Cost optimisation is about choosing cheaper configurations. Cost governance is about controlling who can create recurring spend, how long resources live, and when changes must be reviewed. Optimisation lowers unit cost, but governance prevents the organisational habits that keep waste reappearing.
Why This Matters for Security Teams
In AWS, cost optimisation is often treated as a finance-led exercise, but the real security issue is governance over who can create spend, what is allowed to run unattended, and how long resources remain provisioned. That distinction matters because the cheapest architecture can still become the most expensive if it is easy to repeat, hard to review, and full of standing access. NIST’s Cybersecurity Framework 2.0 frames this as a governance problem, not just a technical one.
NHIMG research on The State of Non-Human Identity Security shows how often organisations struggle to control non-human access in practice, with weak rotation, over-privilege, and poor visibility repeatedly driving risk. The same pattern appears in cloud spend: an ungoverned role, automation token, or CI/CD credential can create persistent resources that bypass normal review. Cost optimisation lowers the unit price of a workload, but cost governance stops the workflow that keeps creating waste after the first fix. In practice, many security teams encounter runaway cloud spend only after an incident review or month-end bill shock, rather than through intentional preventive control.
How It Works in Practice
Cost optimisation in AWS usually means selecting more efficient services, resizing instances, using reserved capacity where appropriate, or removing obvious idle resources. Cost governance sits one layer higher. It defines the rules that prevent recurring waste, including who may provision resources, which accounts or tags are mandatory, when approvals are required, and how exceptions expire. In other words, optimisation changes the shape of the spend, while governance changes the conditions that allow spend to exist.
For security and platform teams, the practical controls are usually a mix of policy, identity, and review:
- Restrict who can launch persistent resources, especially from automation paths and shared service roles.
- Require tagging, ownership, and environment classification before deployment completes.
- Use budget alerts, guardrails, and approval workflows for high-risk services or unbounded scaling.
- Review long-lived credentials and service roles that can create infrastructure without human oversight.
This is where Lifecycle Processes for Managing NHIs becomes relevant: the same lifecycle discipline that governs secrets and workload identities also governs cloud spend created by those identities. If a role can still provision storage, compute, or logging resources after the original project has ended, the organisation has a governance gap, not just an optimisation opportunity. AWS cost controls are strongest when they are embedded into identity, policy, and change management, not bolted on after deployment. These controls tend to break down in multi-account environments with many autonomous pipelines because ownership becomes unclear and approvals are bypassed through automation.
Common Variations and Edge Cases
Tighter cost governance often increases approval overhead and can slow delivery, so organisations need to balance spend control against developer velocity. Best practice is evolving here, and there is no universal standard for how much central control is enough. Some teams focus governance on the highest-risk patterns, while leaving low-risk optimisation choices to application owners.
That tradeoff becomes sharper in environments with elastic workloads, ephemeral environments, or heavy use of infrastructure as code. A resource that is expensive for one team may be acceptable for another if it is short-lived, tagged correctly, and tied to a release window. Likewise, an AWS account can be cost-efficient on paper yet still violate governance if a pipeline can recreate deleted resources without review. NHIMG’s Top 10 NHI Issues is a useful reminder that over-privilege and weak lifecycle discipline often matter more than one-off cleanup. The practical rule is simple: optimisation asks, “Can this be cheaper?” while governance asks, “Should this be allowed to keep existing, and who is accountable when it does?”
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC | Cloud cost governance is an organisational governance and accountability issue. |
| NIST CSF 2.0 | PR.AC | Preventing recurring spend depends on controlling who can provision resources. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets and service roles often create unmanaged AWS spend. |
Rotate and scope non-human credentials so automation cannot recreate waste indefinitely.
Related resources from NHI Mgmt Group
- What is the difference between attack surface management and NHI governance?
- What is the difference between role-based access and API key governance for NHI security?
- What is the difference between human IAM controls and NHI governance?
- What is the difference between license management and access governance?
