
CostGuard

intermediate

Setting Up CostGuard Automated Policies

Configure automated cost governance policies to prevent budget overruns and enforce tagging standards across your AWS organization.

15 min read. Last updated: January 10, 2026

Prerequisites

  • AWS Organization with multiple accounts
  • IAM permissions for AWS Config and Lambda
  • CostGuard account (free tier available)

1. Introduction

CostGuard helps enforce cost governance policies across your AWS organization. It can automatically:

- Terminate or stop non-compliant resources
- Enforce tagging requirements before resource creation
- Right-size instances based on utilization
- Clean up unused resources (EBS volumes, snapshots, IPs)

This guide walks through setting up your first CostGuard policies.

2. Policy Types Overview

CostGuard supports several policy types:

**Preventive Policies** - Block resource creation that doesn't meet criteria
- Required tags enforcement
- Instance type restrictions
- Region restrictions

**Detective Policies** - Find and alert on non-compliant resources
- Untagged resources
- Oversized instances
- Unused resources

**Remediation Policies** - Automatically fix issues
- Auto-stop idle development instances
- Delete unattached EBS volumes
- Release unused Elastic IPs

3. Step 1: Install the CostGuard Agent

Deploy the CostGuard agent using CloudFormation or Terraform. The agent runs as a Lambda function that evaluates resources against your policies.

```bash
# Using AWS CLI
# CAPABILITY_IAM acknowledges that the template creates IAM resources.
# YOUR_API_KEY is a placeholder; a key typed here is recorded in shell history.
aws cloudformation create-stack \
  --stack-name costguard-agent \
  --template-url https://costguard.morphlix.com/templates/agent.yaml \
  --parameters ParameterKey=ApiKey,ParameterValue=YOUR_API_KEY \
  --capabilities CAPABILITY_IAM
```

```hcl
# Or using Terraform
module "costguard" {
  source  = "morphlix/costguard/aws"
  version = "1.2.0"

  api_key = var.costguard_api_key

  # Optional: restrict to specific regions
  regions = ["us-east-1", "us-west-2"]
}
```

4. Step 2: Define a Tagging Policy

Let's create a policy that requires all EC2 instances to have Environment and Owner tags:

```yaml
# tagging-policy.yaml
name: required-tags-ec2
description: Require Environment and Owner tags on all EC2 instances
resource_types:
  - AWS::EC2::Instance

mode: preventive  # Block creation of non-compliant resources

rules:
  - name: environment-tag
    condition:
      tag_exists: Environment
    values:
      - production
      - staging
      - development

  - name: owner-tag
    condition:
      tag_exists: Owner
    # Single quotes: "\." is not a valid escape in a double-quoted YAML string
    pattern: '^[a-z]+\.[a-z]+@company\.com$'

actions:
  on_violation: deny
  notification:
    slack: "#cloud-governance"
    message: "EC2 instance creation blocked: missing required tags"
```
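The check below is an added example, not CostGuard's own code: it replays the two rules from tagging-policy.yaml against constructed tag sets so you can see which launches would be denied before enabling preventive mode. It assumes exact, case-sensitive value matching and full-string pattern matching; `violations`, `report` and the sample tags are hypothetical names.

```python
import re

# Rules copied from tagging-policy.yaml. CostGuard's own evaluation semantics
# are not documented on this page; ASSUMED here: the tag must exist and its
# value must be in `values` (exact, case-sensitive) or fully match `pattern`.
ENV_VALUES = {"production", "staging", "development"}
OWNER_PATTERN = re.compile(r"^[a-z]+\.[a-z]+@company\.com$")

# Constructed tag sets (not real resources) covering the edge cases.
SAMPLES = {
    "ok": {"Environment": "staging", "Owner": "jane.doe@company.com"},
    "missing-owner": {"Environment": "production"},
    "wrong-case-env": {"Environment": "Production", "Owner": "jane.doe@company.com"},
    "lookalike-domain": {"Environment": "development",
                         "Owner": "jane.doe@company.com.example.net"},
    "no-literal-dot": {"Environment": "development", "Owner": "jane.doe@companyxcom"},
    "trailing-newline": {"Environment": "development", "Owner": "jane.doe@company.com\n"},
    "digits-in-name": {"Environment": "development", "Owner": "jane.doe2@company.com"},
}


def violations(tags):
    """Return the names of the rules a tag set violates (empty list = compliant)."""
    failed = []
    env = tags.get("Environment")
    if env not in ENV_VALUES:  # also true when the tag is absent (None)
        failed.append("environment-tag")
    owner = tags.get("Owner")
    # fullmatch, not match: in Python "$" also matches just before a trailing
    # newline, so match() would accept "jane.doe@company.com\n".
    if owner is None or OWNER_PATTERN.fullmatch(owner) is None:
        failed.append("owner-tag")
    return failed


def report(samples=SAMPLES):
    """Map each sample name to the list of rules it violates."""
    return {name: violations(tags) for name, tags in samples.items()}


if __name__ == "__main__":
    for name, failed in report().items():
        verdict = "DENY  " + ", ".join(failed) if failed else "ALLOW"
        print(f"{name:18} {verdict}")
```

The `digits-in-name` case shows the other side of a strict pattern: a legitimate owner address that does not fit `first.last` is denied as well, so run real owner values through the check before the policy goes live.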

5. Step 3: Create a Cleanup Policy

This policy automatically cleans up unused resources to reduce waste:

```yaml
# cleanup-policy.yaml
name: unused-resource-cleanup
description: Remove unused EBS volumes and Elastic IPs

schedules:
  - cron: "0 2 * * *"  # Run daily at 2 AM UTC

rules:
  - name: unattached-ebs-volumes
    resource_type: AWS::EC2::Volume
    condition:
      status: available
      age_days: "> 7"
    action: delete
    dry_run: false  # Set to true for testing

  - name: unused-elastic-ips
    resource_type: AWS::EC2::EIP
    condition:
      association_id: null
      age_days: "> 3"
    action: release

  - name: old-snapshots
    resource_type: AWS::EC2::Snapshot
    condition:
      age_days: "> 90"
      tag_not_exists: DoNotDelete
    action: delete

notifications:
  summary:
    slack: "#cloud-costs"
    email: cloud-team@company.com
```

6. Step 4: Set Up Development Instance Scheduling

Automatically stop development instances outside business hours to save costs:

```yaml
# dev-scheduling-policy.yaml
name: dev-instance-scheduling
description: Stop dev instances outside business hours

resource_types:
  - AWS::EC2::Instance

filters:
  - tag:Environment: development

schedules:
  - name: stop-evenings
    action: stop
    cron: "0 19 * * MON-FRI"  # 7 PM weekdays
    timezone: America/New_York

  - name: start-mornings
    action: start
    cron: "0 7 * * MON-FRI"  # 7 AM weekdays
    timezone: America/New_York

  - name: stop-weekends
    action: stop
    cron: "0 19 * * FRI"  # Friday 7 PM

exclusions:
  - tag:AlwaysOn: "true"

estimated_savings: "$2,400/month"  # Based on current usage
```

7. Monitoring and Reporting

CostGuard provides a dashboard showing:

- Policy compliance rates
- Resources blocked/remediated
- Estimated savings from cleanup policies
- Trend of tagging compliance over time

You can export compliance reports for auditing and share them with stakeholders to demonstrate governance improvements.
