COST01-04 Establishing Cloud Resource and Permissions Management Policies

High

Cost optimization is a cross-departmental effort. As cloud resources account for a significant portion of expenditures on the cloud, it is essential to establish clear policies that define how resources are managed. As mentioned above, a best practice is to use separate accounts to isolate resources across organizations or departments. Even within a single entity, segregating accounts or environments by function, such as development, testing, core services, and non-core services, enhances operational clarity and cost control.

Despite decentralized accounts or environments, resource and permissions management should remain centralized. The central team, such as the cloud business office, cloud center of excellence, and FinOps team, must assign groups and roles to each account. This structured approach ensures that only authorized personnel can create, modify, or disable resources. Additionally, a unified resource and cost view is essential for centralizing bill management and tracking expenditures.

You can use IAM to implement fine-grained permissions management to control resource access of users in a single account.

For cross-account management, you can use service control policies (SCPs) provided by Organizations to centrally manage permissions of every account.