Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Create AWS Budgets with SNS-backed alerts for all central Landing Zone accounts (Management, Security, Log Archive, Network) to detect unexpected cost increases early. Complement static budget thresholds with AWS Cost Anomaly Detection for intra-month spike detection that threshold-based budgets alone cannot catch.
Central accounts typically have stable, predictable cost profiles. Any meaningful deviation is worth investigating as it may indicate log bombing, a misconfigured service, unauthorized resource creation, or an active security incident.
Two complementary detection layers are required:
1. AWS Budgets - threshold-based alerting
Configure monthly cost budgets per central account with notifications at:
- 80% of budget: early warning
- 100% of budget: missconfiguration or breach confirmed
- 100% forecasted: proactive alert before the month ends
Use SNS topics (not raw email) as the notification target so alerts can be routed to your incident management tooling (PagerDuty, Slack, etc.) via Lambda or EventBridge.
2. AWS Cost Anomaly Detection - ML-based spike detection
Static budget thresholds only fire when cumulative monthly spend crosses a boundary. A sudden spike on day 3 of the month (e.g., 10x normal daily spend) may not breach the monthly threshold but still warrants immediate investigation. Cost Anomaly Detection uses ML to baseline per-service spend patterns and alerts on deviations regardless of where you are in the billing cycle.
Create one Anomaly Monitor per central account scoped to LINKED_ACCOUNT and configure
an Anomaly Subscription with a minimum impact threshold (e.g., $50 absolute or 20%
relative) to avoid alert fatigue from minor fluctuations.
Unexpected cost increases in central accounts can indicate log bombing attacks, misconfigured services, or unauthorized resource creation. The combination of threshold-based budgets and ML anomaly detection covers both slow-burn overruns and acute spikes, providing the earliest possible signal across both failure modes.
Remediation Strategy
For each central account, deploy an AWS Budget with SNS notifications at 80% and 100% thresholds, and a Cost Anomaly Detection monitor with an alert subscription. Both resources should be deployed from the Management account using the Budgets and Cost Explorer APIs.
Create an SNS topic in each central account (or a shared Security account topic) to receive budget and anomaly alerts.
Subscribe your incident management tool or operations email to the SNS topic.
Deploy an AWS Budget per central account with 80%, 100% actual, and 100% forecasted notifications targeting the SNS topic ARN.
Deploy a Cost Anomaly Detection monitor per central account with a linked-account scope and an anomaly subscription with a $50 minimum impact threshold.
Document the expected monthly cost baseline for each central account to inform budget limit values.
Review and adjust budget limits monthly as part of the FinOps governance cycle.
variable "account_id" { default = "222222222222" }
variable "budget_limit_usd" { default = "1000" }
variable "alert_email" { default = "[EMAIL_ADDRESS]" }
variable "anomaly_threshold_usd" { default = "50" }
# SNS topic for budget and anomaly alerts
resource "aws_sns_topic" "cost_alerts" {
name = "central-account-cost-alerts"
}
resource "aws_sns_topic_subscription" "cost_alerts_email" {
topic_arn = aws_sns_topic.cost_alerts.arn
protocol = "email"
endpoint = var.alert_email
}
# CRITICAL: SNS Topic Policy to allow AWS Budgets and Cost Explorer to publish alerts
resource "aws_sns_topic_policy" "cost_alerts_policy" {
arn = aws_sns_topic.cost_alerts.arn
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "AllowAWSAlertsToPublish"
Effect = "Allow"
Principal = {
Service = [
"budgets.amazonaws.com",
"costalerts.amazonaws.com"
]
}
Action = "SNS:Publish"
Resource = aws_sns_topic.cost_alerts.arn
}
]
})
}
# Monthly cost budget with three notification thresholds
resource "aws_budgets_budget" "central_account" {
name = "central-account-monthly-budget"
budget_type = "COST"
limit_amount = var.budget_limit_usd
limit_unit = "USD"
time_unit = "MONTHLY"
# FIXED: Added the mandatory "notification" block keywords
# 80% actual spend - early warning
notification {
comparison_operator = "GREATER_THAN"
threshold = 80
threshold_type = "PERCENTAGE"
notification_type = "ACTUAL"
subscriber_sns_topic_arns = [aws_sns_topic.cost_alerts.arn]
}
# 100% actual spend - breach notification
notification {
comparison_operator = "GREATER_THAN"
threshold = 100
threshold_type = "PERCENTAGE"
notification_type = "ACTUAL"
subscriber_sns_topic_arns = [aws_sns_topic.cost_alerts.arn]
}
# 100% forecasted - proactive end-of-month warning
notification {
comparison_operator = "GREATER_THAN"
threshold = 100
threshold_type = "PERCENTAGE"
notification_type = "FORECASTED"
subscriber_sns_topic_arns = [aws_sns_topic.cost_alerts.arn]
}
}
# Cost Anomaly Detection monitor scoped to this linked account
resource "aws_ce_anomaly_monitor" "central_account" {
name = "central-account-anomaly-monitor"
monitor_type = "DIMENSIONAL"
monitor_dimension = "SERVICE"
}
resource "aws_ce_anomaly_subscription" "central_account" {
name = "central-account-anomaly-subscription"
frequency = "IMMEDIATE"
monitor_arn_list = [aws_ce_anomaly_monitor.central_account.arn]
subscriber {
type = "SNS"
address = aws_sns_topic.cost_alerts.arn
}
threshold_expression {
dimension {
key = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
values = [tostring(var.anomaly_threshold_usd)]
match_options = ["GREATER_THAN_OR_EQUAL"]
}
}
}Enforcement Logic
Verify that each central account has an active AWS Budget with notifications configured at 80% and 100% thresholds, and that at least one Cost Anomaly Monitor and Subscription exist with a valid SNS subscriber.
# List all budgets for a central account
aws budgets describe-budgets \
--account-id <ACCOUNT_ID> \
--query 'Budgets[].{Name:BudgetName,Limit:BudgetLimit,TimeUnit:TimeUnit}'
# Verify notification targets for a specific budget
aws budgets describe-notifications-for-budget \
--account-id <ACCOUNT_ID> \
--budget-name "CentralAccountBudget"
# List active anomaly monitors
aws ce get-anomaly-monitors \
--query 'AnomalyMonitors[].{Name:MonitorName,Type:MonitorType,Status:CreationStatus}'
# List anomaly subscriptions
aws ce get-anomaly-subscriptions \
--query 'AnomalySubscriptions[].{Name:SubscriptionName,Frequency:Frequency,Subscribers:Subscribers}'