Amazon Kinesis Data Streams should be encrypted at rest using AWS Key Management Service (KMS) to protect sensitive data from unauthorized access. This FinOps policy ensures that encryption is enabled at the resource level, satisfying both security requirements and compliance mandates such as AWS Foundational Security Best Practices and NIST SP 800-53. This policy corresponds…
This FinOps and security policy requires that Amazon ECS services are not directly reachable from the public internet. Publicly accessible ECS services expand the attack surface, increase the risk of unauthorized access, and commonly violate compliance frameworks such as CIS AWS Foundations Benchmark and PCI-DSS. This policy corresponds to AWS Security Hub control ECS.2. Why…
Kinesis Data Firehose delivery streams should be configured with server-side encryption (SSE) to protect sensitive data in transit to its destination. Without encryption at rest, data such as logs, metrics, and transactions is stored in plaintext, creating a compliance and security risk. This FinOps policy applies to any organization using Kinesis Data Firehose to deliver…
Storing sensitive information such as database passwords, API keys, and authentication tokens directly in ECS container environment variables creates significant security risks and compliance violations. This FinOps policy helps organizations identify and remediate insecure secret management practices in their ECS infrastructure while reducing potential security breaches. Why this policy matters Container environment variables in ECS…
Database Migration Service (DMS) replication instances that are publicly accessible create unnecessary security risks and potential compliance violations. This FinOps policy ensures DMS replication instances are configured with private access only, reducing attack surface while maintaining operational functionality. When DMS instances are publicly accessible, they can be reached from the internet, creating opportunities for unauthorized…
CloudFront distributions should have a default root object configured to prevent user access errors and reduce unnecessary costs. The default root object is the file that CloudFront returns when users access your distribution’s root URL without specifying a particular file. Without this configuration, users may encounter 403 or 404 errors, leading to poor user experience…
AWS ElastiCache Redis versions 4, 5, and 6 will transition to extended support pricing, resulting in significant cost increases. Upgrading to newer Redis versions before support deadlines helps avoid these additional charges while maintaining security and performance standards. Why This Policy Is Important ElastiCache Redis extended support pricing represents a substantial increase in operational costs….
Ensure that the OpenAI Tokens-Per-Minute (TPM) limits meet your organization’s specific requirements based on the model and SKU being used. For example, ‘gpt-4:Standard:10’ means that GPT-4 models using the Standard SKU should use a value of less than or equal to 10K TPM. Managing TPM limits appropriately helps control costs, prevent unexpected billing spikes, and…
Ensure that OpenAI deployment SKUs meet your organization’s specific requirements. These can be based on your organization’s data processing location compliance or usage (e.g., Standard for variable workloads, ProvisionedManaged for high volume). When deploying OpenAI services in Azure, selecting the appropriate SKU (Stock Keeping Unit) is a critical decision that impacts cost efficiency, performance, and…
OpenAI frequently releases newer models that provide improved performance, capabilities, and cost efficiency. Organizations using older models may be overspending while receiving inferior results. By systematically adopting the latest appropriate models, your organization can realize significant cost savings while maintaining or improving capabilities. This policy ensures your organization leverages the most cost-efficient OpenAI models available,…
Upgrade legacy Azure storage accounts to general-purpose v2 (Storage V2) to optimize storage costs, improve performance, and access advanced features. Why Upgrade Storage Account Types? Azure recommends general-purpose v2 accounts for most storage scenarios. These accounts provide significant advantages over older storage account types, offering more flexibility, cost-effectiveness, and advanced management capabilities. Key Benefits of…
Azure storage accounts can generate significant unnecessary costs when blob storage isn’t managed efficiently. A lifecycle policy automates data management, transitioning blobs between access tiers or deleting unused data to optimize storage expenses and improve overall cloud infrastructure efficiency. Why This Policy Matters Effective blob storage management is crucial for controlling cloud infrastructure costs. Without…