Implement groups and roles

PostedDecember 20, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Implementing groups and roles is crucial for enforcing governance policies within your cloud environment. This approach enables organizations to maintain control over resources, ensuring that costs are managed while achieving business objectives efficiently. It encourages accountability and oversight, preventing unapproved resource expenditures.

Best Practices

Role-Based Access Control (RBAC)

Environment Segregation

Questions to ask your team

What processes are in place to ensure that resource creation aligns with cost management policies?
How are permissions for creating, modifying, and deleting resources assigned and reviewed?
Do you have separate roles for development, testing, and production environments to minimize unnecessary costs?
How often do you audit group and role configurations to ensure compliance with your cost optimization policies?
What tools or mechanisms do you use to monitor and optimize resource usage according to the roles defined?

Who should be doing this?

Cloud Administrator

Define and implement IAM groups and roles to enforce cost-control policies.
Monitor resource usage and compliance with established policies.
Manage permissions associated with various environments (development, test, production).

Cost Governance Officer

Establish cost governance policies across teams.
Conduct regular audits of resource usage to ensure adherence to cost optimization strategies.
Provide training on resource management practices and cost-saving measures.

Development Team Lead

Ensure that development teams adhere to defined roles and permissions when creating and managing resources.
Coordinate with administrators to request needed resources while staying within budget constraints.
Review and optimize resource utilization on an ongoing basis.

Finance Analyst

Analyze cost reports and usage patterns to identify areas for cost savings.
Assist in establishing budgets aligned with resource utilization policies.
Collaborate with other roles to align financial objectives with operational capabilities.

Security Officer

Review IAM policies to ensure they do not introduce security vulnerabilities while optimizing costs.
Engage in audits and compliance checks related to resource access and usage.
Promote awareness of secure resource management practices across teams.

What evidence shows this is happening in your organization?

Cost Governance Policy Template: A template outlining governance policies for cost management, including guidelines for resource allocation, approval workflows, and roles and responsibilities.
IAM Role Management Report: A report detailing the implementation of IAM roles aligned with cost management policies, including assigned permissions for development, testing, and production groups.
Cost Optimization Dashboard: A dashboard that visualizes resource usage and budget adherence, allowing teams to monitor costs in real-time and ensure compliance with governance policies.
Resource Management Checklist: A checklist to verify compliance with governance policies regarding resource creation, modification, and decommissioning, ensuring that roles are applied correctly.
Governance Strategy Guide: A guide outlining strategies for implementing cost governance through defined groups and roles, with best practices for maintaining oversight while promoting innovation.

Cloud Services

AWS

AWS Identity and Access Management (IAM): IAM allows you to create users, groups, and policies to control access to AWS services. This is essential for enforcing governance and ensuring that only authorized users can create or modify resources.
AWS Organizations: AWS Organizations helps you centrally manage and govern multiple AWS accounts, enabling you to set service control policies to limit what can be done across accounts and ensure cost governance.
AWS Budgets: AWS Budgets allows you to set cost and usage budgets that alert you if you exceed your thresholds, ensuring you stay aware of spending and can govern usage effectively.

Azure

Azure Active Directory (AAD): Azure AD provides identity management capabilities that allow you to create roles and control access to Azure resources, ensuring that only authorized users can provision or modify resources.
Azure Policy: Azure Policy helps you enforce organizational standards and assess compliance at scale, ensuring governance over which resources can be created or modified.
Azure Cost Management: Azure Cost Management helps you track and optimize your Azure spending and provides insights to help govern costs effectively.

Google Cloud Platform

Identity and Access Management (IAM): IAM allows you to manage access control by defining who can take what action on specific resources, critical for governance and cost control in GCP.
Resource Manager: Resource Manager allows you to programmatically manage your GCP resources and set policies to enforce governance on how resources are deployed and managed across the organization.
Google Cloud Billing: Google Cloud Billing provides insights into your resource usage and costs, allowing you to set budgets and alerts for better cost governance.

Question: How do you govern usage?
Pillar: Cost Optimization (Code: COST)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals