Technical Documentation

All Cloud Scal3 products are reviewed by AWS through the AWS Foundational Technical Review.

FinOps Center is classified as a Customer Deployed Solution, which requires that customer guidance aligned to AWS best practices is provided; that guidance is detailed in the subsections of each category below.

Additionally, our AWS Marketplace products are validated by the AWS Marketplace onboarding team, which scans the AMIs we upload and validates that our CloudFormation templates adhere to their standards.

Solution Management

FinOps Center is deployed entirely within the customer's AWS account and is built 100% on native AWS services, enabling centralized operations management, governance, and observability aligned with AWS best practices. It provides customers with full ownership and control of their operational environment while supporting scalable, secure, and compliant centralized management across their AWS workloads.

Centralized Operational Control

The solution is designed to support centralized visibility and control through seamless integration with AWS native tools, allowing customers to centrally manage infrastructure, security, and operations. Key components include:

  • AWS CloudFormation: FinOps Center's serverless infrastructure and application code are deployed with CloudFormation, ensuring consistent deployments.

  • AWS Control Tower and AWS Organizations alignment: FinOps Center integrates with the Account Management APIs, accessed from the Delegated Admin account, so that new AWS accounts can be onboarded immediately rather than only once they appear in the Cost and Usage Report.

Centralized Monitoring and Logging

To support operational excellence and proactive issue detection, the solution integrates natively with:

  • Amazon CloudWatch (Logs, Metrics, Alarms, Dashboards): All FinOps Center operations are monitored by CloudWatch, which provides real-time performance monitoring and unified observability across application components.

  • AWS CloudTrail and AWS Config: Aligned to AWS Best Practices, all FinOps Center transactions and configuration updates are tracked with AWS CloudTrail and AWS Config.

Centralized Compliance and Governance

The solution promotes centralized compliance through:

  • AWS Config Rules and Conformance Packs: Evaluate resource configurations continuously across all regions and accounts to ensure compliance with internal policies and industry regulations.

  • IAM, SCPs, and Resource Policies: Secure access to resources is managed centrally using AWS IAM policies, permission boundaries, and Service Control Policies (SCPs) where AWS Organizations is used.

Adding to VPC

FinOps Center's S3, Lambda, and DynamoDB components can be placed inside a VPC like any other application, using VPC Endpoints.

New VPC

  • 1 VPC, e.g. 10.0.0.0/16

  • At least 2 public and 2 private subnets across 2 AZs

  • Internet Gateway attached

  • NAT Gateway(s) in public subnets

  • Route tables:

    • Public subnets → 0.0.0.0/0 via IGW

    • Private subnets → 0.0.0.0/0 via NAT

  • Attach FinOps Center Lambdas to the VPC

    For each Lambda that should live “inside the VPC”:

    • IAM for VPC attachment: add the managed policy AWSLambdaVPCAccessExecutionRole to the Lambda execution role so Lambda can create Hyperplane ENIs.

    • Data access endpoints:

      • S3 Gateway endpoint – for CUR 2.0, Cost Optimization Hub exports, and Athena query results

      • Interface endpoints (AWS PrivateLink) for:

        • com.amazonaws.<region>.dynamodb

        • ...sts

        • ...logs (if you want private delivery to CloudWatch Logs)

        • ...secretsmanager / ...ssm / ...lambda as needed

    • Attach security groups to the endpoints that allow inbound from sg-finopscenter-lambda (or the ECS SG) on 443.
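The checklist above has three parts that are easy to get wrong independently: the execution-role policy, the set of endpoints, and the endpoint security group's 443 rule. The following linter, an added example that is not FinOps Center's own code, walks a CloudFormation template (loaded as a dict) and reports which of those prerequisites is missing. The logical IDs (UsageLambdaHandler, EndpointSG, LambdaSG, the endpoint resources) and the minimal template it checks are constructed for illustration; the AWSLambdaVPCAccessExecutionRole policy ARN and the com.amazonaws.<region>.<service> endpoint naming are the real AWS values.

```python
"""Lint a CloudFormation template (loaded as a dict) for the VPC-attachment
prerequisites listed above. Added example, not FinOps Center's own code; the
logical IDs below are made up and the template is a minimal fragment."""

VPC_POLICY = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
# Interface endpoints the list above calls for; extend with secretsmanager/ssm/lambda as needed.
REQUIRED_INTERFACE = ("dynamodb", "sts", "logs")


def _ref(value):
    """Resolve {"Ref": X} or {"Fn::GetAtt": [X, ...]} to the logical ID X; pass strings through."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return value


def _service(name):
    """'com.amazonaws.us-east-1.sts' (or an Fn::Sub of it) -> 'sts'."""
    if isinstance(name, dict):
        name = name.get("Fn::Sub", "")
    return name.rsplit(".", 1)[-1]


def _allows_443_from(sg, lambda_sgs):
    """True if the security group has an ingress rule for tcp/443 sourced from a Lambda SG."""
    for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []):
        proto_ok = rule.get("IpProtocol") in ("tcp", "-1")
        port_ok = int(rule.get("FromPort", 0)) <= 443 <= int(rule.get("ToPort", 65535))
        if proto_ok and port_ok and _ref(rule.get("SourceSecurityGroupId")) in lambda_sgs:
            return True
    return False


def lint_vpc_attachment(template):
    """Return a list of findings; an empty list means the checklist above is satisfied."""
    res = template["Resources"]
    findings, lambda_sgs = [], set()
    # 1. Every VPC-attached Lambda needs AWSLambdaVPCAccessExecutionRole to create Hyperplane ENIs.
    for lid, r in res.items():
        if r["Type"] != "AWS::Lambda::Function" or "VpcConfig" not in r["Properties"]:
            continue
        lambda_sgs.update(_ref(s) for s in r["Properties"]["VpcConfig"]["SecurityGroupIds"])
        role = res.get(_ref(r["Properties"]["Role"]), {})
        if VPC_POLICY not in role.get("Properties", {}).get("ManagedPolicyArns", []):
            findings.append(f"{lid}: execution role lacks AWSLambdaVPCAccessExecutionRole")
    # 2. The S3 Gateway endpoint and the Interface endpoints must exist ...
    endpoints = {_service(r["Properties"]["ServiceName"]): (lid, r)
                 for lid, r in res.items() if r["Type"] == "AWS::EC2::VPCEndpoint"}
    if endpoints.get("s3", (None, {}))[1].get("Properties", {}).get("VpcEndpointType") != "Gateway":
        findings.append("missing S3 Gateway endpoint")
    for svc in REQUIRED_INTERFACE:
        lid, ep = endpoints.get(svc, (None, None))
        if ep is None or ep["Properties"].get("VpcEndpointType") != "Interface":
            findings.append(f"missing Interface endpoint for {svc}")
            continue
        # 3. ... and their security groups must accept 443 from the Lambda security group.
        for sg_ref in ep["Properties"].get("SecurityGroupIds", []):
            sg_id = _ref(sg_ref)
            if not _allows_443_from(res.get(sg_id, {}), lambda_sgs):
                findings.append(f"{lid}: security group {sg_id} does not allow tcp/443 from the Lambda SG")
    return findings


def make_template(region="us-east-1"):
    """Constructed, minimal template: subnets and route tables are referenced but omitted."""
    def endpoint(svc, kind):
        props = {"VpcId": {"Ref": "Vpc"}, "VpcEndpointType": kind,
                 "ServiceName": f"com.amazonaws.{region}.{svc}"}
        if kind == "Interface":
            props.update(PrivateDnsEnabled=True, SubnetIds=[{"Ref": "PrivateSubnetA"}],
                         SecurityGroupIds=[{"Ref": "EndpointSG"}])
        else:
            props["RouteTableIds"] = [{"Ref": "PrivateRouteTable"}]
        return {"Type": "AWS::EC2::VPCEndpoint", "Properties": props}

    return {"Resources": {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "LambdaSG": {"Type": "AWS::EC2::SecurityGroup",
                     "Properties": {"GroupDescription": "finopscenter lambdas", "VpcId": {"Ref": "Vpc"}}},
        "EndpointSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "vpc endpoints", "VpcId": {"Ref": "Vpc"},
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                      "SourceSecurityGroupId": {"Ref": "LambdaSG"}}]}},
        "LambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {}, "ManagedPolicyArns": [VPC_POLICY]}},
        "UsageLambdaHandler": {"Type": "AWS::Lambda::Function", "Properties": {
            "Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]}, "Runtime": "python3.12",
            "Handler": "index.handler", "Code": {"ZipFile": "def handler(e, c): return 'ok'"},
            "VpcConfig": {"SubnetIds": [{"Ref": "PrivateSubnetA"}],
                          "SecurityGroupIds": [{"Ref": "LambdaSG"}]}}},
        "S3Endpoint": endpoint("s3", "Gateway"),
        "DynamoDbEndpoint": endpoint("dynamodb", "Interface"),
        "StsEndpoint": endpoint("sts", "Interface"),
        "LogsEndpoint": endpoint("logs", "Interface"),
    }}


def broken_template():
    """The same template with three of the prerequisites removed, to show the findings."""
    t = make_template()
    t["Resources"]["LambdaRole"]["Properties"]["ManagedPolicyArns"] = []
    del t["Resources"]["LogsEndpoint"]
    rule = t["Resources"]["EndpointSG"]["Properties"]["SecurityGroupIngress"][0]
    rule["FromPort"] = rule["ToPort"] = 80   # endpoint SG no longer admits 443
    return t


if __name__ == "__main__":
    print(lint_vpc_attachment(make_template()))
    for finding in lint_vpc_attachment(broken_template()):
        print("FAIL:", finding)
```

Run it against a real template by loading the JSON with `json.load` and passing the dict to `lint_vpc_attachment`; a Lambda that reaches the endpoint SG only through a rule that was narrowed to another port shows up as the "does not allow tcp/443" finding, which is the symptom behind ENI-attached functions timing out on DynamoDB or STS calls.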

Architecture

FinOps Center is 100% cloud-native, leveraging a number of AWS services. The full architecture runs across multiple AWS accounts, aligned to the AWS multi-account strategy.

In the Master Payer Account, FinOps Center leverages the Cost & Usage Report (CUR) for billing information. The CUR is stored in an S3 bucket in the Master Payer Account. Customers use S3 Bucket Replication (and Batch Operations) to move the CUR objects to the S3 bucket in the account where FinOps Center is installed.

One limitation of the CUR is the delay before new accounts show up in the file. During the account vending process, this delay adds work to align AWS accounts to financial budgets. To facilitate this end-to-end process, FinOps Center (in the Delegated Admin / CloudOps account) queries the Organizations / Account Management API so that accounts are onboarded immediately, even before the account has any billing data.

Subscriptions

All Cloud Scal3 products are sold exclusively via the AWS Marketplace.

Any customized offering or pricing is handled via the standard Private Offers process within Marketplace.

Regions Supported

  • US East (N. Virginia) (us-east-1)

  • US East (Ohio) (us-east-2)

  • US West (N. California) (us-west-1)

  • US West (Oregon) (us-west-2)

Data Storage & Security

FinOps Center stores data in DynamoDB and follows the general practices for DynamoDB storage and security.

As with all data stored in DynamoDB, customers can choose to encrypt the data at rest with the default AWS owned key, an AWS managed key, or a customer managed key.

AWS Service Instructions

  • Delegated Admin Account via Security Hub Configuration

  • AWS Multi-Account Framework

  • AWS Control Tower with Multi-Account Strategy

  • AWS Cloud Financial Management

AWS Service Limits

  • Cognito Quotas

  • DynamoDB

  • Lambda

Security, Monitoring, and Backup

  • DynamoDB

    • Encryption

    • Monitoring

    • Backup

  • Lambda

    • Security

    • Monitoring

  • VPC Endpoints

  • IAM Best Practice

    Amazon Q in QuickSight Community

    Cloud Intelligence Dashboard Framework

    Monitoring

    Agent Bill Agentic CFM

Required Tools used for Health Validation

  • AgentCore Observability (request traces, token validity, workflow action traces)

  • Amazon CloudWatch (metrics, logs, alarms on Lambda, ECS, AppSync)

| Component | Health Source |
| --- | --- |
| Agent Bill → AgentCore MCP Gateway connectivity | AgentCore Observability Console Health Endpoint (/health) |
| AgentCore ECS Runtime | ECS task status + ALB target health |
| FinOps Center Lambda functions | CloudWatch Logs & Lambda Insights |
| AppSync API layer | AppSync console resolver metrics (4xx / 5xx / latency) |
| DynamoDB, S3, Secrets Manager | CloudWatch Service Metrics |

Recovery

FinOps Center

To recover FinOps Center, the application and the database need to be restored to the last known functioning state.

If there is an issue with the application after patching the environment with a new release, return to the AMI of the prior release and launch an instance. The CDK bucket will load with the previous release. Return to CloudFormation and update the stack with the previous release's JSON object.

FinOps Center stores all of its data in DynamoDB. During installation, the DynamoDB tables are enabled with Point-in-time Recovery. If any table needs to be recovered, an engineer can log into the console, navigate to the DynamoDB service, and restore the table to the time of the last operation.

RTO Target

FinOps Center's RTO is your original installation time plus 2 hours. This is based on a scenario where your AWS account has been compromised and you need to restore the DynamoDB tables from an S3 backup into a new CloudOps Designated Admin account.

RPO Target

FinOps Center's RPO is close to zero, as the Cost and Usage Report is created in the Master Payer account. Any budget mapping can be restored from backup without data loss.

Deployment Best Practices

  • Complete the QuickStart and create a Business Requirements Document

  • Allocate AWS accounts to financial budgets prior to adding users

  • Communicate to users that they will receive emails inviting them to FinOps Center, but that they should wait a day before entering the application or their experience may not be loaded

  • Add users via the Admin screen, not the Cognito interface

  • Allocate users to their financial scope once the accounts have been allocated to their budgets

  • Configure the initial Amazon QuickSight dashboard for all roles

  • Upload the customer logo prior to adding users

    Once the customer logo has been uploaded, create a new invalidation in CloudFront.

  • Update the Cognito email invites prior to sending invites

  • Validate that CloudFront is configured correctly

  • Add memory to the highly used Lambda function UsageLambdaHandler

PITR

All FinOps Center DynamoDB tables that get deployed are configured with Point in Time Recovery.

Agent Bill

The data that Agent Bill accesses are FinOps Center tables that follow the same recommendations for recovery. Recovery of the solution itself is via a reinstall using the CloudFormation scripts.

    Update
    Underlying Services Security, Monitoring, and Backup

    API Key Management

All FinOps Center APIs are authenticated and authorized through Amazon Cognito.

    FinOps Center AppSync API Credential Management

    • Amazon Cognito Federated Identities issue short-lived AWS credentials using STS under an IAM role.

    • Amazon Cognito User Pools issue JWT tokens that are used to authenticate AppSync requests.

    • Because Cognito-issued credentials are automatically rotated and expire frequently (typically after 1 hour), long-term key rotation is not required for day-to-day operations.

  • DynamoDB Encryption: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html

  • DynamoDB Monitoring: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/monitoring.html

  • DynamoDB Backup: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/BackupRestore.html

  • Lambda Security: https://docs.aws.amazon.com/lambda/latest/dg/lambda-security.html

  • Lambda Monitoring: https://docs.aws.amazon.com/lambda/latest/dg/lambda-monitoring.html

  • VPC Endpoints: https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html

  • IAM Best Practice (root user): https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

Operational Team & Playbook

FinOps Center places a low burden on technical operations teams once the prerequisite AWS components are configured and the application is deployed.

Skills of the technical operations team:

  • AWS engineering, with specific understanding of S3 Bucket Replication, CloudFormation, VPC configuration, and web application management using CloudFront.

  • AWS data engineering, with understanding of DynamoDB backups to S3.

  • Account vending processes with tools like Control Tower.

Operational Checklist to Validate Functional Application

  1. Validate that the Cost and Usage Report has replicated to the Cloud Operations account bucket.

  2. Compare the application's last-updated timestamp with the bucket timestamp. (Note: the application timestamp should be approximately 1 hr after the bucket timestamp, due to the allowance for the “eventual consistency” of bucket replication.)

The Finance and Business teams are the primary users of FinOps Center and will need to be enabled in the operation of the application. Within these teams there should be members who are comfortable developing QuickSight dashboards and who know how to share information with the technical operations team so that a dashboard can be made available to different roles.

The Finance and Business teams are the key to driving spend accountability with FinOps Center. They must monitor spending, card approvals, and account mapping daily to validate that users are acting on the data.

Encryption

FinOps Center leverages the native service encryption of data at rest and in transit.

All FinOps Center data at rest is stored in S3 or DynamoDB. When users access the application, CloudFront provides the TLS (HTTPS) connection for the frontend application.

    1. React Frontend (S3 Hosting)

    Data at Rest:

    • S3 Server-Side Encryption (SSE):

      • SSE-S3: Encrypts objects using AES-256, managed by S3.

      • SSE-KMS: Uses AWS Key Management Service (KMS) for encryption keys, giving more control over key policies and auditability.

      • SSE-C: Customer-provided encryption keys, if you prefer to manage keys outside AWS.

    • Client-Side Encryption: Use AWS SDK for encryption before uploading objects to S3. You manage keys and encrypt data client-side.

    Data in Transit:

    • Use HTTPS (TLS 1.2 or higher) for all communications to and from S3.

    • Enforce HTTPS using S3 bucket policies or CloudFront distribution.


    2. QuickSight Dashboards

    Data at Rest:

    • QuickSight encrypts your data at rest using AWS KMS by default.

    • For additional control, configure your own KMS Customer Managed Key (CMK) for QuickSight to use.

    Data in Transit:

    • All communication between QuickSight, S3, and other AWS services is protected using TLS 1.2.

Embedded Dashboards:

  • Use secure HTTPS connections for embedding dashboards within your React frontend.

  • FinOps Center uses custom IAM policies and Row-Level Security (RLS) to ensure users only see authorized data.


    3. Lambda Functions (Business Logic)

    Data at Rest:

    • By default, AWS Lambda encrypts deployment packages and environment variables at rest using AWS-managed keys.

    • For additional control, use KMS for:

      • Encrypting environment variables (configure KMS keys in Lambda function settings).

      • Encrypting sensitive application secrets (e.g., credentials, tokens) stored in AWS Secrets Manager or SSM Parameter Store.

    Data in Transit:

    • All data passed to and from Lambda is encrypted using TLS 1.2.

    • Use HTTPS endpoints for API Gateway and other services invoked by Lambda.


    4. DynamoDB (Application Data)

    Data at Rest:

    • Default Encryption with AWS KMS: All DynamoDB tables are encrypted at rest using AES-256.

    • Use Customer Managed KMS Keys (CMK) for:

      • More control over the encryption keys.

      • Auditability and fine-grained key management.

    Data in Transit:

    • All DynamoDB connections use TLS 1.2 to secure data in transit.

    • Enforce the use of HTTPS for all interactions with DynamoDB.


    5. Cross-Service Encryption Management

    • Use AWS Key Management Service (KMS) to unify encryption management across services like S3, Lambda, DynamoDB, and QuickSight.

    • Monitor key usage with AWS CloudTrail for auditing encryption activities.
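The controls in sections 1 to 5 above are the kind of thing AWS Config evaluates continuously; the following script, an added example that is not FinOps Center's own code, shows the same checks written out explicitly so the logic is visible. It evaluates constructed dicts shaped like the output of S3 get_bucket_policy, DynamoDB describe_table and Lambda get_function_configuration; the bucket, table and function names, the account ID and the KMS key ARN are placeholders, while the Deny statement it looks for is the one S3 documents for enforcing HTTPS (aws:SecureTransport).

```python
"""Evaluate S3 bucket policies, DynamoDB table descriptions and Lambda configurations
against the encryption controls above. Added example, not FinOps Center's own code;
the inputs are constructed dicts shaped like get_bucket_policy / describe_table /
get_function_configuration output, with placeholder names and key ARNs."""

# The Deny statement S3 documents for enforcing HTTPS; BUCKET is replaced per bucket.
TLS_DENY_STATEMENT = {
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::BUCKET", "arn:aws:s3:::BUCKET/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_enforces_tls(policy, bucket):
    """True if a Deny statement blocks every s3:* action on the bucket and its objects
    whenever the request was not made over TLS."""
    want = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(policy.get("Statement", [])):
        secure = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Effect") == "Deny"
                and st.get("Principal") in ("*", {"AWS": "*"})
                and "s3:*" in _as_list(st.get("Action"))
                and str(secure).lower() == "false"
                and want <= set(_as_list(st.get("Resource")))):
            return True
    return False


def dynamodb_rest_encryption(table):
    """'AWS_OWNED' when describe_table reports no SSEDescription (the default key),
    'KMS' when an AWS managed or customer managed key is active, else the raw status."""
    sse = table.get("SSEDescription")
    if not sse:
        return "AWS_OWNED"
    if sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS":
        return "KMS"
    return sse.get("Status", "UNKNOWN")


def lambda_env_key(function_config):
    """Customer KMS key ARN protecting environment variables, or None for the Lambda default key."""
    return function_config.get("KMSKeyArn") or None


def audit(inventory):
    """(severity, message) findings for everything that falls short of the controls above."""
    findings = []
    for name, policy in inventory["buckets"].items():
        if not policy_enforces_tls(policy, name):
            findings.append(("HIGH", f"s3://{name}: bucket policy does not deny non-TLS requests"))
    for name, table in inventory["tables"].items():
        mode = dynamodb_rest_encryption(table)
        if mode == "AWS_OWNED":
            findings.append(("INFO", f"dynamodb/{name}: AWS-owned key; key usage is not visible in CloudTrail"))
        elif mode != "KMS":
            findings.append(("HIGH", f"dynamodb/{name}: encryption status {mode}"))
    for name, cfg in inventory["functions"].items():
        if cfg.get("Environment", {}).get("Variables") and not lambda_env_key(cfg):
            findings.append(("INFO", f"lambda/{name}: environment variables use the Lambda default key"))
    return findings


def example_inventory():
    """Constructed inventory: one compliant and one non-compliant item of each kind."""
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    tls_policy = {"Version": "2012-10-17", "Statement": [dict(
        TLS_DENY_STATEMENT,
        Resource=[s.replace("BUCKET", "frontend-example") for s in TLS_DENY_STATEMENT["Resource"]])]}
    read_only_policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cur-replica-example/*"}]}
    return {
        "buckets": {"frontend-example": tls_policy, "cur-replica-example": read_only_policy},
        "tables": {"AccountBudgetTable": {"SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                                              "KMSMasterKeyArn": key_arn}},
                   "Scheduler": {}},
        "functions": {"UsageLambdaHandler": {"Environment": {"Variables": {"TABLE": "AccountBudgetTable"}},
                                             "KMSKeyArn": key_arn},
                      "InvoiceLambda": {"Environment": {"Variables": {"TABLE": "InvoiceTable"}}}},
    }


if __name__ == "__main__":
    for severity, message in audit(example_inventory()):
        print(severity, message)
```

The AWS-owned-key finding is informational on purpose: the data is still encrypted, but only an AWS managed or customer managed KMS key produces the per-key CloudTrail usage records that the auditing tools listed below rely on.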


Summary Table of Encryption Options

| Component | At Rest | In Transit | Additional Notes |
| --- | --- | --- | --- |
| S3 (React Frontend) | SSE-S3, SSE-KMS, SSE-C, Client-Side | TLS 1.2 (HTTPS) | Enforce HTTPS using policies. |
| QuickSight | AWS KMS (default or CMK) | TLS 1.2 | Use IAM and Row-Level Security (RLS). |
| Lambda (Business Logic) | AWS KMS for environment variables | TLS 1.2 | Use KMS for Secrets Manager or SSM data. |
| DynamoDB (Data Storage) | AWS KMS (default or CMK) | TLS 1.2 (HTTPS) | Enforce HTTPS for DynamoDB connections. |

Tools for Monitoring and Auditing Encryption

  • AWS CloudTrail: Track key usage, access logs, and API calls.

  • AWS CloudWatch: Monitor encryption-related metrics.

  • AWS Config: Ensure encryption configurations remain compliant with best practices.

Agent Bill Bedrock Agent

Agent Bill has an additional encrypted connection between the MCP Server on Lambda and the Bedrock Agent / Action Group.

Data in Transit:

  • All data passed to and from Lambda (MCP Server) is encrypted using TLS 1.2.

  • Use HTTPS endpoints for API Gateway and other services invoked by Lambda.

Installation Fault Conditions

Fault conditions during installation will be discovered during the CloudFormation template deployment.

If there is an issue during installation, CloudFormation will provide the root cause analysis.

Common Fault Conditions

  • Wrong path to the Cost and Usage Report

  • Cost and Usage bucket was not created in us-east-1, causing an S3 bucket notification error

  • Wrong S3 bucket name for installation of the front-end bucket

  • On a re-installation, previously deployed resources have not been fully deleted

Auditing

FinOps Center

FinOps Center provides auditability across the whole solution using AWS-native logging, monitoring, and compliance tools. Activity logs are collected across the entire stack, including authentication, business logic, orchestration, data access, and storage, to support customer audit and compliance requirements.

AWS Service Logging

  • Amazon Cognito: Authentication and authorization events, such as user sign-ins, token refreshes, and federated identity access, are logged through AWS CloudTrail, enabling traceability of identity events and user sessions.

  • AWS Lambda: All Lambda function invocations, including business logic execution and data processing, are logged to Amazon CloudWatch Logs. Function invocation metadata, API calls made by functions, and errors are also captured in CloudTrail.

  • AWS Step Functions: Workflow execution history, state transitions, and error handling logic are logged via CloudWatch Logs, while CloudTrail captures orchestration activity and API interactions initiated by workflows.

  • Amazon S3 (for web hosting): Static web content access and object-level interactions are logged via S3 Server Access Logs or CloudTrail Data Events, providing visibility into frontend usage patterns.

  • AWS AppSync: GraphQL queries, mutations, and subscriptions are recorded by CloudTrail, allowing full traceability of frontend-to-backend data access. Resolver execution logs can also be sent to CloudWatch Logs for detailed debugging and auditing.

  • Amazon EventBridge: Events published to or routed through EventBridge are tracked in CloudTrail, providing insight into event-based workflows, system integration points, and automation triggers.

  • Amazon DynamoDB: All reads, writes, updates, and deletes on the DynamoDB tables used for application data are auditable through CloudTrail Data Events (if enabled). This captures the full lifecycle of data access patterns. Additionally:

    • DynamoDB Streams can be used to monitor real-time changes to data for audit trails or downstream processing.

Centralized Logging and Audit Readiness

To support customer audit and compliance needs, the solution integrates the following centralized logging tools:

  • AWS CloudTrail: Captures all control-plane and (where enabled) data-plane API calls across services. Trails can be configured for multi-account logging with delivery to Amazon S3, encrypted using AWS KMS, and analyzed via Athena, OpenSearch, or third-party SIEM tools.

  • Amazon CloudWatch Logs and Metrics: Provide real-time operational visibility into application performance, execution paths, and anomalies.
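Collecting the CloudTrail records described above is only half of audit readiness; someone has to turn them into questions. The script below, an added example that is not FinOps Center's own code, runs three such questions over a handful of constructed records shaped like CloudTrail events: which source IPs are producing repeated Cognito sign-in failures, which principals other than the application's Lambda roles are writing to the budget tables (this needs DynamoDB data events enabled, as the text notes), and a per-service activity count suitable for a metric filter. The account ID, role names, user name, IP addresses and table names in the sample are placeholders.

```python
"""Triage constructed CloudTrail records for the audit signals described above:
Cognito sign-in failures, DynamoDB data-plane writes by unexpected principals, and an
activity summary per service. Added example, not FinOps Center's own code; the account
ID, role names, IPs and table names are placeholders."""
from collections import Counter

COGNITO, DYNAMODB = "cognito-idp.amazonaws.com", "dynamodb.amazonaws.com"
WRITE_EVENTS = {"PutItem", "UpdateItem", "DeleteItem", "BatchWriteItem", "TransactWriteItems"}


def _cognito(ip, error=None):
    rec = {"eventSource": COGNITO, "eventName": "InitiateAuth", "sourceIPAddress": ip,
           "userIdentity": {"type": "Unknown"}}
    if error:
        rec["errorCode"] = error
    return rec


def _dynamo(event, table, arn):
    return {"eventSource": DYNAMODB, "eventName": event, "sourceIPAddress": "10.0.1.23",
            "requestParameters": {"tableName": table},
            "userIdentity": {"type": "AssumedRole" if ":sts:" in arn else "IAMUser", "arn": arn}}


LAMBDA_ROLE = "arn:aws:sts::111122223333:assumed-role/FinOpsCenterAccountBudgetLambdaRole-EXAMPLE/lambda"
HUMAN_USER = "arn:aws:iam::111122223333:user/alice"

SAMPLE_RECORDS = [  # constructed; shaped like CloudTrail records
    _cognito("203.0.113.10", "NotAuthorizedException"),
    _cognito("203.0.113.10", "NotAuthorizedException"),
    _cognito("203.0.113.10", "NotAuthorizedException"),
    _cognito("198.51.100.7"),
    _dynamo("PutItem", "AccountBudgetTable", LAMBDA_ROLE),
    _dynamo("GetItem", "AccountMapping", HUMAN_USER),
    _dynamo("UpdateItem", "ApprovedBudgetsTable", HUMAN_USER),
    {"eventSource": "states.amazonaws.com", "eventName": "StartExecution",
     "userIdentity": {"type": "AssumedRole", "arn": LAMBDA_ROLE}},
]


def principal_name(record):
    """Role name for assumed-role sessions, user name for IAM users, else the identity type."""
    ident = record.get("userIdentity", {})
    arn = ident.get("arn", "")
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return arn.rsplit("/", 1)[-1] if arn else ident.get("type", "unknown")


def activity_summary(records):
    """Counts per (eventSource, eventName): the raw material for a CloudWatch metric filter."""
    return Counter((r["eventSource"], r["eventName"]) for r in records)


def failed_auth_bursts(records, threshold=3):
    """Source IPs with at least `threshold` failed Cognito authentication calls."""
    fails = Counter(r["sourceIPAddress"] for r in records
                    if r["eventSource"] == COGNITO and r.get("errorCode"))
    return {ip: n for ip, n in fails.items() if n >= threshold}


def unexpected_table_writers(records, allowed_roles):
    """DynamoDB data-event writes by principals other than the application's Lambda roles,
    for example a person editing a budget table directly instead of through the app."""
    return [(principal_name(r), r["requestParameters"]["tableName"], r["eventName"])
            for r in records
            if r["eventSource"] == DYNAMODB and r["eventName"] in WRITE_EVENTS
            and principal_name(r) not in allowed_roles]


if __name__ == "__main__":
    print(activity_summary(SAMPLE_RECORDS))
    print(failed_auth_bursts(SAMPLE_RECORDS))
    print(unexpected_table_writers(SAMPLE_RECORDS, {"FinOpsCenterAccountBudgetLambdaRole-EXAMPLE"}))
```

The allow-list for `unexpected_table_writers` is the set of role names created by the FinOps Center stack (the roles table later on this page lists them); anything else writing to the budget or mapping tables is a change that did not go through the application's approval workflow and belongs in the audit review.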

Time Definition

Within FinOps Center, we currently support annual budgets aligned to calendar years.

Another key time definition is the Period. A Period represents the work week for billing and is defined as follows:

For Spend Cards, the first Period of each month runs from the 1st day until Saturday 11:59. The last Period of each month runs from Sunday 00:01 until the last day of the month.

Spend Cards run every Monday for the previous Period. The final Cards run when FinOps Center receives a CUR containing the AWS invoices, which signifies that the spending is final.

Within FinOps Center, the “AWS spend as of” timestamp is approximately 1 hour after the Cost and Usage Report has created a new file. Because FinOps Center relies on S3 Bucket Replication, it can take time for all of the Cost and Usage data to replicate, so we wait before starting the spend onboarding.
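The Period definition above has an edge case worth seeing in code: when a month ends mid-week, the Monday run has two closed Periods behind it (the short last Period of the old month and the short first Period of the new one), not one. The following is an added example, not FinOps Center's own code, that computes Periods from the definition given in the text. It works on calendar dates and assumes the "Saturday 11:59" and "Sunday 00:01" boundaries mean the end and start of those days; March 2025, which begins on a Saturday, is used as the worked input.

```python
"""Compute FinOps Center billing Periods as defined above. Added example, not
FinOps Center's own code; it works on dates (the 11:59 / 00:01 boundaries in the
text are assumed to mean the end and start of the calendar day)."""
from calendar import monthrange
from datetime import date, timedelta

SATURDAY = 5  # date.weekday(): Monday == 0 ... Saturday == 5, Sunday == 6


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def periods(year, month):
    """All Periods of a month as (start, end) date pairs.
    The first runs from the 1st to the next Saturday, middle ones Sunday..Saturday,
    and the last from a Sunday to the final day of the month."""
    last_day = date(year, month, monthrange(year, month)[1])
    out, start = [], date(year, month, 1)
    while start <= last_day:
        end = min(start + timedelta(days=(SATURDAY - start.weekday()) % 7), last_day)
        out.append((start, end))
        start = end + timedelta(days=1)
    return out


def period_containing(day):
    """The Period a given date belongs to."""
    day = _as_date(day)
    return next(p for p in periods(day.year, day.month) if p[0] <= day <= p[1])


def periods_closed_since(last_run, run_date):
    """Periods whose end date lies in [last_run, run_date). A Monday run normally
    returns one Period, but when a month ended mid-week two Periods have closed:
    the short last Period of the old month and the short first Period of the new one."""
    last_run, run_date = _as_date(last_run), _as_date(run_date)
    out, (y, m) = [], (last_run.year, last_run.month)
    while (y, m) <= (run_date.year, run_date.month):
        out += [p for p in periods(y, m) if last_run <= p[1] < run_date]
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out


if __name__ == "__main__":
    for start, end in periods(2025, 3):          # March 2025 starts on a Saturday
        print(start, "->", end)
    # Monday 2025-04-07 run, previous run Monday 2025-03-31: two Periods closed in between.
    for start, end in periods_closed_since("2025-03-31",  "2025-04-07"):
        print("closed:", start, "->", end)
```

A Spend Card job that only ever processes "the Period containing last Saturday" silently skips the Sunday-to-month-end Period whenever the month ends on a weekday; iterating over `periods_closed_since` instead makes that case explicit.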

Troubleshooting

FinOps Center

FinOps Center is a web application and may experience the typical user issues around login or page loading (especially after updates). Additionally, during the first 24 hours after installing FinOps Center, the application may still be awaiting data population from the Cost & Usage Report (CUR).

If users have issues with their initial login to FinOps Center, it could be an issue with the Cognito temporary password. The common remedy is to delete the users from the Cognito User Pool and re-create them in the FinOps Center configuration.

If, during initial configuration of the application, the AWS CUR data is not loading, you may need to wait until the next cycle runs. Have a member of your technical team navigate to the S3 bucket in the account where FinOps Center is installed and check when the last CUR was created, keeping in mind that the CUR creation time is in UTC. If a CUR cycle has run after the time the Chart/Budget file was uploaded, contact support.

Agent Bill Amazon Q in QuickSight

If users have issues accessing the Amazon Q in QuickSight Topics, validate that the following are configured appropriately:

  • The FinOps Center application URL has been added in the QuickSight admin settings

  • The Topic ID has been added on the Configuration page

  • The Topics have been added to the Role from the QuickSight console

  • If you can't see the Topics, validate that your Author Pro user has the Topics role

Agent Bill Agentic CFM

Cost Optimization Hub Data

If Cost Optimization Hub data is not loading in the Cost Optimization raw table, navigate to the Lambda service in the console (CostOptimizationLambda881C3E41) and run Test to trigger the Lambda.

| Issue | Cause | Prescriptive Fix / Test |
| --- | --- | --- |
| AgentCore ECS tasks stuck in provisioning | VPC endpoint missing or SG restricts outbound | Validate that the required Interface Endpoints (S3, DynamoDB, STS, Secrets Manager, AppSync, Bedrock) exist and that SG outbound to 0.0.0.0/0 is not denied |
| Client application cannot reach AgentCore MCP endpoint | Wrong ALB DNS used, or not using HTTPS on 443 | Validate the endpoint using curl -v https://<agentcore-alb-dns>/health; it must return 200 |
| AgentCore cannot invoke FinOps Center API | IAM trust misalignment between delegated admin and linked accounts | Validate the delegated admin role trust with an STS AssumeRole test from the AgentCore ECS task execution role |
| AppSync returns unauthorized | Missing JWT validator / wrong signature key | Validate that the JWT issuer matches the AgentCore Identity config; re-rotate the token and test via the AppSync console with the same token |
| Lambda invoked but no FinOps process executes | Missing FinOps Center permission boundary or missing PK tenant prefix | Validate that the DynamoDB partition key prefix matches the defined TenantID for that deployment |
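The "AppSync returns unauthorized" row above, and the Cognito credential section earlier on this page (ID and access tokens that expire after about an hour), both come down to whether the token's claims match what the API expects. The following is an added example, not FinOps Center's own code, that decodes a Cognito-issued JWT and lists the claim problems AppSync would reject it for: wrong issuer (pool or region), wrong audience / client ID, unexpected token_use, or expiry. The region, user pool ID, app client ID and the unsigned test token are placeholders constructed in the script; signature verification against the pool's JWKS is deliberately left to AppSync and Cognito, so this is a diagnostic, not an authorizer.

```python
"""Check the claims of a Cognito-issued JWT against the pool an AppSync API expects.
Added example, not FinOps Center's own code. The region, pool ID and client ID below are
placeholders; signature verification against the pool's JWKS is left to AppSync/Cognito."""
import base64
import json
import time


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the payload of a compact JWS token without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_cognito_claims(token, region, user_pool_id, app_client_id, now=None):
    """List the reasons AppSync would reject this token (empty list == claims look right):
    issuer must be the configured user pool, audience/client_id must be the app client,
    token_use must be 'id' or 'access', and exp must be in the future."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer mismatch: {claims.get('iss')!r} != {expected_iss!r}")
    use = claims.get("token_use")
    if use not in ("id", "access"):
        problems.append(f"unexpected token_use {use!r}")
    # ID tokens carry the app client in 'aud', access tokens in 'client_id'.
    audience = claims.get("aud") if use == "id" else claims.get("client_id")
    if audience != app_client_id:
        problems.append(f"audience mismatch: {audience!r} != {app_client_id!r}")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token expired (Cognito tokens live about 1 hour)")
    return problems


def make_unsigned_token(claims):
    """Constructed test token: real header/payload encoding, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "EXAMPLE-KID"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.PLACEHOLDER-SIGNATURE"


REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "exampleclientid123"
GOOD_CLAIMS = {"iss": f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}",
               "token_use": "id", "aud": CLIENT_ID, "exp": 1_900_000_000,
               "cognito:groups": ["FinancialAdmins"], "sub": "EXAMPLE-SUB"}

if __name__ == "__main__":
    good = make_unsigned_token(GOOD_CLAIMS)
    print(check_cognito_claims(good, REGION, POOL_ID, CLIENT_ID, now=1_800_000_000))
    wrong_pool = make_unsigned_token({**GOOD_CLAIMS, "iss": "https://cognito-idp.us-west-2.amazonaws.com/" + POOL_ID})
    print(check_cognito_claims(wrong_pool, REGION, POOL_ID, CLIENT_ID, now=1_800_000_000))
```

Paste the token from a failing AppSync request into `check_cognito_claims` with the pool and client the API is configured for: an issuer mismatch means the client is authenticating against a different pool or region than the API trusts, an audience mismatch means a different app client, and an expiry finding means the client is not refreshing its hourly tokens.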

    FinOps Center Resources and Roles

    Logical

    Services

    accountbudgetlambdarole77006F98

    AWS::IAM::Role

    accountbudgetlambdaroleDefaultPolicy4FB21BEA

    AWS::IAM::Policy

    AccountBudgetTable0C66D07B

    AWS::DynamoDB::Table

    AccountMapping4D0F5AFB

    AWS::DynamoDB::Table

    During the installation of FinOps Center, the following roles are created in customers accounts:

    Lambda access to write data dynamodb table (InvoiceTable)

    quicksightaccessrole80E5A653

    Lambda to get quicksight dashboard url programatically

    FinOpsCenterFinopsInaBoxBudgetAllocationApilambdaDatasourceServiceRoleE3C454C3

    Appsync to invoke lambda function named BudgetAllocationLambda

    FinOpsCenterFinopsInaBoxBudgetAllocationApibudgetApprovalLambdaDatasourceServiceRole59BD64A6

    Appsync to invoke lambda function named BudgetApprovalLambda

    FinOpsCenterFinopsInaBoxBudgetAllocationApiquickSightLambdaDatasourceServiceRoleDC35C747

    Appsync to invoke lambda function named QuicksightLambda

    FinOpsCenterFinopsInaBoxBudgetAllocationApischedulerLambdaDatasourceServiceRole5D04EA71

    Appsync to invoke lambda function named SchedulerLambda

    FinOpsCenterFinopsInaBoxBudgetAllocationApiinvoiceLambdaDatasourceServiceRoleD85B21E4

    appsync to invoke lambda function named InvoiceLambda

    FinOpsCenterFinopsInaBoxBudgetAllocationApiauthenticationLambdaDatasourceServiceRole0DAF3D85

    appsync to invoke lambda function named AuthenticationLambda

    accountbudgetlambdarole77006F98

    lambda access to write data dynamodb table (SorElementToKeyMapper, BudgetsFromSOR)

    FinOpsCenterFinopsInaBoxSchedulerLambdaHandlerServiceRole1D4A6F1E

    lambda access to write data dynamodb table (Scheduler)

    FinOpsCenterFinopsInaBoxAuthenticationLambdaHandlerServiceRole3583A726

    lambda access to Cognito

    CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265

    Lambda access to S3

    athenaexecutionroleDefaultPolicy7907B333

    Athena access for CUR Data Import

    S3NotificationResourceCustomResourcePolicy0EC084AF

    Bucket to trigger lambda on new items upload

    executionroleDefaultPolicy497F11A3

    BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36

    Bucket to trigger lambda on new items upload

    budgetApprovalLambdaHandlerServiceRoleDefaultPolicyDE143198

    budgetTriggerLambdaHandlerServiceRoleDefaultPolicyDD9AEFCA

    Bucket to trigger lambda on new items upload

    BudgetApprovalStateMachineRoleDefaultPolicyF89BE0F0,

    Step Function Execution

    invoiceLambdaHandlerServiceRoleDefaultPolicy20D94148

    Bucket to trigger lambda on new items upload

    quicksightaccessroleDefaultPolicy15628D24

    Access to QuickSight Assets

    FinOpsCenterFinopsInaBoxBudgetAllocationApilambdaDatasourceServiceRoleDefaultPolicyECB450A3

    Access to DynamoDB for Step Function

    FinOpsCenterFinopsInaBoxBudgetAllocationApibudgetApprovalLambdaDatasourceServiceRoleDefaultPolicyBCD48E00

    Step Function Execution

    FinOpsCenterFinopsInaBoxBudgetAllocationApiquickSightLambdaDatasourceServiceRoleDefaultPolicyE116784C

    Access to QuickSight Assets for Row Level Security

    FinOpsCenterFinopsInaBoxBudgetAllocationApiquickSightLambdaDatasourceServiceRoleDefaultPolicyE116784C

    Access to QuickSight Assets for Row Level Security

    FinOpsCenterFinopsInaBoxBudgetAllocationApiquickSightLambdaDatasourceServiceRoleDefaultPolicyE116784C

    Access to QuickSight Assets for Row Level Security

    FinOpsCenterFinopsInaBoxBudgetAllocationApischedulerLambdaDatasourceServiceRoleDefaultPolicyC73BC128

    Access to DynamoDB for Step Function

    FinOpsCenterFinopsInaBoxBudgetAllocationApiinvoiceLambdaDatasourceServiceRoleDefaultPolicyF3F771EC

    Access to DynamoDB for Step Function

    FinOpsCenterFinopsInaBoxBudgetAllocationApiauthenticationLambdaDatasourceServiceRoleDefaultPolicyEDD13462

    Access to Cognito for Authenticationo

    accountbudgetlambdaroleDefaultPolicy4FB21BEA

    Step Function Execution

    FinOpsCenterFinopsInaBoxSchedulerLambdaHandlerServiceRoleDefaultPolicy0A59ABD5

    Step Function Execution

    FinOpsCenterFinopsInaBoxAuthenticationLambdaHandlerServiceRoleDefaultPolicy28CCCF9A

    Access to Cognito for Authentication

    CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF

    Execution to Create S3 bucket for FinOps Center Deployment

    QSManagedPolicyBC3B1016

    AccountToElement1Mapping752D6570

    AWS::DynamoDB::Table

    AccountMapping4D0F5AFB

    AWS::DynamoDB::Table

    AccountToElement1Mapping752D6570

    AWS::DynamoDB::Table

    AccountToElement2MappingC5E21C49

    AWS::DynamoDB::Table

    AccountToElement3MappingA58D0E58

    AWS::DynamoDB::Table

    AccountToElement4Mapping7A6110D3

    AWS::DynamoDB::Table

    Admins

    AWS::Cognito::UserPoolGroup

    adminUser

    AWS::Cognito::UserPoolUser

    ApprovedBudgetsTableA2AC60E6

    AWS::DynamoDB::Table

    athenaexecutionrole33E3CAB2

    AWS::IAM::Role

    athenaexecutionroleDefaultPolicy7907B333

    AWS::IAM::Policy

    AthenaPolicyCADD8C34

    AWS::IAM::ManagedPolicy

    athenatemp87F857C8

    AWS::S3::Bucket

    AWS679f53fac002430cb0da5b7982bd22872D164C4C

    AWS::Lambda::Function

    AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2

    AWS::IAM::Role

    BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691

    AWS::Lambda::Function

    BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC

    AWS::IAM::Role

    BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36

    AWS::IAM::Policy

    budgetApprovalLambdaHandlerD5A8C414

    AWS::Lambda::Function

    budgetApprovalLambdaHandlerServiceRole57D52BE3

    AWS::IAM::Role

    budgetApprovalLambdaHandlerServiceRoleDefaultPolicyDE143198

    AWS::IAM::Policy

    BudgetApprovalStateMachine749086CB

    AWS::StepFunctions::StateMachine

    BudgetApprovalStateMachineRole7D20BD03

    AWS::IAM::Role

    BudgetApprovalStateMachineRoleDefaultPolicyF89BE0F0

    AWS::IAM::Policy

    BudgetApprovalWorkflow471D8ADC

    AWS::DynamoDB::Table

    BudgetsFromSOR1281753B

    AWS::DynamoDB::Table

    budgetTriggerLambdaHandler47313A97

    AWS::Lambda::Function

    budgetTriggerLambdaHandlerServiceRoleB543531A

    AWS::IAM::Role

    budgetTriggerLambdaHandlerServiceRoleDefaultPolicyDD9AEFCA

    AWS::IAM::Policy

    BUManagers

    AWS::Cognito::UserPoolGroup

    CDKMetadata

    AWS::CDK::Metadata

    curExtractorLambdaHandler527EA93F

    AWS::Lambda::Function

| Resource | Type |
| --- | --- |
| curExtractorLambdaHandlerAllowS3InvocationDD55202D | AWS::Lambda::Permission |
| CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536 | AWS::Lambda::Function |
| CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265 | AWS::IAM::Role |
| CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF | AWS::IAM::Policy |
| DepartmentManagers | AWS::Cognito::UserPoolGroup |
| Element1Mapping4380F9B0 | AWS::DynamoDB::Table |
| Element2MappingE36F9FE4 | AWS::DynamoDB::Table |
| Element3Mapping4C6A994A | AWS::DynamoDB::Table |
| Element4Mapping2FFF5F38 | AWS::DynamoDB::Table |
| executionroleD9A39BE6 | AWS::IAM::Role |
| executionroleDefaultPolicy497F11A3 | AWS::IAM::Policy |
| FinancialAdmins | AWS::Cognito::UserPoolGroup |
| FinOpsCenterAccountBudgetLambdaHandler8229024E | AWS::Lambda::Function |
| FinOpsCenterAuthenticationLambdaHandler7B901A70 | AWS::Lambda::Function |
| FinOpsCenterAuthenticationLambdaHandlerServiceRoleDefaultPolicy9C018194 | AWS::IAM::Policy |
| FinOpsCenterAuthenticationLambdaHandlerServiceRoleF2924748 | AWS::IAM::Role |
| FinOpsCenterBudgetAllocationApi830C7F83 | AWS::AppSync::GraphQLApi |
| FinOpsCenterBudgetAllocationApiauthenticationLambdaDatasource22C76159 | AWS::AppSync::DataSource |
| FinOpsCenterBudgetAllocationApiauthenticationLambdaDatasourceServiceRole8F2BC046 | AWS::IAM::Role |
| FinOpsCenterBudgetAllocationApiauthenticationLambdaDatasourceServiceRoleDefaultPolicyABAF4045 | AWS::IAM::Policy |
| FinOpsCenterBudgetAllocationApibudgetApprovalLambdaDatasourceA40E713B | AWS::AppSync::DataSource |
| FinOpsCenterBudgetAllocationApibudgetApprovalLambdaDatasourceServiceRole5098C713 | AWS::IAM::Role |
| FinOpsCenterBudgetAllocationApibudgetApprovalLambdaDatasourceServiceRoleDefaultPolicy9EC99F1C | AWS::IAM::Policy |
| FinOpsCenterBudgetAllocationApicanCloseMonthResolver2E01B50A | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApichangePasswordResolver3C958E69 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicompletePasswordChallengeResolver30910FB5 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiconfirmPasswordResolverFDF56F2F | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateAccountMappingResolver7B079C58 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateAllocationResolver225FB95A | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateBudgetResolver64D61C0E | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateInvoiceResolver43BD5274 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateOrUpdateDashboardResolverA81AB980 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateOrUpdateSpaceDetailsResolver537D1657 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateOrUpdateUserToBudgetAccessResolverE080EDB5 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateUserMappingResolver7D63193A | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApicreateUserResolverA1E605E3 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApidefaultApiKey300A2538 | AWS::AppSync::ApiKey |
| FinOpsCenterBudgetAllocationApideleteAllocationResolver4650763F | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiforgotPasswordResolver42502E8F | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetAllBudgetsNewResolverC85C0932 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetAllBudgetsResolverB935009A | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetDashboardListResolver72B95653 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetInvoicesResolverC4F37F86 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetLastRunCurResolver24E9B10E | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetPeriodCardsForUserResolver2086F8FC | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetQuickSightDashboardUrlResolverE9D8DE12 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetSorListByYearResolverCD447711 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetSorMappingResolverDD843F7B | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetTimeCardsForUserResolver4FC1F4CD | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetUnallocatedAccountsResolver3432E36F | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetUsageActualsForUserResolverDBEAA204 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetUsageDetailsForUserNewResolver746CB582 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetUsageDetailsForUserResolver6EF10137 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetUsageStatsResolverAED9AFEA | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApigetUserMappingToBudgetsAndAccountsResolverAA475845 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiinvoiceLambdaDatasource999FAA93 | AWS::AppSync::DataSource |
| FinOpsCenterBudgetAllocationApiinvoiceLambdaDatasourceServiceRole833AADEB | AWS::IAM::Role |
| FinOpsCenterBudgetAllocationApiinvoiceLambdaDatasourceServiceRoleDefaultPolicyAD0CDF57 | AWS::IAM::Policy |
| FinOpsCenterBudgetAllocationApilambdaDatasourceAB665C33 | AWS::AppSync::DataSource |
| FinOpsCenterBudgetAllocationApilambdaDatasourceServiceRole7144E454 | AWS::IAM::Role |
| FinOpsCenterBudgetAllocationApilambdaDatasourceServiceRoleDefaultPolicy440E4797 | AWS::IAM::Policy |
| FinOpsCenterBudgetAllocationApilistAccountMappingResolver34043668 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApilistAccountsResolver56E8C48D | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApilistAllocationsResolver6165ADBD | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApilistGroupsResolverDCFF3E28 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApilistSpacesResolver60ED72B7 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApilistUserBudgetAllocationsResolver78C6B1CF | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApilistUserMappingResolverC3FFF016 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApilistUsersResolver8B930FB7 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiloginUserResolver48621D0D | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApimonthCloseResolver17AA178F | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiquickSightLambdaDatasource42753279 | AWS::AppSync::DataSource |
| FinOpsCenterBudgetAllocationApiquickSightLambdaDatasourceServiceRole9A3B29C1 | AWS::IAM::Role |
| FinOpsCenterBudgetAllocationApiquickSightLambdaDatasourceServiceRoleDefaultPolicy21D8C2A6 | AWS::IAM::Policy |
| FinOpsCenterBudgetAllocationApireviewBudgetResolverB4A7AD9A | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApischedulerLambdaDatasourceDF97F9B9 | AWS::AppSync::DataSource |
| FinOpsCenterBudgetAllocationApischedulerLambdaDatasourceServiceRole0E24BE0C | AWS::IAM::Role |
| FinOpsCenterBudgetAllocationApischedulerLambdaDatasourceServiceRoleDefaultPolicy8D806BF5 | AWS::IAM::Policy |
| FinOpsCenterBudgetAllocationApiSchema6D45E612 | AWS::AppSync::GraphQLSchema |
| FinOpsCenterBudgetAllocationApisorMappingResolver822F3A5B | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiupdateAccountsWithOrganizationsInfoResolver91CC1D41 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiupdateAllocationResolver8A725FFD | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiupdateBudgetResolver2EDA782E | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiupdateTimeCardStatusResolver66B4C127 | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiupdateUserRoleResolverBE9C313C | AWS::AppSync::Resolver |
| FinOpsCenterBudgetAllocationApiuploadSORResolver08F81E2F | AWS::AppSync::Resolver |
| FinOpsCenterQuickSightLambdaHandler796799F3 | AWS::Lambda::Function |
| FinOpsCenterSchedulerLambdaHandler044C0558 | AWS::Lambda::Function |
| FinOpsCenterSchedulerLambdaHandlerServiceRole44BD75A8 | AWS::IAM::Role |
| FinOpsCenterSchedulerLambdaHandlerServiceRoleDefaultPolicyA6553EC0 | AWS::IAM::Policy |
| FinOpsCenterScheduleRuleAllowEventRuleFinOpsCenterStackFinOpsCenterSchedulerLambdaHandler680625AE3E90D379 | AWS::Lambda::Permission |
| FinOpsCenterScheduleRuleEDEF0E06 | AWS::Events::Rule |
| FinOpsCenterSharedFunctionsLayer84909F55 | AWS::Lambda::LayerVersion |
| GluePolicyCA7268D5 | AWS::IAM::ManagedPolicy |
| invoiceLambdaHandler083AEC55 | AWS::Lambda::Function |
| invoiceLambdaHandlerServiceRoleAD7C6EE6 | AWS::IAM::Role |
| invoiceLambdaHandlerServiceRoleDefaultPolicy20D94148 | AWS::IAM::Policy |
| InvoiceTableD753B0E0 | AWS::DynamoDB::Table |
| LastUpdatedTableD54B2C25 | AWS::DynamoDB::Table |
| PortfolioManagers | AWS::Cognito::UserPoolGroup |
| ProductManagers | AWS::Cognito::UserPoolGroup |
| QSManagedPolicyBC3B1016 | AWS::IAM::ManagedPolicy |
| quicksightaccessrole80E5A653 | AWS::IAM::Role |
| quicksightaccessroleDefaultPolicy15628D24 | AWS::IAM::Policy |
| QuicksightTable0E76B5B0 | AWS::DynamoDB::Table |
| S3NotificationResourceCustomResourcePolicy0EC084AF | AWS::IAM::Policy |
| S3NotificationResourceF98D77E7 | Custom::AWS |
| S3Policy8FACFAB8 | AWS::IAM::ManagedPolicy |
| SorElementToKeyMapper64C55F7A | AWS::DynamoDB::Table |
| SORExtractorLambda56652A5B | AWS::Lambda::Function |
| sorfiles6743E409 | AWS::S3::Bucket |
| sorfilesAllowBucketNotificationsToFinOpsCenterStackSORExtractorLambdaA4B317F72869BA7F | AWS::Lambda::Permission |
| sorfilesNotifications4210B679 | Custom::S3BucketNotifications |
| SpacesTable8A997355 | AWS::DynamoDB::Table |
| staticContentDeploymentAwsCliLayer18F25694 | AWS::Lambda::LayerVersion |
| staticContentDeploymentCustomResourceC4584F3F | Custom::CDKBucketDeployment |
| TimeCardsTable0247B46C | AWS::DynamoDB::Table |
| UsageAccountsTable883695CF | AWS::DynamoDB::Table |
| UsageAccountToServiceDailyTable3EF26074 | AWS::DynamoDB::Table |
| UsageAccountToServiceTableD3843CFA | AWS::DynamoDB::Table |
| UsageDailyTable837F89FC | AWS::DynamoDB::Table |
| UsageMasterAccountsTableD91A7B5C | AWS::DynamoDB::Table |
| UsageTable28300137 | AWS::DynamoDB::Table |
| UserBudgetAccessTable665F2C92 | AWS::DynamoDB::Table |
| UserMappingABB16FE5 | AWS::DynamoDB::Table |
| UserPool6BA7E5F2 | AWS::Cognito::UserPool |
| UserPoolFinOpsCenterPoolweb6108E3D9 | AWS::Cognito::UserPoolClient |

| Resource/Role | Purpose |
| --- | --- |
| athenaexecutionrole33E3CAB2 | Lambda execution role for Athena queries |
| AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2, executionroleD9A39BE6 | Lambda to read files from S3 bucket |
| BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleB6FB88EC | S3 bucket trigger for Lambda on new file upload |
| budgetApprovalLambdaHandlerServiceRole57D52BE3 | Lambda to write data to DynamoDB tables (BudgetApprovalWorkflow, ApprovedBudgetsTable) |
| budgetTriggerLambdaHandlerServiceRoleB543531A | Lambda to write data to DynamoDB tables (BudgetApprovalWorkflow, ApprovedBudgetsTable) |
| BudgetApprovalStateMachineRole7D20BD03, | Lambda access to trigger Step Functions state machine |
| invoiceLambdaHandlerServiceRoleAD7C6EE6 | |
