
Evidence & Audit (Cost Optimization)

Cost optimization compliance must be auditable. This page describes which evidence types WAF++ expects for the Cost pillar and how audits are structured.

Evidence Types

Evidence types, each with a description and its typical sources:

IaC Evidence
  Description: Terraform code with budget resources, tag modules, lifecycle policies, VPC endpoints. CI gate logs with tagging compliance checks.
  Typical sources: Git repository, CI/CD logs (GitHub Actions, GitLab CI, Atlantis)

Cost Reporting Evidence
  Description: Monthly cost reports, budget alert logs, tagging compliance reports, anomaly detection findings.
  Typical sources: AWS Cost Explorer, Azure Cost Management, GCP Billing Reports, FinOps dashboard

Process Evidence
  Description: Monthly FinOps review records with action items. Quarterly architecture board review records. Cost debt register version history.
  Typical sources: ITSM (Jira, ServiceNow), Confluence, Git history of the cost debt register

Architecture Evidence
  Description: ADR documents with completed cost impact sections. Lock-in score assessments. Architecture board approvals for lock-in score >= 4.
  Typical sources: Git repository (docs/adr/), architecture board meeting notes

Config Evidence
  Description: Exported lifecycle policies, log retention configurations, budget definitions, VPC endpoint inventory.
  Typical sources: AWS Config, Azure Resource Graph, GCP Asset Inventory

Optimization Evidence
  Description: Rightsizing review records. Reservation portfolio export. RI utilization reports. Compute Optimizer recommendations (accepted/rejected with rationale).
  Typical sources: AWS Compute Optimizer, Azure Advisor, GCP Recommender, rightsizing review documents

Minimum Evidence Requirements

Each piece of evidence in the cost context MUST:

  • Be dated and versioned (no undated screenshot from the console UI)

  • Be attributed to a control ID (e.g. WAF-COST-010 in the file name or in the ticket reference)

  • Be traceable: source, responsible party, scope clearly recognizable

  • Be retained: at least 2 years for operational evidence; 5 years for governance/ADR evidence
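As an added example (not part of the WAF++ project or its checker), the following Python function applies the four requirements above to one evidence record. The record field names (collected_on, version, file_name, ticket, source, owner, scope, category, retain_until) are assumptions made for this example, not a WAF++ artifact schema.

```python
import re
from datetime import date

# Control IDs on this page follow the pattern WAF-COST-NNN.
CONTROL_ID_RE = re.compile(r"\bWAF-COST-\d{3}\b")
# Retention floors: 2 years for operational evidence, 5 years for governance/ADR evidence.
RETENTION_YEARS = {"operational": 2, "governance": 5}

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb when the target year is not a leap year
        return d.replace(year=d.year + years, day=28)

def validate_evidence(record: dict) -> list[str]:
    """Violations for one record (empty = compliant); field names are assumptions, not a WAF++ schema."""
    problems = []
    # Requirement 1: dated and versioned (an undated console screenshot fails here)
    try:
        collected = date.fromisoformat(record.get("collected_on", ""))
    except ValueError:
        collected = None
        problems.append("missing or non-ISO collected_on date")
    if not record.get("version"):
        problems.append("missing version (commit hash, report id or document revision)")
    # Requirement 2: attributed to a control ID in the file name or the ticket reference
    if not CONTROL_ID_RE.search(record.get("file_name", "") + " " + record.get("ticket", "")):
        problems.append("no WAF-COST control ID in file name or ticket reference")
    # Requirement 3: traceable, i.e. source, responsible party and scope are recorded
    for field in ("source", "owner", "scope"):
        if not record.get(field):
            problems.append(f"missing traceability field: {field}")
    # Requirement 4: retained at least as long as the floor for its evidence class
    years = RETENTION_YEARS.get(record.get("category", ""))
    if years is None:
        problems.append("category must be 'operational' or 'governance'")
    elif collected is not None:
        floor = add_years(collected, years)
        if record.get("retain_until", "") < floor.isoformat():  # ISO dates order correctly as strings
            problems.append(f"retain_until must be on or after {floor.isoformat()}")
    return problems

# Constructed sample records (not real audit evidence).
GOOD = {"collected_on": "2024-03-31", "version": "a1b2c3d", "source": "CI gate log",
        "file_name": "WAF-COST-010-tagging-compliance-2024-03.csv", "ticket": "", "owner": "platform-team",
        "scope": "prod accounts", "category": "operational", "retain_until": "2026-03-31"}
BAD = {"collected_on": "screenshot", "version": "", "file_name": "budget.png", "ticket": "",
       "source": "console", "owner": "", "scope": "", "category": "governance"}
```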

Audit Structure (Cost Focus)

A cost optimization audit typically follows this sequence:

Phase 1: Check Transparency Foundation

  • Does a tagging taxonomy exist? → WAF-COST-010

  • Is tagging enforced in the CI gate?

  • What is the current tagging compliance rate?

  • What share of cloud costs is attributed to workloads (vs. "Untagged")?

Phase 2: Check Budget Governance

  • Are budget limits defined as IaC resources? → WAF-COST-020

  • Do alerts exist at 80% and 100% budget consumption?

  • Were alerts triggered in the last 3 months? How were they handled?

Phase 3: Check Waste and Rightsizing

The most common cost waste patterns:

  1. Idle Compute → WAF-COST-030

    • Are there resources with rightsizing-reviewed tag older than 90 days?

    • Which instances have < 5% CPU utilization over 7 days?

  2. Infinite Retention → WAF-COST-040

    • Do all S3 buckets have lifecycle policies?

    • Do all log groups have retention_in_days != 0 set?

  3. Uncontrolled Egress → WAF-COST-090

    • Are VPC endpoints for S3/KMS deployed?

    • Are there public IPs on internal compute resources?
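As an added example (not code from the WAF++ project), the Phase 3 questions above turned into a check over a constructed inventory export. The inventory shape, the tag and field names and the sample resources are assumptions for this example; a real run would read an AWS Config or Cost Explorer export instead.

```python
from datetime import date, timedelta

# Constructed inventory export (not real account data). Its shape is an assumption,
# loosely modelled on what an AWS Config / Cost Explorer export would provide.
INVENTORY = {
    "instances": [
        {"id": "i-0aaa", "tags": {"rightsizing-reviewed": "2024-01-15"}, "cpu_7d_avg": 3.1},
        {"id": "i-0bbb", "tags": {"rightsizing-reviewed": "2024-04-01"}, "cpu_7d_avg": 41.0},
        {"id": "i-0ccc", "tags": {}, "cpu_7d_avg": 0.8},
    ],
    "s3_buckets": [{"name": "app-logs", "lifecycle_rules": 0}, {"name": "backups", "lifecycle_rules": 2}],
    "log_groups": [{"name": "/aws/lambda/api", "retention_in_days": 0},  # 0 = never expire
                   {"name": "/ecs/web", "retention_in_days": 30}],
    "vpc_endpoints": ["s3"],  # services that have a gateway/interface endpoint in the VPC
}

def phase3_findings(inv: dict, today: date) -> list[tuple[str, str, str]]:
    """Return (control_id, resource, reason) for every Phase 3 waste check that fails."""
    findings = []
    stale_before = today - timedelta(days=90)
    for inst in inv["instances"]:
        # WAF-COST-030: rightsizing-reviewed tag missing or dated more than 90 days ago
        reviewed = inst["tags"].get("rightsizing-reviewed")
        if reviewed is None or date.fromisoformat(reviewed) < stale_before:
            findings.append(("WAF-COST-030", inst["id"], "rightsizing review missing or older than 90 days"))
        # WAF-COST-030: idle compute, under 5% average CPU over 7 days
        if inst["cpu_7d_avg"] < 5.0:
            findings.append(("WAF-COST-030", inst["id"], f"7-day CPU {inst['cpu_7d_avg']}% < 5%"))
    # WAF-COST-040: infinite retention on buckets and log groups
    for b in inv["s3_buckets"]:
        if b["lifecycle_rules"] == 0:
            findings.append(("WAF-COST-040", b["name"], "no lifecycle policy"))
    for lg in inv["log_groups"]:
        if lg["retention_in_days"] == 0:
            findings.append(("WAF-COST-040", lg["name"], "retention_in_days is 0 (never expires)"))
    # WAF-COST-090: uncontrolled egress, S3/KMS traffic leaving the VPC without an endpoint
    for svc in ("s3", "kms"):
        if svc not in inv["vpc_endpoints"]:
            findings.append(("WAF-COST-090", "vpc", f"no VPC endpoint for {svc}"))
    return findings

if __name__ == "__main__":
    for control, resource, reason in phase3_findings(INVENTORY, date(2024, 4, 30)):
        print(f"{control}\t{resource}\t{reason}")
```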

Phase 4: Check Architectural Cost Debt

  • Does a cost debt register exist? → WAF-COST-100

  • Does every entry have an owner and a status?

  • Has a quarterly architecture board review been conducted?

  • Do current ADRs contain cost impact sections? → WAF-COST-050

Phase 5: Check FinOps Processes

  • Do monthly engineering reviews take place? → WAF-COST-060

  • Are action items documented and traceable?

  • Is RI/SP coverage >= 70%? → WAF-COST-080

  • Are observability costs below 20% of the total budget? → WAF-COST-070

Evidence Mapping per Control

Per control, the primary and secondary evidence an auditor expects:

WAF-COST-010
  Primary evidence: CI gate log with tagging compliance check; Terraform mandatory tag module
  Secondary evidence: Monthly tagging compliance report (target >= 95%)

WAF-COST-020
  Primary evidence: Terraform budget resources in repository; alert notification configuration
  Secondary evidence: Alert delivery evidence from the last 3 months

WAF-COST-030
  Primary evidence: Rightsizing review records; tag rightsizing-reviewed with date on compute
  Secondary evidence: Compute Optimizer export with accepted/rejected recommendations

WAF-COST-040
  Primary evidence: Terraform lifecycle configurations; log group retention settings
  Secondary evidence: AWS Config report: S3 buckets without lifecycle policy (target: 0)

WAF-COST-050
  Primary evidence: ADR documents with cost impact assessment section; lock-in score assessments
  Secondary evidence: Architecture board approvals for lock-in score >= 4

WAF-COST-060
  Primary evidence: Monthly FinOps review records; quarterly AB review record
  Secondary evidence: Action item tracker with completion status

WAF-COST-070
  Primary evidence: Terraform log retention configurations; log tiering strategy
  Secondary evidence: Observability cost share report (target: < 20%)

WAF-COST-080
  Primary evidence: Reservation portfolio export; RI utilization report
  Secondary evidence: Tag capacity-commitment on baseline compute resources

WAF-COST-090
  Primary evidence: VPC endpoint resources in Terraform; CDN configuration
  Secondary evidence: Egress cost trend report (monthly)

WAF-COST-100
  Primary evidence: Cost debt register (Git-versioned); AB review entry for current quarter
  Secondary evidence: ADR links to cost debt entries

Automated Evidence Collection

The WAF++ Checker integration enables automated evidence collection for IaC-based controls:

# Example: WAF++ Checker call for cost controls
wafpp check \
  --pillar cost \
  --controls WAF-COST-010,WAF-COST-020,WAF-COST-040,WAF-COST-070,WAF-COST-090 \
  --engine terraform \
  --path ./infrastructure/terraform \
  --output-format sarif \
  --evidence-export ./evidence/cost-$(date +%Y-%m).json

The checker generates:

  • SARIF report for CI integration and GitHub Code Scanning

  • JSON evidence artifact with timestamp and control ID mapping

  • Markdown summary for pull request comments

For process controls (WAF-COST-050, WAF-COST-060, WAF-COST-100), manual evidence collection is required: review records, ADR documents, cost debt register.