Running a Mature FinOps Practice on AWS and Azure in the Enterprise
A deep-dive into building a production-grade FinOps practice using native AWS and Azure tooling, covering cost visibility, optimization, governance, and cultural change at scale.
Running a Mature FinOps Practice on AWS and Azure in the Enterprise
Cloud spending in the enterprise is no longer a line item you can ignore. In 2026, the average Fortune 500 company is spending north of $50 million annually across AWS and Azure combined—and a disturbing amount of that is waste. Idle resources, oversized instances, orphaned storage volumes, and forgotten dev environments silently bleed budgets dry every single month.
FinOps—Financial Operations for the Cloud—is the discipline that fixes this. But reading a blog post about “the three pillars” isn’t enough. What actually works in practice? How do you wire up AWS and Azure’s native tooling into a real, functioning cost management machine? This guide breaks it down.
Why Most FinOps Initiatives Fail
Let’s start with the uncomfortable truth. Most enterprises that “adopt FinOps” don’t actually change anything. They install a dashboard, hold a quarterly meeting, and call it a day. Six months later, the cloud bill is higher than ever.
The failure modes are predictable:
- No ownership. Nobody’s job is to care about cloud costs.
- No feedback loop. Engineers never see the cost impact of their decisions.
- Tool sprawl. Teams buy third-party platforms before using what the cloud providers already give them for free.
- No tagging discipline. Without consistent resource tags, cost attribution is impossible.
A mature FinOps practice solves all four of these. Here’s how.
Phase 1: Build the Foundation — Visibility and Tagging
You can’t optimize what you can’t see. Before you touch a single resource, you need two things: a tagging strategy and a cost visibility layer.
Tagging Strategy
Every resource across both clouds must be tagged with at minimum:
| Tag Key | Purpose | Example |
|---|---|---|
cost-center | Maps to a finance cost center | CC-4200 |
environment | Dev, staging, prod | production |
team | Owning team | platform-eng |
project | Business initiative | checkout-v3 |
owner | Individual accountable | j.singh@corp.com |
Enforcing Tags on AWS
AWS Organizations provides Tag Policies that enforce tagging at the organizational level. Combine this with AWS Config rules to detect and flag non-compliant resources.
{
"tags": {
"cost-center": {
"tag_key": { "@@assign": "cost-center" },
"enforced_for": { "@@assign": ["ec2:instance", "rds:db", "s3:bucket"] }
}
}
}Use AWS Config with the required-tags managed rule to trigger alerts or even auto-remediation via Lambda when untagged resources appear.
aws configservice put-config-rule \
--config-rule '{
"ConfigRuleName": "required-tags-check",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "REQUIRED_TAGS"
},
"InputParameters": "{\"tag1Key\":\"cost-center\",\"tag2Key\":\"environment\",\"tag3Key\":\"team\"}"
}'Enforcing Tags on Azure
Azure Policy is the equivalent. Create a policy definition that denies resource creation without required tags:
{
"if": {
"anyOf": [
{ "field": "tags['cost-center']", "exists": "false" },
{ "field": "tags['environment']", "exists": "false" },
{ "field": "tags['team']", "exists": "false" }
]
},
"then": {
"effect": "deny"
}
}Assign this at the Management Group level so it cascades across all subscriptions. No exceptions.
Cost Visibility
AWS: Cost Explorer + CUR
AWS Cost Explorer is your starting point. It gives you out-of-the-box views by service, account, region, and tag. But the real power comes from the Cost and Usage Report (CUR).
CUR is a detailed, line-item-level export of every charge on your account. Export it to S3, then query it with Athena:
SELECT
line_item_product_code,
product_region,
resource_tags_user_cost_center,
SUM(line_item_unblended_cost) AS total_cost
FROM cur_database.cur_table
WHERE month = '4' AND year = '2026'
GROUP BY 1, 2, 3
ORDER BY total_cost DESC
LIMIT 20;This gives you granular, queryable cost data that no dashboard can match. Build QuickSight dashboards on top of this for executive reporting.
Azure: Cost Management + Exports
Azure Cost Management is built directly into the portal. Use Cost Analysis to slice spending by subscription, resource group, tag, or meter category.
For programmatic access, configure Scheduled Exports to push cost data to a Storage Account in CSV format, then query it with Azure Data Explorer or Synapse Analytics:
CostData
| where Timestamp > ago(30d)
| summarize TotalCost = sum(Cost) by ResourceGroup, TagCostCenter
| order by TotalCost desc
| take 20Set up Budgets with action groups to alert teams when they hit 75%, 90%, and 100% of their allocated spend.
Phase 2: Optimize — The Big Wins
Once you have visibility, optimization follows a predictable pattern. The biggest savings almost always come from three areas: rightsizing, reservations, and waste elimination.
Rightsizing
AWS
AWS Compute Optimizer analyzes your EC2, EBS, Lambda, and ECS workloads and recommends instance types based on actual utilization. Most enterprises find that 30-40% of their instances are oversized.
aws compute-optimizer get-ec2-instance-recommendations \
--filters "name=Finding,values=OVER_PROVISIONED" \
--query 'instanceRecommendations[*].{
ID: instanceArn,
Current: currentInstanceType,
Recommended: recommendationOptions[0].instanceType,
Savings: recommendationOptions[0].estimatedMonthlySavings.value
}' \
--output tableAct on the top recommendations immediately. A single m5.4xlarge running at 8% CPU that should be a m5.large saves you roughly $350/month. Multiply that across hundreds of instances.
Azure
Azure Advisor provides equivalent rightsizing recommendations. Query them programmatically:
az advisor recommendation list \
--category Cost \
--query "[?shortDescription.solution=='Right-size or shutdown underutilized virtual machines']"Azure also offers VM Insights backed by Azure Monitor Agent, which gives you deep utilization data (CPU, memory, disk, network) to make informed downsizing decisions.
Reserved Instances and Savings Plans
This is where the big money is. On-demand pricing is the cloud equivalent of paying rack rate at a hotel.
AWS Savings Plans
AWS Savings Plans offer up to 72% savings over On-Demand pricing. There are two types:
- Compute Savings Plans: Flexible across instance families, regions, and even services (EC2, Fargate, Lambda). Best for dynamic workloads.
- EC2 Instance Savings Plans: Locked to a specific instance family in a specific region. Deeper discount but less flexibility.
Use the Savings Plans Purchase Recommendations in Cost Explorer. It analyzes your last 7, 30, or 60 days of usage and tells you exactly what commitment will yield the best return.
aws ce get-savings-plans-purchase-recommendation \
--savings-plans-type COMPUTE_SP \
--term-in-years ONE_YEAR \
--payment-option NO_UPFRONT \
--lookback-period-in-days THIRTY_DAYSAzure Reservations
Azure Reservations cover VMs, SQL Database, Cosmos DB, Storage, and more. Use the Reservation Recommendations in the Azure portal or API:
az consumption reservation recommendation list \
--scope "shared" \
--look-back-period "Last30Days" \
--resource-type "VirtualMachines"A common enterprise pattern: purchase 1-year no-upfront reservations to start, covering your baseline steady-state workloads. As confidence grows, move to 3-year all-upfront for the deepest discounts on truly stable infrastructure.
Waste Elimination
The low-hanging fruit that every enterprise has:
| Waste Type | AWS Detection | Azure Detection |
|---|---|---|
| Unattached EBS/Disks | aws ec2 describe-volumes --filters Name=status,Values=available | az disk list --query "[?diskState=='Unattached']" |
| Idle Load Balancers | CloudWatch RequestCount = 0 for 7+ days | Azure Monitor zero-request metrics |
| Old Snapshots | aws ec2 describe-snapshots --owner-ids self --query "sort_by(Snapshots, &StartTime)[:10]" | az snapshot list --query "sort_by([], &timeCreated)[:10]" |
| Unused Elastic IPs | aws ec2 describe-addresses --query "Addresses[?AssociationId==null]" | N/A (Azure doesn’t charge for unattached PIPs the same way) |
| Dev environments running 24/7 | Instance Scheduler | Start/Stop VMs v2 (Azure Automation) |
The dev environment problem is universal. Engineering teams spin up environments Monday morning and forget about them. They run all weekend. AWS Instance Scheduler or Azure’s Start/Stop VMs solution can automatically shut down non-production workloads outside business hours, saving 65%+ on those resources alone.
Phase 3: Govern — Sustained Cost Discipline
Optimization without governance is a one-time cleanup. Governance makes it permanent.
Budgets and Alerts
AWS Budgets
Create budgets per account, per tag, or per service. Set up alerts at multiple thresholds:
aws budgets create-budget \
--account-id 123456789012 \
--budget '{
"BudgetName": "platform-eng-monthly",
"BudgetLimit": { "Amount": "25000", "Unit": "USD" },
"TimeUnit": "MONTHLY",
"BudgetType": "COST",
"CostFilters": { "TagKeyValue": ["user:team$platform-eng"] }
}' \
--notifications-with-subscribers '[
{
"Notification": { "NotificationType": "ACTUAL", "ComparisonOperator": "GREATER_THAN", "Threshold": 80 },
"Subscribers": [{ "SubscriptionType": "EMAIL", "Address": "platform-eng@corp.com" }]
}
]'Azure Budgets
az consumption budget create \
--budget-name "platform-eng-monthly" \
--amount 25000 \
--category Cost \
--time-grain Monthly \
--start-date 2026-04-01 \
--end-date 2027-03-31Wire Azure Budgets to Action Groups that send emails, trigger Logic Apps, or even invoke Azure Functions to automatically scale down resources when budgets are breached.
Anomaly Detection
AWS Cost Anomaly Detection
AWS offers a native anomaly detection service that uses machine learning to identify unusual spending patterns. Create monitors per account, service, or cost allocation tag:
aws ce create-anomaly-monitor \
--anomaly-monitor '{
"MonitorName": "production-spend",
"MonitorType": "DIMENSIONAL",
"MonitorDimension": "SERVICE"
}'It flags spikes like “Your RDS spending increased 340% day-over-day” before they become month-end surprises.
Azure Cost Alerts
Azure Cost Management includes Anomaly Alerts as part of its alerting framework. Configure them through the portal under Cost Management > Cost Alerts. They detect unusual spending patterns and notify via Action Groups.
Account and Subscription Structure
Mature FinOps practices use the cloud account/subscription as a governance boundary:
- AWS: Use AWS Organizations with separate accounts per environment (dev, staging, prod) and per business unit. Apply Service Control Policies (SCPs) to restrict expensive instance types in non-production accounts.
- Azure: Use Management Groups to organize subscriptions. Apply Azure Policy at the management group level. Separate subscriptions for each major workload or team.
This structure makes cost attribution automatic—you know what each account/subscription costs without relying solely on tags.
Phase 4: Culture — The Hardest Part
Tools and policies are necessary but not sufficient. The organizations that truly master FinOps change how engineers think about money.
The FinOps Team
Establish a central FinOps team (even if it’s 2-3 people to start) with this charter:
- Weekly cost reviews with engineering leads
- Monthly showback reports per team showing their cloud spend vs. budget
- Quarterly optimization sprints where teams dedicate time to acting on recommendations
- A Slack/Teams channel where cost anomalies are posted automatically
Engineer Accountability
The most impactful cultural change: put cost data in front of engineers where they already work.
- Add cost widgets to your internal developer portal
- Include estimated monthly cost in pull request checks for Terraform/IaC changes (tools like Infracost do this)
- Add cloud cost as a metric in your team’s sprint retrospectives
- Celebrate cost savings the same way you celebrate feature launches
Showback vs. Chargeback
Most enterprises start with showback (showing teams what they spend without billing them internally). This creates awareness. Mature organizations move to chargeback (internal billing) to create real accountability.
The progression looks like this:
- Visibility (Month 1-3): Dashboards and reports exist. Teams can see their costs.
- Showback (Month 3-6): Monthly reports sent to team leads with commentary.
- Soft Chargeback (Month 6-12): Costs are allocated to teams in planning, but don’t directly impact budgets.
- Full Chargeback (Year 2+): Cloud costs are deducted from team/BU budgets. Engineering decisions now have direct financial consequences.
A Real-World Enterprise FinOps Stack
Here’s what a production-grade FinOps setup looks like using native tooling across both clouds:
| Layer | AWS | Azure |
|---|---|---|
| Cost Data | CUR → S3 → Athena | Cost Exports → Storage → Synapse |
| Dashboards | QuickSight | Power BI |
| Rightsizing | Compute Optimizer | Azure Advisor |
| Reservations | Savings Plans | Azure Reservations |
| Budgets | AWS Budgets | Azure Budgets |
| Anomaly Detection | Cost Anomaly Detection | Cost Alerts |
| Tagging Enforcement | Tag Policies + Config Rules | Azure Policy |
| Waste Automation | Lambda + EventBridge | Azure Functions + Logic Apps |
| IaC Cost Checks | Infracost in CI/CD | Infracost in CI/CD |
You don’t need a $200K/year third-party platform to do this. AWS and Azure give you 90% of what you need out of the box. The remaining 10% is process and culture.
The Bottom Line
Running a mature FinOps practice in the enterprise isn’t a tooling problem—it’s an organizational one. The cloud providers have built excellent native cost management capabilities. The challenge is wiring them together into a coherent system and building a culture where engineers treat cloud spend as a first-class engineering metric.
Start with tagging. Build visibility. Optimize the big three (rightsizing, reservations, waste). Govern with budgets and anomaly detection. And above all, make cost a team sport.
The enterprises that get this right in 2026 aren’t just saving money—they’re building sustainable cloud practices that scale with the business instead of against it.