These rules verify that foundational AWS cost guardrails are in place, including budget alerts and anomaly detection monitors that catch unexpected spend before it escalates.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-COSTGUARDRAILS-1 | Discovery | AWS Budgets Missing |
| CLDBRN-AWS-COSTGUARDRAILS-2 | Discovery | Cost Anomaly Detection Missing |
## CLDBRN-AWS-COSTGUARDRAILS-1: AWS Budgets Missing

**Scan type:** Discovery

### What it checks
Flags AWS accounts that do not have any AWS Budgets configured. Budgets are the simplest guardrail for alerting when spend exceeds a threshold.
### Why it matters
Without a budget, there is no automated alert when spending exceeds expected levels. AWS charges accumulate in real time, and a missing budget means a runaway cost event can go unnoticed until the monthly bill arrives. AWS Budgets is free for the first two budgets per account.
### What triggers a finding

`budgetCount` is 0 for the account summary record.
### How to remediate

Create at least one AWS Budget in the Billing console or via the API. Start with a monthly cost budget set to your expected spend, with alerts at the 80% and 100% thresholds.
```bash
aws budgets create-budget --account-id 123456789012 \
  --budget file://budget.json \
  --notifications-with-subscribers file://notifications.json
```
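The command above reads the budget definition and its alert ladder from two JSON files. The following script is an added example (not part of the original page or the scanner's own code) that generates `budget.json` and `notifications.json` in the shape the AWS CLI expects for `--budget` and `--notifications-with-subscribers`, with ACTUAL-spend notifications at the 80% and 100% thresholds the text recommends. The spend figure, budget name and e-mail address are constructed placeholders; `thresholds_crossed` is a helper added here to sanity-check which alerts a given month-to-date spend would already have fired.

```python
import json
from pathlib import Path

# Constructed example values, not from the page: substitute your own spend and address.
EXPECTED_MONTHLY_SPEND_USD = "500"
ALERT_EMAIL = "finops-alerts@example.com"   # placeholder subscriber address
ALERT_THRESHOLDS_PCT = (80, 100)            # the two thresholds the text recommends


def build_budget(name: str, monthly_limit_usd: str) -> dict:
    """Return the object the CLI reads from budget.json: a MONTHLY COST budget.

    BudgetLimit.Amount is a string in the AWS API, so it is kept as one here."""
    return {
        "BudgetName": name,
        "BudgetType": "COST",
        "TimeUnit": "MONTHLY",
        "BudgetLimit": {"Amount": monthly_limit_usd, "Unit": "USD"},
    }


def build_notifications(email: str, thresholds_pct=ALERT_THRESHOLDS_PCT) -> list:
    """Return the list the CLI reads from notifications.json.

    One ACTUAL-spend notification per threshold, each with a single EMAIL subscriber.
    Two identical notifications would be redundant, so duplicates are rejected up front."""
    if len(set(thresholds_pct)) != len(thresholds_pct):
        raise ValueError(f"duplicate thresholds: {thresholds_pct}")
    return [
        {
            "Notification": {
                "NotificationType": "ACTUAL",
                "ComparisonOperator": "GREATER_THAN",
                "Threshold": pct,
                "ThresholdType": "PERCENTAGE",
            },
            "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
        }
        for pct in thresholds_pct
    ]


def thresholds_crossed(budget: dict, notifications: list, actual_spend_usd: float) -> list:
    """Thresholds that a given month-to-date spend has already exceeded.

    Mirrors the GREATER_THAN / PERCENTAGE comparison the notifications encode."""
    limit = float(budget["BudgetLimit"]["Amount"])
    pct_used = 100.0 * actual_spend_usd / limit
    return [
        n["Notification"]["Threshold"]
        for n in notifications
        if pct_used > n["Notification"]["Threshold"]
    ]


def write_payloads(out_dir: Path, budget: dict, notifications: list) -> tuple:
    """Write budget.json and notifications.json for `aws budgets create-budget`."""
    out_dir.mkdir(parents=True, exist_ok=True)
    budget_path = out_dir / "budget.json"
    notif_path = out_dir / "notifications.json"
    budget_path.write_text(json.dumps(budget, indent=2))
    notif_path.write_text(json.dumps(notifications, indent=2))
    return budget_path, notif_path


if __name__ == "__main__":
    budget = build_budget("monthly-cost", EXPECTED_MONTHLY_SPEND_USD)
    notifications = build_notifications(ALERT_EMAIL)
    paths = write_payloads(Path("."), budget, notifications)
    print("wrote", *paths)
    print("crossed at $450 month-to-date:", thresholds_crossed(budget, notifications, 450))
    # Then, with a real account id in place of the placeholder:
    #   aws budgets create-budget --account-id <ACCOUNT_ID> \
    #     --budget file://budget.json \
    #     --notifications-with-subscribers file://notifications.json
```

Running the script writes the two files next to it; the `create-budget` call shown in the trailing comment then creates the budget and both alerts in one step. Keep `Amount` as a string and the thresholds as percentages: a `THRESHOLD_TYPE` of `ABSOLUTE_VALUE` is also accepted by the API, but percentage thresholds keep the alert ladder correct if you later raise the limit.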
## CLDBRN-AWS-COSTGUARDRAILS-2: Cost Anomaly Detection Missing

**Scan type:** Discovery

### What it checks

Flags AWS accounts that do not have any Cost Anomaly Detection monitors configured. Anomaly Detection uses machine learning to flag unusual spending patterns automatically.
### Why it matters
AWS Cost Anomaly Detection is free and catches spend spikes that fixed-threshold budgets miss. Without it, gradual cost increases or new service charges can go undetected. A single anomaly detection monitor covering the entire account provides broad coverage with zero configuration overhead.
### What triggers a finding

`monitorCount` is 0 for the account summary record.
### How to remediate
Create a Cost Anomaly Detection monitor in the AWS Cost Management console. Start with an AWS service monitor type that covers all services, and set up an SNS topic or email for alerts.
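Both rules fire on a count in the account summary record (`budgetCount` for COSTGUARDRAILS-1, `monitorCount` for COSTGUARDRAILS-2). The following script is an added example, not the scanner's own code, showing how such a summary record is built from paginated API responses and how the two rules are evaluated against it. The response shapes assumed are those of the Budgets `DescribeBudgets` call (`Budgets` list, `NextToken`) and the Cost Explorer `GetAnomalyMonitors` call (`AnomalyMonitors` list); the account ids, budget and monitor contents are constructed sample data, and the `AccountSummary`, `Finding`, `summarize_account`, `evaluate` and `scan` names are this example's own.

```python
from dataclasses import dataclass

RULE_BUDGETS_MISSING = ("CLDBRN-AWS-COSTGUARDRAILS-1", "AWS Budgets Missing")
RULE_ANOMALY_MISSING = ("CLDBRN-AWS-COSTGUARDRAILS-2", "Cost Anomaly Detection Missing")


@dataclass(frozen=True)
class AccountSummary:
    """Per-account summary record the rules read (budgetCount / monitorCount on the page)."""
    account_id: str
    budget_count: int
    monitor_count: int


@dataclass(frozen=True)
class Finding:
    rule_id: str
    name: str
    account_id: str


def summarize_account(account_id: str, budget_pages: list, monitor_pages: list) -> AccountSummary:
    """Build the summary record from already-paginated API responses.

    budget_pages:  pages returned by DescribeBudgets, each {"Budgets": [...]}.
    monitor_pages: pages returned by GetAnomalyMonitors, each {"AnomalyMonitors": [...]}.
    Counting across every page matters: stopping at the first page would undercount
    and could raise a false finding for an account whose only budget sits on page two."""
    budget_count = sum(len(page.get("Budgets", [])) for page in budget_pages)
    monitor_count = sum(len(page.get("AnomalyMonitors", [])) for page in monitor_pages)
    return AccountSummary(account_id, budget_count, monitor_count)


def evaluate(summary: AccountSummary) -> list:
    """Apply both rules to one summary record; each fires on a count of exactly 0."""
    findings = []
    if summary.budget_count == 0:
        findings.append(Finding(*RULE_BUDGETS_MISSING, summary.account_id))
    if summary.monitor_count == 0:
        findings.append(Finding(*RULE_ANOMALY_MISSING, summary.account_id))
    return findings


# Constructed sample responses: shapes follow the two API calls, contents are invented.
SAMPLE_ACCOUNTS = {
    "111111111111": (  # budget only on page 2, no monitors -> COSTGUARDRAILS-2 fires
        [{"Budgets": [], "NextToken": "t1"},
         {"Budgets": [{"BudgetName": "monthly-cost", "BudgetType": "COST"}]}],
        [{"AnomalyMonitors": []}],
    ),
    "222222222222": (  # nothing configured -> both rules fire
        [{"Budgets": []}],
        [{"AnomalyMonitors": []}],
    ),
    "333333333333": (  # both guardrails present -> no findings
        [{"Budgets": [{"BudgetName": "monthly-cost", "BudgetType": "COST"}]}],
        [{"AnomalyMonitors": [{"MonitorName": "all-services",
                               "MonitorType": "DIMENSIONAL",
                               "MonitorDimension": "SERVICE"}]}],
    ),
}


def scan(accounts: dict = SAMPLE_ACCOUNTS) -> list:
    """Summarize and evaluate every account; findings sorted by account, then rule id."""
    findings = []
    for account_id, (budget_pages, monitor_pages) in accounts.items():
        findings.extend(evaluate(summarize_account(account_id, budget_pages, monitor_pages)))
    return sorted(findings, key=lambda f: (f.account_id, f.rule_id))


if __name__ == "__main__":
    for f in scan():
        print(f"{f.rule_id}  {f.account_id}  {f.name}")
```

The sample data deliberately puts one account's only budget on the second page of `DescribeBudgets` output: a summarizer that reads a single page would report `budgetCount` of 0 and raise a spurious COSTGUARDRAILS-1 finding, so drain every page before counting.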
## See Also
- CLI discover command - scan live AWS resources
- SDK Reference - run discovery programmatically