AWS

Compute

Azure SQL – Consider Limiting vCores and Capacity in Non-Production Projects

This FinOps policy requires that Azure SQL databases in non-production environments use reduced vCore counts and lower capacity tiers compared to production. Applying this constraint directly reduces cloud costs by preventing teams from running over-provisioned database resources in environments where peak performance is not required.

Why This Policy Matters

Non-production environments such as development, staging,…

AWS

Compute

Azure SQL: Consider Using Serverless with Auto-Pause in Non-Production

This FinOps policy recommends switching Azure SQL Database instances in non-production environments to the serverless compute tier with auto-pause enabled. Doing so allows the database to automatically pause during periods of inactivity, eliminating compute charges when the instance is idle. Non-production environments such as development, staging, and testing frequently sit unused for hours or days…

AWS

Compute

OpenSearch: Consider Upgrading Version to Avoid Extended Support Costs

Running an outdated OpenSearch version on AWS triggers extended support charges that increase your monthly instance costs by a fixed percentage. This FinOps policy identifies OpenSearch domains running versions eligible for extended support and recommends upgrading to a current, fully supported version to eliminate that surcharge. Use this policy when auditing OpenSearch infrastructure costs in…

AWS

Compute

DynamoDB: Consider Using On-Demand Tables Rather Than Provisioned in Non-Production Projects

This FinOps policy recommends switching DynamoDB tables in non-production environments from provisioned capacity mode to on-demand capacity mode. Provisioned capacity requires upfront read/write unit commitments that generate costs even when tables sit idle, making it a poor fit for development, staging, and testing workloads.

Why This Policy Matters

Non-production DynamoDB tables are rarely accessed at…

AWS

Object Storage

Kinesis Data Firehose – Consider Making Delivery Streams Encrypted at Rest

Kinesis Data Firehose delivery streams should be configured with server-side encryption (SSE) to protect sensitive data in transit to its destination. Without encryption at rest, data such as logs, metrics, and transactions is stored in plaintext, creating a compliance and security risk. This FinOps policy applies to any organization using Kinesis Data Firehose to deliver…

AWS

Compute

ECS – Prevent Services from Being Publicly Accessible

This FinOps and security policy requires that Amazon ECS services are not directly reachable from the public internet. Publicly accessible ECS services expand the attack surface, increase the risk of unauthorized access, and commonly violate compliance frameworks such as CIS AWS Foundations Benchmark and PCI-DSS. This policy corresponds to AWS Security Hub control ECS.2. Why…

AWS

Object Storage

Kinesis – Consider Making Streams Encrypted at Rest

Amazon Kinesis Data Streams should be encrypted at rest using AWS Key Management Service (KMS) to protect sensitive data from unauthorized access. This FinOps policy ensures that encryption is enabled at the resource level, satisfying both security requirements and compliance mandates such as AWS Foundational Security Best Practices and NIST SP 800-53. This policy corresponds…

AWS

Compute

SQS – Consider Making Queues Encrypted at Rest

Amazon SQS queues should be encrypted at rest to protect message data from unauthorized access and meet compliance requirements. This FinOps policy ensures that encryption is enabled on all SQS queues, aligning with AWS Security Hub control SQS.1 and frameworks such as AWS Foundational Security Best Practices and NIST SP 800-53. This policy applies to…

Azure

Compute

Azure App Service – Consider Upgrading Isolated Service Plans to v2

App Service Isolated v2 plans offer significant performance improvements and cost optimization opportunities for organizations running Azure App Services. This policy provides guidance on evaluating and migrating to the more cost-effective Isolated v2 service plans.

Why This Policy Matters

Azure App Service Isolated v2 plans represent a strategic opportunity for organizations to: Performance and Cost…

Get started
with Infracost

© 2026 Infracost Inc
