hoc discovery and validation.
  • AWS Config: continuous recording, change history, compliance rules, and advanced queries. Best for governance, audits, and policy enforcement.
They complement each other.

How can AWS Resource Groups support FinOps?
Resource Groups let you group assets by tags (e.g., Environment=sandbox) and operate on them collectively. You can:
  • Monitor group events and trigger automation (e.g., Lambda to validate cost-allocation tags)
  • Use the CLI to define groups filtered by tags
This improves accountability and simplifies bulk actions on cost-sensitive environments.

What native options exist for GCP and Azure inventories?
  • GCP: Cloud Asset Inventory provides real-time visibility and export to BigQuery/Cloud Storage. Automate exports with Cloud Scheduler + Pub/Sub + Cloud Functions, then build dashboards on BigQuery.
  • Azure: Resource Graph enables cross-subscription querying with KQL. Filter by tags, resource type, and properties to find idle or misconfigured assets and support cost and compliance analytics.

How do I build a multi-cloud inventory with CloudQuery?
CloudQuery extracts cloud assets via source plugins (AWS/GCP/Azure) and syncs them to a destination (DuckDB/PostgreSQL). Steps:
  • Install the CLI and init a project
  • Configure sources (tables, regions/projects/subscriptions) and a destination
  • Run cloudquery sync to populate tables
  • Query assets with SQL for unified multi-cloud visibility

How can I visualize inventory data with Grafana?
Use a queryable store (e.g., PostgreSQL). Pipeline example:
  • CloudQuery syncs AWS/GCP/Azure assets into PostgreSQL
  • Optionally run dbt (e.g., CloudQuery’s AWS Asset Inventory transformation) to create consolidated views
  • Connect Grafana to PostgreSQL, import a ready-made asset inventory dashboard, and filter by account/region/service

What best practices tie inventory to FinOps outcomes?
  • Enforce consistent tagging (Owner, Environment, Cost Center); validate with rules
  • Automate updates (scheduled syncs, native inventory services)
  • Link assets to cost data for allocation and optimization
  • Maintain version history and change tracking
  • Include rich metadata (owner, environment, purpose, lifespan)
  • Use queries to find savings (untagged resources, idle EC2, old EBS snapshots, outdated instance classes) and act on them
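
A worked version of the savings queries in that last bullet, as an added example that is not from the chapter: it runs over constructed rows in a unified inventory schema, in Python so it runs offline where the chapter would use SQL over CloudQuery tables. The column names, the sample rows, the outdated-family list, and the use of a long-stopped instance as an idle proxy are this example's assumptions.

```python
from datetime import datetime, timezone

# Constructed inventory rows in a unified schema (made-up IDs, not real resources).
INVENTORY = [
    {"resource_type": "ec2:instance", "id": "i-0aaa111", "instance_type": "t3.micro",
     "created": "2024-03-01T10:00:00+00:00", "state": "running", "Owner": "alice", "Environment": "prod"},
    {"resource_type": "ec2:instance", "id": "i-0bbb222", "instance_type": "m4.large",
     "created": "2023-11-15T08:30:00+00:00", "state": "stopped", "Owner": "", "Environment": "sandbox"},
    {"resource_type": "ec2:snapshot", "id": "snap-0ccc333", "instance_type": "",
     "created": "2022-01-10T00:00:00+00:00", "state": "completed", "Owner": "bob", "Environment": ""},
    {"resource_type": "s3:bucket", "id": "data-lake-raw", "instance_type": "",
     "created": "2023-05-20T00:00:00+00:00", "state": "", "Owner": "bob", "Environment": "prod"},
]
REQUIRED_TAGS = ("Owner", "Environment")
# Instance families an organization might treat as outdated (an assumption, not an AWS list).
OUTDATED_FAMILIES = ("t2", "m4", "c4", "r4")
# Fixed "now" so the report is deterministic; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

def age_days(row, now):
    """Whole days since the resource's creation timestamp (ISO 8601 with offset)."""
    return (now - datetime.fromisoformat(row["created"])).days

def untagged(rows, required=REQUIRED_TAGS):
    """Resources missing any required cost-allocation tag, mapped to the missing keys."""
    return {r["id"]: [k for k in required if not r.get(k)]
            for r in rows if any(not r.get(k) for k in required)}

def stale_stopped_instances(rows, now, min_days=30):
    """Stopped instances older than min_days: a cheap proxy for idle capacity, since
    LaunchTime is the only timestamp in the row (real idle detection needs metrics)."""
    return [r["id"] for r in rows if r["resource_type"] == "ec2:instance"
            and r["state"] == "stopped" and age_days(r, now) > min_days]

def old_snapshots(rows, now, min_days=365):
    """EBS snapshots older than the retention window."""
    return [r["id"] for r in rows
            if r["resource_type"] == "ec2:snapshot" and age_days(r, now) > min_days]

def outdated_instances(rows, families=OUTDATED_FAMILIES):
    """Instances whose family (the part before the dot in the type) is on the outdated list."""
    return [r["id"] for r in rows if r["resource_type"] == "ec2:instance"
            and r["instance_type"].split(".")[0] in families]

def savings_report(rows, now):
    """Bundle the four checks into one report a dashboard or ticket could consume."""
    return {"untagged": untagged(rows), "stale_stopped": stale_stopped_instances(rows, now),
            "old_snapshots": old_snapshots(rows, now), "outdated_classes": outdated_instances(rows)}
```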