Cost control and tagging
Cloud costs can spiral out of control. AWS provides tools to monitor them, but it all starts with tagging — which is at the same time an important signal for security and governance.
Tagging — the foundation of everything
Tags are key-value pairs assigned to resources. A consistent tagging strategy lets you filter costs, automate and enforce policies. A minimal set:
| Tag | Example | What for |
|---|---|---|
| env | prod, dev | separating environments |
| owner | team-zeus | accountability |
| cost-center | CC-4471 | billing |
| data-class | confidential | data security |
```bash
# Tag the EC2 instance
aws ec2 create-tags --resources i-0abc123 \
  --tags Key=env,Value=prod Key=owner,Value=team-zeus
```
Tip: enforce tags through SCPs or Tag Policies in Organizations. A resource without an
owner is a resource nobody will clean up — and one nobody is monitoring for security.
Cost Explorer and budgets
Cost Explorer visualizes spending over time, broken down by service, account or tag. AWS Budgets sends alerts when cost (or its forecast) exceeds a threshold.
```bash
# Budget of 1000 USD/month (alerts are attached with --notifications-with-subscribers)
aws budgets create-budget --account-id 111122223333 \
  --budget '{"BudgetName":"zeus-monthly","BudgetLimit":{"Amount":"1000","Unit":"USD"},"TimeUnit":"MONTHLY","BudgetType":"COST"}'
```
The most common sources of waste
- EC2 instances left running in dev after working hours,
- unattached EBS volumes and old snapshots,
- unused Elastic IPs (billed when unassigned),
- oversized instances (rightsizing via Compute Optimizer),
- S3 data in the Standard class that should long ago have been in Glacier.
Tagging and security
Tags are not only about cost. A data-class=confidential tag lets you
automatically require encryption and restricted access. An owner tag enables
quick assignment of a security finding to the right team. No tags = no context =
slower incident response.
How ZEUS sees it
ZEUS reads the tags of all resources during inventory. It uses them to assign
findings to teams (by the owner tag), group risk by environment (env) and
identify resources holding sensitive data (data-class). ZEUS itself reports
resources without the required tags as a governance finding, because the
absence of an owner hampers remediation and lowers the operational maturity of
the environment.
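The kind of check described above can be sketched as follows. This is an added example, not ZEUS's own code: it audits an inventory for the minimal tag set from this lesson and groups the findings by owner. The function names, the `UNOWNED` bucket, the sample ARNs and the choice to treat `prod` and `dev` as the only allowed `env` values are assumptions.

```python
from collections import defaultdict

# Required keys are this lesson's minimal set; the allowed env values are the
# lesson's examples, treated here as the complete allowed list (assumption).
REQUIRED = ("env", "owner", "cost-center", "data-class")
ALLOWED = {"env": {"prod", "dev"}}

def audit(resource):
    """Return (owner, problems) for one ResourceTagMappingList entry."""
    tags = {t["Key"]: t["Value"].strip() for t in resource.get("Tags", [])}
    lowered = {k.lower(): k for k in tags}
    problems = []
    for key in REQUIRED:
        if tags.get(key):
            if key in ALLOWED and tags[key] not in ALLOWED[key]:
                problems.append(f"{key}: value {tags[key]!r} not allowed")
        elif key in tags:
            problems.append(f"{key}: empty value")
        elif key in lowered:
            # Tag keys are case-sensitive: 'Owner' does not satisfy 'owner'.
            problems.append(f"{key}: found as {lowered[key]!r} (wrong case)")
        else:
            problems.append(f"{key}: missing")
    return tags.get("owner") or "UNOWNED", problems

def findings_by_owner(inventory):
    """Group governance findings by owner tag; ownerless ones go to UNOWNED."""
    grouped = defaultdict(list)
    for res in inventory:
        owner, problems = audit(res)
        if problems:
            grouped[owner].append((res["ResourceARN"], problems))
    return dict(grouped)

# Constructed sample in the shape returned by
# `aws resourcegroupstaggingapi get-resources` (ARNs and values are made up).
SAMPLE = [
    {"ResourceARN": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc123",
     "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "owner", "Value": "team-zeus"},
              {"Key": "cost-center", "Value": "CC-4471"}, {"Key": "data-class", "Value": "confidential"}]},
    {"ResourceARN": "arn:aws:ec2:eu-west-1:111122223333:volume/vol-0example1",
     "Tags": [{"Key": "Owner", "Value": "team-zeus"}, {"Key": "env", "Value": "test"}]},
    {"ResourceARN": "arn:aws:s3:::example-bucket", "Tags": []},
]

if __name__ == "__main__":
    for owner, items in findings_by_owner(SAMPLE).items():
        for arn, problems in items:
            print(owner, arn, "; ".join(problems))
```

The second sample resource shows the typical failure mode: it carries an `Owner` tag, yet the finding still lands in `UNOWNED` because the required key is `owner`.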
In the final lesson of this track we will see how the ZEUS connector to AWS is configured.