All Cost Policies follow a 'Mark and Sweep' paradigm: every day, at a scheduled time, each rule is evaluated and the resources that fail it are marked; a resource that keeps failing for the user-specified period is then swept by the action configured for the rule. The results are sent by e-mail and are also available under Manage -> Overview -> Cost Governance.

Clicking Cost Governance opens the Cost Governance Overview.



Skeleton of a Policy

Rule Description


  • Explains what the rule checks and why it should be followed.

Results Tab

  • Lists the Failed Resources, the Ignored Resources, and the fixes available for them (automated where supported, otherwise manual steps under 'how to fix').

Filter Tab

  • A set of options that narrow down the resources to which the rule applies. If no options are set, every resource that fails the rule appears by default.

Action Tab

  • Lets you choose an action such as 'Stop' or 'Delete' that is taken automatically once a resource has failed the rule repeatedly over a user-specified period of time. These actions are irrevocable (see the notes below).

Consider the Public S3 Bucket rule as an illustration.

Rule Description

A public S3 bucket exposes its objects to anyone on the internet. Apart from that, AWS bills you for data transferred out of the bucket, so an unexpected surge of downloads (for example from a malicious scraper) quickly becomes expensive. A bucket with public permissions should therefore be made private.

Results Tab


  • Here, the Failed Resources section lists all the public S3 buckets found.
  • The Ignored Resources section lets you bypass the rule for some or all resources.
  • To do this, select the resource(s) and click Ignore All / Ignore Selected.
  • The selected resource(s) then appear in the Ignored Resources section.
  • To revert this, select the Revoke / Revoke All option.
  • Where an automated fix is not available, follow the steps provided under 'how to fix'.

Filter Tab


  • Filters can be used to apply the rule only to S3 buckets in specific regions, by specifying the Region.
  • You can go one step further by specifying tag(s) in the 'Include resources with tags' option; only resources carrying those tags are then picked up.
  • Likewise, specifying tag(s) in the 'Exclude resources with tags' option explicitly excludes the matching resources; they will not be picked up.

Action Tab


  • In the Action tab you can automate an action such as Delete or Stop for the failing resources after a user-specified period of time.

NOTE :

  1. Initially, when your account is created, no policies show failing resources; after one cycle (that is, the next day) the failing resources will appear.
  2. Similarly, changes applied to policies take effect in the next cycle.
  3. The actions in the Action tab are irrevocable: once a resource is deleted or terminated it cannot be recovered, so review the Failed Resources list and your filters before enabling one.
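The mark-and-sweep cycle described above, as an added example that is not the product's code: a resource is marked on each daily cycle in which it fails the rule and is in scope of the Filter tab, and is swept by the Action once its streak of consecutive failing cycles reaches the user-specified period. The resource inventory, the rule predicate and the configuration field names are constructed assumptions, and so is the treatment of ignored resources (their streak resets while ignored).

```python
"""Mark-and-sweep evaluation of a cost policy.

Added example, not the product's code. The resources, the rule predicate
and the configuration field names are constructed; the tab names (Filter,
Ignore, Action) follow the page.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Resource:
    resource_id: str
    region: str
    tags: Dict[str, str]
    public: bool                      # constructed attribute the sample rule inspects


@dataclass
class PolicyConfig:
    regions: Set[str] = field(default_factory=set)              # Filter tab; empty = all regions
    include_tags: Dict[str, str] = field(default_factory=dict)  # 'Include resources with tags'
    exclude_tags: Dict[str, str] = field(default_factory=dict)  # 'Exclude resources with tags'
    ignored: Set[str] = field(default_factory=set)              # Results tab: Ignore Selected / Ignore All
    action: Optional[str] = None                                # Action tab, e.g. "DELETE"; None = report only
    action_after_cycles: int = 3                                # the user-specified period, in daily cycles


def in_scope(res: Resource, cfg: PolicyConfig) -> bool:
    """Apply the Filter tab. With nothing set, every resource is in scope."""
    if cfg.regions and res.region not in cfg.regions:
        return False
    if cfg.include_tags and not all(res.tags.get(k) == v for k, v in cfg.include_tags.items()):
        return False
    if any(res.tags.get(k) == v for k, v in cfg.exclude_tags.items()):
        return False
    return True


def mark(resources: List[Resource], rule: Callable[[Resource], bool],
         cfg: PolicyConfig, streaks: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """One daily cycle. Returns (failed_ids, ignored_ids) and updates `streaks`,
    the number of consecutive cycles each resource has failed the rule."""
    failed, ignored = [], []
    for res in resources:
        if not in_scope(res, cfg) or not rule(res):
            streaks.pop(res.resource_id, None)   # compliant or out of scope: streak resets
            continue
        if res.resource_id in cfg.ignored:
            ignored.append(res.resource_id)
            streaks.pop(res.resource_id, None)   # assumption: an ignored resource does not accumulate a streak
            continue
        streaks[res.resource_id] = streaks.get(res.resource_id, 0) + 1
        failed.append(res.resource_id)
    return failed, ignored


def sweep(cfg: PolicyConfig, streaks: Dict[str, int]) -> List[str]:
    """Resources whose streak reached the configured period get the irrevocable action."""
    if cfg.action is None:
        return []
    return sorted(rid for rid, n in streaks.items() if n >= cfg.action_after_cycles)


def simulate(resources: List[Resource], rule: Callable[[Resource], bool],
             cfg: PolicyConfig, cycles: int) -> List[Tuple[List[str], List[str], List[str]]]:
    """Run `cycles` daily evaluations; return (failed, ignored, swept) per cycle."""
    streaks: Dict[str, int] = {}
    history = []
    for _ in range(cycles):
        failed, ignored = mark(resources, rule, cfg, streaks)
        swept = sweep(cfg, streaks)
        history.append((failed, ignored, swept))
        for rid in swept:                        # the action removes the resource from the inventory
            resources = [r for r in resources if r.resource_id != rid]
            streaks.pop(rid, None)
    return history


# Constructed inventory: four buckets, three of them public.
BUCKETS = [
    Resource("logs-public", "us-east-1", {"env": "prod"}, public=True),
    Resource("website", "us-east-1", {"env": "prod", "public-ok": "yes"}, public=True),
    Resource("scratch-eu", "eu-west-1", {"env": "dev"}, public=True),
    Resource("private-data", "us-east-1", {"env": "prod"}, public=False),
]

CONFIG = PolicyConfig(
    regions={"us-east-1"},                 # Filter tab: only this region
    exclude_tags={"public-ok": "yes"},     # buckets explicitly tagged as intentionally public are skipped
    action="DELETE",
    action_after_cycles=3,
)


def public_bucket_rule(res: Resource) -> bool:
    """The rule predicate: fails for any public bucket."""
    return res.public


if __name__ == "__main__":
    for day, (failed, ignored, swept) in enumerate(simulate(BUCKETS, public_bucket_rule, CONFIG, 4), 1):
        print(f"day {day}: failed={failed} ignored={ignored} swept={swept}")
```

Running it prints one line per cycle: the public bucket in us-east-1 is reported for three cycles and deleted on the third, while the bucket tagged public-ok=yes and the one in eu-west-1 never enter the list. Because every sweep is irrevocable, the streak is deliberately reset whenever a resource drops out of scope or is ignored, so a filter or ignore change cannot cause a resource to be swept on the very next cycle.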

 

Old AMIs

EBS-backed AMIs are charged for the EBS snapshots that back them; instance store-backed (S3-backed) AMIs are charged for the S3 storage. Old AMIs should therefore be deregistered to avoid these costs. Note that deregistering an EBS-backed AMI does not delete its backing snapshots; they have to be deleted separately (see the Old Snapshots rule).

Action

  • DEREGISTER : Deregisters the old AMI(s).

Old Snapshots

Snapshots older than 10 days are flagged because of the storage cost they keep accruing. Before enabling the action, exclude (via tags) any snapshots kept for backup or retention requirements; also note that a snapshot backing a registered AMI cannot be deleted until that AMI is deregistered.

Action

  • DELETE : Deletes snapshots older than 10 days.

Idle EC2 for 3 days

EC2 instances that are running but have a CPU utilization below 2% over a period of 72 hours are considered idle.

Action

  • STOP : Stops the idle EC2 instances.
  • TERMINATE : Terminates the idle EC2 instances.

Detached Elastic IPs

AWS charges hourly for an Elastic IP (EIP) address in your account that is not associated with a running EC2 instance or an Elastic Network Interface (ENI).

Action

  • No action available yet.

EC2 with No Network Activity

EC2 instances that send and receive less than 128 KB of data in total over a period of 5 days are considered to have no network activity.

Action

  • STOP : Stops the instances with no network activity.
  • TERMINATE : Terminates the instances with no network activity.

EMR across Multiple AZs

Data transferred between availability zones is charged, so it is advisable not to have EMR clusters that span multiple AZs.

Action

  • No action available yet.

Public S3 Bucket

A public S3 bucket exposes its objects to anyone on the internet, whether the access comes from an ACL grant to everyone or from a bucket policy that allows a wildcard principal. Apart from that, AWS bills you for data transferred out of the bucket, so an unexpected surge of downloads caused by a malicious scraper quickly becomes expensive. A bucket with public permissions should therefore be made private.

Action

  • DELETE : Deletes the public S3 buckets. This is destructive and irrevocable; if the bucket's contents are needed, make it private instead (remove the public ACL grants and the public bucket-policy statements, or enable S3 Block Public Access) following the 'how to fix' steps.
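How the rule can decide that a bucket is public, as an added example that is not the product's detection logic: a bucket is public through an ACL grant to the AllUsers or AuthenticatedUsers group, or through a bucket-policy statement that allows Principal "*", unless the S3 Block Public Access setting for that path neutralises it. The grants, policies and settings are constructed in the shape boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return; no AWS calls are made, and the function names are mine. The block also shows the non-destructive fix beside the page's DELETE action.

```python
"""Classify whether an S3 bucket is public, and produce the non-destructive fix.

Added example, not the product's code. The ACL grants, bucket policies and
Block Public Access settings are constructed in the shape boto3 returns
(get_bucket_acl()["Grants"], get_bucket_policy()["Policy"],
get_public_access_block()["PublicAccessBlockConfiguration"]); nothing here
talks to AWS.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_acl_grants(grants):
    """Permissions granted to the AllUsers or AuthenticatedUsers group."""
    return [
        g["Permission"] for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
    ]


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal. Statements that carry a
    Condition are still reported: AWS treats some conditions (aws:SourceVpce,
    aws:SourceIp, ...) as non-public, but a governance rule should surface them
    for review rather than silently trust them."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>") for s in statements
        if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))
    ]


def classify_bucket(grants, policy_json, block_public_access):
    """Return (is_public, reasons). Block Public Access neutralises each path:
    IgnorePublicAcls makes S3 ignore public ACL grants, and RestrictPublicBuckets
    limits a bucket with a public policy to the account's own principals."""
    pab = block_public_access or {}
    reasons = []
    acl = public_acl_grants(grants)
    if acl and not pab.get("IgnorePublicAcls"):
        reasons.append(f"ACL grants {','.join(acl)} to everyone")
    pol = public_policy_statements(policy_json)
    if pol and not pab.get("RestrictPublicBuckets"):
        reasons.append(f"policy statement(s) {','.join(pol)} allow Principal *")
    return bool(reasons), reasons


def block_public_access_fix(is_public):
    """The non-destructive alternative to DELETE: the four Block Public Access
    settings to enable (then remove the offending grants and statements)."""
    if not is_public:
        return None
    return {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
    }


# Constructed samples.
OWNER = {"Type": "CanonicalUser", "ID": "deadbeef" * 8}
PRIVATE_GRANTS = [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]
PUBLIC_READ_GRANTS = PRIVATE_GRANTS + [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
ALL_BLOCKED = block_public_access_fix(True)

if __name__ == "__main__":
    samples = {
        "public-acl": (PUBLIC_READ_GRANTS, None, None),
        "public-policy": (PRIVATE_GRANTS, PUBLIC_POLICY, None),
        "public-policy-but-blocked": (PRIVATE_GRANTS, PUBLIC_POLICY, ALL_BLOCKED),
        "private": (PRIVATE_GRANTS, None, None),
    }
    for name, args in samples.items():
        print(name, classify_bucket(*args))
```

The third sample is the case that matters when the DELETE action is armed: a bucket whose policy says Principal "*" but which sits behind all four Block Public Access settings is not reachable publicly, and a rule that only inspects the policy would delete it for nothing.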

S3 VPC EndPoint

A VPC endpoint enables you to privately connect your VPC to S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not need public IP addresses to reach S3, and traffic between your VPC and S3 does not leave the Amazon network. Since NAT gateways and internet-bound data transfer carry charges while the S3 gateway endpoint does not, the endpoint is both the cheaper and the safer option.

Action

  • No action available yet.

UnderUtilized EC2 Instance

When an EC2 instance has a CPU utilization below 10% over a period of 5 days it is considered underutilized.

Action

  • STOP : Stops the underutilized EC2 instances.
  • TERMINATE : Terminates the underutilized EC2 instances.

Unused EBS

Elastic Block Store volumes that are provisioned but not attached to any instance still incur storage charges and should be deleted when no longer needed. The DELETE action is irrevocable, so snapshot a volume first if its data may still be required.

Action

  • DELETE : Deletes the unused EBS volumes.

Unused Load Balancers

Load balancers that are in the active state but have no connections (unused) are still billed by AWS.

Action

  • DELETE : Deletes the unused Load Balancers.

Unused PIOPS Disks

Provisioned IOPS volumes are billed for the IOPS you provision, not the IOPS you use, so a volume whose average observed IOPS stays below its provisioned IOPS over a period of 5 days is paying for capacity it does not use. Before terminating such a volume, consider the non-destructive alternative of lowering its provisioned IOPS or changing its volume type, which can be done in place.

Action

  • TERMINATE : Terminates (deletes) the unused Provisioned IOPS volumes. This is irrevocable; snapshot the volume first if its data may be needed.
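The four utilisation rules on this page (Idle EC2 for 3 days, EC2 with No Network Activity, UnderUtilized EC2 Instance and Unused PIOPS Disks) all reduce to "aggregate a metric over a window and compare it with a threshold". The evaluator below is an added example, not the product's code: it applies the page's thresholds to constructed hourly datapoints in the shape CloudWatch returns, and adds one check a practitioner wants that the page does not mention: a window with too few datapoints (an instance launched yesterday, or stopped for part of the period) is reported as insufficient data rather than idle. The function names, the hourly datapoint period and the 90% coverage requirement are assumptions.

```python
"""Evaluate the utilisation-based cost rules against CloudWatch-style datapoints.

Added example, not the product's evaluator. Datapoints are constructed as
hourly (timestamp, value) pairs; no AWS calls are made. Thresholds are the
page's, the 90% coverage requirement is an assumption of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KB = 1024
PERIOD_HOURS = 1          # assumed datapoint period


@dataclass
class Verdict:
    flagged: bool
    reason: str


def _in_window(points, now, hours):
    start = now - timedelta(hours=hours)
    return [v for t, v in points if start < t <= now]


def _covered(values, hours, min_coverage=0.9):
    """Refuse to judge a window with missing data: an instance launched yesterday,
    or stopped for part of the window, has gaps, and gaps are not idleness."""
    return len(values) >= min_coverage * hours / PERIOD_HOURS


def cpu_rule(cpu_avg_points, now, hours, max_avg_pct):
    """CPUUtilization (Average statistic) compared with a ceiling over `hours`."""
    vals = _in_window(cpu_avg_points, now, hours)
    if not _covered(vals, hours):
        return Verdict(False, f"insufficient data ({len(vals)} of {hours} hourly points)")
    avg = sum(vals) / len(vals)
    return Verdict(avg < max_avg_pct, f"avg CPU {avg:.2f}% over {hours}h (limit {max_avg_pct}%)")


def idle_ec2(cpu_avg_points, now):
    """Idle EC2 for 3 days: CPU below 2% over 72 hours."""
    return cpu_rule(cpu_avg_points, now, 72, 2.0)


def underutilized_ec2(cpu_avg_points, now):
    """UnderUtilized EC2 Instance: CPU below 10% over 5 days."""
    return cpu_rule(cpu_avg_points, now, 120, 10.0)


def no_network_activity(net_in_sum_points, net_out_sum_points, now, hours=120, max_bytes=128 * KB):
    """EC2 with No Network Activity: under 128 KB sent plus received over 5 days.
    NetworkIn/NetworkOut are byte counts per period, so the Sum statistic is used."""
    ins = _in_window(net_in_sum_points, now, hours)
    outs = _in_window(net_out_sum_points, now, hours)
    if not (_covered(ins, hours) and _covered(outs, hours)):
        return Verdict(False, "insufficient data")
    total = sum(ins) + sum(outs)
    return Verdict(total < max_bytes, f"{total} bytes over {hours}h (limit {max_bytes})")


def unused_piops(read_ops_sum_points, write_ops_sum_points, provisioned_iops, now, hours=120):
    """Unused PIOPS Disks: average observed IOPS below the provisioned IOPS over 5 days.
    VolumeReadOps/VolumeWriteOps are operation counts per period; divide by seconds."""
    reads = _in_window(read_ops_sum_points, now, hours)
    writes = _in_window(write_ops_sum_points, now, hours)
    if not (_covered(reads, hours) and _covered(writes, hours)):
        return Verdict(False, "insufficient data")
    avg_iops = (sum(reads) + sum(writes)) / (len(reads) * PERIOD_HOURS * 3600)
    return Verdict(avg_iops < provisioned_iops, f"avg {avg_iops:.1f} IOPS vs {provisioned_iops} provisioned")


def series(now, hours, value):
    """Constructed hourly datapoints ending at `now`, all equal to `value`."""
    return [(now - timedelta(hours=h), value) for h in range(hours)]


NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)   # constructed evaluation time

if __name__ == "__main__":
    print("idle:         ", idle_ec2(series(NOW, 120, 1.0), NOW))
    print("underutilized:", underutilized_ec2(series(NOW, 120, 6.0), NOW))
    print("young instance:", idle_ec2(series(NOW, 24, 0.5), NOW))     # too little data to judge
    print("no network:   ", no_network_activity(series(NOW, 120, 100), series(NOW, 120, 50), NOW))
    print("unused piops: ", unused_piops(series(NOW, 120, 3_600_000), series(NOW, 120, 0), 2000, NOW))
```

The statistic matters as much as the threshold: CPUUtilization is a percentage, so Average is the right aggregate, whereas NetworkIn/NetworkOut and VolumeReadOps/VolumeWriteOps are per-period counts that have to be summed and, for IOPS, divided by the period length. Because STOP and TERMINATE on these rules are irrevocable in the TERMINATE case, the insufficient-data verdict errs on the side of not flagging.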