Practical FinOps

Managing cloud cost, visibility, and accountability

Mohamed Labouardy

MEAP began June 2025
Last updated October 2025
This book is in development

ISBN 9781633435964
375 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Cloud

resources: Source code Book forum Source code on Github

table of content

1 Introduction to FinOps

1.1 Cloud Cost Struggles: Real Stories

1.1.1 A tech start-up backfires on backers

1.1.2 Expanding platform, expanding cloud costs

1.1.3 Outdated financial practices lead to financial headaches

1.2 The Cloud Revolution

1.2.1 Amazon S3: Unlimited Storage

1.2.2 Amazon EC2: On-Demand Computing

1.3 The Hidden Costs of Cloud

1.4 What’s FinOps?

1.5 FinOps vs. Cloud Cost Management

1.6 Embracing the FinOps Journey

1.6.1 The Cultural Shift Toward FinOps

1.6.2 Overcoming Common Challenges

1.6.3 When Not to Adopt FinOps

1.7 Summary

2 Exploring the FinOps Framework

2.1 Core Principles of FinOps

2.1.1 Collaboration Across Teams

2.1.2 Transparency

2.1.3 Optimization

2.1.4 Accountability

2.1.5 Agility

2.2 Key Personas in FinOps

2.3 The Lifecycle Phases of FinOps

2.3.1 Inform Phase

2.3.2 Optimize Phase

2.3.3 Operate Phase

2.4 Assessing Maturity in FinOps Practices

2.4.1 Pre-Crawl Stage: Awareness and Discovery

2.4.2 Crawl Stage: Early Adoption

2.4.3 Walk Stage: Intermediate Maturity

2.4.4 Run Stage: Full Maturity

2.5 Domains & Capabilities in Depth

2.5.1 Understand Cloud Usage and Cost

2.5.2 Quantify Business Value

2.5.3 Optimize Cloud Usage and Cost

2.5.4 Manage the FinOps Practice

2.6 Summary

3 Building a Cloud Asset Inventory

3.1 Cloud Resources Management

3.1.1 Building an Inventory Using a Bash Script

3.2 Managing Your AWS Inventory

3.2.1 AWS Config

3.2.2 AWS Resources Explorer

3.2.3 AWS Resource Groups

3.3 Building a Multi-Cloud Asset Inventory

3.3.1 CloudQuery

3.4 Summary

4 Tags Management

4.1 Why Tagging?

4.1.1 Tagging in Practice: An Enterprise Example

4.1.2 How Tagging Works Across Cloud Providers

4.1.3 Cloud Native Tools for Tagging Cloud Resources

4.1.4 Third-Party and Open-Source Tagging Tools

4.2 Tagging Best Practices

4.2.1 Develop a Tagging Strategy

4.2.2 Use a Standardized Tagging Convention

4.2.3 Implement Tag Enforcement and Auditing

4.3 Maintaining Effective Tag Hygiene

4.3.1 Regular Tag Audits

4.3.2 Automate Tagging Processes

4.3.3 Remove Outdated Resources

4.3.4 Keep Tagging Schemes Flexible

4.3.5 Use Tag-Based Access Control

4.3.6 Implement a Tag Validation Service

4.3.7 Implement Automated Tag Correction

4.3.8 Implement Tag Version Control

4.4 Summary

5 Mastering Cost Allocation Techniques

5.1 Exploring Cost Allocation Models

5.1.1 Direct Allocation

5.1.2 Shared Cost Allocation

5.1.3 Fixed Allocation

5.2 Leveraging AWS Cost Explorer for Cost Allocation

5.3 Advanced Cost Allocation with AWS Cost and Usage Report

5.3.1 Setting up AWS Cost and Usage Report

5.3.2 Understanding CUR Data Structure

5.3.3 Querying Cost and Usage Reports using Amazon Athena

5.3.4 Building FinOps Dashboards with AWS QuickSight

5.3.5 Exploring Cloud Intelligence Dashboards

5.4 FOCUS

5.5 Summary

6 Forecasting and Budgeting

6.1 Mastering Forecasting

6.1.1 Using AWS Cost Explorer for Forecasting

6.1.2 Using AWS CUR and SageMaker for Forecasting

6.2 Setting up and Managing Budgets

6.2.1 Create AWS Budgets

6.2.2 Estimating Cost for New Projects

6.3 Cost Anomaly Detection

6.4 Summary

7 Compute Optimization Strategies

7.1 AWS Compute Services and Pricing Models

7.1.1 AWS Compute Services

7.1.2 Pricing Models

7.2 Assessing Compute Usage

7.2.1 Understanding Current Usage and Costs

7.2.2 Identifying Wasted Compute Resources

7.3 Implementing Automation for Cost Optimization

7.3.1 Scheduling On/Off Times for Instances

7.3.2 Implementing Spot Instances for CI/CD Pipelines

7.3.3 Lambda Memory Tuning

7.3.4 Rightsizing & Autoscaling Instances

7.3.5 Optimizing Kubernetes Compute Costs

7.3.6 The KPI and Modernization Dashboard

7.3.7 Managing Multi-Cloud Compute Resources

7.4 Summary

8 Storage Optimization Strategies

8.1 Understanding Storage Costs

8.1.1 Overview of Storage Options

8.1.2 Storage Pricing Models

8.1.3 Web Application Storage Cost Breakdown

8.2 Assessing Storage Usage and Cost

8.2.1 Understanding Storage Cost Breakdown

8.2.2 CUDOS Dashboards for Storage

8.2.3 Storage Usage Monitoring

8.3 Best Practices for Storage Optimization

8.3.1 Regular Audits and Cleanup

8.3.2 Automating Lifecycle Management

8.3.3 Enforcing Tagging

8.3.4 Rightsizing Storage Volumes

8.3.5 Setting Budgets for Storage Costs

8.4 Summary

9 Network Optimization Strategies

9.1 Understanding Network Charges

9.1.1 Key Types of AWS Network Costs

9.2 Monitoring and Reporting AWS Network Costs

9.2.1 Getting Visibility with AWS CUR + Athena

9.2.2 Using CloudWatch to Track Network Metrics

9.2.3 Using CUDOS to Visualize Network Charges

9.3 Best Practices for Network Optimization

9.3.1 Use VPC Endpoints Instead of NAT Gateways

9.3.2 Compress Data Before Transfer

9.3.3 Enable Caching with CloudFront

9.3.4 Avoid Cross-AZ Traffic for Internal Services

9.3.5 Use VPC Flow Logs to Trace and Attribute Internal Traffic

9.3.6 Optimize Load Balancer Design

9.3.7 Tune DNS TTLs to Reduce Lookup Overhead

9.3.8 Use Direct Connect for High-Volume Hybrid Traffic

9.3.9 Use CloudWatch to Alert on Traffic Anomalies

9.4 Optimize Network Costs in Multi-Cloud Architectures

9.4.1 Route Through Peering or Direct Connections

9.4.2 Place Dependent Workloads in the Same Region

9.4.3 Compress and Batch Transfers

9.4.4 Use Object Storage as a Transfer Bridge

9.4.5 Track Cross-Cloud Traffic in CUR or Third-Party Tools

9.4.6 Forecast and Model Network Costs

9.5 Summary

10 Cloud Governance

10.1 What Is Cloud Governance?

10.1.1 Governance Components and Their FinOps Impact

10.1.2 Cloud Governance in Practice

10.2 Cloud Center of Excellence (CCoE)

10.2.1 Structure and Roles

10.2.2 KPIs and Measuring Success

10.2.3 Scaling Governance with Enablement

10.3 Accountability and Ownership in Cloud Governance

10.3.1 Role-Based Ownership

10.3.2 Showback and Chargeback Models

10.3.3 Key Accountability Metrics

10.3.4 Governance Roles and RACI

10.4 Bootstrapping Governance in a FinOps-Enabled Organization

10.5 Summary

11 AI-Powered FinOps

11.1 Leveraging LLMs in FinOps Workflows

11.1.1 What is a Large Language Model?

11.1.2 From Natural Language to AWS Config Queries

11.1.3 Using LLMs to Analyze AWS CUR Data

11.2 Building a CUR Chatbot with LLMs

11.3 Agentic FinOps

11.3.1 MCP Server for Cost Explorer

11.3.2 MCP Server For Cost Estimation

11.4 Risks, Limits, and Human-in-the-Loop FinOps

11.4.1 Hallucinations and Fabricated Data

11.4.2 Context Awareness and Operational Boundaries

11.4.3 Token Limits and Dataset Size

11.4.4 Data Privacy and Control

11.5 Summary

Overview

4 Tags Management

Effective tag management is positioned as a cornerstone of FinOps, turning raw cloud spend into business-aware insights through consistent, contextual metadata on resources. Tags—key-value pairs like Environment, Owner, Project, and CostCenter—enable granular cost allocation, accountability, and reporting across teams, projects, and environments, while also supporting chargeback/showback, governance, security controls, and automation-driven optimization (for example, off-hours shutdowns for non-production). The chapter emphasizes multi-cloud applicability with AWS, Azure, and GCP, showing how a coherent taxonomy clarifies spend by department, environment, and initiative, and links resource usage to business outcomes and budgets.

The chapter explains how tagging works across providers—covering key/value limits, case sensitivity, system versus user-defined tags, and scope (resource, group, project)—and maps these concepts to cloud-native tooling for bulk editing, discovery, and reporting. It details practical techniques in AWS using the Console, CLI, Resource Groups and Tag Editor, and the Resource Groups Tagging API; mirrors the approach in Azure and GCP; and extends consistency at scale with Terraform so tags are applied at provision time. For cross-cloud enforcement and remediation, it introduces Cloud Custodian to detect gaps and auto-apply or correct tags, and shows how tagging integrates with a cloud asset inventory to strengthen financial visibility and optimization.

To sustain quality, the chapter lays out a comprehensive operating model: define a tagging strategy and ownership, mandate core tags, standardize naming, and automate application and enforcement. It demonstrates auditing with scheduled reviews and scripts, enforcement with AWS Config (required-tags), AWS Organizations Tag Policies (allowed values), and Service Control Policies (deny untagged creates), plus auto-tagging at resource creation using Lambda. It further promotes tag hygiene with temporal tags for decommissioning, tag-based access control via IAM, validation and automated correction services to prevent drift, and a version-controlled tagging schema integrated into CI/CD. Combined, these practices maintain clean, trustworthy tags that power accurate cost allocation, continuous optimization, and resilient cloud governance.

EC2 instance tags

Creating a resource group

Listing resources based on tag key Environment

Assigning CostCenter tag key to multiple resources

Tagging an S3 bucket

Terraform workflow

Key steps for effective tagging strategy

Created a custom rule

AWS Organization and Tagging Policies

AWS accounts management

Defining a set of authorized values for CostCenter tag

Attaching tagging policy to a production account

Unable to launch EC2 instance with wrong tag value for CostCenter

Enabling of Service Control Policies

Prevent creation of EC2 without a CostCenter tag key

New tags are applied

Steps for maintaining effective tag hygiene

Output of the generated HTML file

Lambda function configuration

Selecting EC2 instance running state as the triggering event

Selecting the Lambda function as the target

Result of Lambda function auto-tagging mechanism

Summary

Tags management is a critical component of FinOps practices, enabling organizations to organize, track, and optimize their cloud resources effectively.
AWS provides native tools like AWS Resource Groups and Tag Editor for efficient tag management, while AWS Config and AWS Organizations offer ways to enforce tagging policies.
Third-party tools like Cloud Custodian offer advanced capabilities for tag management and policy enforcement across multiple cloud environments.
Terraform can be used to implement IaC practices that include consistent tagging as part of resource provisioning.
Regular tag audits are key for maintaining tag hygiene. Tools like custom scripts or AWS Config can be used to identify untagged or improperly tagged resources.
Automating tagging processes using serverless functions (e.g., AWS Lambda, GCP Cloud Functions, Azure Functions) helps ensure consistency and reduces manual errors.
Implementing tag-based access control enhances security and ensures that only authorized personnel can modify tags.
A centralized tag validation service can be created to enforce tag standards across the organization.
Version controlling your tagging schema helps track changes over time and ensures consistency across teams.
Effective tags management supports key FinOps practices such as accurate cost allocation, resource optimization, and financial accountability across all cloud environments.

FAQ

Why is tagging critical for FinOps and cloud cost management?

Tags add business context to resources (for example, Environment, Owner, CostCenter, Project), enabling precise cost allocation, showback/chargeback, and accountability. They power automation (for example, stop non-critical resources off-hours), support compliance and governance, and surface optimization opportunities by making usage analyzable by department, project, or environment.

How do tagging implementations differ across AWS, Azure, and GCP?

All use key–value metadata, but limits vary: AWS ~50 tags/resource, Azure ~50 pairs, GCP up to 64 labels.
Case sensitivity matters; CostCenter and costcenter are distinct.
System vs user-defined tags exist (for example, AWS system tags prefixed with aws:).
Scope differs: AWS tags most resources; Azure supports resource, resource group, subscription; GCP labels at project/resource level.
Provider-specific constraints apply (for example, Azure disallows certain symbols like < and >).

Which tags should be mandatory, and how do we keep them consistent?

Start with a concise core set aligned to FinOps goals: Environment (prod/dev/test), Department, Project, CostCenter, Owner (email or functional address). Standardize naming (for example, CamelCase keys, lowercase values), define allowed values lists (for example, Environment), and document the schema centrally so it’s easy to apply and audit.

How can we enforce tagging at scale across many AWS accounts?

AWS Config required-tags rules to detect non-compliant resources.
AWS Organizations Tag Policies to whitelist allowed values and standardize keys across accounts.
Service Control Policies (SCPs) to deny creation when required tag keys/values are missing.
Azure equivalents: Azure Policy; multi-cloud: Cloud Custodian policies.

What AWS-native tools help discover, apply, and manage tags efficiently?

Console per-service tagging for quick edits.
AWS CLI for bulk and scripted tagging (for example, ec2 create-tags, s3api put-bucket-tagging).
Resource Groups & Tag Editor to search, edit, and apply tags across resource types.
resourcegroupstaggingapi to list and tag resources by filters at scale.

How do Terraform and Cloud Custodian support multi-cloud tag management?

Terraform applies tags/labels at provisioning time across AWS, Azure, and GCP from a single codebase, ensuring resources launch compliant. Cloud Custodian enforces and remediates tagging post-provisioning (for example, add missing CostCenter, normalize values) across AWS, Azure, and GCP via lightweight policy YAML.

What does “maintaining tag hygiene” involve?

Regular audits to find missing, stale, or inconsistent tags; generate reports and charts for coverage and distribution.
Automated detection/correction of drift (for example, capitalization fixes, value normalization).
Continuous education, governance checkpoints, and avoiding tag proliferation.
Version-controlled schema (for example, tags.yaml) to track changes and approvals.

How can we auto-tag resources at creation time?

Use event-driven functions to apply default tags as soon as resources appear. Example: an AWS Lambda triggered by EventBridge on EC2 “running” events that calls CreateTags to add Environment, Owner, CostCenter. Extend similarly for other services or providers.

How do tags enable automation for savings and cleanup?

Optimization tags (for example, AutoShutdown: 8PM-6AM) trigger off-hours shutdown of non-prod workloads.
Temporal tags (for example, DecommissionDate, ExpirationDate) drive automated review and safe removal of “zombie” resources via scripts/Lambda + schedules.

How do we control and validate tag changes to protect data quality?

Tag-based access control (IAM) to restrict who can create/delete/modify critical tags (for example, only TagAdmin/FinOps).
Validation services (for example, Lambda) to check required keys, allowed values, and formats (for example, Owner as email) before acceptance.
Integrate validation and schema checks into CI/CD and IaC PR reviews.

with subscription

$24.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more