Skip to content

πŸ’΅ FinOps Cost Optimization β€” Cloud Spend IntelligenceΒΆ

Owner: CFO Β· Also: CEO Β· Board asks: "Where is cloud spend leaking, and what's the fix?" Β· Domain: Finance

Mission: Turn common cost incidents into repeatable, policy-gated runbooks run by AI agents and MCP servers (AWS, Playwright, JIRA) β€” so spend drops while SLOs & security stay green. Strategic AWS Cost Intelligence Platform delivering measurable cost savings across multi-accounts with comprehensive accuracy validation and sub-minute execution performance. Automated cost optimization identifies material savings opportunities through scenario-based analysis (orphaned EBS, idle resources, network inefficiency). FinOps automation connects spend intelligence to executable remediation β€” every optimization is PR-gated and guarded by SLO checks (latency, error-budget) and security gates (encryption, IAM diff, network posture). For CFOs and Finance teams: See the Cloud Foundations Catalog β€” Finance Functional Area for the copy-paste dashboard command and /adlc prompt to enable cost attribution across your organization.

Enterprise FinOps Cost Analytics & Automation

  • Scenario Catalog β†’ Runbooks: Maps cloud cost incidents (e.g., orphaned EBS, idle GPU labs, NAT overbilling, mis-scaled ASG) to executable runbooks with pre-checks, approvals, and auto-rollback. Scenarios and fixes are inspired by the DevOpsCommunity collection (example: spikes from orphaned EBS, uncompressed S3 logs, ASG CPU-only scaling; plus shell/Terraform remediations).
  • Agentic Control-Loop: Amazon Q Developer/Business or Claude Code orchestrates a SpendSense β†’ Decide β†’ Execute β†’ Audit loop using AWS MCP servers (Billing/Cost Management, CloudWatch) and Playwright MCP for browser QA & console sanity checks.
  • Governed Automation: Every change is PR-gated and guarded by SLO checks (latency, error-budget) and security gates (encryption, IAM diff, network posture).

πŸš€ Quick Start GuideΒΆ

Installation & SetupΒΆ

## PyPI Installation (Recommended)
pip install runbooks
runbooks finops --help

## Configure enterprise profiles
export BILLING_PROFILE="your-billing-readonly-profile"
export MANAGEMENT_PROFILE="your-management-readonly-profile"
# export CENTRALISED_OPS_PROFILE="your-ops-readonly-profile"

## Verify access
aws sts get-caller-identity --profile $BILLING_PROFILE

Business Scenarios - Validated Working CommandsΒΆ

## Business scenario matrix (7 working scenarios) - NEW STANDARDIZED PARAMETERS
runbooks finops --help                                                   ## View all functionality
runbooks finops --scenario workspaces --profile $BILLING_PROFILE         ## WorkSpaces optimization
runbooks finops --scenario nat-gateway --profile $BILLING_PROFILE        ## NAT Gateway optimization
runbooks finops --scenario elastic-ip --profile $BILLING_PROFILE         ## Elastic IP management
runbooks finops --scenario ebs-optimization --profile $BILLING_PROFILE   ## EBS optimization
runbooks finops --scenario rds-snapshots --profile $BILLING_PROFILE      ## RDS snapshots cleanup
runbooks finops --scenario backup-investigation --profile $BILLING_PROFILE ## Backup analysis
runbooks finops --scenario vpc-cleanup --profile $BILLING_PROFILE        ## VPC cleanup

## Multi-account Landing Zone operations - NEW PARAMETER
runbooks finops --scenario workspaces --all-profile $MANAGEMENT_PROFILE    ## Multi-account WorkSpaces
runbooks finops --scenario vpc-cleanup --all-profile $MANAGEMENT_PROFILE   ## Organization-wide VPC cleanup

## AWS Cost Explorer metrics (default: UnblendedCost β€” matches AWS Billing Console)
runbooks finops --profile $BILLING_PROFILE                 ## Default: UnblendedCost (actual invoice charges)
runbooks finops --unblended --profile $BILLING_PROFILE     ## Explicit: UnblendedCost (same as default)
runbooks finops --amortized --profile $BILLING_PROFILE     ## Financial: AmortizedCost (RI/SP spread over term)
runbooks finops --cost-metric blended --profile $BILLING_PROFILE  ## BlendedCost (org-wide RI/SP averaging)

Core Dashboard CommandsΒΆ

## Default: Current month analysis - STANDARDIZED PARAMETERS
runbooks finops --profile $BILLING_PROFILE

## Trend: 6-month historical analysis
runbooks finops --trend --profile $BILLING_PROFILE

## Audit: Resource optimization opportunities
runbooks finops --audit --profile $BILLING_PROFILE

## Multi-format executive reporting
runbooks finops --profile $BILLING_PROFILE --csv --markdown --json --pdf

## Multi-account trend analysis - NEW vs LEGACY
runbooks finops --audit --trend --all-profile $MANAGEMENT_PROFILE    ## NEW: Multi-account Landing Zone
runbooks finops --audit --trend --all --profile $BILLING_PROFILE     ## LEGACY: Still supported

πŸ“‹ Complete Command Line Options ReferenceΒΆ

Core FinOps CommandsΒΆ

Option Type Description Default Example
--profile String [NEW] Single AWS profile for targeted analysis default --profile $BILLING_PROFILE
--all-profile String [NEW] Multi-account Landing Zone operations None --all-profile $MANAGEMENT_PROFILE
--profiles Multiple [LEGACY] Multiple AWS profiles for analysis None --profiles prof1 prof2
--all Flag [LEGACY] Use all available AWS profiles False --all
--combine Flag Combine profiles from same AWS account False --combine
--region String AWS region for analysis Current region --region us-east-1
--regions Multiple Multiple regions to analyze All regions --regions us-east-1 us-west-2
--time-range Integer Time range for cost data (days) Current month --time-range 90
--dry-run Flag Preview mode without changes False --dry-run

Analysis & Reporting OptionsΒΆ

Option Type Description Default Example
--audit Flag Comprehensive cost audit report False --audit
--trend Flag 6-month trend analysis False --trend
--validate Flag MCP cross-validation with real-time AWS API False --validate
--validate-claims Flag Run comprehensive financial claim validation using MCP False --validate-claims
--validate-projections Flag Validate individual module savings projections False --validate-projections
--confidence-threshold Float Minimum confidence threshold for validation (%) 99.5 --confidence-threshold 95.0
--show-confidence-levels Flag Display confidence levels for financial claims False --show-confidence-levels
--tag Multiple Cost allocation tag filtering None --tag Environment=prod
--high-cost-threshold Float High cost highlighting threshold 5000.0 --high-cost-threshold 10000
--medium-cost-threshold Float Medium cost highlighting threshold 1000.0 --medium-cost-threshold 500

Export Format OptionsΒΆ

Option Type Description Default Example
--report-type Multiple Output formats (csv,json,pdf,markdown) markdown --report-type csv,json
--csv Flag Generate CSV report (convenience) False --csv
--json Flag Generate JSON report (convenience) False --json
--pdf Flag Generate PDF report (convenience) False --pdf
--export-markdown Flag Rich-styled markdown export False --export-markdown
--report-name String Base name for report files Auto-generated --report-name "monthly-costs"
--dir String Output directory for reports Current directory --dir ./reports/

Display & Formatting OptionsΒΆ

Option Type Description Default Example
--profile-display-length Integer Max characters for profile names No limit --profile-display-length 20
--service-name-length Integer Max characters for service names No limit --service-name-length 15
--max-services-text Integer Max services in text summaries No limit --max-services-text 10
--tech-focus Flag Technical analysis (UnblendedCost) False --tech-focus
--financial-focus Flag Financial reporting (AmortizedCost) False --financial-focus
--dual-metrics Flag Both technical and financial metrics True --dual-metrics
--unblended Flag Use UnblendedCost metrics for technical analysis False --unblended
--amortized Flag Use AmortizedCost metrics for financial analysis False --amortized
--mode String Dashboard mode (single_account/multi_account) Auto-detect --mode multi_account
--top-services Integer Number of top services to display 10 --top-services 15
--top-accounts Integer Number of top accounts to display 5 --top-accounts 8
--services-per-account Integer Services per account in multi-account mode 3 --services-per-account 5
--format String Output format (table/json/csv/markdown) markdown --format table
--no-enhanced-routing Flag Disable enhanced service-focused routing False --no-enhanced-routing

Cost Metric ReferenceΒΆ

The default metric is UnblendedCost β€” the same number shown on your AWS Billing Console "Bills" page and monthly invoice.

Metric What It Shows When To Use Flag
UnblendedCost (default) Actual charges per resource/account Cost optimization, budgeting, showback --cost-metric unblended or no flag
AmortizedCost RI/SP upfront costs spread over term Financial planning, commitment tracking --cost-metric amortized
BlendedCost Weighted average across org RI/SP benefit distribution analysis --cost-metric blended

All personas (CxO, FinOps, Architect, SRE) should use UnblendedCost for consistency β€” it ensures runbooks output matches what you see in the AWS Console and on invoices.

Cost Optimization & Business ScenariosΒΆ

Option Type Description Default Example
--scenario String Business scenario analysis None --scenario nat-gateway
--help-scenario String Display detailed help for specific scenario None --help-scenario vpc-cleanup
--sprint1-analysis Flag Sprint 1 cost optimization analysis False --sprint1-analysis
--optimize-nat-gateways Flag NAT Gateway optimization analysis False --optimize-nat-gateways
--cleanup-snapshots Flag EC2 snapshot cleanup analysis False --cleanup-snapshots
--optimize-elastic-ips Flag Elastic IP optimization analysis False --optimize-elastic-ips
--mcp-validation Flag Enable MCP validation for accuracy cross-checking False --mcp-validation
--validate-mcp Flag Run standalone MCP validation framework False --validate-mcp

PDCA Automation OptionsΒΆ

Option Type Description Default Example
--pdca Flag Run autonomous PDCA cycles for improvement False --pdca
--pdca-cycles Integer Number of PDCA cycles to run 3 --pdca-cycles 5
--pdca-continuous Flag Run PDCA in continuous mode False --pdca-continuous

πŸ”„ Migration Guide: Legacy to Standardized Parameters βœ…ΒΆ

Since we still haven't passed my manager's quality gate, our runbooks's finops haven't reached enterprise-grade production readiness, therefore I decided to deduct Legacy from our deliverables, and we're starting from scratch. 1. ONLY Keep NEW Standardized Parameters: (--profile by default) | New Parameter | Purpose | Use Case | |------------------|-------------|--------------| | --profile | ONLY 1 Single AWS profile for targeted analysis | Individual account cost analysis | | --profiles | βœ… | Keep --profiles for filtered/selected accounts [$BILLING_PROFILE, $TEST_PROFILE] | | --all-profile | Multi-account Landing Zone operations | Organization-wide cost optimization | 2. Simplfy Multi-Account Landing Zone Operations by Depreciated & remove --all --> Migrate to --all-profile for multi-account 3. Depreciated & remove --combine --> Migrate to --profiles for filtered/selected accounts

πŸ“š CLI Export Format Quick ReferenceΒΆ

Convenience Flags (User Friendly) βœ…ΒΆ

export MY_AWS_PROFILE=$BILLING_PROFILE
# Single command export formats - UPDATED WITH NEW STANDARDIZED PARAMETERS
runbooks finops --profile $MY_AWS_PROFILE --csv   # CSV export
runbooks finops --profile $MY_AWS_PROFILE --json  # JSON export
runbooks finops --profile $MY_AWS_PROFILE --pdf   # PDF export
runbooks finops --profile $MY_AWS_PROFILE --csv --markdown --json --pdf

# Multi-account Landing Zone exports - NEW PARAMETER
runbooks finops --all-profile $MANAGEMENT_PROFILE --csv --markdown --json --pdf

# With report naming
runbooks finops --profile $MY_AWS_PROFILE --csv --report-name "monthly-costs"
runbooks finops --profile $MY_AWS_PROFILE --json --report-name "cost-analysis"

Original Method (Still Supported) βœ…ΒΆ

export MY_AWS_PROFILE=$BILLING_PROFILE
# Verbose but explicit format specification - UPDATED PARAMETERS
runbooks finops --profile $MY_AWS_PROFILE --report-type csv
runbooks finops --profile $MY_AWS_PROFILE --report-type json
runbooks finops --profile $MY_AWS_PROFILE --report-type pdf
runbooks finops --profile $MY_AWS_PROFILE --report-type markdown

# Multi-account Landing Zone reporting - NEW PARAMETER
runbooks finops --all-profile $MANAGEMENT_PROFILE --report-type csv
runbooks finops --all-profile $MANAGEMENT_PROFILE --report-type json

Multi-Account Analysis βœ…ΒΆ

# Multiple specific profiles - LEGACY (still supported)
runbooks finops --profiles $BILLING_PROFILE $TEST_PROFILE --combine

# Organization-wide analysis (61 accounts) - NEW vs LEGACY
runbooks finops --all-profile $MANAGEMENT_PROFILE    # NEW: Multi-account Landing Zone
runbooks finops --all --profile $BILLING_PROFILE     # LEGACY: Still supported

βš™οΈ Configuration Files & AutomationΒΆ

YAML Configuration ExampleΒΆ

# .runbooks/finops-config.yaml
finops:
  profiles:
    billing: "aws-admin-Billing-ReadOnlyAccess"
    management: "aws-admin-ReadOnlyAccess"
    operations: "aws-centralised-ops-ReadOnlyAccess"

  default_settings:
    time_range: 30
    high_cost_threshold: 5000.0
    medium_cost_threshold: 1000.0
    enable_mcp_validation: true
    dual_metrics: true

  export_formats:
    default: ["csv", "json"]
    executive: ["pdf", "html"]
    technical: ["json", "markdown"]

  cost_optimization:
    target_reduction: 25.0
    analyze_trends: true
    include_recommendations: true

# Usage with config file
runbooks finops --config .runbooks/finops-config.yaml

TOML Configuration ExampleΒΆ

# pyproject.toml or .runbooks/config.toml
[tool.runbooks.finops]
default_profile = "aws-admin-Billing-ReadOnlyAccess"
time_range = 30
high_cost_threshold = 5000.0
enable_validation = true

[tool.runbooks.finops.profiles]
billing = "aws-admin-Billing-ReadOnlyAccess"
management = "aws-admin-ReadOnlyAccess"
operations = "aws-centralised-ops-ReadOnlyAccess"

[tool.runbooks.finops.export]
formats = ["csv", "json", "pdf"]
output_dir = "./exports/finops/"

Environment Variables ConfigurationΒΆ

# Enterprise environment configuration
export RUNBOOKS_BILLING_PROFILE="aws-admin-Billing-ReadOnlyAccess"
export RUNBOOKS_MANAGEMENT_PROFILE="aws-admin-ReadOnlyAccess" 
export RUNBOOKS_OPERATIONS_PROFILE="aws-centralised-ops-ReadOnlyAccess"
export RUNBOOKS_HIGH_COST_THRESHOLD=5000
export RUNBOOKS_ENABLE_MCP_VALIDATION=true
export RUNBOOKS_DEFAULT_TIME_RANGE=30
export RUNBOOKS_EXPORT_DIR="./exports/finops/"

πŸ“Š Export Formats ReferenceΒΆ

CSV Export FormatΒΆ

Column Description Example Value
service_name AWS service identifier Amazon Elastic Compute Cloud - Compute
current_cost Current period cost 1,234.56
previous_cost Previous period cost 1,100.45
cost_change Absolute cost change 134.11
change_percentage Percentage change 12.2%
cost_trend Trend indicator πŸ“ˆ Increasing

JSON Export FormatΒΆ

{
  "analysis_timestamp": "2025-01-12T10:30:00Z",
  "profile": "aws-admin-Billing-ReadOnlyAccess",
  "time_range": "2024-12-01 to 2024-12-31",
  "total_cost": 15234.67,
  "services": [
    {
      "service_name": "Amazon Elastic Compute Cloud - Compute",
      "current_cost": 1234.56,
      "previous_cost": 1100.45,
      "change_amount": 134.11,
      "change_percentage": 12.2,
      "optimization_opportunities": ["rightsizing", "reserved_instances"]
    }
  ],
  "mcp_validation": {
    "accuracy": 100.0,
    "validated_at": "2025-01-12T10:30:15Z",
    "discrepancies": []
  }
}

PDF Export FormatΒΆ

  • Executive Summary: Key metrics and cost trends
  • Service Breakdown: Detailed service-by-service analysis
  • Optimization Recommendations: Cost reduction opportunities
  • Charts & Visualizations: Cost trends and service distribution
  • Compliance Documentation: Audit-ready reporting

Markdown Export FormatΒΆ

# Cost Analysis Report
**Profile**: aws-admin-Billing-ReadOnlyAccess
**Period**: December 2024
**Total Cost**: $15,234.67

## Service Breakdown
| Service | Current | Previous | Change |
|---------|---------|----------|--------|
| EC2-Instance | $1,234.56 | $1,100.45 | +12.2% |
| S3 | $567.89 | $545.32 | +4.1% |

## Optimization Opportunities
- **EC2 Rightsizing**: Potential cost reduction ($308.64/month)
- **S3 Lifecycle**: Storage optimization ($85.18/month)

πŸ” AWS IAM Permissions RequiredΒΆ

Billing Profile Permissions (Copy-Paste Ready)ΒΆ

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetUsageReport", 
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:ListCostCategoryDefinitions",
        "ce:GetCostCategories",
        "ce:GetMetricValue",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "budgets:ViewBudget",
        "support:DescribeTrustedAdvisorChecks"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow", 
      "Action": [
        "sts:GetCallerIdentity",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}

Management Profile PermissionsΒΆ

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:DescribeAccount",
        "organizations:ListAccountsForParent",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

Operational Profile PermissionsΒΆ

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "lambda:List*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

πŸ’° Copy-Paste CLI Examples (Real Profile Variables)ΒΆ

Quick Start Examples - UPDATED WITH STANDARDIZED PARAMETERSΒΆ

## Set your environment variables (replace with your actual profiles)
export MY_AWS_PROFILE="aws-admin-Billing-ReadOnlyAccess"
export TEST_SRE_PROFILE="aws-shared-services-non-prod-ReadOnlyAccess"
export BILLING_PROFILE="aws-admin-Billing-ReadOnlyAccess"
export MANAGEMENT_PROFILE="aws-admin-ReadOnlyAccess"
export CENTRALISED_OPS_PROFILE="aws-centralised-ops-ReadOnlyAccess"

## Basic cost analysis - STANDARDIZED PARAMETER
runbooks finops --profile $MY_AWS_PROFILE

## Multi-format export - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --csv --json --pdf --report-name "monthly-analysis"

## Organization-wide analysis with trends - NEW vs LEGACY
runbooks finops --all-profile $MANAGEMENT_PROFILE --audit --trend --csv    ## NEW: Multi-account Landing Zone
runbooks finops --all --profile $BILLING_PROFILE --audit --trend --csv     ## LEGACY: Still supported

## MCP-validated analysis - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --validate --dual-metrics --audit

Advanced Multi-Account Examples - UPDATED WITH STANDARDIZED PARAMETERSΒΆ

## Cross-account cost comparison - LEGACY (still supported)
runbooks finops --profiles $BILLING_PROFILE $TEST_SRE_PROFILE --combine --audit

## Multi-account Landing Zone analysis - NEW PARAMETER
runbooks finops --all-profile $MANAGEMENT_PROFILE --combine --audit

## Regional cost analysis - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --regions us-east-1,us-west-2,eu-west-1

## Cost allocation by tags - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --tag Environment=prod --tag Team=engineering

## Executive dashboard generation - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --audit --trend --pdf --report-name "executive-dashboard" --dir ./executive-reports/

Automation & CI/CD Examples - UPDATED WITH STANDARDIZED PARAMETERSΒΆ

## Scheduled cost monitoring (for cron/automation) - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --json --report-name "daily-costs-$(date +%Y%m%d)" --high-cost-threshold 10000

## Multi-account scheduled monitoring - NEW PARAMETER
runbooks finops --all-profile $MANAGEMENT_PROFILE --json --report-name "org-costs-$(date +%Y%m%d)" --high-cost-threshold 50000

## Compliance reporting - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --audit --pdf --report-name "compliance-$(date +%Y-%m)" --validate

## Performance-optimized analysis - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --tech-focus --csv --max-services-text 20

πŸš€ Quick Reference Card (Print/Bookmark)ΒΆ

Essential Commands (5-Minute Setup) - UPDATED WITH STANDARDIZED PARAMETERSΒΆ

## 1. Verify AWS access - STANDARDIZED PARAMETER
aws sts get-caller-identity --profile your-billing-profile

## 2. Basic cost dashboard - STANDARDIZED PARAMETER
runbooks finops --profile your-billing-profile

## 3. Export reports for management - STANDARDIZED PARAMETER
runbooks finops --profile your-billing-profile --csv --json --pdf

## 4. Multi-account analysis - NEW vs LEGACY
runbooks finops --all-profile your-management-profile --audit    ## NEW: Multi-account Landing Zone
runbooks finops --all --profile your-billing-profile --audit     ## LEGACY: Still supported

## 5. Validated high-accuracy analysis - STANDARDIZED PARAMETER
runbooks finops --profile your-billing-profile --validate --audit --trend

Required IAM Permissions (minimum)ΒΆ

  • ce:GetCostAndUsage (Cost Explorer access)
  • organizations:ListAccounts (Multi-account visibility)
  • sts:GetCallerIdentity (Profile validation)

Common Profile VariablesΒΆ

export BILLING_PROFILE="your-consolidated-billing-profile"
export MANAGEMENT_PROFILE="your-management-account-profile" 
export SINGLE_AWS_PROFILE="your-single-account-profile"

Typical OutputsΒΆ

  • CSV: Service costs, trends, optimization opportunities
  • JSON: Structured data for automation/integration
  • PDF: Executive reports with charts and analysis
  • Console: Interactive Rich CLI with real-time insights

πŸ’Έ Cost Transparency & AWS API PricingΒΆ

AWS API Costs Per OperationΒΆ

FinOps cost analysis operations incur minimal AWS costs:

API Call Cost Frequency Monthly Cost (Est.)
Cost Explorer API ~$0.01 per request 1-5 per analysis $0.30-$1.50
Organizations API Free 1-3 per analysis $0.00
CloudWatch GetMetric $0.01 per 1,000 requests Variable $0.10-$1.00
S3 Storage (reports) $0.023/GB ~10MB per report $0.01-$0.05

Total Monthly Cost: ~$0.50-$3.00 for regular enterprise usage

Cost-Benefit AnalysisΒΆ

  • API Costs: $0.50-$3.00/month
  • Typical Savings Identified: Measurable optimization opportunities identified per account
  • ROI: Substantial return on investment through automation
  • Break-even: First analysis typically pays for 6-12 months of API costs

Usage Optimization TipsΒΆ

## Minimize API calls - use cached data when possible
runbooks finops --profile $BILLING_PROFILE --time-range 30  ## vs daily calls

## Batch operations for multiple accounts
runbooks finops --all --profile $BILLING_PROFILE  ## vs individual profile calls

## Use appropriate time ranges
runbooks finops --profile $BILLING_PROFILE --time-range 7   ## Weekly analysis
runbooks finops --profile $BILLING_PROFILE --time-range 30  ## Monthly analysis
runbooks finops --profile $BILLING_PROFILE --time-range 90  ## Quarterly analysis

πŸ› οΈ Quick TroubleshootingΒΆ

## Authentication issues
aws sts get-caller-identity --profile $BILLING_PROFILE
aws sso login --profile $BILLING_PROFILE

## Performance optimization
runbooks finops --profile $BILLING_PROFILE --time-range 7  ## Faster analysis
runbooks finops --profile $BILLING_PROFILE --regions us-east-1  ## Specific regions

Common Issues: IAM permissions (ce:GetCostAndUsage required) | Profile configuration (aws configure sso) | Performance optimization (reduce time-range)


πŸ’° Enterprise Business Value & ROI AnalysisΒΆ

Combined Business Intelligence: $630K+ Annual Value + $79,922+ AWSO Savings Identified

Validated Business Scenarios with Quantified SavingsΒΆ

Scenario Command Savings Potential Implementation Status
WorkSpaces Cleanup runbooks finops --scenario workspaces $12,518 annual βœ… Operational
RDS Snapshots Management runbooks finops --scenario rds-snapshots $5K-24K annual βœ… Operational
NAT Gateway Optimization runbooks finops --scenario nat-gateway $12,404+ annual βœ… Operational
Elastic IP Management runbooks finops --scenario elastic-ip $44+ monthly βœ… Operational
EBS Volume Optimization runbooks finops --scenario ebs-optimization Measurable savings opportunity βœ… Operational
VPC Infrastructure Cleanup runbooks finops --scenario vpc-cleanup $5,869+ annual βœ… Operational
Backup Investigation runbooks finops --scenario backup-investigation Framework ready βœ… Operational

Enterprise Performance BenchmarksΒΆ

  • Single Account: Sub-minute execution
  • Multi-Account: Efficient processing for 60+ accounts
  • Export Generation: Fast multi-format output
  • MCP Validation: Cross-validated vs AWS Cost Explorer API
  • Memory Usage: <500MB enterprise-scale operations

Strategic Business ApplicationsΒΆ

  • C-Suite: Monthly board reporting with PDF executive summaries
  • FinOps Teams: Daily multi-account cost monitoring and optimization
  • Technical Teams: DevOps automation with cost impact analysis
  • Compliance: Automated audit documentation for regulatory requirements

Ready-to-Execute High ROI Commands - UPDATED WITH STANDARDIZED PARAMETERSΒΆ

## Immediate value: NAT Gateway analysis - STANDARDIZED PARAMETER
runbooks finops --optimize-nat-gateways --profile $BILLING_PROFILE --audit

## Multi-account NAT Gateway optimization - NEW PARAMETER
runbooks finops --optimize-nat-gateways --all-profile $MANAGEMENT_PROFILE --audit

## RDS snapshot cleanup analysis (validated savings) - STANDARDIZED PARAMETER
runbooks operate rds --snapshots --analysis manual --profile $CENTRALISED_OPS_PROFILE

## Executive reporting with quantified opportunities - STANDARDIZED PARAMETER
runbooks finops --profile $BILLING_PROFILE --audit --trend --pdf --csv

Strategic Priority: WorkSpaces integration development required for highest ROI opportunity ($12,518).

πŸ“š Essential DocumentationΒΆ

ContributingΒΆ

We welcome contributions! Please see our Contributing Guide for details on: - Adding new cost analysis capabilities - Contributing optimization algorithms - Enhancing executive reporting features - Following our enterprise development practices

LicenseΒΆ

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.



πŸ—ΊοΈ Architecture (high level)ΒΆ

flowchart LR
  subgraph Observe
    CUR[(AWS CUR)]
    CAD[Cost Anomaly Detection]
    Telemetry[APM/SLOs]
  end
  subgraph Decide
    CO[Compute Optimizer]
    Recs[Rightsizing & Commit Ladders]
    NetPath[NAT/Endpoint Plans]
    Karpenter[Karpenter Consolidation]
  end
  subgraph Act
    RunbooksCLI[runbooks CLI]
    TF[Terraform]
    SSM[AWS SSM Automation]
  end
  subgraph Audit
    PRs[PRs & Change Windows]
    Drift[Drift Watch]
    KPIs[Unit Economics & Coverage]
  end
  MCP[AWS MCP Servers]
  PlaywrightMCP[Playwright MCP]
  Agent[Claude-Code / Amazon Q CLI]

  CUR --> Agent
  CAD --> Agent
  Telemetry --> Agent
  Agent --> MCP
  Agent --> PlaywrightMCP
  Agent --> Decide
  Decide --> Act
  Act --> Audit

Why this matters

  • Anomaly-first triage (AWS Cost Anomaly Detection) + native rightsizing (Cost Explorer / Compute Optimizer) keeps actions explainable and safe. (Amazon Web Services, Inc.)
  • NAT/egress is tamed using Gateway Endpoints (S3/DynamoDB) and targeted PrivateLink β€” a classic high-leverage save. (AWS Documentation)
  • EKS is tuned with Karpenter consolidation for steady waste reduction. (Karpenter)
  • MCP servers expose AWS resources safely to agents; Playwright MCP enables UI smoke/UAT without bespoke glue. (Amazon Web Services, Inc.)

βœ… Feature MatrixΒΆ

Category What you get Key Tools / Docs
Detect spikes Anomaly monitors, budget thresholds, top-service diffs AWS Cost Anomaly Detection, Budgets, CUR (Athena/Parquet) (Amazon Web Services, Inc.)
Rightsize compute EC2/ASG rightsizing & commit ladders with guard-bands Compute Optimizer, Cost Explorer Rightsizing (AWS Documentation)
Kill waste Orphaned EBS, stale snapshots, stray EIPs, idle GPU labs Scenarios + shell/Terraform patterns (see catalog) (interview.devopscommunity.in)
Trim egress/NAT Endpoint placement (S3/DDB), PrivateLink decisioning Well-Architected COST08, VPC endpoint docs (AWS Documentation)
EKS savings Karpenter consolidation, Spot-safe pools, request hygiene Karpenter docs & consolidation guidance (Karpenter)
MCP wiring AWS MCP (Billing/EKS) + Playwright MCP for QA AWS blogs/awslabs MCP; Playwright MCP repos (Amazon Web Services, Inc.)
Governance SCP/tag enforcement; PR-gated changes; auto-rollback Scenario IAM/tag policies + CI hooks (interview.devopscommunity.in)

πŸš€ QuickstartΒΆ

2) Wire MCP servers (examples)ΒΆ

  • AWS MCP (Billing/Cost & EKS) for agent access to spend and clusters.
  • Playwright MCP for console/UIs (browser automation & accessibility snapshots).
# mcp_servers.yaml (example manifest)
servers:
  aws-billing:
    type: mcp
    endpoint: https://mcp.aws/billing
    auth: { method: "env", vars: ["AWS_PROFILE"] }
  aws-eks:
    type: mcp
    endpoint: https://mcp.aws/eks
    auth: { method: "env", vars: ["AWS_PROFILE"] }
  playwright:
    type: mcp
    endpoint: http://localhost:3333
    args: ["--headless"]

Connect this manifest from your agent client (Claude-Code, Amazon Q CLI, Cursor/Windsurf) to expose tools safely.

3) Initialize FinOpsΒΆ

## Billing lake & anomaly monitors
runbooks finops bootstrap --payer-profile billing
runbooks finops enable-anomaly-detection --notify sns://finops-alerts

(Uses AWS Cost Anomaly Detection to learn baselines & alert on spend spikes.)

4) First savings (safe previews)ΒΆ

## NAT/egress plan (no changes): expect gateway endpoints proposals (S3/DynamoDB)
runbooks vpc optimize-nat --all-accounts --plan

## Compute rightsizing preview: EC2/ASG recommendations
runbooks finops rightsize --sources compute-optimizer,cost-explorer --dry-run

## EKS consolidation: show which nodes can be safely merged
runbooks eks consolidate --cluster prod-eks --dry-run
  • NAT/endpoint design aligns to Well-Architected guidance (Gateway endpoints free; PrivateLink adds hourly/GB cost).
  • Rightsizing sources use Cost Explorer/Compute Optimizer methods.
  • Karpenter consolidation removes under-utilized nodes predictably.

5) Apply with gates (change windows)ΒΆ

## Small batches; PR-gated; with rollback and SLO/security checks
runbooks vpc optimize-nat --execute --change-window "Sat 22:00-23:00"
runbooks finops commit-ladder --target-coverage 75 --ladder "1yr compute + 3yr steady"
runbooks eks consolidate --cluster prod-eks --execute --canary 10%

🧭 Scenario Catalog β†’ Runbooks MappingΒΆ

The DevOpsCommunity scenarios document real-world spikes & fixes: idle load-test farms, orphaned EBS/snapshots, uncompressed S3 logs, mis-scaled ASGs; plus shell & Terraform examples for cleanup, tagging enforcement, lifecycle policies.

Scenario (source) Detection Signals Root Causes Runbook(s) Automation Gates
Spike across EC2/EBS/S3 (scenario_01) CAD alerts; service deltas MTD; infra diffs Load-test EC2 left on; orphaned EBS; S3 logs w/o lifecycle; CPU-only ASG policy finops rightsize, finops detect-orphans, s3 lifecycle plan SLO regression check; IAM diff; encryption on; PR review (interview.devopscommunity.in)
Multi-account spike (scenario_02) Org-wide Cost Explorer trends; monitors by acct/tag Idle GPU instances; unattached EBS/EIPs; unused NAT GWs; ASG not scaling down inventory orphans, vpc optimize-nat, asg policy audit Route-table & endpoint checks; change window; rollback plan (interview.devopscommunity.in)

The scenario set also covers tag enforcement, ASG mixed-instances policies, S3 lifecycle, DynamoDB autoscaling, and NAT cleanup, which we codify into the runbooks above. (interview.devopscommunity.in)


πŸ€– AI Agents (Agile SDLC)ΒΆ

Squad Roster (RACI-style):

  • SpendSense (Observe) β€” reads CUR & Cost Anomaly Detection, raises incidents with top-drivers. (Amazon Web Services, Inc.)
  • RightSizer (Decide) β€” merges Compute Optimizer + Cost Explorer rightsizing into a plan file w/ savings & perf risk. (AWS Documentation)
  • NetPath (Decide) β€” proposes Gateway Endpoints / PrivateLink placements to minimize NAT & egress. (AWS Documentation)
  • KarpenterOps (Decide) β€” computes consolidation actions & PDB-safe drain plans. (Karpenter)
  • CommitPlanner (Decide) β€” Savings Plans/RI laddering for baseline/steady state. (Uses Cost Explorer + forecast from CUR.) (AWS Documentation)
  • ExecGuard (Act) β€” executes runbooks in approved windows; auto-rollback if error-budget burn worsens.
  • PolicyGate (Audit) β€” SCP/tag conformance; drift watch; PR approvals. (interview.devopscommunity.in)
  • UATBot (QA) β€” Playwright MCP browser checks (console/UI smoke) before/after changes. (GitHub)

Sprint cadence:

  • Weekly: anomaly triage β†’ plan β†’ micro-batches β†’ post-change KPI export.
  • Monthly: commitment rebalancing (coverage/utilization), EKS consolidation review.
  • Quarterly: Well-Architected Cost pillar review, NAT/endpoint topology re-assessment.

🧰 Runbooks CLI (examples)¢

# Orphan detection (EBS snapshots, stopped >7d, unassoc EIPs)
runbooks finops detect-orphans --profile $AWS_PROFILE

# NAT/Endpoint plan (AZ-local, S3/DDB gateway endpoints, PL decisions)
runbooks vpc optimize-nat --all-accounts --plan

# Rightsizing (combine CO + CE recommendations)
runbooks finops rightsize --lookback 14d --risk low --approve-threshold 70

# Commit ladder (blended 1-yr compute + 3-yr steady)
runbooks finops commit-ladder --target-coverage 70:80

# EKS consolidation (Karpenter)
runbooks eks consolidate --cluster prod-eks --pdb-aware --canary 10%

πŸ” Safety & GovernanceΒΆ

  • Pre-checks: latency P95/P99, error-budget burn, KMS/encryption required, IAM least-privilege diff, AZ locality for endpoints.
  • Controls: SCPs deny untagged creates; required tags for Owner/CostCenter/Environment/Project; lifecycle rules on S3 & EBS. (Patterns mirror scenario IAM/tag policies.)
  • Change management: PRs with change windows; automatic rollback if SLOs degrade; audit trail + drift alarms.

πŸ“Š KPIs (Exec & Engineering)ΒΆ

Pillar KPI Target
Compute Rightsizing yield (\$/mo) β–² month-over-month
Commitments SP/RI Coverage & Utilization Measured per organization policy
Network NAT/egress delta β–Ό within 30 days
EKS Consolidation savings β–² quarter-over-quarter
Storage Tiering savings (S3/EBS) β–² month-over-month
Governance Tag conformance Continuous measurement via automation
Finance Unit economics (\$/order, \$/tenant, \$/API) Trend to goal

πŸ§ͺ CI/CD + MCP hooksΒΆ

GitHub Actions (skeleton):

name: finops-weekly
on:
  schedule: [{cron: "0 21 * * 5"}]  # Fri 21:00 UTC
jobs:
  nat_and_rightsize_plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install "runbooks>=1.1.4"
      - run: runbooks finops rightsize --dry-run --out plan/rightsizing.json
      - run: runbooks vpc optimize-nat --plan --out plan/nat.json
      - run: git add plan && git commit -m "weekly finops plans" && git push
  eks_consolidation:
    runs-on: ubuntu-latest
    steps:
      - run: runbooks eks consolidate --cluster prod-eks --dry-run --out plan/eks.json

Agent UAT (Playwright MCP):

  • Post-plan, UATBot executes login/console sanity flows and dashboards checks (e.g., billing console pages, EKS nodes views) to ensure no regressions.

πŸ”„ How this aligns with the DevOpsCommunity scenariosΒΆ

  • We keep their clear incident narratives (e.g., idle GPU labs, orphaned volumes, NAT gateways, mis-scaled ASGs) and practical fix patterns (bash/Terraform, tag enforcement, lifecycle).
  • We add an agentic loop + MCP integration so findings β†’ changes are continuous and governed, not one-offs.

🀝 Contributing¢

  • Add a scenario with: What Happened β†’ Diagnosis β†’ Root Cause β†’ Fix/Workaround β†’ Governance β†’ Runbook.
  • Include pre-checks (SLO/security) & post-checks (KPIs, anomaly delta).
  • PRs require: plan artifacts + UATBot run + rollback notes.

🧭 Roadmap¢

  • FinOps + AI MCP pack: pre-built tools for commitment ladders, NAT topology diffs, S3 tiering, Karpenter health.
  • Multi-cloud adapters (Azure Advisor/GCP Recommender) normalized into the agent loop.
  • Executive dashboards for unit economics & error-budget overlays.

  1. Detect with Anomaly Detection β†’ 2) Decide with native recommenders β†’ 3) Execute via runbooks (gated) β†’ 4) Audit via PRs/KPIs β€” all agent-operated over MCP with Playwright sanity checks. This is how we turn ad-hoc cost firefighting into durable, safe, autonomous FinOps.