Cost Intelligence Dashboard
A serverless FinOps platform that detects spend anomalies and forecasts cost before the billing period closes, with least-privilege isolation at every layer.
/01 Problem
Cloud spend surprises arrive after the billing period closes, when it is too late to act. Untagged resources make attribution impossible. The goal was to surface anomalies and a forward forecast early enough to do something about them.
/02 Approach
- A Lambda ingester pulls 90 days of Cost Explorer data into a DynamoDB single-table store daily.
- It runs z-score anomaly detection per service against a 30-day rolling baseline at a 2.5σ threshold, and generates a 14-day linear regression forecast on aggregate spend.
- A second Lambda scans all account resources via the Resource Groups Tagging API and flags missing required tags.
- An SNS alert fires on every analysis run that finds outliers; EventBridge Scheduler triggers ingestion at 01:00 UTC and analysis at 02:00 UTC.
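The detection and forecast steps described above, as an added Python example that is not the project's own code: a z-score check against a 30-day rolling baseline at 2.5σ, and an ordinary-least-squares 14-day forecast. The daily cost series is constructed; the per-service grouping and DynamoDB I/O are assumed to happen around these functions.

```python
# Added example (not the project's code): z-score anomalies against a rolling
# baseline, plus a linear-regression forecast. Input is a list of daily costs
# for one service, oldest first; the sample series below is constructed.
from statistics import mean, pstdev

BASELINE_DAYS = 30     # rolling baseline length
Z_THRESHOLD = 2.5      # sigma threshold for an outlier
FORECAST_DAYS = 14     # forecast horizon

def z_score_anomalies(daily, baseline_days=BASELINE_DAYS, threshold=Z_THRESHOLD):
    """Return (index, z) for days whose cost deviates more than `threshold`
    sigma from the mean of the preceding `baseline_days` days.
    Days without a full baseline are skipped. A zero-variance baseline would
    divide by zero, so any change at all is flagged with z = inf there."""
    flagged = []
    for i in range(baseline_days, len(daily)):
        window = daily[i - baseline_days:i]
        mu, sigma = mean(window), pstdev(window)
        if sigma == 0:
            if daily[i] != mu:
                flagged.append((i, float("inf")))
            continue
        z = (daily[i] - mu) / sigma
        if abs(z) > threshold:
            flagged.append((i, round(z, 2)))
    return flagged

def linear_forecast(series, horizon=FORECAST_DAYS):
    """Fit y = intercept + slope * day by least squares over (0..n-1, series)
    and return the next `horizon` fitted values, floored at zero."""
    n = len(series)
    xs = range(n)
    x_bar, y_bar = mean(xs), mean(series)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, series))
    slope = sxy / sxx if sxx else 0.0
    intercept = y_bar - slope * x_bar
    return [max(0.0, intercept + slope * (n + k)) for k in range(horizon)]

# Constructed sample: 40 days at roughly $100/day with a small repeating
# wobble (98..102), then a single spike on day 35 that should be flagged.
SAMPLE = [100.0 + (i % 5) - 2 for i in range(40)]
SAMPLE[35] = 160.0

if __name__ == "__main__":
    print(z_score_anomalies(SAMPLE))           # expect only day 35
    print(linear_forecast(SAMPLE[:35], horizon=3))
```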
/03 Architecture
Results are served through an API Gateway HTTP API to a React frontend on S3 behind CloudFront with Origin Access Control.
Three separate IAM execution roles enforce least privilege at each layer: the ingester (ce:GetCostAndUsage, tag:GetResources, DynamoDB write), the analyzer (DynamoDB read/write, SNS publish), and the API (DynamoDB read only).
/04 Outcome
Spend anomalies are flagged before the billing period closes, and tagging gaps surface with the specific missing tag so cost attribution stays reliable.
34 resources are provisioned in Terraform with an S3 remote backend and native state locking, and deployed via GitHub Actions OIDC.