Cost Management Automation
Cloud cost management requires continuous monitoring and rapid response to anomalies. These automations implement FinOps practices within the CMDB.
CM-01: Daily Cost Synchronization
Update Monthly Spend on all Cloud Account objects with current billing data from cloud providers.
AQL Query:
objectType = "Cloud Account" AND Status = "Active"
Actions:
- Query AWS Cost Explorer API for each account
- Query Azure Cost Management API for subscriptions
- Query GCP Cloud Billing for projects
- Update Monthly Spend attribute via Import API
CM-02: Cost Anomaly Detection
Detect unusual spending patterns and alert stakeholders before budget overruns.
Alert Thresholds:
| Increase | Severity | Action |
|---|---|---|
| 10-20% | Info | Log for weekly review |
| 20-50% | Warning | Email Account Owner |
| 50-100% | High | Email Owner + FinOps Manager |
| 100%+ | Critical | Page FinOps on-call |
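The threshold table above maps a percentage increase onto a severity and an action. The following is an added example (not Schema Forge code) of that classification run over constructed Cloud Account records; it assumes the baseline is the mean of the trailing monthly totals kept on the account and that each row's lower bound is inclusive, and it leaves the provider billing calls and the Import API write-back out.

```python
"""CM-02 cost anomaly classification (added example; not Schema Forge code).

Assumptions: the baseline is the mean of the trailing monthly totals held
on the Cloud Account object, and the lower bound of each table row is
inclusive (an exact 20% increase is a Warning). Provider billing calls and
the Assets Import API write-back are out of scope; SAMPLE_ACCOUNTS is
constructed data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple

# Lower bound (percent increase) -> severity and action, from the CM-02 table.
THRESHOLDS = [
    (100.0, "Critical", "Page FinOps on-call"),
    (50.0, "High", "Email Owner + FinOps Manager"),
    (20.0, "Warning", "Email Account Owner"),
    (10.0, "Info", "Log for weekly review"),
]


@dataclass
class CloudAccount:
    key: str                    # Assets object key
    owner: str                  # Account Owner attribute
    monthly_spend: float        # current Monthly Spend attribute
    prior_months: List[float]   # trailing monthly totals used as the baseline


def percent_increase(current: float, baseline: float) -> Optional[float]:
    """Percent change from baseline; None when there is no usable baseline."""
    if baseline <= 0:
        return None  # new or previously zero-spend account: no meaningful ratio
    return (current - baseline) / baseline * 100.0


def classify(increase: Optional[float]) -> Optional[Tuple[str, str]]:
    """Map an increase onto (severity, action); None below the Info threshold."""
    if increase is None:
        return None
    for lower_bound, severity, action in THRESHOLDS:
        if increase >= lower_bound:
            return severity, action
    return None


def detect_anomalies(accounts: List[CloudAccount]) -> List[dict]:
    """Return one finding per account whose spend increase crosses a threshold."""
    findings = []
    for acct in accounts:
        baseline = mean(acct.prior_months) if acct.prior_months else 0.0
        increase = percent_increase(acct.monthly_spend, baseline)
        hit = classify(increase)
        if hit is not None:
            severity, action = hit
            findings.append({
                "account": acct.key,
                "owner": acct.owner,
                "increase_pct": round(increase, 1),
                "severity": severity,
                "action": action,
            })
    return findings


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    CloudAccount("aws-prod-1", "alice", 1200.0, [1000.0, 1000.0, 1000.0]),   # +20%  -> Warning
    CloudAccount("aws-data-1", "bob", 2100.0, [1000.0, 1000.0, 1000.0]),     # +110% -> Critical
    CloudAccount("azure-dev-1", "carol", 1050.0, [1000.0, 1000.0, 1000.0]),  # +5%   -> below threshold
    CloudAccount("azure-new-1", "dave", 300.0, []),                          # no baseline -> skipped
    CloudAccount("gcp-analytics", "erin", 1700.0, [1000.0, 1200.0, 800.0]),  # +70%  -> High
]

if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_ACCOUNTS):
        print(finding)
```

Accounts with no baseline are skipped rather than reported as a 100%+ jump; a new account's first month would otherwise page the on-call every time.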
CM-03: Orphaned Resource Detection
Identify cloud resources that may be abandoned or unused, representing unnecessary cost.
Detection Categories:
- Databases stopped for 30+ days
- Empty namespaces without deployments
- Inactive serverless functions (no invocations in 60+ days)
- Storage buckets with no recorded access
AQL Query (Inactive Functions):
objectType = "Serverless Function" AND Status = "Inactive"
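The AQL above only finds functions already marked Inactive; deciding which resources fall into the four categories needs dates. The following is an added example (not Schema Forge code) that applies all four detection categories to constructed CMDB records. It assumes attributes named `status_changed`, `created`, `last_invocation` and `last_access`, and it never flags a resource younger than the inactivity window, so a freshly created function or bucket with no activity yet is not reported as orphaned.

```python
"""CM-03 orphaned-resource detection (added example; not Schema Forge code).

Assumed attributes: status_changed (when a database became Stopped),
created, last_invocation and last_access. A resource younger than the
inactivity window is never flagged. SAMPLE_RESOURCES and AS_OF are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

AS_OF = date(2024, 6, 1)    # constructed evaluation date

STOPPED_DB_DAYS = 30        # "Databases stopped for 30+ days"
FUNCTION_IDLE_DAYS = 60     # "no invocations in 60+ days"
BUCKET_IDLE_DAYS = 60       # assumption: same window applied to bucket access


@dataclass
class Resource:
    key: str
    object_type: str                         # Managed Database / Namespace / Serverless Function / Object Storage
    status: str = "Active"
    created: Optional[date] = None
    status_changed: Optional[date] = None    # databases: when Status last changed
    deployment_count: int = 0                # namespaces
    last_invocation: Optional[date] = None   # serverless functions
    last_access: Optional[date] = None       # object storage


def days_since(d: Optional[date], as_of: date) -> Optional[int]:
    return None if d is None else (as_of - d).days


def idle_days(last_activity: Optional[date], created: Optional[date], as_of: date) -> Optional[int]:
    """Days since last activity; falls back to age since creation when there was never any."""
    if last_activity is not None:
        return days_since(last_activity, as_of)
    return days_since(created, as_of)  # None if the creation date is unknown too


def orphan_reason(r: Resource, as_of: date = AS_OF) -> Optional[str]:
    """Return why the resource looks orphaned, or None if it does not."""
    if r.object_type == "Managed Database" and r.status == "Stopped":
        age = days_since(r.status_changed, as_of)
        if age is not None and age >= STOPPED_DB_DAYS:
            return f"stopped for {age} days"
    elif r.object_type == "Namespace" and r.deployment_count == 0:
        return "no deployments"
    elif r.object_type == "Serverless Function":
        idle = idle_days(r.last_invocation, r.created, as_of)
        if idle is not None and idle >= FUNCTION_IDLE_DAYS:
            return f"no invocations in {idle} days"
    elif r.object_type == "Object Storage" and r.last_access is None:
        idle = idle_days(None, r.created, as_of)
        if idle is not None and idle >= BUCKET_IDLE_DAYS:
            return "no recorded access"
    return None


def find_orphans(resources: List[Resource], as_of: date = AS_OF) -> List[Tuple[str, str]]:
    out = []
    for r in resources:
        reason = orphan_reason(r, as_of)
        if reason:
            out.append((r.key, reason))
    return out


# Constructed sample inventory.
SAMPLE_RESOURCES = [
    Resource("db-orders", "Managed Database", status="Stopped", status_changed=date(2024, 4, 1)),
    Resource("db-reports", "Managed Database", status="Stopped", status_changed=date(2024, 5, 20)),
    Resource("ns-legacy", "Namespace", deployment_count=0),
    Resource("ns-payments", "Namespace", deployment_count=4),
    Resource("fn-nightly", "Serverless Function", created=date(2023, 1, 1), last_invocation=date(2024, 1, 15)),
    Resource("fn-new", "Serverless Function", created=date(2024, 5, 15)),    # too young to judge
    Resource("fn-hot", "Serverless Function", created=date(2023, 1, 1), last_invocation=date(2024, 5, 31)),
    Resource("bucket-archive", "Object Storage", created=date(2023, 1, 1)),
    Resource("bucket-logs", "Object Storage", created=date(2023, 1, 1), last_access=date(2024, 5, 30)),
]

if __name__ == "__main__":
    for key, reason in find_orphans(SAMPLE_RESOURCES):
        print(f"{key}: {reason}")
```

A bucket with no access data and no creation date is left alone rather than flagged, since the absence of telemetry is not evidence of disuse.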
Security Posture Automation
Security posture automation monitors cloud configuration and alerts on misconfigurations or drift from security baselines.
SP-01: Public Storage Detection
Detect object storage buckets with public access enabled and alert the security team.
AQL Query:
objectType = "Object Storage" AND "Public Access" = "Allowed" AND Status = "Active"
Actions:
- Alert Security team immediately
- Create security incident
- Consider auto-remediation (block public access)
- Verify approval documentation for legitimate public buckets
SP-02: Encryption Compliance Monitoring
Ensure all storage and database resources have encryption enabled per policy.
AQL Queries:
-- Storage without encryption
objectType = "Object Storage" AND Encryption = "None" AND Status = "Active"
-- Production storage without KMS
objectType = "Object Storage" AND Encryption NOT IN ("SSE-KMS", "Customer Managed")
AND "Cloud Account".Environment = "Production"
SP-03: Service Mesh mTLS Compliance
Ensure production service meshes have strict mTLS enabled.
AQL Query:
objectType = "Service Mesh" AND Status = "Active"
AND Cluster.Environment = "Production" AND "mTLS Status" != "Strict"
Actions:
- If Permissive: Alert Platform Engineering, create migration task
- If Disabled: Create P2 security incident, escalate to Security Lead
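SP-01 through SP-03 are each one predicate over a CMDB object plus an action that depends on which branch matched. The following is an added example (not Schema Forge code) that expresses the three checks as a small rule set and runs it over constructed objects. It assumes the parent Cloud Account's or Cluster's Environment is available on the object as `attrs["Environment"]`, that an approved public bucket carries its approval record reference in `attrs["Public Approval"]`, and the severities are this example's mapping of the page's actions.

```python
"""SP-01 to SP-03 as a rule set over CMDB objects (added example; not
Schema Forge code). Assumptions: Environment is denormalized onto the
object, approved public buckets carry a "Public Approval" reference, and
severities are this example's mapping of the page's actions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, action)


@dataclass
class CmdbObject:
    key: str
    object_type: str
    attrs: Dict[str, str] = field(default_factory=dict)


def is_active(o: CmdbObject) -> bool:
    return o.attrs.get("Status") == "Active"


def sp01_public_storage(o: CmdbObject) -> Optional[Finding]:
    if o.object_type != "Object Storage" or not is_active(o):
        return None
    if o.attrs.get("Public Access") != "Allowed":
        return None
    approval = o.attrs.get("Public Approval")   # assumed attribute
    if approval:
        return ("Info", f"public bucket approved under {approval}; verify approval documentation")
    return ("High", "alert Security team, create security incident, consider blocking public access")


def sp02_encryption(o: CmdbObject) -> Optional[Finding]:
    if o.object_type != "Object Storage" or not is_active(o):
        return None
    enc = o.attrs.get("Encryption", "None")
    if enc == "None":
        return ("High", "storage without encryption")
    if o.attrs.get("Environment") == "Production" and enc not in ("SSE-KMS", "Customer Managed"):
        return ("Warning", f"production storage without KMS (Encryption={enc})")
    return None


def sp03_mtls(o: CmdbObject) -> Optional[Finding]:
    if o.object_type != "Service Mesh" or not is_active(o):
        return None
    if o.attrs.get("Environment") != "Production":
        return None
    mtls = o.attrs.get("mTLS Status")
    if mtls == "Strict":
        return None
    if mtls == "Permissive":
        return ("Warning", "alert Platform Engineering, create migration task")
    return ("High", "create P2 security incident, escalate to Security Lead")


RULES: List[Tuple[str, Callable[[CmdbObject], Optional[Finding]]]] = [
    ("SP-01", sp01_public_storage),
    ("SP-02", sp02_encryption),
    ("SP-03", sp03_mtls),
]


def evaluate(objects: List[CmdbObject]) -> List[Tuple[str, str, str, str]]:
    """Return (rule id, object key, severity, action) for every rule that fires."""
    findings = []
    for o in objects:
        for rule_id, rule in RULES:
            hit = rule(o)
            if hit is not None:
                findings.append((rule_id, o.key, hit[0], hit[1]))
    return findings


# Constructed sample objects; "CHANGE-PLACEHOLDER" stands in for a real approval record key.
SAMPLE_OBJECTS = [
    CmdbObject("s3-public-assets", "Object Storage", {"Status": "Active", "Public Access": "Allowed",
                                                       "Encryption": "SSE-S3", "Environment": "Production"}),
    CmdbObject("s3-marketing-site", "Object Storage", {"Status": "Active", "Public Access": "Allowed",
                                                        "Public Approval": "CHANGE-PLACEHOLDER",
                                                        "Encryption": "SSE-KMS", "Environment": "Production"}),
    CmdbObject("s3-scratch", "Object Storage", {"Status": "Active", "Public Access": "Blocked",
                                                 "Encryption": "None", "Environment": "Development"}),
    CmdbObject("s3-old", "Object Storage", {"Status": "Decommissioned", "Encryption": "None"}),
    CmdbObject("mesh-prod", "Service Mesh", {"Status": "Active", "Environment": "Production", "mTLS Status": "Permissive"}),
    CmdbObject("mesh-prod-legacy", "Service Mesh", {"Status": "Active", "Environment": "Production", "mTLS Status": "Disabled"}),
    CmdbObject("mesh-dev", "Service Mesh", {"Status": "Active", "Environment": "Development", "mTLS Status": "Disabled"}),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_OBJECTS):
        print(row)
```

A missing mTLS Status on a production mesh falls into the Disabled branch on purpose: an unknown posture is treated as non-compliant rather than silently skipped.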
Kubernetes Lifecycle Automation
Kubernetes automations manage cluster version compliance, namespace governance, and workload health.
KL-01: Cluster Version Compliance
Track Kubernetes version compliance and schedule upgrades before end-of-life.
AQL Queries:
-- Clusters with outdated versions (N-3 or older)
objectType = "Kubernetes Cluster" AND Version < "1.27" AND Status = "Active"
-- Clusters without version information
objectType = "Kubernetes Cluster" AND Version is EMPTY AND Status = "Active"
-- Clusters approaching end of support (N-2)
objectType = "Kubernetes Cluster" AND Version LIKE "1.27%" AND Status = "Active"
Actions:
- CRITICAL (N-3+): Create P3 incident, schedule emergency upgrade
- WARNING (N-2): Create upgrade task, target 90 days
- INFO (N-1): Add to quarterly planning
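The queries above hard-code "1.27" as the N-3 boundary, which has to move with every release, and comparing versions as text misorders "1.9" against "1.27". The following is an added example (not Schema Forge code) that parses major.minor numerically and derives the N-1 / N-2 / N-3 tier from the distance to a configured current version; `CURRENT_VERSION` and `SAMPLE_CLUSTERS` are constructed values.

```python
"""KL-01 version-compliance tiers (added example; not Schema Forge code).

Parses major.minor numerically instead of comparing version strings, and
derives the N-1 / N-2 / N-3 tier from the distance to CURRENT_VERSION so
the threshold moves with each release. CURRENT_VERSION and SAMPLE_CLUSTERS
are constructed values.
"""
import re
from typing import Dict, List, Optional, Tuple

CURRENT_VERSION = "1.30"  # assumption: latest upstream minor at evaluation time

# Minimum minors behind -> tier and action, from the KL-01 action list.
TIERS = [
    (3, "CRITICAL", "Create P3 incident, schedule emergency upgrade"),
    (2, "WARNING", "Create upgrade task, target 90 days"),
    (1, "INFO", "Add to quarterly planning"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)")


def parse_version(version: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from 'v1.29.3', '1.27' or similar; None if empty/unparsable."""
    m = _VERSION_RE.match((version or "").strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def minors_behind(version: Optional[str], current: str = CURRENT_VERSION) -> Optional[float]:
    """Number of minor releases the cluster trails the current version."""
    v, c = parse_version(version), parse_version(current)
    if v is None or c is None:
        return None
    if v[0] != c[0]:
        # Different major line: an older major is treated as arbitrarily far behind.
        return float("inf") if v[0] < c[0] else 0
    return max(c[1] - v[1], 0)  # newer than current counts as up to date


def compliance_tier(version: Optional[str], current: str = CURRENT_VERSION) -> Tuple[str, str]:
    """Return (tier, action) for one cluster version."""
    behind = minors_behind(version, current)
    if behind is None:
        return ("UNKNOWN", "Version missing or unparsable; populate the Version attribute")
    for minimum, tier, action in TIERS:
        if behind >= minimum:
            return (tier, action)
    return ("OK", "Within support window")


def assess_clusters(clusters: List[Tuple[str, Optional[str]]],
                    current: str = CURRENT_VERSION) -> Dict[str, str]:
    return {name: compliance_tier(version, current)[0] for name, version in clusters}


# Constructed sample: "1.9" sorts after "1.27" as text but is 21 minors behind numerically.
SAMPLE_CLUSTERS = [
    ("prod-eu", "v1.27.11"), ("prod-us", "1.28"), ("staging", "1.29.2"),
    ("dev-1", "1.30.0"), ("dev-2", None), ("legacy", "1.9"), ("canary", "1.31"),
]

if __name__ == "__main__":
    for name, tier in assess_clusters(SAMPLE_CLUSTERS).items():
        print(f"{name}: {tier}")
```

Clusters with an empty Version get their own UNKNOWN tier, matching the second query above, so a missing attribute never passes as compliant.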
KL-02: Deployment Health Monitoring
Detect failed or degraded deployments and update CMDB status.
AQL Query:
objectType = "Deployment" AND Status = "Failed"
Actions:
- On status change to "Failed": Create P2 incident, notify Team Owner
- On status change to "Degraded": Alert Team Owner, log for trend analysis
- On status change to "Running" (recovery): Close related incidents
KL-03: Stale Namespace Detection
Identify namespaces without recent activity that may be candidates for cleanup.
Detection Criteria:
- No deployments in namespace
- No pods running for 90+ days
- No recent resource changes
Actions:
- Flag namespace in CMDB (Status = "Deprecated")
- Notify Team Owner requesting confirmation
- After 30 days without response: Escalate to team manager
- After 60 days: Archive namespace resources
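The detection criteria and the 30/60-day escalation above together form one procedure. The following is an added example (not Schema Forge code) that decides, for each namespace record, which step applies today. It assumes "no recent resource changes" uses the same 90-day window as the pod criterion, and that the CMDB records when the namespace was flagged (`flagged_on`) and whether the Team Owner confirmed it is still in use (`owner_confirmed`); the dates in the sample are constructed.

```python
"""KL-03 stale-namespace detection and escalation timeline (added example;
not Schema Forge code). Assumptions: a 90-day window for "recent" changes,
and flagged_on / owner_confirmed attributes on the namespace record.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90
ESCALATE_AFTER_DAYS = 30
ARCHIVE_AFTER_DAYS = 60


@dataclass
class NamespaceRecord:
    key: str
    deployment_count: int
    last_pod_running: Optional[date]   # None = no pod ever observed
    last_change: Optional[date]        # last resource change in the namespace
    flagged_on: Optional[date] = None  # when Status was set to "Deprecated"
    owner_confirmed: bool = False      # Team Owner replied that it is still needed


def _quiet_for(d: Optional[date], as_of: date, days: int) -> bool:
    return d is None or (as_of - d).days >= days


def is_stale(ns: NamespaceRecord, as_of: date) -> bool:
    """All three detection criteria must hold."""
    return (ns.deployment_count == 0
            and _quiet_for(ns.last_pod_running, as_of, INACTIVITY_DAYS)
            and _quiet_for(ns.last_change, as_of, INACTIVITY_DAYS))


def next_action(ns: NamespaceRecord, as_of: date) -> str:
    """Which step of the KL-03 action list applies to this namespace today."""
    if ns.owner_confirmed:
        return "keep (owner confirmed in use)"
    if ns.flagged_on is None:
        return "flag Deprecated and notify Team Owner" if is_stale(ns, as_of) else "no action"
    if not is_stale(ns, as_of):
        return "clear Deprecated flag (activity resumed)"
    days_flagged = (as_of - ns.flagged_on).days
    if days_flagged >= ARCHIVE_AFTER_DAYS:
        return "archive namespace resources"
    if days_flagged >= ESCALATE_AFTER_DAYS:
        return "escalate to team manager"
    return "awaiting owner response"


def review(namespaces: List[NamespaceRecord], as_of: date) -> Dict[str, str]:
    return {ns.key: next_action(ns, as_of) for ns in namespaces}


# Constructed sample, evaluated as of 2024-06-01.
AS_OF = date(2024, 6, 1)
SAMPLE_NAMESPACES = [
    NamespaceRecord("ns-old", 0, date(2024, 1, 1), date(2024, 1, 1)),                    # stale, not yet flagged
    NamespaceRecord("ns-live", 0, date(2024, 5, 20), date(2024, 1, 1)),                  # pods ran recently
    NamespaceRecord("ns-flag", 0, None, None, flagged_on=date(2024, 4, 20)),             # flagged 42 days ago
    NamespaceRecord("ns-arch", 0, None, None, flagged_on=date(2024, 3, 1)),              # flagged 92 days ago
    NamespaceRecord("ns-wait", 0, None, None, flagged_on=date(2024, 5, 25)),             # flagged 7 days ago
    NamespaceRecord("ns-keep", 0, None, None, flagged_on=date(2024, 3, 1), owner_confirmed=True),
    NamespaceRecord("ns-back", 0, date(2024, 5, 30), None, flagged_on=date(2024, 3, 1)),  # activity resumed
]

if __name__ == "__main__":
    for key, action in review(SAMPLE_NAMESPACES, AS_OF).items():
        print(f"{key}: {action}")
```

The stale test is re-run at every step, so a namespace that came back to life after being flagged is unflagged instead of being archived on the 60-day mark.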
Cloud Inventory Synchronization
Inventory synchronization ensures the CMDB reflects the actual cloud state.
IS-01: Multi-Cloud Resource Sync
Synchronize cloud resources from AWS, Azure, and GCP with JSM Assets.
| Cloud Service | Schema Object Type | Sync Method |
|---|---|---|
| AWS Organizations | Cloud Account | Organizations API |
| EKS / AKS / GKE | Kubernetes Cluster | Provider APIs |
| ECR / ACR / GCR | Container Registry | Provider APIs |
| Lambda / Functions | Serverless Function | Provider APIs |
| RDS / Cloud SQL | Managed Database | Provider APIs |
| S3 / GCS / Blob | Object Storage | Provider APIs |
Drift Detection:
- Resources in CMDB but not in cloud: Flag for review (possibly deleted)
- Resources in cloud but not in CMDB: Import automatically
- Attribute mismatches: Update CMDB with cloud values
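The three drift outcomes above are a set reconciliation keyed on a cloud-side identifier. The following is an added example (not Schema Forge code) that computes them over constructed cloud and CMDB records. It assumes a "Cloud Resource ID" attribute as the join key and only overwrites the attributes listed in `CLOUD_OWNED_ATTRS`, so CMDB-owned fields such as Team Owner are never clobbered by a sync.

```python
"""IS-01 drift detection between a cloud inventory and the CMDB (added
example; not Schema Forge code). Assumptions: a "Cloud Resource ID" join
key and a fixed list of cloud-owned attributes. Sample data is constructed.
"""
from typing import Dict, List, Tuple

CLOUD_OWNED_ATTRS = ["Version", "Status", "Region"]   # attributes the cloud is authoritative for


def reconcile(cloud_resources: List[dict], cmdb_objects: List[dict],
              compare_attrs: List[str] = CLOUD_OWNED_ATTRS,
              key: str = "Cloud Resource ID") -> Dict[str, list]:
    """Split the two inventories into the three IS-01 drift outcomes."""
    cloud = {r[key]: r for r in cloud_resources}
    cmdb = {o[key]: o for o in cmdb_objects}

    only_in_cmdb = sorted(cmdb.keys() - cloud.keys())    # flag for review (possibly deleted)
    only_in_cloud = sorted(cloud.keys() - cmdb.keys())   # import automatically

    updates: List[Tuple[str, str, object, object]] = []  # (id, attr, cmdb value, cloud value)
    for rid in sorted(cloud.keys() & cmdb.keys()):
        for attr in compare_attrs:
            cloud_val, cmdb_val = cloud[rid].get(attr), cmdb[rid].get(attr)
            if cloud_val != cmdb_val:
                updates.append((rid, attr, cmdb_val, cloud_val))

    return {
        "flag_for_review": only_in_cmdb,
        "import": [cloud[rid] for rid in only_in_cloud],
        "update": updates,
    }


# Constructed sample: Kubernetes Cluster records from the providers and from the CMDB.
SAMPLE_CLOUD = [
    {"Cloud Resource ID": "eks:prod-eu", "Name": "prod-eu", "Version": "1.29", "Status": "Active", "Region": "eu-west-1"},
    {"Cloud Resource ID": "aks:prod-us", "Name": "prod-us", "Version": "1.28", "Status": "Active", "Region": "eastus"},
    {"Cloud Resource ID": "gke:dev-1", "Name": "dev-1", "Version": "1.30", "Status": "Active", "Region": "us-central1"},
]
SAMPLE_CMDB = [
    {"Cloud Resource ID": "eks:prod-eu", "Name": "prod-eu", "Version": "1.28", "Status": "Active",
     "Region": "eu-west-1", "Team Owner": "platform"},
    {"Cloud Resource ID": "aks:prod-us", "Name": "prod-us", "Version": "1.28", "Status": "Active",
     "Region": "eastus", "Team Owner": "platform"},
    {"Cloud Resource ID": "eks:old-cluster", "Name": "old-cluster", "Version": "1.25", "Status": "Active",
     "Region": "eu-west-1", "Team Owner": "data"},
]

if __name__ == "__main__":
    for outcome, items in reconcile(SAMPLE_CLOUD, SAMPLE_CMDB).items():
        print(outcome, items)
```

Objects present only in the CMDB are reported, not deleted: the sync cannot tell a decommissioned cluster from one the collector failed to list, so that decision stays with a reviewer.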
Sync Frequency Recommendations
| Resource Type | Frequency | Rationale |
|---|---|---|
| Cloud Accounts | Daily | Low change frequency |
| Kubernetes Clusters | Every 6 hours | Version and status changes |
| Namespaces | Every 6 hours | Team activity varies |
| Deployments | Every 4 hours | High change frequency |
| Cost Data | Daily | Billing data refreshes daily |
| Security Config | Every 4 hours | Detect misconfigs quickly |
Schema Forge