Financial billing and cost controls
In a cloud environment, setting up services can be as easy as providing a credit card number. Although this provides the benefit of making cloud services easy to enable and consume, this also adds risk in terms of business continuity (what if the credit card holder leaves the company?), as well as a company being financially liable for overages or the misuse of services (someone stands up a rogue server for crypto mining). Like controls in legacy environments that may check who is authorized to approve purchases at a given amount, this should be assessed within the cloud environment as well. Additionally, the IT auditor should ensure there are controls in place that allow an organization to limit potential cost overages and that proper alerting and notification are in place to monitor billing and cost status.
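As an added example (not from the original text), the following sketch shows how an auditor could test exported budget settings against the controls described above: every in-scope billing scope has a budget, at least one alert fires before the limit is reached, and alerts do not depend on a single person. The export format and all field names are hypothetical and provider-neutral, and the sample data is constructed.

```python
# Constructed sample: a simplified, provider-neutral export of budget settings.
# All field names here are hypothetical, not a cloud provider's API schema.
SAMPLE_BUDGETS = [
    {"scope": "prod-account", "monthly_limit": 5000,
     "alerts": [{"threshold_pct": 80, "recipients": ["finops@example.com", "it-ops@example.com"]},
                {"threshold_pct": 100, "recipients": ["finops@example.com", "cfo@example.com"]}]},
    {"scope": "dev-account", "monthly_limit": 1000,
     "alerts": [{"threshold_pct": 100, "recipients": ["jane@example.com"]}]},
    {"scope": "sandbox-account", "monthly_limit": 200, "alerts": []},
]
# Billing scopes the auditor expects to be covered (constructed).
IN_SCOPE = ["prod-account", "dev-account", "sandbox-account", "research-account"]


def audit_budgets(budgets, in_scope):
    """Return {scope: [finding, ...]} for every in-scope billing scope."""
    by_scope = {b["scope"]: b for b in budgets}
    findings = {}
    for scope in in_scope:
        issues = []
        budget = by_scope.get(scope)
        if budget is None:
            issues.append("no budget defined")
        else:
            alerts = budget.get("alerts", [])
            if not alerts:
                issues.append("budget has no alerts")
            else:
                # An early-warning alert fires before the limit is reached.
                if not any(a["threshold_pct"] < 100 for a in alerts):
                    issues.append("no alert below 100% of limit")
                # Alerts that reach one person stop working when that person leaves.
                recipients = {r.lower() for a in alerts for r in a.get("recipients", [])}
                if len(recipients) < 2:
                    issues.append("alerts reach fewer than two recipients")
        findings[scope] = issues
    return findings


if __name__ == "__main__":
    for scope, issues in audit_budgets(SAMPLE_BUDGETS, IN_SCOPE).items():
        print(scope, "->", "; ".join(issues) or "ok")
```

An empty findings list for a scope means the three checks passed; it says nothing about whether the budget amount itself is appropriate.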
Depending on how the environment has been configured, some access controls may be defined around who can access billing and cost information. In some cases, an individual may be named as an account owner and retain access to billing and cost details based on that status. In AWS, you may see information about billing in the top-right navigation area, as shown in Figure 5.16:
Figure 5.16 – AWS navigation to Service Quotas and Billing Dashboard
Here, you can see there are navigation links to both Service Quotas and Billing Dashboard. Quotas are an important component of capacity and thus cost.
When accessing the Billing Dashboard area in AWS, as shown in Figure 5.17, information regarding usage reports, cost categories, and allocation tags is also available:
Figure 5.17 – AWS Billing Dashboard
Earlier in this chapter, we reviewed the use and importance of tagging from a change management perspective. Now, we can see that they are also relevant for financial change management.
Within the Microsoft Azure portal, there are a few different places where you can review cost management options. One way to navigate is by searching for billing and then going to the Cost Management + Billing blade (as shown in Figure 5.18). From here, you can select the option for Billing scopes, as shown in the left-hand side navigation menu:
Figure 5.18 – Azure navigation to Cost Management + Billing
After you’ve selected a billing scope, as shown in Figure 5.19, you can view more information regarding the configuration and setup of cost alerts and analysis:
Figure 5.19 – Azure Cost Management + Billing
After selecting a scope, you can also see or create budget alerts (as shown in Figure 5.20):
Figure 5.20 – Azure – Create budget
Like AWS and Microsoft Azure, GCP offers options to view and control billing. You can see this information by selecting the Billing product in the left navigation panel, as shown in Figure 5.21:
Figure 5.21 – Google Cloud Billing
In GCP, you can also see details regarding quota limits, quota usage, and requests for increases (as shown in Figure 5.22):
Figure 5.22 – Google Cloud quota increase
Now that we’ve reviewed how to view billing and cost controls, let’s discuss financial resource ownership in cloud environments.
Financial resource ownership
As we reviewed in Chapter 1, Cloud Architecture and Navigation, cloud services operate on the Shared Responsibility Model. Understanding this becomes increasingly important as you begin to assess change management controls, which is the ability to log and view changes in a cloud environment and protect against unexpected costs. In most scenarios, it is not the responsibility of the cloud provider to prevent an organization from incurring overages because they have consumed more resources than planned or because there is a lack of controls around who can request increased quota and services. An organization must be vigilant in establishing and communicating a financial ownership and responsibility structure, with both process and technical controls that enforce that structure.
Summary
In this chapter, we looked at some essential areas for IT controls, change management, and financial resource management, where configuration options exist for identity and access management within the three major cloud providers. We covered where policy and tagging configuration can be found and how this information may be automated and influence access.
We also reviewed tools available for change management controls in a CI/CD cloud environment, as well as how to view change history. We finished this chapter by reviewing some features available for billing and cost controls and the importance of determining financial resource ownership.
In the next chapter, we’ll look at executing an effective cloud portal audit plan and some tips and techniques that will support that.